UNOFFICIAL
Hi,
I have a SAMBA4 box (CentOS 6.5, SAMBA 4.1.7) that joined a 2003 domain and I
have transferred (not seized) all FSMO roles to the samba box. I demoted the
2003 DC (had to forceremoval). The Samba box now is the sole DC and DNS server
on the network.
I followed the instructions in
https://lists.samba.org/archive/samba-technical/2014-February/097703.html for
repairing the domain after the forced demotion.
Everything is working well except for dns dynamic updates.
I've been struggling with the dreaded "dns_key_negotiategss: TKEY is
unacceptable" for several days.
Using strace, I've convinced myself that named can access all the necessary
files. So it seems that the only alternative is that dns.keytab itself is the
problem.
My dns.keytab had 5 pairs of keys of the form
DNS/sambabox.mydomain.local@MYDOMAIN.LOCAL
dns-SAMBABOX.MyDomain.local@MYDOMAIN.LOCAL
with the types (des-cbc-crc, des-cbc-md5, arcfour-hmac, aes128-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96)
When I searched the web on how to regenerate the keytab file, there seem to be
several incompatible answers.
After reading
https://lists.samba.org/archive/samba-technical/2011-December/080879.html
I concluded that the dns account should be dns-sambabox and not the current
dns-sambabox.MyDomain.local
samba-tool spn list dns-sambabox.mydomain.local returns a spn of
DNS/SAMBABOX.MyDomain.local.mydomain.local.
Stupidly I tried:
samba-tool user create dns-sambabox --random-password
samba-tool user setexpiry --noexpiry dns-sambabox
samba-tool spn add DNS/sambabox.mydomain.local dns-sambabox
samba-tool domain exportkeytab newdns.keytab --principal=dns-sambabox
samba-tool domain exportkeytab newdns.keytab --principal=DNS/sambabox.mydomain.local
mv dns.keytab dns.keytab.old
mv new.keytab dns.keytab
chgrp named dns.keytab
chmod 640 dns.keytab
and restarted bind.
Not only has this not fixed the problem, it has completely broken internal DNS.
When I switch back to internal, samba won't even start.
Could not find DNS/sambabox.mydomain.local in secrets database.
I guess that the spn I added above is responsible. The old account name is still
in the secrets database with the spn mentioned in the error message.
Clearly I have no idea how to repair this and I expect that if I try, I will
just break it worse. So I'd be grateful for advice on fixing the secrets
database.
I'd also be grateful for any hints on debugging the TKEY error.
IMPORTANT: This email remains the property of the Department of Defence and is
subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have
received this email in error, you are requested to contact the sender and delete
the email.
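One way to see what a dns.keytab actually holds before replacing it, as an added example that is not part of the original post and not Samba's own code: a small Python reader and writer for the keytab file format (version 0x0502, the format written by `samba-tool domain exportkeytab` and read by `klist -k`) that lists every principal, kvno and enctype, and a `check_dns_keytab` helper that reports whether an expected principal such as DNS/sambabox.mydomain.local@MYDOMAIN.LOCAL is present with the enctypes named in the post. The sample keytab, its placeholder key bytes and the helper names are constructed here for illustration; pass a real keytab path on the command line to inspect it instead.

```python
"""Minimal keytab (format version 0x0502) writer/reader for inspecting which
principals and encryption types a dns.keytab really contains.
Example code, not Samba's or the poster's; keys below are placeholders."""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 2
KRB5_NT_PRINCIPAL = 1

# Enctype numbers (RFC 3961/3962/4757) for the five types mentioned in the post
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


@dataclass
class KeytabEntry:
    principal: str      # "service/host@REALM" or "name@REALM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0


def _counted(data: bytes) -> bytes:
    """uint16 big-endian length prefix + bytes (realm and name components)."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Serialise entries into keytab v2 format, as a keytab tool would."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)        # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body   # size excludes itself
    return bytes(out)


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def parse_keytab(data: bytes):
    """Walk the file and return a KeytabEntry per live slot."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version: %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:            # 32-bit kvno present after the key block
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, ts))
    return entries


def check_dns_keytab(data: bytes, expected_principals, required_enctypes=(17, 18, 23)):
    """Return a list of problems; an empty list means every expected principal
    is present with every required enctype."""
    by_principal = {}
    for e in parse_keytab(data):
        by_principal.setdefault(e.principal, set()).add(e.enctype)
    problems = []
    for p in expected_principals:
        if p not in by_principal:
            problems.append("missing principal %s" % p)
            continue
        lacking = [ENCTYPE_NAMES.get(t, str(t)) for t in required_enctypes
                   if t not in by_principal[p]]
        if lacking:
            problems.append("%s lacks enctypes: %s" % (p, ", ".join(lacking)))
    return problems


# Constructed sample mirroring the two principals and five enctypes in the post.
KEY_LEN = {1: 8, 3: 8, 23: 16, 17: 16, 18: 32}
SAMPLE_PRINCIPALS = ["DNS/sambabox.mydomain.local@MYDOMAIN.LOCAL",
                     "dns-SAMBABOX.MyDomain.local@MYDOMAIN.LOCAL"]
SAMPLE_KEYTAB = build_keytab([KeytabEntry(p, 2, t, bytes([t]) * KEY_LEN[t])
                              for p in SAMPLE_PRINCIPALS for t in (1, 3, 23, 17, 18)])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(e.kvno, e.principal, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    print(check_dns_keytab(data, SAMPLE_PRINCIPALS[:1]))
```

Comparing the parsed principal names against the SPN that `samba-tool spn list` reports, and the kvno against what the KDC holds, is the check worth doing before the old keytab is moved aside: a TKEY negotiation fails just as readily on a wrong principal or a stale kvno as on a file named cannot read.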