
[Samba] TKEY is unacceptable


Steve Thompson

Feb 12, 2014, 3:50:01 PM
Samba 4.1.1 using BIND_DLZ (bind-9.9.1-0.1.P2) on CentOS 6.5 x86_64.

I have two domain controllers, dc-1 and dc-2, which each have three
network interfaces. Selinux is in permissive mode, and iptables is off.
One interface on each dc is to be shut down. So, on dc-1, I do:

# nsupdate -g
update delete europa.icse.cornell.edu A 192.168.3.250
update delete europa.icse.cornell.edu A 192.168.3.251
send

and this works, as confirmed by "nslookup europa.icse.cornell.edu". The
same nsupdate operation on dc-2 fails with:

dns_tkey_negotiategss: TKEY is unacceptable

I have verified that named.conf is the same on both nodes; I am using

tkey-gssapi-keytab "/usr/local/samba/europa/private/dns.keytab";

and the named user can read the keytabs with no issue (permissions and
ownerships are correct). The keytabs themselves appear fine:

dc-1 # klist -k dns.keytab
1 DNS/dc-1.europa.ic...@EUROPA.ICSE.CORNELL.EDU
1 dns-...@EUROPA.ICSE.CORNELL.EDU
...

dc-2 # klist -k dns.keytab
1 DNS/dc-2.europa.ic...@EUROPA.ICSE.CORNELL.EDU
1 dns-...@EUROPA.ICSE.CORNELL.EDU
...

which are similar except for the uppercase DC-2 in the second sample.

This was originally set up with Samba 4.0.3, when nsupdate worked on both
nodes, but since the upgrade to 4.1.1, nsupdate (and also samba_dnsupdate)
work on dc-1 but not on dc-2. Everything else samba-related seems to work
fine.

I've compared the setup on both nodes until I am blue in the face, and
they appear equivalent. I've also read many articles with a similar
problem, but have found no solutions.

Could use a clue! TIA,
Steve
--
----------------------------------------------------------------------------
Steve Thompson E-mail: smt AT vgersoft DOT com
Voyager Software LLC Web: http://www DOT vgersoft DOT com
39 Smugglers Path VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
"186,282 miles per second: it's not just a good idea, it's the law"
----------------------------------------------------------------------------
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

steve

Feb 12, 2014, 8:00:02 PM
On Wed, 2014-02-12 at 14:43 -0500, Steve Thompson wrote:

> Could use a clue! TIA,

Hi
Yes. If you're certain that your bind user can get at his own files
(there are several of them) then I think that maybe the update has
trashed the dns record. The only way we know is to use a big hammer to
remove it and then let nsupdate recreate it on the next attempt:
http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html

At least it's something to try.
Steve

Steve Thompson

Feb 13, 2014, 9:30:02 AM
On Thu, 13 Feb 2014, steve wrote:

> Yes. If you're certain that your bind user can get at his own files
> (there are several of them) then I think that maybe the update has
> trashed the dns record. The only way we know is to use a big hammer to
> remove it and then let nsupdate recreate it on the next attempt:

I have solved the problem, although this wasn't quite the solution. It
turned out that there was a DNS service account in the database only for
dc-1; the corresponding account for dc-2 was missing. I have created the
missing account, and from that generated a new dns.keytab using ktpass.sh,
and now nsupdate works properly on both dc's.

For more details, see the post in this list from Adam Thorn on 1st July
2011 (thanks Adam!).
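As an added example (not from the thread, and not Samba's or BIND's own code), here is a small POSIX shell audit that parses `klist -k` output and reports which of the principals a Samba/BIND_DLZ domain controller's dns.keytab is expected to hold are missing. It matches case-insensitively, so a hostname emitted in upper case (the DC-2 spelling noticed in the first message) is not reported as missing. The klist listing embedded in it is constructed; the naming pattern DNS/<fqdn>@<REALM> and dns-<host>@<REALM> is assumed from the entries shown in the first message. Note the limit of such a check, which is exactly what the thread ran into: klist only shows what is in the keytab file, so an entry whose matching account no longer exists in the directory still lists fine, and that second condition has to be verified against the directory itself.

```shell
#!/bin/sh
# Added example: audit a `klist -k dns.keytab` listing for the principals a
# Samba DC needs before GSS-TSIG (TKEY) dynamic updates can be accepted.
# Assumed naming (from the thread): DNS/<fqdn>@<REALM> and dns-<host>@<REALM>.

# Constructed sample resembling `klist -k dns.keytab` output on dc-2.
# The dns-DC-2 entry is deliberately upper case to exercise the case folding.
SAMPLE_KLIST='Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc-2.europa.icse.cornell.edu@EUROPA.ICSE.CORNELL.EDU
   1 dns-DC-2@EUROPA.ICSE.CORNELL.EDU'

# keytab_has_principal LISTING PRINCIPAL
# Returns 0 if PRINCIPAL appears in the principal column of LISTING.
# Only rows whose first field is a numeric KVNO are considered, so the
# header lines of klist output are ignored. The comparison is case-insensitive.
keytab_has_principal() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -v want="$want" '
        NF >= 2 && $1 ~ /^[0-9]+$/ { if (tolower($2) == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# expected_principals HOST FQDN REALM
# Prints, one per line, the principals this DC's dns.keytab should contain.
expected_principals() {
    printf 'DNS/%s@%s\n' "$2" "$3"
    printf 'dns-%s@%s\n' "$1" "$3"
}

# audit_keytab LISTING HOST FQDN REALM
# Prints "MISSING: <principal>" for each expected principal not found.
# Returns 0 when nothing is missing, 1 otherwise.
audit_keytab() {
    listing=$1; host=$2; fqdn=$3; realm=$4
    missing=0
    for p in $(expected_principals "$host" "$fqdn" "$realm"); do
        if ! keytab_has_principal "$listing" "$p"; then
            echo "MISSING: $p"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone demo against the constructed listing. On a real DC you would
# feed it "$(klist -k /usr/local/samba/europa/private/dns.keytab)" instead.
audit_keytab "$SAMPLE_KLIST" dc-2 dc-2.europa.icse.cornell.edu EUROPA.ICSE.CORNELL.EDU \
    && echo "dc-2 keytab holds all expected principals" \
    || echo "dc-2 keytab is incomplete"
```

Running the audit on each DC with its own hostname makes the two keytabs directly comparable; if both pass, as they did for the original poster, the next thing to verify is that the dns-<host> account the keytab was generated from actually exists in the directory, since the keytab cannot tell you that.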