Roel van Meer
2015-Aug-06 06:55 UTC
[Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
Hi everyone,

I'm testing with a Samba4 AD network, and I have some problems with DNS on the second DC, with which I could use a bit of your help.

I have an AD with two DC's, both Samba 4.2.3. On the first DC, samba_dnsupdate works fine. With stock 4.2.3 I get the error

    "TSIG error with server: tsig verify failure"

but the DNS updates succeed anyway, and after applying Gunther Kukkukk's patch from
https://lists.samba.org/archive/samba-technical/2013-February/090408.html
the error is gone. So no problems there.

However, on the second DC samba_dnsupdate does not work. I get the error

    "dns_tkey_negotiategss: TKEY is unacceptable"

Problem is: I don't really know where to look. On the first DC (dev), the ticket cache used by samba_dnsupdate contains:

    root@dev:~# klist -c /tmp/tmpoFYYga
    Ticket cache: FILE:/tmp/tmpoFYYga
    Default principal: DEV$@EXAM.CORP

    Valid starting       Expires              Service principal
    08/06/2015 08:17:43  08/06/2015 18:17:43  krbtgt/EXAM.CORP@EXAM.CORP
    08/06/2015 08:17:43  08/06/2015 18:17:43  DNS/dev.exam.corp@EXAM.CORP

On the second DC (dc2) the ticket cache looks like:

    root@dc2:~# klist -c /tmp/tmpzCc55h
    Ticket cache: FILE:/tmp/tmpzCc55h
    Default principal: DC2$@EXAM.CORP

    Valid starting       Expires              Service principal
    08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
    08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP

which smells incorrect, because it has a service principal for dev.exam.corp instead of dc2.exam.corp?

The file /etc/krb5.conf looks like this on both servers:

    [libdefaults]
        default_realm = EXAM.CORP
        dns_lookup_realm = false
        dns_lookup_kdc = false

Could anyone please give me a hint on where to look further, or which docs to read to get this working?

Thanks a lot,

Roel
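The comparison made by eye in the post above can be scripted. This is an added example, not code from the thread or from Samba: it parses `klist` output and reports, for each `DNS/` service ticket, whether it was issued for the machine that owns the cache or for another server. The sample text is constructed from the dc2 output quoted in the post, and the function names are hypothetical; the script only reports the observation and does not decide whether it is the cause of the TKEY error.

```python
import re

# Constructed sample: klist output in the shape shown in the post (dc2's cache).
SAMPLE_DC2 = """\
Ticket cache: FILE:/tmp/tmpzCc55h
Default principal: DC2$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP
"""

# A ticket row is: start date, start time, end date, end time, principal.
TICKET_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+(\S+)$")

def parse_klist(text):
    """Return (default_principal, [service principals]) from klist output."""
    default, services = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m and "@" in m.group(1):      # skips the column-header row
            services.append(m.group(1))
    return default, services

def dns_ticket_targets(text):
    """Compare the machine account's host with the host in each DNS/ ticket."""
    default, services = parse_klist(text)
    if default is None or "@" not in default:
        raise ValueError("no usable 'Default principal' line found")
    account, realm = default.rsplit("@", 1)
    local_host = account.rstrip("$").lower()          # DC2$ -> dc2
    results = []
    for spn in services:
        name, _, spn_realm = spn.rpartition("@")
        service, _, host = name.partition("/")
        if service.upper() != "DNS":
            continue
        results.append({"spn": spn, "target_host": host.lower(),
                        "is_local": host.split(".", 1)[0].lower() == local_host,
                        "same_realm": spn_realm == realm})
    return local_host, results

if __name__ == "__main__":
    host, tickets = dns_ticket_targets(SAMPLE_DC2)
    for t in tickets:
        print(f"{host}: {t['spn']} local={t['is_local']} realm_ok={t['same_realm']}")
```
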
L.P.H. van Belle
2015-Aug-06 07:23 UTC
check the rights on :

    /var/lib/samba/private/dns.keytab   640 root:bind
    /var/lib/samba/private/dns          750 root:bind
    /var/lib/samba/private/sam.ldb.d    750 root:bind

Greetz,

Louis
Roel van Meer
2015-Aug-06 07:27 UTC
L.P.H. van Belle writes:

> check the rights on :
> /var/lib/samba/private/dns.keytab 640 root:bind
> /var/lib/samba/private/dns 750 root:bind
> /var/lib/samba/private/sam.ldb.d 750 root:bind

I'm using the internal DNS on both DC's, so I guess bind access rights aren't the issue. Thanks for your answer though :)

Regards,

Roel
Brady, Mike
2015-Aug-06 08:16 UTC
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
Roel van Meer
2015-Aug-06 08:38 UTC
Brady, Mike writes:

> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable

Which describes a setup with Bind, while I'm using the Internal DNS server. I'd seen it. But thanks :)

Regards,

Roel