[Samba] dns_tkey_gssnegotiate: TKEY is unacceptable

Rowland penny rpenny at samba.org
Fri Jul 3 14:50:56 UTC 2020

On 03/07/2020 15:40, Robert E. Wooden via samba wrote:
> On 7/3/2020 9:31 AM, Rowland penny via samba wrote:
>> Does 'sudo rm -f /var/lib/samba/private/dns.keytab' give you any hint 
>> to which is the correct keytab ?
>> Rowland
> While waiting for your reply, I began checking my BIND9 setup.
> Having used many of Louis' "sed" strings instructions, one of those 
> strings directs "tkey-gssapi-keytab" to use 
> "/var/lib/samba/_private_/dns.keytab".
> Changed it to: "/var/lib/samba/_bind-dns_/dns.keytab" and the DC, a 
> few minutes ago, just finished updating properly.
> Thanks, our decision here pointed me to the correction needed.
> Now, I'll ask the obvious question. Why are there two "dns.keytab" 
> files? It is confusing.
I thought I explained that, but let's try again ;-)

Originally, Samba used /var/lib/samba/private for the dns.keytab and 
other dns files. This was then found to be possibly insecure, so it was 
decided to use /var/lib/samba/bind-dns instead. When you upgrade the 
Samba packages, the old files are not removed, but the new ones are 
created. You just need to make Bind9 etc use them.
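
A check for the situation described in this thread, as an added example that is not part of the original post or of Samba's own tooling: it reads a BIND9 options file and reports whether the active tkey-gssapi-keytab directive still points at the old /var/lib/samba/private directory. The function names and result labels are assumptions of this example, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: classify the tkey-gssapi-keytab setting in a BIND9 options file.
# The two directories are the ones named in the thread; function names and
# result labels are assumptions of this example.

LEGACY_DIR=/var/lib/samba/private
CURRENT_DIR=/var/lib/samba/bind-dns

# Print the path from the last uncommented tkey-gssapi-keytab directive.
# Handles // and # line comments; /* ... */ block comments are not handled.
keytab_path() {
    sed -n -e 's://.*$::' -e 's:#.*$::' \
        -e 's/.*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        tail -n 1
}

# Print one of: unreadable, missing, legacy, current, other.
check_tkey_keytab() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 0; }
    path=$(keytab_path "$conf")
    case "$path" in
        "")               echo "missing" ;;  # no active directive found
        "$LEGACY_DIR"/*)  echo "legacy"  ;;  # old location, left behind by upgrades
        "$CURRENT_DIR"/*) echo "current" ;;  # location the newer packages create
        *)                echo "other"   ;;  # some site-specific path
    esac
}

# Constructed sample: the legacy line is commented out, the new one is active.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
options {
    // tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
EOF
echo "sample config: $(check_tkey_keytab "$demo_conf")"
rm -f "$demo_conf"
```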

