[Samba] DC2: TKEY is unacceptable, Failed DNS update?

mathias dufresne infractory at gmail.com
Mon May 23 13:19:05 UTC 2016


Hi,

Are you using Samba's internal DNS or Bind?

If you are using Bind9_DLZ as dns-backend, it should be a rights issue on
files used by Bind itself (i.e. private/dns.keytab, private/named.conf,
private/dns or private/dns/* and of course private itself).

If you are running internal DNS as backend, you can change that parameter
in smb.conf:
from: allow dns updates = secure only (default, not necessarily written
in smb.conf)
to: allow dns updates = unsecure
And after restarting Samba the command "samba_dnsupdate" should work
without error.

The Samba wiki has said for some time that you should use the BIND9_DLZ backend
for DNS if you have a complex DNS configuration. Two DCs could be a complex
configuration... especially if you want them to be on different networks.

Another issue with internal DNS: while AD DNS is supposed to be multi-master
(each DNS server replies "I am SOA", as every DNS server is able to receive
DNS updates and push them into the AD DB), with internal DNS the only DNS
server replying "I am SOA" is the one declared as SOA in the AD DB.
Here the issue is simple: if the DC declared as SOA in AD is down, no DNS
server will handle DNS updates as they are not SOA...

In short: if you want to get rid of DNS issues, stop using internal DNS,
which is not yet ready. Replace it with BIND9_DLZ, which is really easy, and
you will start to love DNS management : )

Cheers, and sorry to have again misspoken about the internal DNS backend...

mathias

2016-05-15 22:36 GMT+02:00 Jo L <j.o.l at live.com>:

> I installed two virtual machines with Samba as domain controllers for the
> same domain. I was struggling with network and DNS configuration initially,
> maybe my problem is related.
>
> DC1 starts up ok, the last line of the log reads
>
> STATUS=daemon 'samba' finished starting up and ready to serve connections
>
> DC2 starts with plenty of lines
>
>  [2016/05/15 22:00:32.744910,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
>
> and also
>
> [2016/05/15 22:00:34.232460,  0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
>   ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_UNSUCCESSFUL
>
> Both use bridge network configuration, static IP addresses, /etc/resolv.conf
> points to themselves (and the other), they can ping each other, but DC1
> cannot resolve the name of DC2. I was assuming that the name information is
> part of the replicated information?
>
> When DC2 joined DC1, resolv.conf was pointing to DC1. I changed that later on
> as I want to be able to continue to operate DC2 while DC1 is down.
> Ultimately I want to run the DCs in two different networks that may
> occasionally become disconnected.
>
> What am I doing wrong?
>
> Thx -
> Joachim
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
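As an added example (not part of this thread or of Samba itself), a small Python audit in the spirit of the "rights issue" hint above: it checks whether the BIND service user can read each of the items mathias lists under Samba's private directory. The default location /var/lib/samba/private and the user name "named" are assumptions passed as parameters; write access, which the thread does not discuss, is not checked.

```python
import os
import pwd
import grp
import stat
import sys
# Items the reply lists, relative to Samba's private dir ("" is the dir itself).
DLZ_PATHS = ["", "dns.keytab", "named.conf", "dns"]

def user_groups(user):
    """Resolve a user name to (uid, set of gids) from the passwd/group DBs."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids

def can_read(st, uid, gids):
    """Owner/group/other read check; directories also need the search (x) bit."""
    if uid == 0:  # root bypasses DAC, as the kernel does
        return True
    if st.st_uid == uid:
        r, x = stat.S_IRUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        r, x = stat.S_IRGRP, stat.S_IXGRP
    else:
        r, x = stat.S_IROTH, stat.S_IXOTH
    need = r | (x if stat.S_ISDIR(st.st_mode) else 0)
    return st.st_mode & need == need

def audit(private_dir, uid, gids):
    """Return the paths under private_dir that the given user cannot read."""
    problems = []
    for rel in DLZ_PATHS:
        path = os.path.join(private_dir, rel)
        if not os.path.exists(path):
            problems.append(f"{path}: missing")
            continue
        if not can_read(os.stat(path), uid, gids):
            problems.append(f"{path}: not readable")
        if rel and os.path.isdir(path):  # private/dns/* from the reply
            for name in sorted(os.listdir(path)):
                sub = os.path.join(path, name)
                if not can_read(os.stat(sub), uid, gids):
                    problems.append(f"{sub}: not readable")
    return problems

if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "named"  # assumed BIND user
    private_dir = sys.argv[2] if len(sys.argv) > 2 else "/var/lib/samba/private"  # assumed
    uid, gids = user_groups(user)
    print("\n".join(audit(private_dir, uid, gids) or [f"all readable by {user}"]))
```

Run it as root on the DC (e.g. `python3 audit.py bind` on Debian, where the service user is "bind"); an empty result means every listed item is readable by that user, otherwise each offending path is printed.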

