Roel van Meer
2015-Aug-06 07:27 UTC
[Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
L.P.H. van Belle writes:

> check the rights on :
> /var/lib/samba/private/dns.keytab 640 root:bind
> /var/lib/samba/private/dns 750 root:bind
> /var/lib/samba/private/sam.ldb.d 750 root:bind

I'm using the internal DNS on both DC's, so I guess bind access rights aren't the issue.

Thanks for your answer though :)

Regards,

Roel

> >-----Original message-----
> >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roel van Meer
> >Sent: Thursday 6 August 2015 8:55
> >To: samba at lists.samba.org
> >Subject: [Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
> >
> >Hi everyone,
> >
> >I'm testing with a Samba4 AD network, and I have some problems with DNS on
> >the second DC, with which I could use a bit of your help.
> >
> >I have an AD with two DC's, both Samba 4.2.3. On the first DC,
> >samba_dnsupdate works fine. With stock 4.2.3 I get the error
> >
> >  "TSIG error with server: tsig verify failure"
> >
> >but the DNS updates succeed anyway, and after applying Gunther Kukkukk's patch from
> >https://lists.samba.org/archive/samba-technical/2013-February/090408.html
> >the error is gone. So no problems there.
> >
> >However, on the second DC samba_dnsupdate does not work. I get the error
> >
> >  "dns_tkey_negotiategss: TKEY is unacceptable"
> >
> >Problem is: I don't really know where to look. On the first DC (dev), the
> >ticket cache used by samba_dnsupdate contains:
> >
> >  root@dev:~# klist -c /tmp/tmpoFYYga
> >  Ticket cache: FILE:/tmp/tmpoFYYga
> >  Default principal: DEV$@EXAM.CORP
> >
> >  Valid starting       Expires              Service principal
> >  08/06/2015 08:17:43  08/06/2015 18:17:43  krbtgt/EXAM.CORP@EXAM.CORP
> >  08/06/2015 08:17:43  08/06/2015 18:17:43  DNS/dev.exam.corp@EXAM.CORP
> >
> >On the second DC (dc2) the ticket cache looks like:
> >
> >  root@dc2:~# klist -c /tmp/tmpzCc55h
> >  Ticket cache: FILE:/tmp/tmpzCc55h
> >  Default principal: DC2$@EXAM.CORP
> >
> >  Valid starting       Expires              Service principal
> >  08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
> >  08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP
> >
> >which smells incorrect, because it has a service principal for dev.exam.corp
> >instead of dc2.exam.corp?
> >
> >The file /etc/krb5.conf looks like this on both servers:
> >
> >  [libdefaults]
> >          default_realm = EXAM.CORP
> >          dns_lookup_realm = false
> >          dns_lookup_kdc = false
> >
> >Could anyone please give me a hint on where to look further, or which docs
> >to read to get this working?
> >
> >Thanks a lot,
> >
> >Roel
L.P.H. van Belle
2015-Aug-06 07:57 UTC
[Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
Is the time in sync on your servers?
Roel van Meer
2015-Aug-06 08:08 UTC
[Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable - SOLVED
L.P.H. van Belle writes:

> is the time in sync on your servers ?

Yes it is.

I managed to make it work by specifying the primary DC as nameserver in /etc/resolv.conf of the secondary DC. As soon as I do that, samba_dnsupdate works on the secondary. When I change it back to use the local Samba as resolver, it no longer works.

So it is a DNS issue (possibly related to replication problems? I don't know.)

Anyway, this works. On to the next step.

Thanks a lot!

Roel
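The by-eye comparison of the two ticket caches in the original post can be scripted. The following is an added example, not part of the thread and not Samba code: it parses `klist` output and reports which host the `DNS/` service ticket was issued for, so that host can be compared with the server the update is meant to reach. The function names are illustrative, and the sample string is constructed from the dc2 output quoted in the thread.

```python
import re

# Constructed sample, built from the dc2 klist output quoted in the thread.
KLIST_DC2 = """\
Ticket cache: FILE:/tmp/tmpzCc55h
Default principal: DC2$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP
"""

# One ticket row: start date+time, expiry date+time, service principal.
_STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^{_STAMP}\s+{_STAMP}\s+(\S+)\s*$")


def parse_klist(text):
    """Return (default_principal, [service principals]) from klist output."""
    default, services = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
            continue
        match = TICKET_RE.match(line)
        if match:
            services.append(match.group(1))
    return default, services


def dns_ticket_hosts(text):
    """Hosts (lower-cased) for which the cache holds a DNS/<host> ticket."""
    hosts = []
    for principal in parse_klist(text)[1]:
        name = principal.rsplit("@", 1)[0]      # drop the realm
        service, _, host = name.partition("/")
        if service == "DNS" and host:
            hosts.append(host.lower())
    return hosts


def check_update_target(text, update_server):
    """Compare the DNS/ ticket hosts with the server the update should reach."""
    want = update_server.rstrip(".").lower()
    hosts = dns_ticket_hosts(text)
    return {"tickets_for": hosts, "update_server": want, "match": want in hosts}


if __name__ == "__main__":
    print(check_update_target(KLIST_DC2, "dc2.exam.corp"))
```

A mismatch only shows which server the GSS-TSIG negotiation was addressed to; it does not by itself identify the cause of the TKEY error.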