[Samba] dns_tkey_gssnegotiate: TKEY is unacceptable
Rowland penny
rpenny at samba.org
Fri Jul 3 14:50:56 UTC 2020
On 03/07/2020 15:40, Robert E. Wooden via samba wrote:
> On 7/3/2020 9:31 AM, Rowland penny via samba wrote:
>> Does 'sudo rm -f /var/lib/samba/private/dns.keytab' give you any hint
>> to which is the correct keytab ?
>>
>> Rowland
>>
> While waiting for your reply, I began checking my BIND9 setup.
>
> Having used many of Louis' "sed" strings instructions, one of those
> strings directs "tkey-gssapi-keytab" to use
> "/var/lib/samba/_private_/dns.keytab".
>
> Changed it to: "/var/lib/samba/_bind-dns_/dns.keytab" and the DC, a
> few minutes ago, just finished updating properly.
>
> Thanks, our decision here pointed me to the correction needed.
>
> Now, I'll ask the obvious question. Why are there two "dns.keytab"
> files? It is confusing.
>
I thought I explained that, but let's try again ;-)
Originally, Samba used /var/lib/samba/private for the dns.keytab and
other dns files. This was then found to be possibly insecure, so it was
decided to use /var/lib/samba/bind-dns instead. When you upgrade the
Samba packages, the old files are not removed, but the new ones are
created. You just need to make Bind9 etc use them.
Rowland
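
The check discussed in this thread, as an added example that is not part of the original posts or of Samba: it reports whether the active tkey-gssapi-keytab line in a BIND options file still names the old private/ keytab, and prints a corrected copy for review. The two paths are the ones quoted above; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which dns.keytab BIND9 is told to use.
OLD_KEYTAB=/var/lib/samba/private/dns.keytab    # legacy path from the thread
NEW_KEYTAB=/var/lib/samba/bind-dns/dns.keytab   # current path from the thread

# Print the last active tkey-gssapi-keytab path in a BIND options file.
# Lines starting with // or # do not match; /* */ blocks are not parsed.
configured_keytab() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]][[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Classify the file: current, legacy, other, or missing (option not set).
check_keytab() {
    path=$(configured_keytab "$1")
    case "$path" in
        "$NEW_KEYTAB") echo current ;;
        "$OLD_KEYTAB") echo legacy ;;
        "")            echo missing ;;
        *)             echo other ;;
    esac
}

# Print the file with the legacy path swapped for the current one.
# Writes to stdout only, so the result can be reviewed before it is installed.
rewrite_keytab() {
    sed "/^[[:space:]]*tkey-gssapi-keytab/s|\"$OLD_KEYTAB\"|\"$NEW_KEYTAB\"|" "$1"
}

# Constructed sample resembling a named.conf options block.
sample_conf() {
    cat <<'EOF'
options {
    directory "/var/cache/bind";
    // tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
EOF
}

# With a file argument, report on that file.
if [ $# -gt 0 ]; then
    check_keytab "$1"
fi
```

Run it with the path of the BIND options file as its only argument; a result of "legacy" means BIND is still reading the keytab left behind in private/.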