Thanks for the reply Andrew. I had made sure the keytab was accessible to bind but it still failed. Looked like it was an SPN issue.
samba_dnsupdate tried to use DNS/[email protected] (not DNS/[email protected]). Using samba-tool, when I added an SPN for DNS/host to the dns-host user and exported the keytab to dns.keytab, bind accepted the TKEY. I am wondering what caused samba_dnsupdate to use the DNS/host SPN instead of the DNS/host.domain.local SPN.

Regards,
Tushar

On Tue, Dec 11, 2012 at 7:03 PM, Andrew Dumaresq <[email protected]> wrote:
> This probably means that bind can't read your dns keytab file
>
> make sure you have
> tkey-gssapi-keytab "/path to/dns.keytab"; in the options section of
> your bind config
>
> Then make sure it's readable by the bind user. You might start by making
> the file 666 and then sort it out later; in my case I set it chmod 600
> and chown it to the user bind, which is way more secure.
>
> also your dns.keytab file should have a lot of entries in it:
>
> klist -k /usr/local/samba/private/dns.keytab
> Keytab name: FILE:/usr/local/samba/private/dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 DNS/[email protected]
> 1 [email protected]
> 1 DNS/[email protected]
> 1 [email protected]
> 1 DNS/[email protected]
> 1 [email protected]
> 1 DNS/[email protected]
> 1 [email protected]
> 1 DNS/[email protected]
> 1 [email protected]
>
> On Sun, Dec 9, 2012 at 3:52 PM, Tushar Dalvi <[email protected]> wrote:
> > Hi,
> >
> > I am trying to run samba with bind_dlz (bind-9.9.1 - P1) on a multi-homed
> > network. I have configured the setup as per Samba4 Howto.
> > But when I try to do "samba_dnsupdate --all-names" it fails with error:
> > dns_tkey_negotiategss: TKEY is unacceptable
> >
> > The kerberos ticket being used by samba_dnsupdate shows the following
> > principals:
> > klist -c /tmp/tmp6cxfgY
> > Ticket cache: FILE:/tmp/tmp6cxfgY
> > Default principal: [email protected]
> > Service principal
> > krbtgt/BOM.MH.IN
> > DNS/[email protected]
> >
> > Whereas the dns.keytab shows the following principals (repeated for multiple
> > encryption algorithms):
> > klist -k private/dns.keytab
> > DNS/[email protected]
> > [email protected]
> >
> > Wireshark shows that samba_dnsupdate requests a TGS-REQ for
> > DNS/[email protected]
> >
> > I retried this with samba's internal DNS and there samba_dnsupdate
> > requests DNS/[email protected]. In the case of the internal server
> > the ticket cache shows up like:
> > Service principal
> > krbtgt/BOM.MH.IN
> > DNS/[email protected]
> >
> > As the principal being used by samba_dnsupdate in the case of Bind doesn't
> > contain the domain name at its end, can this be the reason for the TKEY failure?
> > Why is there a difference in the principal names requested by
> > samba_dnsupdate in the case of Bind and Internal DNS?
> >
> > PS: I couldn't go ahead with samba's internal DNS because there I got a TSIG
> > verify failure, as already posted here:
> > http://permalink.gmane.org/gmane.network.samba.general/127722
> >
> > Thank you folks for the awesome work!
> >
> > Regards,
> > Tushar
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
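The SPN mismatch discussed in this thread (a service ticket for DNS/host@REALM while the keytab only holds DNS/host.domain@REALM) can be spotted from the keytab listing before bind ever sees a TKEY. The following is an added example, not code from the thread or from Samba; it parses klist -k style output (a constructed sample with placeholder host and realm names) and reports whether the SPN the client asked for is actually in the keytab or only a short-name/FQDN variant of it.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the klist -k output quoted in the thread.
# Host, domain and realm names are placeholders, not values from the list.
KEYTAB_LISTING = """\
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- ------------------------------------------------------------------
   1 DNS/dc1.example.local@EXAMPLE.LOCAL
   1 dc1$@EXAMPLE.LOCAL
   2 DNS/dc1.example.local@EXAMPLE.LOCAL
   2 dc1$@EXAMPLE.LOCAL
"""

# One keytab entry per line: a numeric KVNO followed by the principal.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_keytab_listing(text: str) -> List[Tuple[int, str]]:
    """Return (kvno, principal) pairs from klist -k style output,
    skipping the 'Keytab name', header and separator lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def keytab_has_principal(entries: List[Tuple[int, str]], principal: str) -> bool:
    """True if any entry (any KVNO or enctype) is keyed for this principal."""
    return any(p == principal for _, p in entries)


def diagnose_tkey(entries: List[Tuple[int, str]], requested_spn: str, realm: str) -> str:
    """Say whether a GSS-TSIG TKEY presented for requested_spn could be
    accepted by a server holding these keytab entries. A ticket for
    DNS/host@REALM cannot be decrypted with a DNS/host.domain@REALM key,
    so a short-name/FQDN mismatch is reported separately from a plain
    missing principal."""
    if keytab_has_principal(entries, requested_spn):
        return "ok: keytab holds a key for " + requested_spn
    service, _, rest = requested_spn.partition("/")
    host = rest.split("@", 1)[0]
    for _, cand in entries:
        if not (cand.startswith(service + "/") and cand.endswith("@" + realm)):
            continue
        cand_host = cand.split("/", 1)[1].split("@", 1)[0]
        if cand_host.split(".", 1)[0] == host.split(".", 1)[0]:
            return ("mismatch: client requested %s but keytab holds %s "
                    "(short-name vs FQDN SPN)" % (requested_spn, cand))
    return "missing: no %s key in keytab" % requested_spn
```

Run it against the real `klist -k /path/to/dns.keytab` output and the service principal shown by `klist -c` on the updating host to see which of the three cases applies.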
