Debugging "configuring TKEY: failure" (w/samba4)
Nicholas F Miller
Nicholas.Miller at Colorado.EDU
Fri Nov 12 14:54:39 UTC 2010
I recently went through this and have it working. Look through the archives for 'GSS-TSIG and Active Directory'.
https://lists.isc.org/mailman/mmsearch/bind-users?config=bind-users.htsearch&restrict=&exclude=&method=and&format=short&sort=score&words=GSS-TSIG+and+Active+Directory
Things to check:
1) You are running the newest version of Bind.
2) You might try compiling Bind with --with-gssapi=/usr
3) Double check your krb5.conf and make sure you have arcfour-hmac-md5 listed first in default_tgs_enctypes and default_tkt_enctypes.
4) When you create your keytab don't define crypto; it will default to RC4-HMAC-NT. (ktpass -out foo.keytab -princ DNS/foo.example.org@EXAMPLE.ORG -pass * -mapuser foo@example.org)
5) FWIW, I am not using any of the Samba settings. The DNS server isn't joined to the AD it just has the krb5.conf setup and a keytab for DNS/dnserver.domain.
_________________________________________________________
Nicholas Miller, ITS, University of Colorado at Boulder
On Nov 10, 2010, at 6:48 AM, Adam Tauno Williams wrote:
> I'm attempting to get Bind 9.7.2 (built on openSUSE 11.3) running in
> relation to Samba4; this uses GSSAPI authentication to update the Bind
> zones. Everything works except this part. I've built bind with
> --with-gssapi, verified krb5 is linked in, and verified [at least with
> kinit and other trivial krb5 tools] that Kerberos/GSSAPI is working.
> But when I add:
>
> options {
>
> tkey-gssapi-credential "DNS/ad.mormail.com";
> tkey-domain "AD.MORMAIL.COM";
> ...
> }
>
> - to my bind configuration bind fails to start with -
>
> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: D.F.IP6.ARPA
> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone:
> 8.E.F.IP6.ARPA
> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone:
> 9.E.F.IP6.ARPA
> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone:
> A.E.F.IP6.ARPA
> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone:
> B.E.F.IP6.ARPA
> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone:
> 8.B.D.0.1.0.0.2.IP6.ARPA
> Nov 10 08:43:32 opensuse named[3021]: configuring TKEY: failure
> Nov 10 08:43:32 opensuse named[3021]: loading configuration: failure
> Nov 10 08:43:32 opensuse named[3021]: exiting (due to fatal error)
>
> I've tried playing with log levels, etc... and I just can't seem to dig
> any more information out of it. Are there any procedures / tips for
> debugging a "configuring TKEY: failure" message?
> --
> Adam Tauno Williams <awilliam at whitemice.org>
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
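As an added example (not from Nicholas's post or from the BIND or Samba projects), a small POSIX sh check for item 3) of the list above: it verifies that arcfour-hmac-md5 is the first enctype in both default_tgs_enctypes and default_tkt_enctypes of a krb5.conf. The function name, the demo file paths and the sample configs are all constructed for illustration.

```shell
#!/bin/sh
# check_enctypes FILE: inspect a krb5.conf and confirm that both
# default_tgs_enctypes and default_tkt_enctypes start with arcfour-hmac-md5.
# Returns 0 only when both keys are present and correctly ordered.
check_enctypes() {
    conf="$1"
    rc=0
    for key in default_tgs_enctypes default_tkt_enctypes; do
        # First value after '=' for this key; commented-out lines do not match
        # because the pattern is anchored at the start of the line.
        first=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" \
                | head -n 1 | awk '{print $1}')
        if [ "$first" = "arcfour-hmac-md5" ]; then
            echo "ok:   $key starts with arcfour-hmac-md5"
        else
            echo "FAIL: $key first enctype is '${first:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files for demonstration; not real configurations.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
    default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96
    default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5
EOF
echo "== good.conf"; check_enctypes "$demo_dir/good.conf"
echo "== bad.conf";  check_enctypes "$demo_dir/bad.conf" || echo "bad.conf would fail check 3)"
rm -rf "$demo_dir"
```

Run it against the real file with `check_enctypes /etc/krb5.conf` after sourcing the script; a FAIL line points at the key to reorder.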