[Samba] dns_tkey_gssnegotiate: TKEY is unacceptable

Alex Wan compumaxaw at gmail.com
Tue Mar 28 09:26:32 UTC 2023


My OS is Ubuntu 20.04, with Samba version 4.15.13; BIND is 9.16.
I have an existing domain controller (compumaxdc01) and joined another
(compumaxdc03) to act as a secondary/backup according to the
instructions on the wiki here:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
Both are using bind-dns as the backend, so I've made sure not to use
the dns.keytab in /var/lib/samba/private.
Also, instead of /usr/local/samba, my filesystem has it in /var/lib/samba.

I have done everything on
/wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable/
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Troubleshooting
however, no matter what I do, running "samba_dnsupdate --verbose
--all-names" on the secondary always gets me the TKEY error:

dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 28 entries

Here are the contents of the files.
--------------------
/etc/resolvconf/resolv.conf.d/base
search thecompumax.com
nameserver 192.168.2.3 (secondary)
nameserver 192.168.2.1 (primary)
nameserver 192.168.1.1
nameserver 127.0.0.53
--------------------
/etc/samba/smb.conf
[global]
netbios name = COMPUMAXDC03
realm = THECOMPUMAX.COM
server role = active directory domain controller
workgroup = THECOMPUMAX
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
log file = /var/log/samba/samba.log
log level = 3
max log size = 1000000
[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/thecompumax.com/scripts
read only = No
--------------------
/etc/hosts
127.0.0.1 localhost
192.168.2.3 compumaxdc03.thecompumax.com compumaxdc03
--------------------
/etc/apparmor.d/usr.sbin.named

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,

  # Database file used by allow-new-zones
  /var/cache/bind/_default.nzd-lock rwk,

  # gssapi
  /etc/krb5.keytab kr,
  /etc/bind/krb5.keytab kr,

  # gssapi
  /var/lib/sss/pubconf/krb5.include.d/** r,
  /var/lib/sss/pubconf/krb5.include.d/ r,
  /var/lib/sss/mc/initgroups r,
  /etc/gss/mech.d/ r,

  # ldap
  /etc/ldap/ldap.conf r,
  /{,var/}run/slapd-*.socket rw,

  # dynamic updates
  /var/tmp/DNS_* rw,

  # dyndb backends
  /usr/lib/bind/*.so rm,

  # Samba DLZ
  /{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
  /{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
  /{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
  /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
  /var/lib/samba/bind-dns/dns.keytab rk,
  /var/lib/samba/bind-dns/named.conf rw,
  /var/lib/samba/bind-dns/* rw,
  /var/lib/samba/bind-dns/dns/** rwk,
  /var/lib/samba/private/dns.keytab rk,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,
  /etc/samba/smb.conf r,
  /dev/urandom rwmk,
  owner /var/tmp/krb5_* rwk,
--------------------
/etc/bind/named.conf.options (root:bind -rw-r--r--)
options {
directory "/var/cache/bind";
dnssec-validation no;

listen-on-v6 { none; };
tkey-gssapi-keytab "var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
};
--------------------
/etc/bind/named.conf (root:bind -rw-r--r--)
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";

logging {
channel query_logging {
syslog daemon;
severity dynamic;
print-time yes;
};
category queries {
query_logging;
};
};
--------------------
yaml file in /etc/netplan
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    eno1:
      dhcp4: no
      addresses:
        - 192.168.2.3/22
      gateway4: 192.168.1.1
      nameservers:
        search: [thecompumax.com ]
        addresses: [192.168.2.3, 192.168.2.1, 192.168.1.1]
--------------------
/etc/krb5.conf (root:named rw-r--r--)
[libdefaults]
default_realm = THECOMPUMAX.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
THECOMPUMAX.COM = {
default_domain = thecompumax.com
}

[domain_realm]
COMPUMAXDC03 = THECOMPUMAX.COM
--------------------
klist -k -K -t /var/lib/samba/bind-dns/dns.keytab
Keytab name: FILE:/var/lib/samba/bind-dns/dns.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 03/28/2023 03:54:37 DNS/compumaxdc03.thecompumax.com@THECOMPUMAX.COM (0x8a43b6881b1c7f5bde4fcd54b5a09f1c3652389d7cf0d8ef2f928f2588e72097)
   1 03/28/2023 03:54:37 dns-compumaxdc03@THECOMPUMAX.COM (0x8a43b6881b1c7f5bde4fcd54b5a09f1c3652389d7cf0d8ef2f928f2588e72097)
   1 03/28/2023 03:54:37 DNS/compumaxdc03.thecompumax.com@THECOMPUMAX.COM (0x770bb6f353f9b8b4a119578d6c7c8ae1)
   1 03/28/2023 03:54:37 dns-compumaxdc03@THECOMPUMAX.COM (0x770bb6f353f9b8b4a119578d6c7c8ae1)
   1 03/28/2023 03:54:37 DNS/compumaxdc03.thecompumax.com@THECOMPUMAX.COM (0x98fd5629817f11d06cc587745df0479a)
   1 03/28/2023 03:54:37 dns-compumaxdc03@THECOMPUMAX.COM (0x98fd5629817f11d06cc587745df0479a)
--------------------
Please let me know if I missed any other files.

ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb '(invocationid=*)' --cross-ncs objectguid
returns 2 records, both of which verify correctly.

I'm honestly at my wits' end, and any help to resolve this would be
much appreciated.
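One thing worth checking first in the named.conf.options posted above: the tkey-gssapi-keytab value has no leading slash. BIND takes every non-absolute path in named.conf relative to the directory option, so named would open /var/cache/bind/var/lib/samba/bind-dns/dns.keytab, find nothing, and have no key to accept the GSS-TSIG TKEY with, which is exactly the client-side symptom "TKEY is unacceptable". The POSIX shell script below is an added example (not part of the post and not Samba or BIND code): it resolves the keytab path the way named does and classifies the configuration. The function names (named_option, effective_keytab, tkey_keytab_status, write_samples) and the two sample config files are constructed for this illustration; the "bad" sample copies the shape of the posted options block, the "good" sample uses the absolute path the Samba wiki shows.

```shell
#!/bin/sh
# Added example: resolve the keytab path named will actually open for
# GSS-TSIG (tkey-gssapi-keytab), applying BIND's rule that a non-absolute
# path in named.conf is relative to the "directory" option.

# Print the double-quoted value of option $2 from named.conf(.options) $1.
# Assumes the option sits on its own line, as in the posted file.
named_option() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Print the path named will open.  Exit status:
#   0  absolute path
#   1  relative path: named resolves it under "directory"
#   2  tkey-gssapi-keytab is not set at all
effective_keytab() {
    conf="$1"
    kt=$(named_option "$conf" tkey-gssapi-keytab)
    dir=$(named_option "$conf" directory)
    case "$kt" in
        "")  echo "tkey-gssapi-keytab is not set in $conf" >&2; return 2 ;;
        /*)  echo "$kt"; return 0 ;;
        *)   echo "${dir:-.}/$kt"; return 1 ;;
    esac
}

# Classify the file: ok | missing:<path> | relative:<path> | unset.
# "ok" means readable by the caller; named runs as the bind user under
# AppArmor, so also confirm that user can read it (see usage note).
tkey_keytab_status() {
    path=$(effective_keytab "$1" 2>/dev/null) && rc=0 || rc=$?
    case "$rc" in
        0) if [ -r "$path" ]; then echo "ok"; else echo "missing:$path"; fi ;;
        1) echo "relative:$path" ;;
        *) echo "unset" ;;
    esac
}

# Constructed samples for a demo.  bad.conf mirrors the posted options block
# (note the missing leading slash); good.conf writes an absolute path, $2,
# defaulting to the bind-dns keytab location the post uses elsewhere.
write_samples() {
    out="$1"; kt="${2:-/var/lib/samba/bind-dns/dns.keytab}"
    cat > "$out/bad.conf" <<'EOF'
options {
directory "/var/cache/bind";
dnssec-validation no;
tkey-gssapi-keytab "var/lib/samba/bind-dns/dns.keytab";
};
EOF
    cat > "$out/good.conf" <<EOF
options {
directory "/var/cache/bind";
dnssec-validation no;
tkey-gssapi-keytab "$kt";
};
EOF
}

case "${1:-}" in
    --demo)
        tmp=$(mktemp -d)
        touch "$tmp/dns.keytab"            # stand-in for the real keytab
        write_samples "$tmp" "$tmp/dns.keytab"
        for c in bad good; do
            printf '%s.conf -> %s\n' "$c" "$(tkey_keytab_status "$tmp/$c.conf")"
        done
        rm -rf "$tmp"
        ;;
    "") ;;                                   # no argument: only define functions
    *)  tkey_keytab_status "$1" ;;           # e.g. /etc/bind/named.conf.options
esac
```

Run it against the real file with `sh check_tkey.sh /etc/bind/named.conf.options`; anything other than `ok` needs fixing before the GSS-TSIG side can work. After making the path absolute, confirm the bind user can read the keytab (`sudo -u bind klist -k /var/lib/samba/bind-dns/dns.keytab`), run `named-checkconf`, restart named, and re-run `samba_dnsupdate --verbose --all-names`. Keep the keytab readable only by root and the bind group: it holds the DNS service key that authorises dynamic updates to the AD zones.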