Matthew Schumacher
2022-Aug-05 19:51 UTC
[Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision
Hello all,

When trying to run samba_dnsupdate I get "dns_tkey_gssnegotiate: TKEY is unacceptable". I see the webpage about this at https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable and when verifying my keytab file I get a number of accounts:

klist -k /var/lib/samba/bind-dns/dns.keytab
Keytab name: FILE:/var/lib/samba/bind-dns/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
   1 dns-dc-2-wsll@AD.DOMAIN.NET
   1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
   1 dns-dc-2-wsll@AD.DOMAIN.NET
   1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
   1 dns-dc-2-wsll@AD.DOMAIN.NET

I decided I would clean up and try again so I:

rm /usr/local/samba/private/dns.keytab
then
samba-tool user delete dns-dc-2-wsll

Which seems to work, as I get

Deleted user dns-dc-2-wsll

But then when I reset the dns settings with:

samba_upgradedns --dns-backend=BIND9_DLZ

I see:

Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/AD.DOMAIN.NET.zone (normal)
DNS partitions already exist
Adding dns-dc-2-wsll account
check_spn_alias_collision: trying to add SPN 'DNS/dc-2-wsll.ad.domain.net' on 'CN=dns-dc-2-wsll,CN=Users,DC=ad,DC=domain,DC=net' when 'host/dc-2-wsll.ad.domain.net' is on 'CN=dc-2-wsll,OU=Domain Controllers,DC=ad,DC=domain,DC=net'
See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

I'm trying to figure out how to clean this up and reset DNS so I can get it to work. Any ideas?

Matt
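Added example, not part of the original message or of Samba: klist -k prints one row per stored key, so a principal holding keys for several encryption types repeats with the same KVNO, and klist -ke adds the enctype needed to tell that apart from the same key being stored twice. The sketch below summarises such output per principal; the sample rows are constructed from the principals in this thread (the archive's " at " written back as "@", enctype columns assumed), and the function and verdict names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Input: `klist -ke <keytab>` output, MIT layout.

# Constructed sample: the two principals from the thread, enctype columns assumed.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/var/lib/samba/bind-dns/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET (aes256-cts-hmac-sha1-96)
   1 dns-dc-2-wsll@AD.DOMAIN.NET (aes256-cts-hmac-sha1-96)
   1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET (aes128-cts-hmac-sha1-96)
   1 dns-dc-2-wsll@AD.DOMAIN.NET (aes128-cts-hmac-sha1-96)
   1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET (arcfour-hmac)
   1 dns-dc-2-wsll@AD.DOMAIN.NET (arcfour-hmac)
EOF
}

# Prints one line per (KVNO, principal):
#   <kvno> <principal> keys=<rows> enctypes=<distinct enctypes> <verdict>
summarize_keytab() {
    awk '
        # Key rows start with a numeric KVNO; banner, header and dashes do not.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            id = $1 " " $2
            if (!(id in keys)) order[++n] = id
            keys[id]++
            if (NF < 3) { noenc[id] = 1; next }   # plain -k output, no enctype
            if (!((id, $3) in seen)) { seen[id, $3] = 1; types[id]++ }
        }
        END {
            for (i = 1; i <= n; i++) {
                id = order[i]
                if (id in noenc) verdict = "enctype-not-shown"
                else if (keys[id] == types[id]) verdict = "distinct-enctypes"
                else verdict = "repeated-key"
                printf "%s keys=%d enctypes=%d %s\n", id, keys[id], types[id], verdict
            }
        }'
}

sample_klist_output | summarize_keytab
```

Against a real keytab the call would be klist -ke /var/lib/samba/bind-dns/dns.keytab | summarize_keytab; plain -k output is reported as enctype-not-shown because it cannot be classified either way.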
L. van Belle
2022-Aug-08 12:00 UTC
[Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision
Can you run this script: https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh and post the content.

Thanks,

Greetz,

Louis

> -----Original message-----
> From: samba <samba-bounces at lists.samba.org> On behalf of Matthew Schumacher via samba
> Sent: Friday, 5 August 2022 21:52
> To: samba at lists.samba.org
> Subject: [Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision
>
> Hello all,
>
> When trying to run samba_dnsupdate I get "dns_tkey_gssnegotiate: TKEY is unacceptable". I see the webpage about this at
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
> and when verifying my keytab file I get a number of accounts:
>
> klist -k /var/lib/samba/bind-dns/dns.keytab
> Keytab name: FILE:/var/lib/samba/bind-dns/dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
>    1 dns-dc-2-wsll@AD.DOMAIN.NET
>    1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
>    1 dns-dc-2-wsll@AD.DOMAIN.NET
>    1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
>    1 dns-dc-2-wsll@AD.DOMAIN.NET
>
> I decided I would clean up and try again so I:
>
> rm /usr/local/samba/private/dns.keytab
> then
> samba-tool user delete dns-dc-2-wsll
>
> Which seems to work, as I get
>
> Deleted user dns-dc-2-wsll
>
> But then when I reset the dns settings with:
>
> samba_upgradedns --dns-backend=BIND9_DLZ
>
> I see:
>
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/bind-dns/dns/AD.DOMAIN.NET.zone (normal)
> DNS partitions already exist
> Adding dns-dc-2-wsll account
> check_spn_alias_collision: trying to add SPN 'DNS/dc-2-wsll.ad.domain.net' on 'CN=dns-dc-2-wsll,CN=Users,DC=ad,DC=domain,DC=net' when 'host/dc-2-wsll.ad.domain.net' is on 'CN=dc-2-wsll,OU=Domain Controllers,DC=ad,DC=domain,DC=net'
> See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
> and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
> Finished upgrading DNS
>
> I'm trying to figure out how to clean this up and reset DNS so I can get it to work. Any ideas?
>
> Matt