Debugging "configuring TKEY: failure" (w/samba4)

Adam Tauno Williams awilliam at whitemice.org
Thu Nov 18 21:20:20 UTC 2010


On Fri, 2010-11-12 at 07:54 -0700, Nicholas F Miller wrote:
> I recently went through this and have it working. Look through the
> archives for 'GSS-TSIG and Active Directory'.
> https://lists.isc.org/mailman/mmsearch/bind-users?config=bind-users.htsearch&restrict=&exclude=&method=and&format=short&sort=score&words=GSS-TSIG+and+Active+Directory
> Things to check:
> 1) You are running the newest version of Bind.

Done.

BIND 9.7.2 built with '--prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--localstatedir=/var'
'--libdir=/usr/lib64' '--includedir=/usr/include/bind'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-openssl'
'--enable-threads' '--with-gssapi' '--with-libtool' '--with-libxml2'
'--with-dlz-mysql' '--with-dlz-ldap' 'CFLAGS=-O2 -g -m64
-fmessage-length=0 -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
-fasynchronous-unwind-tables -fno-strict-aliasing'
'LDFLAGS=-L/usr/lib64'

I built an RPM of 9.7.2 on openSUSE.

> 2) You might try compiling Bind with --with-gssap=/usr
> 3) Double check your krb5.conf and make sure you have arcfour-hmac-md5
> listed first in default_tgs_enctypes and default_tkt_enctypes.

I added that and retried, to no avail.

> 4) When you create your keytab don't define crypto it will default to
> RC4-HMAC-NT. (ktpass -out foo.keytab -princ DNS/foo.example.org at
> EXAMPLE.ORG -pass * -mapuser foo at example.org)

samba:/opt/ad/samba4/private # klist  -k dns.keytab -e
Keytab name: WRFILE:dns.keytab
KVNO Principal
---- 
1 DNS/ad.mormail.com at AD.MORMAIL.COM (DES cbc mode with RSA-MD5) 
1 DNS/ad.mormail.com at AD.MORMAIL.COM (AES-256 CTS mode with 96-bit SHA-1
HMAC) 
1 DNS/ad.mormail.com at AD.MORMAIL.COM (Triple DES cbc mode with
HMAC/sha1) 
1 DNS/ad.mormail.com at AD.MORMAIL.COM (ArcFour with HMAC/md5)

> 5) FWIW, I am not using any of the Samba settings. The DNS server isn't joined to 
> the AD it just has the krb5.conf setup and a keytab for DNS/dnserver.domain.

Yes, I believe that is generally the setup; Samba just uses KRB5 to
authorize to bind to perform the update.

I'm baffled there is seemingly no way to get bind to cough up more error
information such as what file it can't access or some KRB5/GSSAPI error
message.

> On Nov 10, 2010, at 6:48 AM, Adam Tauno Williams wrote:
> > I'm attempting to get Bind 9.7.2 (built on openSUSE 11.3) running in
> > relation to Samba4; this uses GSSAPI authentication to update the Bind
> > zones.  Everything works except this part.  I've built bind with
> > --with-gssapi, verified krb5 is linked in, and verified [at least with
> > kinit and other trivial krb5 tools] that Kerberos/GSSAPI is working.
> > But when I add:
> > options {
> > tkey-gssapi-credential "DNS/ad.mormail.com";
> > tkey-domain "AD.MORMAIL.COM";
> > ...
> > }
> > - to my bind configuration bind fails to start with -
> > Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: D.F.IP6.ARPA
> > Nov 10 08:43:32 opensuse named[3021]: automatic empty zone:
> > 8.E.F.IP6.ARPA
> > Nov 10 08:43:32 opensuse named[3021]: automatic empty zone:
> > 9.E.F.IP6.ARPA
> > Nov 10 08:43:32 opensuse named[3021]: automatic empty zone:
> > A.E.F.IP6.ARPA
> > Nov 10 08:43:32 opensuse named[3021]: automatic empty zone:
> > B.E.F.IP6.ARPA
> > Nov 10 08:43:32 opensuse named[3021]: automatic empty zone:
> > 8.B.D.0.1.0.0.2.IP6.ARPA
> > Nov 10 08:43:32 opensuse named[3021]: configuring TKEY: failure
> > Nov 10 08:43:32 opensuse named[3021]: loading configuration: failure
> > Nov 10 08:43:32 opensuse named[3021]: exiting (due to fatal error)
> > I've tried playing with log levels, etc... and I just can't seem to dig
> > any more information out of it.  Are there any procedures / tips for
> > debugging a "configuring TKEY: failure" message?
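Since named reports only "configuring TKEY: failure" and nothing about which precondition failed, it helps to verify the keytab side offline. The script below is an added example written for this thread, not code from the thread, from BIND or from Samba. It parses `klist -k -e` output and the `tkey-gssapi-credential` / `tkey-domain` options from a `named.conf` fragment, then reports whether the keytab holds that principal (either exactly as written, or with the tkey-domain realm appended) and whether the matching entries include the ArcFour/HMAC-MD5 (RC4-HMAC) enctype recommended earlier in the thread. The keytab listing and config are constructed samples using example.com names; the script does not decide whether BIND itself appends the realm, it only tells you which form the keytab actually contains so the option can be set to match.

```python
"""Cross-check a BIND TKEY/GSSAPI configuration against a Kerberos keytab.

Added example for the bind-users thread above; not part of BIND or Samba.
Inputs are the text of `klist -k -e` and of a named.conf options block.
"""
import re
import sys

# Constructed sample: what `klist -k dns.keytab -e` prints for a DNS
# service principal that carries several enctypes (mirrors the thread).
KLIST_SAMPLE = """Keytab name: WRFILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/ad.example.com@AD.EXAMPLE.COM (DES cbc mode with RSA-MD5)
   1 DNS/ad.example.com@AD.EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 DNS/ad.example.com@AD.EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   1 DNS/ad.example.com@AD.EXAMPLE.COM (ArcFour with HMAC/md5)
"""

# Constructed sample named.conf fragment with the two TKEY options.
NAMED_CONF_SAMPLE = """options {
    directory "/var/lib/named";
    tkey-gssapi-credential "DNS/ad.example.com";
    tkey-domain "AD.EXAMPLE.COM";
};
"""

# One klist entry line: "<kvno> <principal> (<enctype description>)"
KLIST_LINE = re.compile(r'^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$')


def parse_klist(text):
    """Return a list of (kvno, principal, enctype) tuples from klist -k -e output."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def parse_tkey_options(text):
    """Extract tkey-gssapi-credential and tkey-domain from named.conf text."""
    opts = {}
    for key in ("tkey-gssapi-credential", "tkey-domain"):
        m = re.search(r'%s\s+"([^"]+)"\s*;' % re.escape(key), text)
        if m:
            opts[key] = m.group(1)
    return opts


def check(klist_text, named_conf_text):
    """Return a list of problem strings; an empty list means all checks passed."""
    entries = parse_klist(klist_text)
    opts = parse_tkey_options(named_conf_text)
    problems = []

    cred = opts.get("tkey-gssapi-credential")
    if cred is None:
        return ["tkey-gssapi-credential is not set"]
    if "tkey-domain" not in opts:
        problems.append("tkey-domain is not set (GSS-TSIG needs the realm)")

    # Accept the credential as written, or qualified with the tkey-domain realm.
    candidates = [cred]
    if "@" not in cred and "tkey-domain" in opts:
        candidates.append("%s@%s" % (cred, opts["tkey-domain"]))

    matched = [e for e in entries if e[1] in candidates]
    if not matched:
        problems.append("no keytab entry for any of: " + ", ".join(candidates))
        return problems

    # The thread recommends RC4-HMAC (shown by klist as "ArcFour with HMAC/md5").
    if not any("ArcFour" in enctype for _, _, enctype in matched):
        problems.append("principal %s has no ArcFour/HMAC-MD5 (RC4) entry" % matched[0][1])
    return problems


if __name__ == "__main__":
    # Usage: klist -k dns.keytab -e > keytab.txt; python3 tkeycheck.py keytab.txt named.conf
    if len(sys.argv) == 3:
        klist_text = open(sys.argv[1]).read()
        conf_text = open(sys.argv[2]).read()
    else:
        klist_text, conf_text = KLIST_SAMPLE, NAMED_CONF_SAMPLE
    found = check(klist_text, conf_text)
    print("OK" if not found else "\n".join("PROBLEM: " + p for p in found))
```

Run it with no arguments to see the constructed sample pass; point it at a real `klist -k -e` capture and the live `named.conf` to compare. Two things it will not catch are file permissions (named must be able to read the keytab it is told to use) and a realm mismatch between `krb5.conf` and the keytab, so if the script reports OK and named still fails, those are the next places to look.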