Re: [Samba] Fwd: samba_dnsupdate principal and TKEY unacceptable

2012-12-13 Thread Andrew Dumaresq
Probably the way you do reverse DNS lookups, but I couldn't say for sure.

Krb is very dependent on DNS both forward and reverse.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Fwd: samba_dnsupdate principal and TKEY unacceptable

2012-12-12 Thread Tushar Dalvi
Thanks for the reply Andrew.
I had made sure the keytab was accessible to bind but it still failed.
Looked like it was an SPN issue.

samba_dnsupdate tried to use DNS/host@DOMAIN.LOCAL (not
DNS/host.domain.local@DOMAIN.LOCAL).
Using samba-tool, when I added an SPN for DNS/host to the dns-host user and
exported the keytab to dns.keytab, bind accepted the TKEY.
I am wondering what caused samba_dnsupdate to use DNS/host instead of the
DNS/host.domain.local SPN.

Regards,
Tushar




Re: [Samba] Fwd: samba_dnsupdate principal and TKEY unacceptable

2012-12-11 Thread Andrew Dumaresq
This probably means that bind can't read your dns keytab file.

Make sure you have
tkey-gssapi-keytab /path to/dns.keytab; in the options section of
your bind config.

Then make sure it's readable by the bind user. You might start by making
the file 666 and then sort it out later; in my case I set it chmod 600
and chown it to the user bind, which is way more secure.

Also, your dns.keytab file should have a lot of entries in it:

 klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/host.domain.local@DOMAIN.LOCAL
   1 dns-host@DOMAIN.LOCAL
   1 DNS/host.domain.local@DOMAIN.LOCAL
   1 dns-host@DOMAIN.LOCAL
   1 DNS/host.domain.local@DOMAIN.LOCAL
   1 dns-host@DOMAIN.LOCAL
   1 DNS/host.domain.local@DOMAIN.LOCAL
   1 dns-host@DOMAIN.LOCAL
   1 DNS/host.domain.local@DOMAIN.LOCAL
   1 dns-host@DOMAIN.LOCAL




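The three things the replies in this thread come down to, as an added POSIX sh example that is not code from the thread, Samba or BIND: is the tkey-gssapi-keytab line present in the options section of named.conf, is dns.keytab private to the bind user (0600 rather than a temporary 666), and does the keytab actually contain the DNS/<fqdn>@REALM principal that samba_dnsupdate requests (Tushar's finding was that the request went out as DNS/host@REALM, which no keytab entry matched until he added that SPN). The keytab path, the "bind" user name and the REALM/NAMED_CONF/KEYTAB variables are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread, Samba or BIND): checks for the
# GSS-TSIG setup discussed above. The keytab path, the "bind" user name and
# the REALM/NAMED_CONF/KEYTAB variables are assumptions.

# 1. Does the options section of named.conf point at the keytab? BIND wants
#    the path quoted: tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
has_tkey_keytab() {
    grep -Eq '^[[:space:]]*tkey-gssapi-keytab[[:space:]]+"[^"]+"[[:space:]]*;' "$1"
}

# 2. Is the keytab private to the named service user (mode 0600, owned by it)
#    instead of the temporary world-readable 666?
#    Usage: keytab_private /usr/local/samba/private/dns.keytab bind
keytab_private() {
    path=$1 owner=$2
    [ -f "$path" ] || return 1
    set -- $(ls -ld "$path")               # fields: mode links owner group ...
    case $1 in -rw-------*) ;; *) return 1 ;; esac   # "*" tolerates an ACL/SELinux suffix
    [ "$3" = "$owner" ]
}

# 3. Does a "klist -k" listing on stdin contain the principal samba_dnsupdate
#    needs, DNS/<fqdn>@REALM? In the thread the request went out as
#    DNS/host@REALM, which the keytab did not hold, and bind rejected the TKEY.
#    Usage: klist -k dns.keytab | has_dns_principal host.domain.local DOMAIN.LOCAL
has_dns_principal() {
    awk -v want="DNS/$1@$2" '$2 == want { found = 1 } END { exit !found }'
}

# Stand-alone run: REALM=DOMAIN.LOCAL sh check-dns-keytab.sh --check
if [ "${1:-}" = "--check" ]; then
    keytab=${KEYTAB:-/usr/local/samba/private/dns.keytab}
    fqdn=$(hostname -f)
    has_tkey_keytab "${NAMED_CONF:-/etc/named.conf}" || echo "no tkey-gssapi-keytab line in named.conf"
    keytab_private "$keytab" "${BIND_USER:-bind}"    || echo "$keytab is not mode 0600 owned by bind"
    klist -k "$keytab" | has_dns_principal "$fqdn" "${REALM:?set REALM, e.g. DOMAIN.LOCAL}" \
        || echo "no DNS/$fqdn@$REALM entry in $keytab"
fi
```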

[Samba] Fwd: samba_dnsupdate principal and TKEY unacceptable

2012-12-09 Thread Tushar Dalvi
Hi,

I am trying to run samba with bind_dlz (bind-9.9.1 - P1) on a multi-homed
network. I have configured the setup as per Samba4 Howto.
But when I try to do samba_dnsupdate --all-names it fails with the error:
dns_tkey_negotiategss: TKEY is unacceptable

The Kerberos ticket being used by samba_dnsupdate shows the following
principals:
 klist -c /tmp/tmp6cxfgY
Ticket cache: FILE:/tmp/tmp6cxfgY
Default principal: DB-SERVER$@BOM.MH.IN
Service principal
krbtgt/BOM.MH.IN
DNS/db-ser...@bom.mh.in

Whereas the dns.keytab shows the following principals (repeated for multiple
encryption algorithms):
klist -k private/dns.keytab:
DNS/db-server.bom.mh...@bom.mh.in
dns-db-ser...@bom.mh.in

Wireshark shows that samba_dnsupdate requests TGS-REQ for DNS/
db-ser...@bom.mh.in

I retried this thing with samba's internal DNS and there samba_dnsupdate
requests for DNS/db-server.bom.mh...@bom.mh.in. In case of internal server
the ticket cache shows up like:
Service principal
krbtgt/BOM.MH.IN
DNS/db-server.bom.mh...@bom.mh.in

As the principal being used by samba_dnsupdate in case of Bind doesn't
contain domain name at its end, can this be the reason for Tkey failure?
Why is there a difference in the principal names requested by
samba_dnsupdate in case of Bind and Internal DNS?

PS: I couldn't go ahead with samba's internal DNS because there I got Tsig
verify failure as already posted here:
http://permalink.gmane.org/gmane.network.samba.general/127722

Thank you folks for the awesome work!

Regards,
Tushar