Samba 4.1.1 using BIND_DLZ (bind-9.9.1-0.1.P2) on CentOS 6.5 x86_64.
I have two domain controllers, dc-1 and dc-2, which each have three
network interfaces. SELinux is in permissive mode, and iptables is off.

One interface on each dc is to be shut down. So, on dc-1, I do:

    # nsupdate -g
    update delete europa.icse.cornell.edu A 192.168.3.250
    update delete europa.icse.cornell.edu A 192.168.3.251
    send

and this works, as confirmed by "nslookup europa.icse.cornell.edu". The
same nsupdate operation on dc-2 fails with:

    dns_tkey_negotiategss: TKEY is unacceptable

I have verified that named.conf is the same on both nodes; I am using

    tkey-gssapi-keytab "/usr/local/samba/europa/private/dns.keytab";

and the named user can read the keytabs with no issue (permissions and
ownerships are correct). The keytabs themselves appear fine:

    dc-1 # klist -k dns.keytab
       1 DNS/dc-1.europa.icse.cornell.edu@EUROPA.ICSE.CORNELL.EDU
       1 dns-dc-1@EUROPA.ICSE.CORNELL.EDU
    ...

    dc-2 # klist -k dns.keytab
       1 DNS/dc-2.europa.icse.cornell.edu@EUROPA.ICSE.CORNELL.EDU
       1 dns-DC-2@EUROPA.ICSE.CORNELL.EDU
    ...

which are similar except for the uppercase DC-2 in the second sample.

This was originally set up with Samba 4.0.3, when nsupdate worked on both
nodes, but since the upgrade to 4.1.1, nsupdate (and also samba_dnsupdate)
work on dc-1 but not on dc-2. Everything else samba-related seems to work
fine.

I've compared the setup on both nodes until I am blue in the face, and
they appear equivalent. I've also read many articles with a similar
problem, but have found no solutions.

Could use a clue! TIA,

Steve
--
----------------------------------------------------------------------------
Steve Thompson E-mail: smt AT vgersoft DOT com
Voyager Software LLC Web: http://www DOT vgersoft DOT com
39 Smugglers Path VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
"186,282 miles per second: it's not just a good idea, it's the
law"
----------------------------------------------------------------------------