Robert E. Wooden
2020-Jul-03 14:40 UTC
[Samba] dns_tkey_gssnegotiate: TKEY is unacceptable
On 7/3/2020 9:31 AM, Rowland penny via samba wrote:
> Does 'sudo rm -f /var/lib/samba/private/dns.keytab' give you any hint
> to which is the correct keytab ?
>
> Rowland
>
While waiting for your reply, I began checking my BIND9 setup.

Having used many of Louis' "sed" strings instructions, one of those strings directs "tkey-gssapi-keytab" to use "/var/lib/samba/_private_/dns.keytab".

Changed it to: "/var/lib/samba/_bind-dns_/dns.keytab" and the DC, a few minutes ago, just finished updating properly.

Thanks, our decision here pointed me to the correction needed.

Now, I'll ask the obvious question. Why are there two "dns.keytab" files? It is confusing.

--
Bob Wooden

On 03/07/2020 15:40, Robert E. Wooden via samba wrote:
> On 7/3/2020 9:31 AM, Rowland penny via samba wrote:
>> Does 'sudo rm -f /var/lib/samba/private/dns.keytab' give you any hint
>> to which is the correct keytab ?
>>
>> Rowland
>>
> While waiting for your reply, I began checking my BIND9 setup.
>
> Having used many of Louis' "sed" strings instructions, one of those
> strings directs "tkey-gssapi-keytab" to use
> "/var/lib/samba/_private_/dns.keytab".
>
> Changed it to: "/var/lib/samba/_bind-dns_/dns.keytab" and the DC, a
> few minutes ago, just finished updating properly.
>
> Thanks, our decision here pointed me to the correction needed.
>
> Now, I'll ask the obvious question. Why are there two "dns.keytab"
> files? It is confusing.
>
I thought I explained that, but let's try again ;-)

Originally, Samba used /var/lib/samba/private for the dns.keytab and other dns files. This was then found to be possibly insecure, so it was decided to use /var/lib/samba/bind-dns instead. When you upgrade the Samba packages, the old files are not removed, but the new ones are created. You just need to make Bind9 etc use them.

Rowland

Robert E. Wooden
2020-Jul-03 15:01 UTC
[Samba] dns_tkey_gssnegotiate: TKEY is unacceptable
On 7/3/2020 9:50 AM, Rowland penny via samba wrote:
> I thought I explained that, but let's try again ;-)
>
> Originally, Samba used /var/lib/samba/private for the dns.keytab and
> other dns files. This was then found to be possibly insecure, so it
> was decided to use /var/lib/samba/bind-dns instead. When you upgrade
> the Samba packages, the old files are not removed, but the new ones
> are created. You just need to make Bind9 etc use them.
>
> Rowland
>
Thanks for your help. (Time to make another donation to Samba!)

--
Bob Wooden
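
The check discussed in this thread, as an added example that is not part of the original messages or of Samba: it reads a BIND9 configuration file and reports whether each active "tkey-gssapi-keytab" directive still points at the old /var/lib/samba/private directory. The function names and the sample configuration are constructed for illustration; the location of the real BIND9 options file depends on the distribution.

```shell
#!/bin/sh
# Added example: audit BIND9 config text for a stale tkey-gssapi-keytab path.
LEGACY_DIR="/var/lib/samba/private"    # old location named in the thread
CURRENT_DIR="/var/lib/samba/bind-dns"  # new location named in the thread

# Print the path of every active tkey-gssapi-keytab directive in file $1.
# Lines commented out with // or # do not match the anchored pattern.
keytab_paths() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Classify one keytab path as legacy, current or other.
classify_keytab() {
    case "$1" in
        "$LEGACY_DIR"/*)  echo legacy ;;
        "$CURRENT_DIR"/*) echo current ;;
        *)                echo other ;;
    esac
}

# Print "<kind> <path>" per directive.
# Returns 0 if all are current, 1 if any is not, 2 if none is set.
audit_named_conf() {
    paths=$(keytab_paths "$1")
    [ -n "$paths" ] || { echo "no tkey-gssapi-keytab directive"; return 2; }
    rc=0
    while IFS= read -r p; do
        kind=$(classify_keytab "$p")
        echo "$kind $p"
        [ "$kind" = current ] || rc=1
    done <<EOF
$paths
EOF
    return $rc
}

# Constructed sample options block; $1 is the keytab directory to embed.
sample_conf() {
    cat <<EOF
options {
    directory "/var/cache/bind";
    // tkey-gssapi-keytab "/etc/old/dns.keytab";
    tkey-gssapi-keytab "$1/dns.keytab";
};
EOF
}

# Demo on the constructed sample: a config still using the legacy path.
tmp=$(mktemp)
sample_conf "$LEGACY_DIR" > "$tmp"
audit_named_conf "$tmp" || echo "update BIND9 to use $CURRENT_DIR/dns.keytab"
rm -f "$tmp"
```

On a real DC, pass the file that holds the BIND9 options block to audit_named_conf instead of the sample.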