[Samba] DC2: TKEY is unacceptable, Failed DNS update?

Jo j.o.l at live.com
Tue May 24 19:57:26 UTC 2016

Hi Mathias,
thanks for the hint. My interpretation so far was that complex involves managing any data in addition to what the AD is supposed to manage anyway. Anyway, I tried to follow your advice, but not to success so far. On Ubuntu 16.04, bind is running under the user bind instead of root, and app armor is active. I figured out how to change both and bind starts successfully and answers questions, but when I try another domain join, the 2nd system complains there is no writeable DC. Any idea how to fix that or what to check?
Thanks,  Joachim

-----Urspr√ľngliche Nachricht-----
Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von mathias dufresne
Gesendet: Montag, 23. Mai 2016 15:19
An: Jo L <j.o.l at live.com>
Cc: samba at lists.samba.org
Betreff: Re: [Samba] DC2: TKEY is unacceptable, Failed DNS update?


Are you using Samba's internal DNS or Bind?

If you are using Bind9_DLZ as dns-backend it should be a right issue on files used by Bind itself (ie private/dns.keytab, private/named.conf, private/dns or private/dns/* and of course private itself).

If you are running internal DNS as backend, you can change that parameter into smb.conf:
from: allow dns updates = secure only (default, not necessarily written into smb.conf)
to: allow dns updates = unsecure
And after restarting samba the command "samba_dnsupdate" should work without error.

The Samba wiki told for some time you should use BIND9_DLZ backend for DNS if you have a complex DNS configuration. Two DC could be a complex configuration... especially if you want them to be on different network.

Another issue with internal DNS: when AD DNS is supposed to be multi-master (each DNS server reply "I am SOA" for every DNS server is able to receive DNS updates and push them into AD DB) with internal DNS the only one DNS server replying "I am SOA" is the one declared as SOA into AD DB.
Here the issue is simple: if the DC declared as SOA into AD is down, no DNS server would handle DNS updates as they are not SOA...

In short: if you want to get rid of DNS issues stop using internal DNS which is not yet ready. Replace it by BIND9_DLZ which is really easy and you will start to love DNS management : )

Cheers, and sorry to have again misspoken about internal DNS backend...


2016-05-15 22:36 GMT+02:00 Jo L <j.o.l at live.com>:

> I installed
> two virtual machines with Samba as domain controllers for the same domain.
> I
> was struggling with network and DNS configuration initially, maybe my 
> problem is related.
> DC1 starts
> up ok, the last line of the log reads
> STATUS=daemon
> 'samba' finished starting up and ready to serve connections
> DC2 starts
> with plenty of lines
>  [2016/05/15 22:00:32.744910,  0]
> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate:
> dns_tkey_negotiategss: TKEY is unacceptable
> and also
> [2016/05/15
> 22:00:34.232460,  0]
> ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
>   ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - 
> NT_STATUS_UNSUCCESSFULBoth use bridge network configuration, static IP 
> addresses, /etc/resolv.conf points to themselves (and the other), they 
> can ping each other, but DC1 cannot resolve the name of DC2. I was 
> assuming that the name information is part of the replicated 
> information?When DC2 joined DC1, resolv.conf was pointing to DC1. I 
> changed that later on as I want to be able to continue to operate DC2 
> while DC1 is down. Ultimately I want to run the DCs in two different 
> networks that may occasionally become disconnected.
> What am I doing
> wrong?
> Thx -
> Joachim
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list