Probably the way you do reverse DNS lookups, but I couldn't say for sure....
Krb is very dependent on DNS, both forward and reverse.

On Wed, Dec 12, 2012 at 9:16 PM, Tushar Dalvi <[email protected]> wrote:
> Thanks for the reply Andrew.
> I had made sure the keytab was accessible to bind but it still failed.
> Looked like it was an SPN issue.
>
> samba_dnsupdate tried to use DNS/[email protected] (not
> DNS/[email protected]).
> Using samba-tool, when I added an SPN for DNS/host to the dns-host user and
> exported the keytab to dns.keytab, then bind accepted the TKEY.
> I am wondering what caused samba_dnsupdate to use DNS/host instead of the
> DNS/host.domain.local SPN.
>
> Regards,
> Tushar
>
>
> On Tue, Dec 11, 2012 at 7:03 PM, Andrew Dumaresq <[email protected]> wrote:
>>
>> This probably means that bind can't read your dns keytab file.
>>
>> Make sure you have
>> tkey-gssapi-keytab "/path to/dns.keytab"; in the options section of
>> your bind config.
>>
>> Then make sure it's readable by the bind user. You might start by making
>> the file 666 and then sort it out later; in my case I set it chmod 600
>> and chown it to the user bind, which is way more secure.
>>
>> Also your dns.keytab file should have a lot of entries in it:
>>
>> klist -k /usr/local/samba/private/dns.keytab
>> Keytab name: FILE:/usr/local/samba/private/dns.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    1 DNS/[email protected]
>>    1 [email protected]
>>    1 DNS/[email protected]
>>    1 [email protected]
>>    1 DNS/[email protected]
>>    1 [email protected]
>>    1 DNS/[email protected]
>>    1 [email protected]
>>    1 DNS/[email protected]
>>    1 [email protected]
>>
>>
>>
>> On Sun, Dec 9, 2012 at 3:52 PM, Tushar Dalvi <[email protected]> wrote:
>> > Hi,
>> >
>> > I am trying to run samba with bind_dlz (bind-9.9.1-P1) on a multi-homed
>> > network. I have configured the setup as per the Samba4 Howto.
>> > But when I try to do "samba_dnsupdate --all-names" it fails with error:
>> > dns_tkey_negotiategss: TKEY is unacceptable
>> >
>> > The kerberos ticket being used by samba_dnsupdate shows the following
>> > principals:
>> > klist -c /tmp/tmp6cxfgY
>> > Ticket cache: FILE:/tmp/tmp6cxfgY
>> > Default principal: [email protected]
>> > Service principal
>> > krbtgt/BOM.MH.IN
>> > DNS/[email protected]
>> >
>> > Whereas the dns.keytab shows the following principals (repeated for multiple
>> > encryption algorithms):
>> > klist -k private/dns.keytab:
>> > DNS/[email protected]
>> > [email protected]
>> >
>> > Wireshark shows that samba_dnsupdate requests a TGS-REQ for
>> > DNS/[email protected]
>> >
>> > I retried this with samba's internal DNS and there samba_dnsupdate
>> > requests DNS/[email protected]. In the case of the internal server
>> > the ticket cache shows up like:
>> > Service principal
>> > krbtgt/BOM.MH.IN
>> > DNS/[email protected]
>> >
>> > As the principal being used by samba_dnsupdate in the case of Bind doesn't
>> > contain the domain name at its end, can this be the reason for the TKEY failure?
>> > Why is there a difference in the principal names requested by
>> > samba_dnsupdate in the case of Bind and the internal DNS?
>> >
>> > PS: I couldn't go ahead with samba's internal DNS because there I got a TSIG
>> > verify failure, as already posted here:
>> > http://permalink.gmane.org/gmane.network.samba.general/127722
>> >
>> > Thank you folks for the awesome work!
>> >
>> > Regards,
>> > Tushar
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions: https://lists.samba.org/mailman/options/samba
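An added check script, not from any of the messages above and not part of Samba or BIND: it parses `klist -k` output to confirm that the full DNS/<fqdn>@REALM principal Andrew's listing shows is present, flags short-name DNS/host@REALM entries of the kind Tushar's samba_dnsupdate requested, and verifies that the keytab carries the mode 600 Andrew recommends. The host dc1.example.com, the realm EXAMPLE.COM and the klist sample are constructed stand-ins for the redacted names in the thread; the keytab path /usr/local/samba/private/dns.keytab is taken from the thread, and the MIT-style `klist -k FILE` invocation is an assumption.

```shell
#!/bin/sh
# Added example: sanity checks for a BIND tkey-gssapi-keytab. Not from the
# thread, Samba or BIND. Host/realm below are invented (constructed sample).

# Constructed `klist -k` listing, modelled on the thread's output. The third
# entry reproduces the short-name SPN (DNS/host rather than DNS/host.domain)
# that the thread describes.
SAMPLE_KLIST='Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc1.example.com@EXAMPLE.COM
   1 dns-dc1@EXAMPLE.COM
   1 DNS/dc1@EXAMPLE.COM'

# keytab_principals: read klist -k output on stdin, print only the principal
# column of entry lines (those whose first field is a numeric KVNO).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# has_dns_spn FQDN REALM: succeed iff DNS/FQDN@REALM appears in the listing
# on stdin. This is the principal samba_dnsupdate asks the KDC for and BIND
# must be able to decrypt for the TKEY negotiation to be accepted.
has_dns_spn() {
    keytab_principals | grep -qx "DNS/$1@$2"
}

# short_dns_spns: print DNS/ principals whose host part contains no dot,
# i.e. DNS/host@REALM instead of DNS/host.domain.tld@REALM.
short_dns_spns() {
    keytab_principals | awk -F'[/@]' '$1 == "DNS" && $2 !~ /\./ { print }'
}

# keytab_mode_ok FILE: succeed iff FILE grants no group/other permissions
# (chmod 600). Parsed from ls -l so it behaves the same on GNU and BSD.
keytab_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

main() {
    echo "== constructed sample =="
    if echo "$SAMPLE_KLIST" | has_dns_spn dc1.example.com EXAMPLE.COM; then
        echo "ok:   DNS/dc1.example.com@EXAMPLE.COM present"
    else
        echo "FAIL: full-FQDN DNS SPN missing from keytab"
    fi
    short=$(echo "$SAMPLE_KLIST" | short_dns_spns)
    if [ -n "$short" ]; then
        echo "warn: short-name DNS SPN(s) present: $short"
    fi

    # Assumed real keytab path (from the thread) and MIT klist; skipped when absent.
    kt=/usr/local/samba/private/dns.keytab
    if [ -f "$kt" ] && command -v klist >/dev/null 2>&1; then
        echo "== $kt =="
        keytab_mode_ok "$kt" || echo "warn: $kt readable by group/others; chmod 600 + chown bind"
        fqdn=$(hostname -f 2>/dev/null || hostname)
        realm=$(klist -k "$kt" | keytab_principals | sed -n 's/.*@//p' | head -n 1)
        klist -k "$kt" | has_dns_spn "$fqdn" "$realm" \
            || echo "FAIL: DNS/$fqdn@$realm not in $kt"
    fi
}

main
```

Run it as the user that starts named so the readability check reflects what BIND actually sees; a keytab that passes the SPN check but is unreadable by that user still yields "TKEY is unacceptable".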
