[Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable - SOLVED

Roel van Meer roel at 1afa.com
Thu Aug 6 08:36:21 UTC 2015


Rowland Penny writes:

> As you have 2 DCs, /etc/resolv.conf on both machines should contain this:
>
> search <your dns domain>
> nameserver <your other DC>
> nameserver <this DC>
>
> i.e. each DC should use the other for DNS resolving.

Maybe I should say that my DCs are in different locations, so this is not
true in my case.  If I resolved DNS via a DC that's in a different
location, this would only introduce unnecessary delays.

So currently I'm always using the local Samba DC for DNS resolving.  Samba
replication will ensure all DCs have the same DNS records to hand out for
local domains.

(Although I still don't know why samba_dnsupdate fails if I use the local
Samba as DNS server on the second DC.  Everything I've checked so far
resolves identically on both DCs.  But I'm not giving up yet..)

Regards,

Roel



> Rowland
>
>>
>> So it is a DNS issue (possibly related to replication problems? I don't  
>> know.)
>>
>> Anyway, this works. On to the next step.
>>
>> Thanks a lot!
>>
>> Roel
>>
>>
>>> >-----Original message-----
>>> >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roel van Meer
>>> >Sent: Thursday 6 August 2015 9:28
>>> >To: samba at lists.samba.org
>>> >Subject: Re: [Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
>>> >
>>> >L.P.H. van Belle writes:
>>> >
>>> >> check the rights on :
>>> >> /var/lib/samba/private/dns.keytab 640 root:bind
>>> >> /var/lib/samba/private/dns 750 root:bind
>>> >> /var/lib/samba/private/sam.ldb.d 750 root:bind
>>> >
>>> >I'm using the internal DNS on both DCs, so I guess bind access rights
>>> >aren't the issue.
>>> >
>>> >Thanks for your answer though :)
>>> >
>>> >Regards,
>>> >
>>> >Roel
>>> >
>>> >
>>> >> >-----Original message-----
>>> >> >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roel van Meer
>>> >> >Sent: Thursday 6 August 2015 8:55
>>> >> >To: samba at lists.samba.org
>>> >> >Subject: [Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
>>> >> >
>>> >> >Hi everyone,
>>> >> >
>>> >> >I'm testing with a Samba4 AD network, and I have some problems with DNS on
>>> >> >the second DC, with which I could use a bit of your help.
>>> >> >
>>> >> >I have an AD with two DCs, both Samba 4.2.3.  On the first DC,
>>> >> >samba_dnsupdate works fine.  With stock 4.2.3 I get the error
>>> >> >
>>> >> >  "TSIG error with server: tsig verify failure"
>>> >> >
>>> >> >but the DNS updates succeed anyway, and after applying Gunther
>>> >> >Kukkukk's patch from
>>> >> >https://lists.samba.org/archive/samba-technical/2013-February/090408.html
>>> >> >the error is gone.  So no problems there.
>>> >> >
>>> >> >However, on the second DC samba_dnsupdate does not work.  I get the error
>>> >> >
>>> >> >  "dns_tkey_negotiategss: TKEY is unacceptable"
>>> >> >
>>> >> >Problem is: I don't really know where to look.  On the first DC (dev), the
>>> >> >ticket cache used by samba_dnsupdate contains:
>>> >> >
>>> >> >  root at dev:~# klist -c /tmp/tmpoFYYga
>>> >> >  Ticket cache: FILE:/tmp/tmpoFYYga
>>> >> >  Default principal: DEV$@EXAM.CORP
>>> >> >
>>> >> >  Valid starting       Expires              Service principal
>>> >> >  08/06/2015 08:17:43  08/06/2015 18:17:43  krbtgt/EXAM.CORP@EXAM.CORP
>>> >> >  08/06/2015 08:17:43  08/06/2015 18:17:43  DNS/dev.exam.corp@EXAM.CORP
>>> >> >
>>> >> >On the second DC (dc2) the ticket cache looks like:
>>> >> >
>>> >> >  root at dc2:~# klist -c /tmp/tmpzCc55h
>>> >> >  Ticket cache: FILE:/tmp/tmpzCc55h
>>> >> >  Default principal: DC2$@EXAM.CORP
>>> >> >
>>> >> >  Valid starting       Expires              Service principal
>>> >> >  08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
>>> >> >  08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP
>>> >> >
>>> >> >which smells incorrect, because it has a service principal for
>>> >> >dev.exam.corp instead of dc2.exam.corp?
>>> >> >
>>> >> >The file /etc/krb5.conf looks like this on both servers:
>>> >> >
>>> >> >  [libdefaults]
>>> >> >        default_realm = EXAM.CORP
>>> >> >        dns_lookup_realm = false
>>> >> >        dns_lookup_kdc = false
>>> >> >
>>> >> >
>>> >> >Could anyone please give me a hint on where to look further, or which
>>> >> >docs to read to get this working?
>>> >> >
>>> >> >Thanks a lot,
>>> >> >
>>> >> >Roel
>>> >> >
>>> >> >--
>>> >> >To unsubscribe from this list go to the following URL and read the
>>> >> >instructions: https://lists.samba.org/mailman/options/samba
>>> >> >
>>> >> >
>>> >>
>>> >>
>>> >
>>> >
>>> >
>>
>
>
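As an added example (not part of the thread), a small POSIX shell check that parses klist output like the one Roel shows and reports whether the DNS/ service ticket in the cache names this DC or a different one; the klist text below is constructed to mirror dc2's cache, and comparing the ticket's host against `hostname -f` is an assumption, so in production feed it the real cache's klist output.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba itself.
# The DNS/<host> service ticket in the cache that samba_dnsupdate uses tells
# you which DNS server it is trying to update. On dc2 in the thread that was
# DNS/dev.exam.corp, i.e. the other DC, rather than DNS/dc2.exam.corp.

# Constructed sample: what dc2's ticket cache looked like in the thread.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/tmpzCc55h
Default principal: DC2$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP'

# dns_spn_host KLIST_TEXT -> prints the host part of the first DNS/ principal
# (empty output if the cache holds no DNS/ service ticket at all).
dns_spn_host() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^DNS\//) { sub(/^DNS\//, "", $i); sub(/@.*/, "", $i); print $i; exit }
    }'
}

# check_dns_spn KLIST_TEXT EXPECTED_FQDN
# returns 0 if the DNS/ ticket names EXPECTED_FQDN, 1 if it names another
# host, 2 if there is no DNS/ ticket in the cache.
check_dns_spn() {
    host=$(dns_spn_host "$1")
    [ -n "$host" ] || { echo "no DNS/ service ticket in cache" >&2; return 2; }
    if [ "$host" = "$2" ]; then
        echo "ok: DNS/$host matches this DC"
        return 0
    fi
    echo "mismatch: cache holds DNS/$host, expected DNS/$2 (updates go to another DC's DNS server)" >&2
    return 1
}

# Run against the constructed sample. On a real DC use something like:
#   check_dns_spn "$(klist -c /tmp/tmpXXXX)" "$(hostname -f)"   # assumption: lower-case FQDN
check_dns_spn "$SAMPLE_KLIST" "dc2.exam.corp" || true
```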