Roel van Meer
2015-Aug-06 08:08 UTC
[Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable - SOLVED
L.P.H. van Belle writes:

> is the time in sync on your servers ?

Yes it is.

I managed to make it work by specifying the primary DC as nameserver in /etc/resolv.conf of the secondary DC. As soon as I do that, samba_dnsupdate works on the secondary. When I change it back to use the local Samba as resolver, it no longer works.

So it is a DNS issue (possibly related to replication problems? I don't know.)

Anyway, this works. On to the next step.

Thanks a lot!

Roel

> >-----Original message-----
> >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roel van Meer
> >Sent: Thursday 6 August 2015 9:28
> >To: samba at lists.samba.org
> >Subject: Re: [Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
> >
> >L.P.H. van Belle writes:
> >
> >> check the rights on :
> >> /var/lib/samba/private/dns.keytab 640 root:bind
> >> /var/lib/samba/private/dns 750 root:bind
> >> /var/lib/samba/private/sam.ldb.d 750 root:bind
> >
> >I'm using the internal DNS on both DC's, so I guess bind access rights aren't the issue.
> >
> >Thanks for your answer though :)
> >
> >Regards,
> >
> >Roel
> >
> >
> >> >-----Original message-----
> >> >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roel van Meer
> >> >Sent: Thursday 6 August 2015 8:55
> >> >To: samba at lists.samba.org
> >> >Subject: [Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
> >> >
> >> >Hi everyone,
> >> >
> >> >I'm testing with a Samba4 AD network, and I have some problems with DNS on the second DC, with which I could use a bit of your help.
> >> >
> >> >I have an AD with two DC's, both Samba 4.2.3. On the first DC, samba_dnsupdate works fine. With stock 4.2.3 I get the error
> >> >
> >> >    "TSIG error with server: tsig verify failure"
> >> >
> >> >but the DNS updates succeed anyway, and after applying Gunther Kukkukk's patch from
> >> >https://lists.samba.org/archive/samba-technical/2013-February/090408.html
> >> >the error is gone. So no problems there.
> >> >
> >> >However, on the second DC samba_dnsupdate does not work. I get the error
> >> >
> >> >    "dns_tkey_negotiategss: TKEY is unacceptable"
> >> >
> >> >Problem is: I don't really know where to look. On the first DC (dev), the ticket cache used by samba_dnsupdate contains:
> >> >
> >> >    root at dev:~# klist -c /tmp/tmpoFYYga
> >> >    Ticket cache: FILE:/tmp/tmpoFYYga
> >> >    Default principal: DEV$@EXAM.CORP
> >> >
> >> >    Valid starting       Expires              Service principal
> >> >    08/06/2015 08:17:43  08/06/2015 18:17:43  krbtgt/EXAM.CORP at EXAM.CORP
> >> >    08/06/2015 08:17:43  08/06/2015 18:17:43  DNS/dev.exam.corp at EXAM.CORP
> >> >
> >> >On the second DC (dc2) the ticket cache looks like:
> >> >
> >> >    root at dc2:~# klist -c /tmp/tmpzCc55h
> >> >    Ticket cache: FILE:/tmp/tmpzCc55h
> >> >    Default principal: DC2$@EXAM.CORP
> >> >
> >> >    Valid starting       Expires              Service principal
> >> >    08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP at EXAM.CORP
> >> >    08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp at EXAM.CORP
> >> >
> >> >which smells incorrect, because it has a service principal for dev.exam.corp instead of dc2.exam.corp?
> >> >
> >> >The file /etc/krb5.conf looks like this on both servers:
> >> >
> >> >    [libdefaults]
> >> >    default_realm = EXAM.CORP
> >> >    dns_lookup_realm = false
> >> >    dns_lookup_kdc = false
> >> >
> >> >
> >> >Could anyone please give me a hint on where to look further, or which docs to read to get this working?
> >> >
> >> >Thanks a lot,
> >> >
> >> >Roel
> >> >
> >> >--
> >> >To unsubscribe from this list go to the following URL and read the
> >> >instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Aug-06 08:16 UTC
[Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable - SOLVED
On 06/08/15 09:08, Roel van Meer wrote:
> L.P.H. van Belle writes:
>
>> is the time in sync on your servers ?
>
> Yes it is.
>
> I managed to make it work by specifying the primary DC as nameserver
> in /etc/resolv.conf of the secondary DC. As soon as I do that,
> samba_dnsupdate works on the secondary. When I change it back to use
> the local Samba as resolver, it no longer works.

As you have 2 DCs, /etc/resolv.conf on both machines should contain this:

    search <your dns domain>
    nameserver <your other DC>
    nameserver <this DC>

i.e. each DC should use the other for DNS resolving.

Rowland

> So it is a DNS issue (possibly related to replication problems? I
> don't know.)
>
> Anyway, this works. On to the next step.
>
> Thanks a lot!
>
> Roel
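A small diagnostic for the two things this thread turns on: which DNS server the samba_dnsupdate ticket cache actually holds a DNS/ service ticket for (the dc2 cache quoted above shows DNS/dev.exam.corp rather than dc2's own name), and whether a DC's resolv.conf follows the other-DC-first layout Rowland describes. This is an added example, not code from the thread or from Samba; the klist text and the nameserver addresses in the docstrings are constructed, and the function names are hypothetical.

```python
"""Added diagnostics for the samba_dnsupdate symptoms discussed in the thread.
Parses `klist` output for the DNS/<host> service ticket and checks a DC's
resolv.conf against the other-DC-first layout (example code, not Samba's)."""
import re

# Constructed from the dc2 klist output quoted in the thread, not live data.
KLIST_DC2 = """Ticket cache: FILE:/tmp/tmpzCc55h
Default principal: DC2$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP
"""

# One ticket line of klist output: start time, expiry, service principal.
TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\s+\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\s+(\S+)$"
)


def service_principals(klist_output):
    """Return every service principal listed in the klist output."""
    return [m.group(1) for line in klist_output.splitlines()
            if (m := TICKET_RE.match(line.strip()))]


def dns_target_host(klist_output):
    """Host part of the DNS/<host>@REALM ticket, lower-cased, or None.

    That host is the DNS server samba_dnsupdate obtained a GSS-TSIG
    ticket for; on dc2 the cache holds DNS/dev.exam.corp, not dc2's own.
    """
    for spn in service_principals(klist_output):
        service, _, rest = spn.partition("/")
        if service == "DNS":
            return rest.partition("@")[0].lower()
    return None


def resolv_uses_other_dc_first(resolv_conf, this_dc, other_dcs):
    """True when resolv.conf lists another DC first and this DC after it,
    the two-DC layout Rowland recommends (e.g. this_dc="10.0.0.2",
    other_dcs=["10.0.0.1"], both constructed addresses)."""
    nameservers = [parts[1] for parts in
                   (line.split() for line in resolv_conf.splitlines())
                   if len(parts) >= 2 and parts[0] == "nameserver"]
    return (len(nameservers) >= 2 and nameservers[0] in other_dcs
            and this_dc in nameservers[1:])
```

Run `klist -c <cache file>` on each DC and feed the text to `dns_target_host` to see which server the update is being negotiated with before comparing resolv.conf layouts.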
Roel van Meer
2015-Aug-06 08:36 UTC
[Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable - SOLVED
Rowland Penny writes:

> As you have 2 DCs, /etc/resolv.conf on both machines should contain this:
>
>     search <your dns domain>
>     nameserver <your other DC>
>     nameserver <this DC>
>
> i.e. each DC should use the other for DNS resolving.

Maybe I should say that my DC's are in different locations, so this is not true in my case. If I would resolve DNS via a DC that's in a different location, this would only introduce unnecessary delays. So currently I'm always using the local Samba DC for DNS resolving. Samba replication will ensure all DC's have the same DNS records to hand out for local domains.

(Although I still don't know why samba_dnsupdate fails if I use the local Samba as DNS server on the second DC. Everything I've checked so far resolves identically on both DC's. But I'm not giving up yet..)

Regards,

Roel

> Rowland