[Samba] win2003 AD migration to SAMBA 4.6 - dnsupdate problem

Tomáš Havlín thavlin at spel.cz
Wed Feb 21 14:16:41 UTC 2018

Hello Denis,

1. KRB - I tried kinit from a local terminal and got an answer about troubles 
with encryption, so I found out the win 2003 ciphers and put them into krb5.conf
2. from wiki - Verifying the DNS Entries: if you join a Samba DC that 
runs Samba 4.7 and later, samba-tool creates all required DNS entries 
automatically. To manually create the records on an earlier version, see 
Verifying and Creating a DC DNS Record - 

3. yes, resolv.conf is pointing to
4. you are right, the krb5.conf files are not identical, I forgot to move it to 

Now the situation is: with identical krb5.conf files not containing 
rc4-hmac and weak ciphers enabled, I get the error like before, which means 
trouble with ciphers. If I put the lines into both files I get a new error - 
dns_tkey_negotiategss: TKEY is unacceptable

I have tried to push DNS updates as you wrote - samba_dnsupdate 
--use-samba-tool - 18 records synchronized, 2 failed with the error 
ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR'), 
and samba_dnsupdate ends with dns_tkey_negotiategss: TKEY is unacceptable, 
Failed nsupdate: 1, Failed update of 2 entries

I hope I wrote everything important.


>>I want to migrate an old 2003 domain to Samba - join SAMBA 4.6 (DC2) to the 
>>2003 domain as a DC, move sysvol, FSMO, demote the old server (DC1), etc.,
>>etc. -
>>My problem is DNS updates. I have Kerberos working (added enctypes =
>>rc4-hmac for compatibility),
>May I ask where you added that? Where did you read that you had 
>to do that? Could you try to just remove it?
>>SAMBA joins without errors, I have created
>>DNS records,
>How did you create the records? Could you try the following on your two 
>DCs to force the update without going through the authenticated DNS: 
>samba_dnsupdate --use-samba-tool
>By the way, is your /etc/resolv.conf pointing to yourself? Are your 
>/etc/krb5.conf and /var/lib/samba/private/krb5.conf identical?
>>I can move FSMO. But DNS is working only on DC1, not on DC2,
>>I have found in the logs troubles with dnsupdates. DC1 thinks it is the only 
>>DC in the domain.
>>_ldap._tcp.Default-First-Site._sites.gc._msdcs.test.local. 900 IN SRV 
>>100 3268 dc2.test.local.
>>tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  
>>code may provide more information, Minor = KDC has no support for
>>encryption type.
>>Failed nsupdate: 1
>>Failed update of 20 entries
>-- Denis Cardon
>Tranquil IT Systems
>Les Espaces Jules Verne, bâtiment A
>12 avenue Jules Verne
>44230 Saint Sébastien sur Loire
>tel : +33 (0)
>Samba install wiki for Frenchies : https://dev.tranquil.it
>WAPT, software deployment made easy : https://wapt.fr
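The three pre-flight checks Denis asks for above (weak rc4-hmac / allow_weak_crypto settings in krb5.conf, the two krb5.conf files being identical, resolv.conf pointing at the DC itself) as a small added shell script; this is example code, not from the thread or from the Samba project. It runs against constructed sample files written to a temp directory, and the DC address 192.0.2.10 and the file contents are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight checks before running
# samba_dnsupdate on a freshly joined DC. Sample files are constructed below.

# Return 0 if the krb5.conf enables rc4-hmac or weak crypto, 1 otherwise.
krb5_has_weak_crypto() {
    grep -Eiq '^[[:space:]]*(allow_weak_crypto[[:space:]]*=[[:space:]]*true|[a-z_]*enctypes[[:space:]]*=.*rc4-hmac)' "$1"
}

# Return 0 if two krb5.conf files are identical ignoring blank/comment lines.
krb5_files_identical() {
    a=$(grep -Ev '^[[:space:]]*(#|;|$)' "$1" || true)
    b=$(grep -Ev '^[[:space:]]*(#|;|$)' "$2" || true)
    [ "$a" = "$b" ]
}

# Return 0 if the first nameserver in resolv.conf is this host:
# loopback or one of the addresses given in $2 (space separated).
resolv_points_to_self() {
    ns=$(awk '/^nameserver/ {print $2; exit}' "$1")
    for addr in 127.0.0.1 ::1 $2; do
        [ "$ns" = "$addr" ] && return 0
    done
    return 1
}

# Run all checks; print findings and return the number of problems found.
preflight() {
    n=0
    for f in "$1" "$2"; do
        krb5_has_weak_crypto "$f" && { echo "weak crypto enabled in $f"; n=$((n+1)); }
    done
    krb5_files_identical "$1" "$2" || { echo "$1 and $2 differ"; n=$((n+1)); }
    resolv_points_to_self "$3" "$4" || { echo "$3 does not point to this DC"; n=$((n+1)); }
    return $n
}

# Constructed sample input (assumed contents, realm taken from the thread).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/krb5_sys.conf" <<'EOF'
[libdefaults]
    default_realm = TEST.LOCAL
    dns_lookup_kdc = true
    default_tgs_enctypes = rc4-hmac
EOF
cat > "$SAMPLE_DIR/krb5_samba.conf" <<'EOF'
[libdefaults]
    default_realm = TEST.LOCAL
    dns_lookup_kdc = true
EOF
printf 'nameserver 127.0.0.1\nsearch test.local\n' > "$SAMPLE_DIR/resolv.conf"
```

On a real DC, call `preflight /etc/krb5.conf /var/lib/samba/private/krb5.conf /etc/resolv.conf "<DC address>"` and expect a return of 0 before running samba_dnsupdate.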
