Thanks for the reply, Andrew.
I had made sure the keytab was accessible to bind, but it still failed.
Looked like it was an SPN issue.
samba_dnsupdate tried to use DNS/host@DOMAIN.LOCAL (not
DNS/host.domain.local@DOMAIN.LOCAL).
Using samba-tool, when I added an SPN for DNS/host to the dns-host user and
exported the keytab to dns.keytab, bind accepted the TKEY.
I am wondering what caused samba_dnsupdate to use the DNS/host SPN instead of
DNS/host.domain.local.
Regards,
Tushar
On Tue, Dec 11, 2012 at 7:03 PM, Andrew Dumaresq dumar...@gmail.com wrote:
This probably means that bind can't read your DNS keytab file.
Make sure you have
tkey-gssapi-keytab /path to/dns.keytab; in the options section of
your bind config.
Then make sure it's readable by the bind user. You might start by making
the file 666 and then sort it out later; in my case I set it chmod 600
and chown it to the user bind, which is way more secure.
Also, your dns.keytab file should have a lot of entries in it:
klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
--
1 DNS/host.domain.local@DOMAIN.LOCAL
1 dns-host@DOMAIN.LOCAL
1 DNS/host.domain.local@DOMAIN.LOCAL
1 dns-host@DOMAIN.LOCAL
1 DNS/host.domain.local@DOMAIN.LOCAL
1 dns-host@DOMAIN.LOCAL
1 DNS/host.domain.local@DOMAIN.LOCAL
1 dns-host@DOMAIN.LOCAL
1 DNS/host.domain.local@DOMAIN.LOCAL
1 dns-host@DOMAIN.LOCAL
On Sun, Dec 9, 2012 at 3:52 PM, Tushar Dalvi
tushar.dalvi.sa...@gmail.com wrote:
Hi,
I am trying to run samba with bind_dlz (bind-9.9.1-P1) on a multi-homed
network. I have configured the setup as per the Samba4 Howto.
But when I try to do samba_dnsupdate --all-names, it fails with the error:
dns_tkey_negotiategss: TKEY is unacceptable
The Kerberos ticket being used by samba_dnsupdate shows the following
principals:
klist -c /tmp/tmp6cxfgY
Ticket cache: FILE:/tmp/tmp6cxfgY
Default principal: DB-SERVER$@BOM.MH.IN
Service principal
krbtgt/BOM.MH.IN
DNS/db-ser...@bom.mh.in
Whereas the dns.keytab shows the following principals (repeated for multiple
encryption algorithms):
klist -k private/dns.keytab:
DNS/db-server.bom.mh...@bom.mh.in
dns-db-ser...@bom.mh.in
Wireshark shows that samba_dnsupdate requests a TGS-REQ for
DNS/db-ser...@bom.mh.in
I retried this with samba's internal DNS, and there samba_dnsupdate
requests DNS/db-server.bom.mh...@bom.mh.in. In the case of the internal
server, the ticket cache shows up like:
Service principal
krbtgt/BOM.MH.IN
DNS/db-server.bom.mh...@bom.mh.in
As the principal being used by samba_dnsupdate in the case of Bind doesn't
contain the domain name at its end, can this be the reason for the TKEY failure?
Why is there a difference in the principal names requested by
samba_dnsupdate in the case of Bind and internal DNS?
PS: I couldn't go ahead with samba's internal DNS because there I got a
TSIG verify failure, as already posted here:
http://permalink.gmane.org/gmane.network.samba.general/127722
Thank you folks for the awesome work!
Regards,
Tushar
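A small check for the mismatch described in this thread, added here as an example and not code from the thread or from Samba: it reads `klist -k` output from the server keytab and `klist -c` output from the client's ticket cache and reports any requested service principal the keytab does not contain, and separately tells a short-host SPN (DNS/host@REALM) from a fully qualified one (DNS/host.domain.local@REALM). The two listings embedded below are constructed to mirror the ones quoted above; the keytab and cache paths in the comment are the ones the thread mentions.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose a TKEY failure caused by the
# client asking for a service principal that the server's keytab does not hold.

# Constructed sample of `klist -k /usr/local/samba/private/dns.keytab`.
SAMPLE_KEYTAB='Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/host.domain.local@DOMAIN.LOCAL
   1 dns-host@DOMAIN.LOCAL'

# Constructed sample of `klist -c /tmp/tmp6cxfgY` showing the short-name SPN.
SAMPLE_CCACHE='Ticket cache: FILE:/tmp/tmp6cxfgY
Default principal: HOST$@DOMAIN.LOCAL

Valid starting     Expires            Service principal
12/11/12 19:03:00  12/12/12 05:03:00  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
12/11/12 19:03:01  12/12/12 05:03:00  DNS/host@DOMAIN.LOCAL'

# Same cache, but with the fully qualified SPN the keytab actually contains.
SAMPLE_CCACHE_OK='Ticket cache: FILE:/tmp/tmp6cxfgY
Default principal: HOST$@DOMAIN.LOCAL

Valid starting     Expires            Service principal
12/11/12 19:03:00  12/12/12 05:03:00  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
12/11/12 19:03:01  12/12/12 05:03:00  DNS/host.domain.local@DOMAIN.LOCAL'

# Print one principal per line from `klist -k` text (rows that start with a KVNO).
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Print the service principals from `klist -c` text, skipping the TGT entry.
ccache_service_principals() {
    printf '%s\n' "$1" | awk '
        /Service principal/ { in_table = 1; next }
        in_table && NF && $NF !~ /^krbtgt\// { print $NF }'
}

# Print every requested service principal that the keytab lacks.
# Returns 1 if anything is missing, 0 if the keytab covers all of them.
missing_from_keytab() {
    keytab_text=$1
    ccache_text=$2
    rc=0
    for spn in $(ccache_service_principals "$ccache_text"); do
        if ! keytab_principals "$keytab_text" | grep -qxF "$spn"; then
            printf '%s\n' "$spn"
            rc=1
        fi
    done
    return $rc
}

# True when the host part of a service/host@REALM principal contains a dot,
# i.e. it is the fully qualified form rather than the bare host name.
is_fqdn_spn() {
    host=${1#*/}      # strip the "DNS/" service prefix
    host=${host%@*}   # strip the "@REALM" suffix
    case $host in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone demo on the constructed listings. On a real server, replace the
# samples with:  "$(klist -k /usr/local/samba/private/dns.keytab)" and
# "$(klist -c /tmp/tmp6cxfgY)".
if missing_from_keytab "$SAMPLE_KEYTAB" "$SAMPLE_CCACHE"; then
    echo "keytab covers every requested service principal"
else
    echo "the principal(s) above are requested by the client but absent from the keytab"
fi
for spn in $(ccache_service_principals "$SAMPLE_CCACHE"); do
    if is_fqdn_spn "$spn"; then
        echo "$spn: fully qualified"
    else
        echo "$spn: short host name, will not match a DNS/fqdn@REALM keytab entry"
    fi
done
```

Running it on the constructed input reports DNS/host@DOMAIN.LOCAL as missing and flags it as a short host name, which is the situation in the thread: the keytab held only the fully qualified entry until the extra SPN was added and the keytab re-exported.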
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba