[Kea-users] Kea DHCP DDNS 3.0.3 + GSS TSIG hook: gss_init_sec_context fails (“No credentials”) against Microsoft DNS (AD)

Jaroslav Čihák cihak.jarda at gmail.com
Tue May 5 07:40:34 UTC 2026


Dear all,


I’m trying to use Kea DHCP‑DDNS (D2) with the GSS‑TSIG hook
(libddns_gss_tsig.so) to perform secure DDNS updates against Microsoft DNS
(Active Directory). The GSS‑TKEY exchange fails immediately at GSS context
initialization.

I’m attaching ~30 lines of log around the first failure plus the relevant
D2 configuration excerpt and the Kerberos/systemd settings used to run D2.



*Environment*

   - OS: RHEL 9.x
   - Kea DHCP‑DDNS (D2): 3.0.3
   - GSS‑TSIG hook: /usr/lib64/kea/hooks/libddns_gss_tsig.so
   - DNS server: Microsoft DNS / AD, dc1.example.local (10.0.0.10)
   - Kerberos realm: EXAMPLE.REALM
   - DHCP/DDNS host: dhcp1.example.local



*Kerberos credentials (keytab + ccache)*

   - Keytab: /etc/kea/client.keytab
      - Principal: host/dhcp1.example.local at EXAMPLE.REALM (kvno 15)
   - We create a FILE ccache for the service user using:
      - sudo -u kea KRB5_CONFIG=/etc/kea/krb5_kea.conf kinit -k -t /etc/kea/client.keytab -c FILE:/var/lib/kea/krb5/client.ccache host/dhcp1.example.local at EXAMPLE.REALM
   - Kerberos config used by the service:
      - /etc/kea/krb5_kea.conf (includes default_ccache_name =
      FILE:/var/lib/kea/krb5/client.ccache)



*D2 / GSS‑TSIG configuration (relevant points)*

   - server-principal: DNS/dc1.example.local at EXAMPLE.REALM
   - DNS server definition:
      - servers: { id: "ad_dns", ip-address: "10.0.0.10", port: 53 }
   - tkey-lifetime: 3600, rekey-interval: 2700 (See attached
   kea-dhcp-ddns.conf.excerpt.json.)



*Error (from kea-dhcp-ddns log)*

During startup, the hook creates a new GSS‑TSIG key and then fails to
initialize the GSS‑TKEY exchange:

   - TKEY_EXCHANGE_FAIL_TO_INIT
   gss_init_sec_context failed
   Major: No credentials were supplied, or the credentials were unavailable
   or inaccessible (458752)
   Minor: SPNEGO cannot find mechanisms to negotiate (100001)

The exact log context is attached (kea-dhcp-ddns.log.excerpt.txt).



*How D2 is started (systemd)*

The service runs as user kea and we set the following environment:

   - KRB5_CONFIG=/etc/kea/krb5_kea.conf
   - KRB5CCNAME=FILE:/var/lib/kea/krb5/client.ccache
   - GSS_USE_PROXY=no (Full relevant excerpt attached in
   systemd-override-and-krb5.conf.excerpt.txt.)



*What we verified*

   - kinit/klist/kvno works for the keytab principal and FILE ccache when
   run as the service user.
   - The failure appears specific to the GSS‑TSIG hook’s acquisition of
   initiator credentials / context initialization inside D2.



*Questions*

   1. What is the recommended, supported way in Kea 3.0.x GSS‑TSIG hook to
   supply initiator credentials for AD DNS updates (keytab-only vs FILE ccache
   vs cache collection/KCM)?
   2. When a FILE ccache exists and KRB5CCNAME/default_ccache_name are set
   to FILE, should the hook rely on that, or does it still attempt to use
   other cache mechanisms?
   3. Is there a canonical minimal hook configuration for Microsoft AD DNS
   in Kea 3.0.x (required parameters for client identity vs server-principal)?



Thank you in advance for any guidance.



Best regards,
Jaroslav Cihak



*Attachments:*

   1. kea-dhcp-ddns.conf.excerpt.json
   2. kea-dhcp-ddns.log.excerpt.txt (~30 lines)
   3. systemd-override-and-krb5.conf.excerpt.txt
-------------- next part --------------
[libdefaults]
default_realm = EXAMPLE.REALM
rdns = false
dns_canonicalize_hostname = false
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = FILE:/var/lib/kea/krb5/client.ccache
forwardable = true
proxiable = true

[realms]
EXAMPLE.REALM = {
  kdc = dc1.example.local
  kdc = dc2.example.local
  kdc = dc3.example.local
  admin_server = dc1.example.local:88
  admin_server = dc2.example.local:88
  admin_server = dc3.example.local:88
  default_domain = example.local
}

[domain_realm]
.dhcp1.example.local = EXAMPLE.REALM
.dc1.example.local = EXAMPLE.REALM
.example.local = EXAMPLE.REALM


# /etc/systemd/system/kea-dhcp-ddns.service.d/override.conf
[Service]
Environment="KRB5_CONFIG=/etc/kea/krb5_kea.conf"
Environment="KRB5_KTNAME=/etc/kea/client.keytab"
Environment="KRB5CCNAME=FILE:/var/lib/kea/krb5/client.ccache"
Environment="KRB5_TRACE=/var/log/kea/krb5.trace"
Environment="GSSAPI_MECH_CONF=/etc/gss/mech.d/krb5.conf"
Environment="GSS_USE_PROXY=no"
Environment="LD_LIBRARY_PATH=/usr/lib64"
-------------- next part --------------
2026-05-05 08:34:19.594 INFO  [kea-dhcp-ddns.gss-tsig-hooks/157334.140102359381888] GSS_TSIG_LOAD_OK GSS-TSIG hooks library loaded successfully.
2026-05-05 08:34:19.594 INFO  [kea-dhcp-ddns.hooks/157334.140102359381888] HOOKS_LIBRARY_LOADED hooks library /usr/lib64/kea/hooks/libddns_gss_tsig.so successfully loaded
2026-05-05 08:34:19.595 INFO  [kea-dhcp-ddns.commands/157334.140102359381888] COMMAND_ACCEPTOR_START Starting to accept connections via unix domain socket bound to /var/run/kea/kea-ddns-ctrl.sock
2026-05-05 08:34:19.595 INFO  [kea-dhcp-ddns.dctl/157334.140102359381888] DCTL_CONFIG_COMPLETE server has completed configuration: listening on 127.0.0.1, port 53001, using UDP
2026-05-05 08:34:19.595 DEBUG [kea-dhcp-ddns.callouts/157334.140102359381888] HOOKS_CALLOUTS_BEGIN begin all callouts for hook d2_srv_configured
2026-05-05 08:34:19.595 DEBUG [kea-dhcp-ddns.callouts/157334.140102359381888] HOOKS_CALLOUTS_COMPLETE completed callouts for hook d2_srv_configured (total callouts duration: 0.023 ms)
2026-05-05 08:34:19.595 DEBUG [kea-dhcp-ddns.gss-tsig-hooks/157334.140102359381888] GSS_TSIG_MANAGER_STARTED hooks library GSS-TSIG key periodic manager started.
2026-05-05 08:34:19.596 INFO  [kea-dhcp-ddns.gss-tsig-hooks/157334.140102359381888] GSS_TSIG_NEW_KEY new GSS-TSIG key '2112759240.sig-dc1.example.local.' was created.
2026-05-05 08:34:19.596 DEBUG [kea-dhcp-ddns.gss-tsig-hooks/157334.140102359381888] START_RETRY_TIMER started timer handling retry for server ad_dns in 120 seconds.
2026-05-05 08:34:19.597 ERROR [kea-dhcp-ddns.gss-tsig-hooks/157334.140102359381888] TKEY_EXCHANGE_FAIL_TO_INIT GSS-TKEY exchange failed to initialize because of the error: gss_init_sec_context failed with GSSAPI error: Major = 'No credentials were supplied, or the credentials were unavailable or inaccessible' (458752), Minor = 'SPNEGO cannot find mechanisms to negotiate' (100001)..
2026-05-05 08:34:19.597 WARN  [kea-dhcp-ddns.gss-tsig-hooks/157334.140102359381888] GSS_TSIG_NEW_KEY_SETUP_FAILED new GSS-TSIG key '2112759240.sig-dc1.example.local' setup failed: other, unclassified error.
2026-05-05 08:34:19.597 INFO  [kea-dhcp-ddns.dhcpddns/157334.140102359381888] DHCP_DDNS_STARTED Kea DHCP-DDNS server version 3.0.3 started
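Added here as a triage aid, not code from the post or from Kea: it parses the TKEY_EXCHANGE_FAIL_TO_INIT line of the attached log and decodes the numeric major status into the fields RFC 2744 defines. The routine error inside 458752 is GSS_S_NO_CRED, which gss_init_sec_context reports locally before it produces an output token, so the place to look is credential acquisition under the kea user's environment (keytab and ccache readable by that user, same KRB5_CONFIG/KRB5CCNAME the unit sets) rather than the AD side.

```python
import re

# Field layout of a GSS-API major status (RFC 2744 section 3.9.1):
# bits 24-31 calling error, bits 16-23 routine error, bits 0-15 supplementary info.
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_MIC",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
CALLING_ERRORS = {1: "GSS_S_CALL_INACCESSIBLE_READ",
                  2: "GSS_S_CALL_INACCESSIBLE_WRITE", 3: "GSS_S_CALL_BAD_STRUCTURE"}
SUPPLEMENTARY_BITS = ["GSS_S_CONTINUE_NEEDED", "GSS_S_DUPLICATE_TOKEN",
                      "GSS_S_OLD_TOKEN", "GSS_S_UNSEQ_TOKEN", "GSS_S_GAP_TOKEN"]
# Major/Minor pair as printed in Kea's TKEY_EXCHANGE_FAIL_TO_INIT message.
TKEY_FAIL_RE = re.compile(r"TKEY_EXCHANGE_FAIL_TO_INIT.*?Major = '[^']*' \((?P<major>\d+)\), "
                          r"Minor = '(?P<minor_text>[^']*)' \((?P<minor>\d+)\)")

def decode_major(major: int) -> dict:
    """Split a numeric GSS major status into its symbolic RFC 2744 fields."""
    calling, routine = (major >> 24) & 0xFF, (major >> 16) & 0xFF
    return {
        "calling": CALLING_ERRORS.get(calling, f"unknown({calling})") if calling else None,
        "routine": ROUTINE_ERRORS.get(routine, f"unknown({routine})") if routine else None,
        "supplementary": [n for i, n in enumerate(SUPPLEMENTARY_BITS) if (major >> i) & 1],
    }

def parse_tkey_failure(line: str):
    """Decode one Kea TKEY_EXCHANGE_FAIL_TO_INIT log line; None if the line is something else."""
    m = TKEY_FAIL_RE.search(line)
    if not m:
        return None
    major = int(m.group("major"))
    return {"major": major, "minor": int(m.group("minor")),
            "minor_text": m.group("minor_text"), **decode_major(major)}

# Log line copied from the post's attached kea-dhcp-ddns.log excerpt.
SAMPLE_LINE = ("2026-05-05 08:34:19.597 ERROR [kea-dhcp-ddns.gss-tsig-hooks/157334.140102359381888] "
               "TKEY_EXCHANGE_FAIL_TO_INIT GSS-TKEY exchange failed to initialize because of the "
               "error: gss_init_sec_context failed with GSSAPI error: Major = 'No credentials were "
               "supplied, or the credentials were unavailable or inaccessible' (458752), "
               "Minor = 'SPNEGO cannot find mechanisms to negotiate' (100001)..")

if __name__ == "__main__":
    print(parse_tkey_failure(SAMPLE_LINE))  # routine == 'GSS_S_NO_CRED': local credential problem
```

Run it with KRB5_TRACE set as in the override.conf to see which ccache and keytab the krb5 mechanism actually opened when the routine error is GSS_S_NO_CRED.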

