[Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable - SOLVED
Roel van Meer
roel at 1afa.com
Thu Aug 6 08:36:21 UTC 2015
Rowland Penny writes:
> As you have 2 DCs, /etc/resolv.conf on both machines should contain this:
>
> search <your dns domain>
> nameserver <your other DC>
> nameserver <this DC>
>
> i.e. each DC should use the other for DNS resolving.
Maybe I should say that my DCs are in different locations, so this is not
true in my case. If I resolved DNS via a DC that's in a different
location, this would only introduce unnecessary delays.
So currently I'm always using the local Samba DC for DNS resolving. Samba
replication will ensure all DCs have the same DNS records to hand out for
local domains.
(Although I still don't know why samba_dnsupdate fails if I use the local
Samba as DNS server on the second DC. Everything I've checked so far
resolves identically on both DCs. But I'm not giving up yet...)
Regards,
Roel
> Rowland
>
>>
>> So it is a DNS issue (possibly related to replication problems? I don't
>> know.)
>>
>> Anyway, this works. On to the next step.
>>
>> Thanks a lot!
>>
>> Roel
>>
>>
>>> >-----Original message-----
>>> >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roel van Meer
>>> >Sent: Thursday, 6 August 2015 9:28
>>> >To: samba at lists.samba.org
>>> >Subject: Re: [Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
>>> >
>>> >L.P.H. van Belle writes:
>>> >
>>> >> check the rights on :
>>> >> /var/lib/samba/private/dns.keytab 640 root:bind
>>> >> /var/lib/samba/private/dns 750 root:bind
>>> >> /var/lib/samba/private/sam.ldb.d 750 root:bind
>>> >
>>> >I'm using the internal DNS on both DCs, so I guess bind access rights
>>> >aren't the issue.
>>> >
>>> >Thanks for your answer though :)
>>> >
>>> >Regards,
>>> >
>>> >Roel
>>> >
>>> >
>>> >> >-----Original message-----
>>> >> >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roel van Meer
>>> >> >Sent: Thursday, 6 August 2015 8:55
>>> >> >To: samba at lists.samba.org
>>> >> >Subject: [Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
>>> >> >
>>> >> >Hi everyone,
>>> >> >
>>> >> >I'm testing with a Samba4 AD network, and I have some problems with DNS on
>>> >> >the second DC, with which I could use a bit of your help.
>>> >> >
>>> >> >I have an AD with two DCs, both Samba 4.2.3. On the first DC,
>>> >> >samba_dnsupdate works fine. With stock 4.2.3 I get the error
>>> >> >
>>> >> > "TSIG error with server: tsig verify failure"
>>> >> >
>>> >> >but the DNS updates succeed anyway, and after applying Gunther
>>> >> >Kukkukk's patch from
>>> >> >https://lists.samba.org/archive/samba-technical/2013-February/090408.html
>>> >> >the error is gone. So no problems there.
>>> >> >
>>> >> >However, on the second DC samba_dnsupdate does not work. I
>>> >> >get the error
>>> >> >
>>> >> > "dns_tkey_negotiategss: TKEY is unacceptable"
>>> >> >
>>> >> >Problem is: I don't really know where to look. On the first DC (dev), the
>>> >> >ticket cache used by samba_dnsupdate contains:
>>> >> >
>>> >> > root@dev:~# klist -c /tmp/tmpoFYYga
>>> >> > Ticket cache: FILE:/tmp/tmpoFYYga
>>> >> > Default principal: DEV$@EXAM.CORP
>>> >> >
>>> >> > Valid starting       Expires              Service principal
>>> >> > 08/06/2015 08:17:43  08/06/2015 18:17:43  krbtgt/EXAM.CORP@EXAM.CORP
>>> >> > 08/06/2015 08:17:43  08/06/2015 18:17:43  DNS/dev.exam.corp@EXAM.CORP
>>> >> >
>>> >> >On the second DC (dc2) the ticket cache looks like:
>>> >> >
>>> >> > root@dc2:~# klist -c /tmp/tmpzCc55h
>>> >> > Ticket cache: FILE:/tmp/tmpzCc55h
>>> >> > Default principal: DC2$@EXAM.CORP
>>> >> >
>>> >> > Valid starting       Expires              Service principal
>>> >> > 08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
>>> >> > 08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP
>>> >> >
>>> >> >which smells incorrect, because it has a service principal for
>>> >> >dev.exam.corp
>>> >> >instead of dc2.exam.corp?
>>> >> >
>>> >> >The file /etc/krb5.conf looks like this on both servers:
>>> >> >
>>> >> > [libdefaults]
>>> >> > default_realm = EXAM.CORP
>>> >> > dns_lookup_realm = false
>>> >> > dns_lookup_kdc = false
>>> >> >
>>> >> >
>>> >> >Could anyone please give me a hint on where to look further,
>>> >> >or which docs
>>> >> >to read to get this working?
>>> >> >
>>> >> >Thanks a lot,
>>> >> >
>>> >> >Roel
>>> >> >
>>> >> >--
>>> >> >To unsubscribe from this list go to the following URL and read the
>>> >> >instructions: https://lists.samba.org/mailman/options/samba
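The two ticket caches quoted in this thread show the detail that decides where a GSS-TSIG update is sent: nsupdate negotiates its TKEY with a ticket for DNS/<server>, and that host is the DNS server the update goes to. On dc2 the cache holds DNS/dev.exam.corp, so the update was addressed to dev even though dc2 resolves through itself. The script below is an added example, not code from the thread or from Samba: it pulls the DNS/ service principal out of klist output and compares it with the local FQDN and with the nameservers in resolv.conf, so the mismatch is visible at a glance. The klist and resolv.conf text is constructed from what the thread quotes; the addresses 10.0.0.1 (dev) and 10.0.0.2 (dc2) and the result words (`ok-local`, `remote:`, `mismatch:`, `no-dns-ticket`) are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread; not code from Samba or from the posters.
# Reads the DNS/<host> service principal from a samba_dnsupdate ticket
# cache (the DNS server the GSS-TSIG TKEY was negotiated with) and compares
# it with the nameservers this DC is configured to use.
# All sample data below is constructed from the thread; the addresses
# 10.0.0.1 (dev) and 10.0.0.2 (dc2) are assumptions.

# Constructed klist output for the first DC (dev), as quoted in the thread.
KLIST_DEV='Ticket cache: FILE:/tmp/tmpoFYYga
Default principal: DEV$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:17:43  08/06/2015 18:17:43  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:17:43  08/06/2015 18:17:43  DNS/dev.exam.corp@EXAM.CORP'

# Constructed klist output for the second DC (dc2): the DNS/ principal
# still names dev.exam.corp.
KLIST_DC2='Ticket cache: FILE:/tmp/tmpzCc55h
Default principal: DC2$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP'

# resolv.conf as Roel describes it: each DC resolves through itself only.
RESOLV_LOCAL='search exam.corp
nameserver 127.0.0.1'

# resolv.conf as Rowland suggests for dc2: the other DC first, then itself.
RESOLV_OTHER_FIRST='search exam.corp
nameserver 10.0.0.1
nameserver 10.0.0.2'

# Host part of the first DNS/<host>@REALM service principal in the klist
# output read from stdin. Prints nothing if the cache holds no DNS/ ticket.
dns_spn_host() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^DNS\//) {
                   h = $i; sub(/^DNS\//, "", h); sub(/@.*/, "", h)
                   print h; exit
               } }'
}

# Exit 0 when every nameserver in the resolv.conf text on stdin is this
# host ($1 = this DC's own address; loopback also counts), else exit 1.
resolver_is_local() {
    awk -v self="$1" '
        $1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" && $2 != self { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Classify the update target for one DC.
#   $1 local FQDN   $2 local address   $3 klist text   $4 resolv.conf text
# Prints "ok-local" when the TKEY went to this DC's own DNS service,
# "remote:<host>" when it went to another DC and the resolver points there
# as well, and "mismatch:<host>" when the resolver points only at this DC
# yet the TKEY was negotiated with another DC (the dc2 case in the thread).
diagnose() {
    spn=$(printf '%s\n' "$3" | dns_spn_host)
    if [ -z "$spn" ]; then
        echo no-dns-ticket
    elif [ "$spn" = "$1" ]; then
        echo ok-local
    elif printf '%s\n' "$4" | resolver_is_local "$2"; then
        echo "mismatch:$spn"
    else
        echo "remote:$spn"
    fi
}

# Usage: reproduce both observations from the thread.
echo "dev: $(diagnose dev.exam.corp 10.0.0.1 "$KLIST_DEV" "$RESOLV_LOCAL")"
echo "dc2: $(diagnose dc2.exam.corp 10.0.0.2 "$KLIST_DC2" "$RESOLV_LOCAL")"
echo "dc2, other DC first: $(diagnose dc2.exam.corp 10.0.0.2 "$KLIST_DC2" "$RESOLV_OTHER_FIRST")"
```

On a real DC, feed it the cache samba_dnsupdate leaves behind (`klist -c /tmp/tmpXXXX`) and `/etc/resolv.conf` instead of the constructed strings. The check only tells you which server the TKEY negotiation was addressed to; it does not explain why dc2 picked dev, which is the open question in the thread.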