Problem: Check Kerberos authenticated DNS updates


In the System Diagnosis you see a critical warning saying



First, check the situation a bit further.

Check if the keytab and password match

kinit --keytab=/var/lib/samba/private/dns.keytab "dns-$(hostname)" && klist; kdestroy

If this fails with a line like

kinit: krb5_init_creds_set_keytab: Failed to find dns-master@DOMAIN.TLD in keytab FILE:/var/lib/samba/private/dns.keytab (unknown enctype)

Check the current password manually

# read the current password from secrets.ldb
root@ucs:~# ldbsearch -H /var/lib/samba/private/secrets.ldb samaccountname="dns-$(hostname)" secret
secret: 7h35ecr3tP4s5w0rd

# run kinit with that password
root@ucs:~# kinit "dns-$(hostname)" && klist; kdestroy
dns-master.domain.tld@DOMAIN.TLD's Password: 7h35ecr3tP4s5w0rd
kinit: Password incorrect

The password may be accepted when entered manually even though the keytab check failed; in that case the keytab still has to be recreated (see below).

Check the Principals

Another common cause is a wrong principal. The entry for the DNS principal in secrets.ldb must contain the following two principals (marked with > below):

dn: samAccountName=dns-master,CN=Principals
objectClass: kerberosSecret
privateKeytab: dns.keytab
sAMAccountName: dns-master
> servicePrincipalName: DNS/master.domain.tld
objectGUID: 514efcc0-8c65-412b-9d81-2e9960a0b8a5
whenCreated: 20141027163301.0Z
uSNCreated: 10
name: dns-master
secret: 7h35ecr3tP4s5w0rd
> saltPrincipal: dns-master@DOMAIN.TLD
msDS-KeyVersionNumber: 2
whenChanged: 20190808153141.0Z
uSNChanged: 99
distinguishedName: samAccountName=dns-master,CN=Principals

Change them if they differ (each modification is terminated by a "-" line as in standard LDIF, and the heredoc by %EOR):

root@ucs:~# ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOR
dn: samAccountName=dns-$(hostname),CN=Principals
changetype: modify
replace: saltPrincipal
saltPrincipal: dns-$(hostname)@$(ucr get kerberos/realm)
-
replace: servicePrincipalName
servicePrincipalName: DNS/$(hostname -f)
-
%EOR


Recreate a new Keytab

# move the existing keytab aside (archived, then removed)
root@ucs:~# tar -cjvf /var/lib/samba/private/dns.keytab.tar.bz2 /var/lib/samba/private/dns.keytab --remove-files

# recreate the keytab: rewriting the secret with its current value makes Samba
# regenerate the keytab named in privateKeytab (dns.keytab)
root@ucs:~# ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOR
dn: samAccountName=dns-$(hostname),CN=Principals
changetype: modify
replace: secret
secret: $(ldbsearch -H /var/lib/samba/private/secrets.ldb sAMAccountName=dns-$(hostname) secret | sed -ne 's/^secret: //p')
-
%EOR
Modified 1 records successfully
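The checks above collected into one read-only script, as an added example that is not part of the original article and not Univention's own tooling: it derives the expected saltPrincipal and servicePrincipalName exactly the way the ldbmodify above builds them, compares them with the ldbsearch output, and runs the keytab kinit check. The function names and the --live switch are my own; the paths, commands and ucr variable are the article's. Without --live nothing on the system is touched, so the comparison logic can be exercised on pasted ldbsearch output.

```shell
#!/bin/sh
# Added example (not from the original article): verify the DNS principal
# entry in secrets.ldb and the dns.keytab on a UCS Samba DC. Function names
# and the --live switch are hypothetical; paths/commands are the article's.
set -u

SECRETS_LDB=/var/lib/samba/private/secrets.ldb
DNS_KEYTAB=/var/lib/samba/private/dns.keytab

# Expected saltPrincipal: dns-<short hostname>@<REALM> (as in the ldbmodify above).
expected_salt_principal() {
    # $1 = short hostname, $2 = Kerberos realm (output of `ucr get kerberos/realm`)
    printf 'dns-%s@%s\n' "$1" "$2"
}

# Expected servicePrincipalName: DNS/<fqdn> (as in the ldbmodify above).
expected_service_principal() {
    # $1 = FQDN (output of `hostname -f`)
    printf 'DNS/%s\n' "$1"
}

# Print the first value of attribute $1 from ldbsearch LDIF output on stdin
# (comment lines such as "# record 1" are ignored; prints nothing if absent).
ldif_attr() {
    sed -ne "s/^$1: //p" | head -n 1
}

# Compare the principal entry (LDIF on stdin) against the expected values.
# $1 = short hostname, $2 = FQDN, $3 = realm.
# Prints one line per mismatch; returns 0 if both match, 1 otherwise.
check_dns_principals() {
    ldif=$(cat)
    want_salt=$(expected_salt_principal "$1" "$3")
    want_spn=$(expected_service_principal "$2")
    have_salt=$(printf '%s\n' "$ldif" | ldif_attr saltPrincipal)
    have_spn=$(printf '%s\n' "$ldif" | ldif_attr servicePrincipalName)
    rc=0
    if [ "$have_salt" != "$want_salt" ]; then
        echo "saltPrincipal mismatch: have '$have_salt', want '$want_salt'"
        rc=1
    fi
    if [ "$have_spn" != "$want_spn" ]; then
        echo "servicePrincipalName mismatch: have '$have_spn', want '$want_spn'"
        rc=1
    fi
    return $rc
}

# Live run against the real DC (only when called with --live); read-only.
if [ "${1:-}" = "--live" ]; then
    # 1. keytab vs. password: the article's kinit check
    if kinit --keytab="$DNS_KEYTAB" "dns-$(hostname)"; then
        echo "keytab OK"
    else
        echo "keytab check FAILED (password/keytab mismatch, recreate keytab)"
    fi
    kdestroy 2>/dev/null || true
    # 2. principals in secrets.ldb vs. hostname/realm
    if ldbsearch -H "$SECRETS_LDB" "samAccountName=dns-$(hostname)" \
        | check_dns_principals "$(hostname)" "$(hostname -f)" "$(ucr get kerberos/realm)"; then
        echo "principals OK"
    fi
fi
```

Run it as `sh check_dns_principal.sh --live` on the DC; a non-zero line from check_dns_principals means the corresponding ldbmodify above is needed, and a failed kinit means the keytab must be recreated.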

