Robert E. Wooden
2020-Jul-03 14:07 UTC
[Samba] dns_tkey_gssnegotiate: TKEY is unacceptable
On 7/3/2020 8:58 AM, Rowland penny via samba wrote:
> Please do not use '127.0.0.1' as a nameserver, use the DC's ipaddress
> instead.

I have corrected this as you have suggested.

> You might be looking at the wrong keytab, do you have:
>
> /var/lib/samba/bind-dns/dns.keytab
>
> Rowland

Yes, I do (why two dns.keytab . . . a question for later) have /var/lib/samba/bind-dns/dns.keytab.

Delete and re-generate that one?

--
Bob Wooden
On 03/07/2020 15:07, Robert E. Wooden via samba wrote:
> On 7/3/2020 8:58 AM, Rowland penny via samba wrote:
>> Please do not use '127.0.0.1' as a nameserver, use the DC's ipaddress
>> instead.
>
> I have corrected this as you have suggested.
>
>> You might be looking at the wrong keytab, do you have:
>>
>> /var/lib/samba/bind-dns/dns.keytab
>>
>> Rowland
>
> Yes, I do (why two dns.keytab . . . a question for later) have
> /var/lib/samba/bind-dns/dns.keytab.

No, might as well tell you now, it's relevant. Samba moved the keytab to the 'bind-dns' directory some time ago, so you should be using the keytab in the bind-dns directory, which will mean altering the named.conf files if you are using Bind9.

> Delete and re-generate that one?

Depends, are you actually using the correct keytab?

Rowland
Robert E. Wooden
2020-Jul-03 14:24 UTC
[Samba] dns_tkey_gssnegotiate: TKEY is unacceptable
On 7/3/2020 9:15 AM, Rowland penny via samba wrote:
> No, might as well tell you now, it's relevant. Samba moved the keytab
> to the 'bind-dns' directory some time ago, so you should be using the
> keytab in the bind-dns directory, which will mean altering the
> named.conf files if you are using Bind9

Yes, I saw that during setup. I had to "think thru" Louis' instructions, to test, locate and make sure I was using the correct "dns.keytab" for the BIND9_DLZ setup.

> Depends, are you actually using the correct keytab ?
>
> Rowland

Apparently, I missed this. So, I am not sure what to change to correct?

Any explanation you could provide would clarify this for me?

(FYI, Debian 10 with Samba 4.12.3)

--
Bob Wooden
L.P.H. van Belle
2020-Jul-03 14:38 UTC
[Samba] dns_tkey_gssnegotiate: TKEY is unacceptable
Stop samba

Move the bind content to the bind-dns folder

/var/lib/samba/bind-dns# ls -al
total 28
drwxrwx---  3 root bind 4096 May 25 14:16 .
drwxr-xr-x 10 root root 4096 Jun 29 07:47 ..
drwxrwx---  3 root bind 4096 Aug  7  2019 dns
-rw-r-----  2 root bind  877 Aug  7  2019 dns.keytab
-rw-r--r--  1 root root  883 Aug  7  2019 named.conf
-r--r--r--  1 root root  312 Aug  7  2019 named.conf.update
-rw-r--r--  1 root root 2092 Aug  7  2019 named.txt

Adjust: named.conf.local / adding the dlopen (Bind DLZ) module for samba.

include "/var/lib/samba/bind-dns/named.conf";

I think that was it.
Verify rights on files and folders but if you move it should be the same.

Start samba, check again, oh wait.. ..

/etc/resolv.conf
nameserver 127.0.0.1   < and change that one to the server its OWN ip, not localhost.

nameserver 192.168.16.52
search ad.samdom.example.com

Clear logs,
Reboot, check again.

Did that work?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Robert E. Wooden via samba
> Sent: Friday, 3 July 2020 16:25
> To: samba at lists.samba.org
> Subject: Re: [Samba] dns_tkey_gssnegotiate: TKEY is unacceptable
> Importance: High
>
> On 7/3/2020 9:15 AM, Rowland penny via samba wrote:
> > No, might as well tell you now, it's relevant. Samba moved the keytab
> > to the 'bind-dns' directory some time ago, so you should be using the
> > keytab in the bind-dns directory, which will mean altering the
> > named.conf files if you are using Bind9
>
> Yes, I saw that during setup. I had to "think thru" Louis' instructions,
> to test, locate and make sure I was using the correct "dns.keytab" for
> the BIND9_DLZ setup.
>
> > Depends, are you actually using the correct keytab ?
> >
> > Rowland
>
> Apparently, I missed this. So, I am not sure what to change to correct?
>
> Any explanation you could provide would clarify this for me?
>
> (FYI, Debian 10 with Samba 4.12.3)
>
> --
> Bob Wooden
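The checks suggested across the replies above (which keytab BIND is pointed at, the include of the bind-dns named.conf, access rights on the keytab, and a non-loopback nameserver in resolv.conf) can be run as one read-only script. This is an added example, not code from any poster in this thread or from the Samba project. It assumes the keytab is set with BIND's `tkey-gssapi-keytab` option in /etc/bind/named.conf.options (assumed Debian default path), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): read-only checks for the settings the
# replies ask to verify. Each function takes the file to inspect as $1.

EXPECTED_KEYTAB="/var/lib/samba/bind-dns/dns.keytab"   # path given in the thread
EXPECTED_INCLUDE="/var/lib/samba/bind-dns/named.conf"  # include line from the thread

# Print the keytab path BIND is configured with (tkey-gssapi-keytab "...";).
configured_keytab() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeeds only if BIND points at the keytab in the bind-dns directory.
check_keytab_path() {
    [ "$(configured_keytab "$1")" = "$EXPECTED_KEYTAB" ]
}

# Succeeds only if an uncommented include of the Samba DLZ config is present.
check_dlz_include() {
    grep -Eq "^[[:space:]]*include[[:space:]]+\"$EXPECTED_INCLUDE\"[[:space:]]*;" "$1"
}

# Succeeds only if no nameserver entry is a loopback address.
check_resolver() {
    ! grep -Eq '^[[:space:]]*nameserver[[:space:]]+(127\.|::1)' "$1"
}

# Succeeds only if "other" has no access to the keytab (-rw-r----- in the listing).
check_keytab_mode() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c8-10)" = "---" ]
}

# Run every check against the live files. The /etc/bind paths are assumed
# Debian defaults; adjust them if your named.conf files live elsewhere.
run_all() {
    rc=0
    check_keytab_path /etc/bind/named.conf.options || { echo "FAIL: tkey-gssapi-keytab is not $EXPECTED_KEYTAB"; rc=1; }
    check_dlz_include /etc/bind/named.conf.local   || { echo "FAIL: missing include of $EXPECTED_INCLUDE"; rc=1; }
    check_resolver /etc/resolv.conf                || { echo "FAIL: resolv.conf uses a loopback nameserver"; rc=1; }
    check_keytab_mode "$EXPECTED_KEYTAB"           || { echo "FAIL: keytab missing or accessible to others"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then run_all; fi
```

Run it on the DC as root with `--run`; the script changes nothing and exits non-zero if any check fails.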