[Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision

Matthew Schumacher matt.s at aptalaska.net
Fri Aug 5 19:51:56 UTC 2022


Hello all,

When trying to run samba_dnsupdate I get "dns_tkey_gssnegotiate: TKEY is 
unacceptable".  I see the webpage about this at 
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable 
and when verifying my keytab file I get a number of accounts:

klist -k /var/lib/samba/bind-dns/dns.keytab
Keytab name: FILE:/var/lib/samba/bind-dns/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    1 DNS/dc-2-wsll.ad.domain.net at AD.DOMAIN.NET
    1 dns-dc-2-wsll at AD.DOMAIN.NET
    1 DNS/dc-2-wsll.ad.domain.net at AD.DOMAIN.NET
    1 dns-dc-2-wsll at AD.DOMAIN.NET
    1 DNS/dc-2-wsll.ad.domain.net at AD.DOMAIN.NET
    1 dns-dc-2-wsll at AD.DOMAIN.NET

I decided I would clean up and try again, so I ran:

rm /usr/local/samba/private/dns.keytab
then
samba-tool user delete dns-dc-2-wsll

Which seems to work, as I get

Deleted user dns-dc-2-wsll

But then when I reset the dns settings with:

samba_upgradedns --dns-backend=BIND9_DLZ

I see:

Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/AD.DOMAIN.NET.zone (normal)
DNS partitions already exist
Adding dns-dc-2-wsll account
check_spn_alias_collision: trying to add SPN 
'DNS/dc-2-wsll.ad.domain.net' on 
'CN=dns-dc-2-wsll,CN=Users,DC=ad,DC=domain,DC=net' when 
'host/dc-2-wsll.ad.domain.net' is on 'CN=dc-2-wsll,OU=Domain 
Controllers,DC=ad,DC=domain,DC=net'
See /var/lib/samba/bind-dns/named.conf for an example configuration 
include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required 
for secure DNS updates
Finished upgrading DNS

I'm trying to figure out how to clean this up and reset DNS so I can get 
it to work.  Any ideas?

Matt
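The klist listing above shows each principal three times at KVNO 1, which is what a keytab looks like when it has been written to repeatedly rather than regenerated. Before deleting accounts, it helps to know whether the keytab is merely padded with duplicate rows or actually stale relative to the key version AD holds. The following script is an added diagnostic example (not part of the post, the wiki page, or Samba): it parses `klist -k` output, reports repeated rows, and, if the operator passes in the KVNO AD currently reports for the dns account (a hypothetical input; read it from the account's msDS-KeyVersionNumber with ldbsearch), flags principals whose keytab never reached that version. The sample output is constructed from the post's listing, with the archive's " at " rendering of "@" restored.

```python
"""Check a Samba dns.keytab listing for duplicate rows and KVNO drift.

Added diagnostic example, not code from the mailing-list post or Samba.
Usage: klist -k /var/lib/samba/bind-dns/dns.keytab | python3 check_keytab.py -
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample mirroring the listing in the post; the archive rendered
# "@" as " at ", which is restored here so principals parse as real names.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/var/lib/samba/bind-dns/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
   1 dns-dc-2-wsll@AD.DOMAIN.NET
   1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
   1 dns-dc-2-wsll@AD.DOMAIN.NET
   1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
   1 dns-dc-2-wsll@AD.DOMAIN.NET
"""

# One keytab row: a leading KVNO integer, then a principal containing "@".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist(text):
    """Return (kvno, principal) tuples, in listing order, from `klist -k` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def summarize(entries):
    """Per principal: how many rows it has and which distinct KVNOs appear."""
    counts = Counter(principal for _, principal in entries)
    kvnos = defaultdict(set)
    for kvno, principal in entries:
        kvnos[principal].add(kvno)
    return {p: {"count": counts[p], "kvnos": sorted(kvnos[p])} for p in counts}


def find_problems(entries, expected_kvno=None):
    """Return findings as strings.

    - identical (kvno, principal) rows repeated: the keytab was appended to
      more than once instead of being regenerated;
    - when expected_kvno is given (the version AD reports for the account,
      hypothetical operator input), principals whose keytab lacks that KVNO.
    Several distinct KVNOs for one principal is normal after key rotation and
    is not reported on its own.
    """
    problems = []
    for (kvno, principal), n in sorted(Counter(entries).items()):
        if n > 1:
            problems.append(f"duplicate: {principal} kvno {kvno} listed {n} times")
    if expected_kvno is not None:
        for principal, info in sorted(summarize(entries).items()):
            if expected_kvno not in info["kvnos"]:
                problems.append(
                    f"KVNO mismatch: {principal} has {info['kvnos']}, "
                    f"AD reports {expected_kvno}"
                )
    return problems


if __name__ == "__main__":
    # Pass "-" to read a real klist listing from stdin; otherwise use the sample.
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_KLIST_OUTPUT
    for finding in find_problems(parse_klist(text)) or ["no problems found"]:
        print(finding)
```

On the post's listing the script reports only duplicate rows, so the KVNO itself is not obviously wrong; whether it still matches AD is the second check, and that is the one the wiki page is about.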
