On Sun, 7 Jan 2018 23:02:20 +0100
Ronny Preiss via samba <samba at lists.samba.org> wrote:
> Hi @ all,
>
> I try to update the DNS records from my DHCP clients to my AD DC, but
> there is an issue with the GSSAPI that I don't know how to solve.
>
> For this I followed this guide:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
>
>
> GSSAPI Error:
>
> start_gssrequest
>
> tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
> Minor code may provide more information, Minor = No credentials found
> with supported encryption types (filename: /tmp/dhcp-dyndns.cc).
>
>
>
> Here is my keytab file:
>
>
>
> ktutil -k /etc/dhcpduser.keytab list
>
> /etc/dhcpduser.keytab:
>
> Vno  Type                     Principal                   Aliases
> 2    aes256-cts-hmac-sha1-96  dhcpduser at PROD.CORP.INT
> 2    aes128-cts-hmac-sha1-96  dhcpduser at PROD.CORP.INT
> 2    arcfour-hmac-md5         dhcpduser at PROD.CORP.INT
> 2    des-cbc-md5              dhcpduser at PROD.CORP.INT
> 2    des-cbc-crc              dhcpduser at PROD.CORP.INT
>
>
Don't you mean 'klist -e -k /etc/dhcpduser.keytab'?
If so, it should show something like this:
Keytab name: FILE:/etc/dhcpduser.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 dhcpduser at SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
1 dhcpduser at SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
1 dhcpduser at SAMDOM.EXAMPLE.COM (arcfour-hmac)
1 dhcpduser at SAMDOM.EXAMPLE.COM (des-cbc-md5)
1 dhcpduser at SAMDOM.EXAMPLE.COM (des-cbc-crc)
>
> System Information
>
>
>
> - Raspberry Pi 3 Model B
>
> - Raspbian Stretch
>
> - Samba Version 4.7.4
>
> - BIND Version 9.11.2
>
> - BIND9 built by
>
>   make '--prefix' '/usr/local/bind9' '--enable-shared'
>   '--enable-static' '--with-openssl=/usr'
>   '--with-gssapi=/usr/include/gssapi' '--with-libtool'
>   '--with-dlopen=yes' '--enable-threads' '--enable-largefile'
>   '--with-gnu-ld' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing'
>   'CFLAGS=-DDIG_SIGCHASE' 'CFLAGS=-O2'
>
>
There is no need to build Bind on Stretch, just use the Debian package.
Also, '--with-dlopen' is now built in; the setting no longer exists.
>
> bind9 named.conf https://pastebin.com/HW88rwbe
Yes, but what is in:
/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/named.conf.default-zones
>
>
>
> samba named.conf https://pastebin.com/zi7Fm27T
Nothing wrong there.
>
>
>
> samba smb.conf https://pastebin.com/i1fmj56T
Nothing wrong there either.
>
>
>
> If more information is needed, feel free to ask me, I'll do my best to
> provide it.
Post what is in /etc/hostname, /etc/hosts, /etc/resolv.conf
and /etc/krb5.conf.
Rowland