Debugging "configuring TKEY: failure" (w/samba4)

Adam Tauno Williams awilliam at whitemice.org
Thu Nov 18 21:27:50 UTC 2010


On Thu, 2010-11-18 at 16:20 -0500, Adam Tauno Williams wrote: 
> On Fri, 2010-11-12 at 07:54 -0700, Nicholas F Miller wrote:
> > I recently went through this and have it working. Look through the
> > archives for 'GSS-TSIG and Active Directory'.
> > https://lists.isc.org/mailman/mmsearch/bind-users?config=bind-users.htsearch&restrict=&exclude=&method=and&format=short&sort=score&words=GSS-TSIG+and+Active+Directory
> > Things to check:
> > 1) You are running the newest version of Bind.
> Done.
> BIND 9.7.2 built with '--prefix=/usr' '--bindir=/usr/bin'
> '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--localstatedir=/var'
> '--libdir=/usr/lib64' '--includedir=/usr/include/bind'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-openssl'
> '--enable-threads' '--with-gssapi' '--with-libtool' '--with-libxml2'
> '--with-dlz-mysql' '--with-dlz-ldap' 'CFLAGS=-O2 -g -m64
> -fmessage-length=0 -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
> -fasynchronous-unwind-tables -fno-strict-aliasing'
> 'LDFLAGS=-L/usr/lib64'
> I built an RPM of 9.7.2 on openSUSE
> > 2) You might try compiling Bind with --with-gssap=/usr
> > 3) Double check your krb5.conf and make sure you have arcfour-hmac-md5
> > listed first in default_tgs_enctypes and default_tkt_enctypes.
> I added that and retried, to no avail.
> > 4) When you create your keytab don't define crypto it will default to
> > RC4-HMAC-NT. (ktpass -out foo.keytab -princ DNS/foo.example.org at
> > EXAMPLE.ORG -pass * -mapuser foo at example.org)
> samba:/opt/ad/samba4/private # klist  -k dns.keytab -e
> Keytab name: WRFILE:dns.keytab
> KVNO Principal
> ---- 
> 1 DNS/ad.mormail.com at AD.MORMAIL.COM (DES cbc mode with RSA-MD5)
> 1 DNS/ad.mormail.com at AD.MORMAIL.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> 1 DNS/ad.mormail.com at AD.MORMAIL.COM (Triple DES cbc mode with HMAC/sha1)
> 1 DNS/ad.mormail.com at AD.MORMAIL.COM (ArcFour with HMAC/md5)
> > 5) FWIW, I am not using any of the Samba settings. The DNS server isn't joined to 
> > the AD it just has the krb5.conf setup and a keytab for DNS/dnserver.domain.
> Yes, I believe that is generally the setup; Samba just uses KRB5 to
> authorize to bind to perform the update.
> I'm baffled there is seemingly no way to get bind to cough up more error
> information such as what file it can't access or some KRB5/GSSAPI error
> message.

Ok, I got this -

dispatch 0x7f68968b6120: created task 0x7f688fdce850
res 0x7f689631b198: create
dns_requestmgr_create
dns_requestmgr_create: 0x7f688fdcf1c8
dns_requestmgr_whenshutdown
dispatch 0x7f68968b6120: detach: refcount 2
acquiring credentials for DNS/ad.mormail.com
failed to acquire accept credentials for DNS/ad.mormail.com: GSSAPI
error: Major = Unspecified GSS failure.  Minor code may provide more
information, Minor = Resource temporarily unavailable.
configuring TKEY: failure
client @0x7f68965ea090: udprecv

- by running "named -4 -c /etc/named.conf -g -u named -d  65535" with
both $KEYTAB_FILE and $KRB5_KTNAME indicating the location of the
keytab.

> > On Nov 10, 2010, at 6:48 AM, Adam Tauno Williams wrote:
> > > I'm attempting to get Bind 9.7.2 (built on openSUSE 11.3) running in
> > > relation to Samba4; this uses GSSAPI authentication to update the Bind
> > > zones.  Everything works except this part.  I've build bind with
> > > --with-gssapi, verified krb5 is linked in, and verified [at least with
> > > kinit and other trivial krb5 tools] that Kerberos/GSSAPI is working.
> > > But when I add:
> > > options {
> > > tkey-gssapi-credential "DNS/ad.mormail.com";
> > > tkey-domain "AD.MORMAIL.COM";
> > > ...
> > > }
> > > - to my bind configuration bind fails to start with -
> > > Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: D.F.IP6.ARPA
> > > Nov 10 08:43:32 opensuse named[3021]: automatic empty zone:
> > > 8.E.F.IP6.ARPA
> > > Nov 10 08:43:32 opensuse named[3021]: automatic empty zone:
> > > 9.E.F.IP6.ARPA
> > > Nov 10 08:43:32 opensuse named[3021]: automatic empty zone:
> > > A.E.F.IP6.ARPA
> > > Nov 10 08:43:32 opensuse named[3021]: automatic empty zone:
> > > B.E.F.IP6.ARPA
> > > Nov 10 08:43:32 opensuse named[3021]: automatic empty zone:
> > > 8.B.D.0.1.0.0.2.IP6.ARPA
> > > Nov 10 08:43:32 opensuse named[3021]: configuring TKEY: failure
> > > Nov 10 08:43:32 opensuse named[3021]: loading configuration: failure
> > > Nov 10 08:43:32 opensuse named[3021]: exiting (due to fatal error)
> > > I've tried playing with log levels, etc... and I just can't seem to dig
> > > any more information out of it.  Are there any procedures / tips for
> > > debugging a "configuring TKEY: failure" message?
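As an added example (not code from the thread or from BIND/Samba), a small Python check for the two items the troubleshooting list above keeps returning to: that the keytab named by tkey-gssapi-credential actually contains that principal with an RC4-HMAC (ArcFour) key, and that arcfour-hmac-md5 is listed first in default_tgs_enctypes and default_tkt_enctypes. The klist output is the one quoted in the thread; the krb5.conf fragment is constructed and hypothetical.

```python
import re

# Constructed sample: the `klist -k dns.keytab -e` listing from the thread,
# with the realm separator written as '@' (the archive rendered it as " at ").
KLIST_OUTPUT = """\
Keytab name: WRFILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/ad.mormail.com@AD.MORMAIL.COM (DES cbc mode with RSA-MD5)
   1 DNS/ad.mormail.com@AD.MORMAIL.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 DNS/ad.mormail.com@AD.MORMAIL.COM (Triple DES cbc mode with HMAC/sha1)
   1 DNS/ad.mormail.com@AD.MORMAIL.COM (ArcFour with HMAC/md5)
"""

# Constructed, hypothetical krb5.conf fragment: tgs list is ordered as the
# thread recommends, tkt list is not (aes256-cts comes first).
KRB5_CONF = """\
[libdefaults]
    default_realm = AD.MORMAIL.COM
    default_tgs_enctypes = arcfour-hmac-md5 aes256-cts des-cbc-md5
    default_tkt_enctypes = aes256-cts arcfour-hmac-md5
"""

# One keytab entry: "<kvno> <principal>@<REALM> (<enctype description>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((.+)\)\s*$")

def parse_klist(text):
    """Return {principal: [enctype description, ...]} from `klist -k -e` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(2), []).append(m.group(4))
    return entries

def check_keytab(text, credential):
    """Is the tkey-gssapi-credential principal present, and does it have an RC4-HMAC key?"""
    enctypes = parse_klist(text).get(credential, [])
    return {
        "principal_present": bool(enctypes),
        "has_rc4": any("ArcFour" in e for e in enctypes),
        # single DES keys are obsolete; worth knowing they are in the keytab
        "has_single_des": any(e.startswith("DES cbc") for e in enctypes),
    }

def first_enctypes(conf):
    """Return {option: first listed enctype or None} for the two options the thread names."""
    result = {}
    for opt in ("default_tgs_enctypes", "default_tkt_enctypes"):
        m = re.search(rf"^\s*{opt}\s*=\s*(\S+)", conf, re.M)
        result[opt] = m.group(1) if m else None
    return result
```

Running the checks against the samples shows the keytab side is in order for DNS/ad.mormail.com while default_tkt_enctypes in the constructed krb5.conf does not put arcfour-hmac-md5 first.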
