[Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision

Matthew Schumacher matt.s at aptalaska.net
Wed Aug 17 16:11:40 UTC 2022

On 8/10/22 9:29 AM, Matthew Schumacher via samba wrote:
> Appreciate the help Louis and Rowland.
> Here are a few more things I tried:
> Complete remove/cleanup/rejoin as above.
> Compiling bind with Heimdal Kerberos instead of MIT Kerberos (instead 
> of working, bind actually crashes with "name.c:664: require(((name1) 
> != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('d') << 
> 24 | ('n') << 16 | ('s') << 8 | ('n'))))) failed" when samba_dnsupdate 
> tries to update.)
> Moving from bind 9.16 to bind 9.18
> I guess I'll just give up and use
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
> But I do think there is a bug somewhere and I'm motivated to find it.  
> I wish I could get some debugging info out of 
> /usr/lib64/bind9/dlz_bind9_18.so, maybe I'll bark up that tree for a bit.
> Matt

So, I updated the dns update command as above in smb.conf and have been 
demoting some old Windows servers, but they are not cleaning up their 
DNS records when done. Does Windows use Kerberos tickets to remove DNS 
records? If so, then that is a significant con to using the command 
above, as other Windows machines won't be able to make DNS changes.

