samba - Oct 2019 - dns_tkey_negotiategss: TKEY is unacceptable

I found another reason for this error: dns_tkey_negotiategss: TKEY is
unacceptable

After much head scratching it was due to the Apparmour configuration recommended
in the WiKi at:
https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration

The section for Apparmor which recommends adding lines to
/etc/apparmor.d/local/usr.sbin.named, I had to change the line:
from:
	/usr/local/samba/private/dns.keytab r,

to:

	/usr/local/samba/private/dns.keytab rk,

ie add the 'k' to allow file to be locked.

Once I did that dns updates worked correctly.

Also the above WiKi page needs to be updated to reflect the change of location
of these files for later samba versions:  ie
/usr/local/samba/bind-dns/*.* etc.

Hopefully this  will help others with this error.

Regards,
Roy

On 23/10/2019 15:29, Roy Eastwood via samba wrote:
> I found another reason for this error: dns_tkey_negotiategss: TKEY is
unacceptable
>
> After much head scratching it was due to the Apparmour configuration
recommended in the WiKi at:
> https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
>
> The section for Apparmor which recommends adding lines to
/etc/apparmor.d/local/usr.sbin.named, I had to change the line:
> from:
> 	/usr/local/samba/private/dns.keytab r,
>
> to:
>
> 	/usr/local/samba/private/dns.keytab rk,
>
> ie add the 'k' to allow file to be locked.
>
> Once I did that dns updates worked correctly.
>
> Also the above WiKi page needs to be updated to reflect the change of
location of these files for later samba versions:  ie
> /usr/local/samba/bind-dns/*.* etc.
>
> Hopefully this  will help others with this error.
>
> Regards,
> Roy
>
>
>
>
Wiki updated, thanks for pointing this out ;-)

Rowland