From: Andrew Dumaresq on

I've used Samba3 for years, and it mostly did exactly what I wanted. In
the last few weeks I decided to install Samba4. I got it installed and
everything seems to be working as expected. I have one small issue, and
I'm not really sure if the problem is Samba4, BIND, my client PC or
something else I haven't considered.

I've got one Linux server, which acts as a Samba
(4.0.0alpha9-GIT-27087e6) server and a DNS (BIND 9.6.1-P2) server; it is
also my PDC. I've got a number of Windows clients, two of which are
currently in the domain. One PC, which is Windows XP, can update its DNS
entries with no issues:

17-Jan-2010 15:51:18.042 gss cred: "DNS/dumaresq.local@DUMARESQ.LOCAL", GSS_C_ACCEPT, 4294965265
17-Jan-2010 15:51:18.113 gss-api source name (accept) is
17-Jan-2010 15:51:18.113 process_gsstkey(): dns_tsigerror_noerror

I have another PC, which is Windows Vista, that cannot update its DNS entries:

17-Jan-2010 15:54:25.875 gss cred: "DNS/dumaresq.local@DUMARESQ.LOCAL", GSS_C_ACCEPT, 4294965078
17-Jan-2010 15:54:25.876 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Wrong principal in request.
17-Jan-2010 15:54:25.876 process_gsstkey(): dns_tsigerror_badkey

I believe I've got BIND set up correctly, since it works for the Windows
XP PC, but here are the relevant configs:

options {
    directory "/var/cache/bind";
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
    tkey-gssapi-credential "DNS/dumaresq.local";
    tkey-domain "DUMARESQ.LOCAL";
};

zone "dumaresq.local" {
    type master;
    file "/etc/bind/dumaresq/db.dumaresq";
    update-policy {
        grant localhost subdomain * A AAAA;
        grant DUMARESQ.LOCAL ms-self * A AAAA;
    };
};

zone "" {
    type master;
    file "/etc/bind/dumaresq/db.192";
    update-policy {
        grant *.LOCAL wildcard * PTR;
    };
};

Here's my smb.conf file:

netbios name = morannon
workgroup = dumaresq
realm = dumaresq.local
server role = domain controller
log file = /var/log/samba/log.%m
log level = 2
debug level = 2
interfaces = eth1 lo
bind interfaces only = yes

Is this a problem with Windows Vista? I'm assuming that either Vista
can't get the correct credentials from the KDC (which is Samba) or that
Samba is delivering the wrong credentials.

I see the following entry in the Samba logs for the computer that fails:

[Sun Jan 17 15:09:43 2010 EST, 2
Kerberos: TGS-REQ aragorn$@DUMARESQ.LOCAL from for DNS/dumaresq.local@DUMARESQ.LOCAL [canonicalize, renewable, forwardable]

So I think Samba is doing what it should. I'm lost here; does anybody have
any thoughts?
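
For comparing the working and failing clients, the named log lines quoted above can be grouped into one record per TKEY negotiation. This is an added example, not part of the original post; the sample log is constructed in the same format as the quoted lines, and the script assumes that the lines of one negotiation are logged contiguously.

```python
import re

# Constructed sample in the format of the named log lines quoted above,
# including the line wrapping introduced by the mail client.
SAMPLE = """\
17-Jan-2010 15:51:18.042 gss cred: "DNS/dumaresq.local@DUMARESQ.LOCAL",
GSS_C_ACCEPT, 4294965265
17-Jan-2010 15:51:18.113 process_gsstkey(): dns_tsigerror_noerror
17-Jan-2010 15:54:25.875 gss cred: "DNS/dumaresq.local@DUMARESQ.LOCAL",
GSS_C_ACCEPT, 4294965078
17-Jan-2010 15:54:25.876 failed gss_accept_sec_context: GSSAPI error:
Major = Unspecified GSS failure. Minor code may provide more
information, Minor = Wrong principal in request.
17-Jan-2010 15:54:25.876 process_gsstkey(): dns_tsigerror_badkey
"""

STAMP = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
CRED = re.compile(r'gss cred: "([^"]+)"')
MINOR = re.compile(r"Minor = (.+?)\.?$")
RESULT = re.compile(r"process_gsstkey\(\): dns_tsigerror_(\w+)")

def unwrap(text):
    """Rejoin continuation lines (no leading timestamp) onto their record."""
    records = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records and line.strip():
            records[-1][1] += " " + line.strip()
    return records

def negotiations(text):
    """Emit one dict per process_gsstkey() result, with the credential named
    and the GSSAPI minor status seen since the previous result."""
    out, cur = [], {"cred": None, "minor": None}
    for stamp, msg in unwrap(text):
        if (m := CRED.search(msg)):
            cur["cred"] = m.group(1)
        if "failed gss_accept_sec_context" in msg and (m := MINOR.search(msg)):
            cur["minor"] = m.group(1)
        if (m := RESULT.search(msg)):
            out.append({"time": stamp, "result": m.group(1), **cur})
            cur = {"cred": None, "minor": None}
    return out

if __name__ == "__main__":
    for n in negotiations(SAMPLE):
        print(n["time"], n["result"], n["cred"], n["minor"] or "-")
```

Matching the timestamps of the `badkey` records against the KDC's TGS-REQ entries shows which service principal each failing client actually requested.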