[Samba] BIND9_DLZ: TKEY is unacceptable - depending on the name server
Peter Serbe
peter at serbe.ch
Sat Jun 30 14:01:10 UTC 2018
Dear Samba experts,
For a couple of days now I have been trying to fix my domain.
I have two ADDCs on raspis at each of two sites. One is running on Raspbian and works fine. The other three are on Gentoo, and something is broken there.
When I point name resolution in resolv.conf to the Raspbian machine, the dynamic updates work just fine:
# horus /srv/samba/demoshare # samba_dnsupdate --verbose --all-names
# IPs: ['192.168.41.25']
# force update: A horus.samdom.com 192.168.41.25
# force update: NS samdom.com horus.samdom.com
# force update: NS _msdcs.samdom.com horus.samdom.com
# force update: A samdom.com 192.168.41.25
# .....
# 29 DNS updates and 0 DNS deletes needed
# Successfully obtained Kerberos ticket to DNS/charon.samdom.com as HORUS$
# update(nsupdate): A horus.samdom.com 192.168.41.25
# Calling nsupdate for A horus.samdom.com 192.168.41.25 (add)
# Successfully obtained Kerberos ticket to DNS/charon.samdom.com as HORUS$
# Outgoing update query:
# ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
# ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
# ;; UPDATE SECTION:
# horus.samdom.com. 900 IN A 192.168.41.25
#
# update(nsupdate): NS samdom.com horus.samdom.com
# .....
Now I edit resolv.conf to point to the ADDC charon at 192.168.11.205,
and the Kerberos ticket is now obtained for DNS/horus.samdom.com, which
is actually one of the Gentoo machines, and even though it states the
ticket was granted successfully, the update fails.
# horus ~ # samba_dnsupdate --verbose --all-names
# IPs: ['192.168.41.25']
# force update: A horus.samdom.com 192.168.41.25
# .....
# 29 DNS updates and 0 DNS deletes needed
# Successfully obtained Kerberos ticket to DNS/horus.samdom.com as HORUS$
# update(nsupdate): A horus.samdom.com 192.168.41.25
# Calling nsupdate for A horus.samdom.com 192.168.41.25 (add)
# Successfully obtained Kerberos ticket to DNS/horus.samdom.com as HORUS$
# Outgoing update query:
# ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
# ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
# ;; UPDATE SECTION:
# horus.samdom.com. 900 IN A 192.168.41.25
#
# dns_tkey_gssnegotiate: TKEY is unacceptable
# Failed nsupdate: 1
# update(nsupdate): NS samdom.com horus.samdom.com
# .....
Needless to say, I tried to generate new keytabs. I demoted machines
and re-joined them, but the issue persists. Actually, samba-4.8.3 is
on all machines, with ldb/tdb/tevent/talloc in the same versions as
bundled with samba-4.8.3. Raspbian has a pretty old BIND 9.10.3-P4.
On Gentoo I tried 9.11.3 and 9.11.2_p1.
What I need first is a tip for an efficient setup for debugging it.
Is there a way to have a look at the granted tickets? There must be
some difference.
I examined the output from named, but I could not see anything fishy
there.
This one works OK:
> root at charon:/usr/local/samba/private# named -V
> BIND 9.10.3-P4-Raspbian <id:ebd72b3>
> built by make with '--prefix=/usr' '--mandir=/usr/share/man'
> '--libdir=/usr/lib/arm-linux-gnueabihf' '--infodir=/usr/share/info'
> '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
> '--enable-threads' '--enable-largefile' '--with-libtool'
> '--enable-shared' '--enable-static' '--with-gost=no'
> '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
> '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
> '--enable-filter-aaaa' '--enable-native-pkcs11'
> '--with-pkcs11=/usr/lib/arm-linux-gnueabihf/softhsm/libsofthsm2.so'
> '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2
> -fdebug-prefix-map=/build/bind9-6GG44j/bind9-9.10.3.dfsg.P4=.
> -fstack-protector-strong -Wformat -Werror=format-security
> -fno-strict-aliasing -fno-delete-null-pointer-checks
> -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now'
> 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
And this is not working (on the Gentoo machine):
> horus /etc/portage # named -V
> BIND 9.11.3 (Extended Support Version) <id:a375815>
> running on Linux armv7l 4.4.136-695e41116993e0a4f080354e72f13d91-0 #1
> SMP Thu Jun 14 14:09:46 CEST 2018
> built by make with '--prefix=/usr' '--build=armv7a-hardfloat-linux-gnueabi'
> '--host=armv7a-hardfloat-linux-gnueabi' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc'
> '--localstatedir=/var/lib' '--libdir=/usr/lib' '--sysconfdir=/etc/bind'
> '--localstatedir=/var' '--with-libtool' '--enable-full-report'
> '--without-readline' '--enable-linux-caps' '--disable-filter-aaaa'
> '--disable-fixed-rrset' '--disable-ipv6' '--disable-rpz-nsdname'
> '--disable-rpz-nsip' '--disable-seccomp' '--enable-threads'
> '--with-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem' '--with-dlz-stub'
> '--with-gost' '--with-gssapi' '--without-idn' '--without-libjson'
> '--without-dlz-ldap' '--without-dlz-mysql' '--without-dlz-odbc'
> '--without-dlz-postgres' '--without-lmdb' '--with-python' '--with-ecdsa'
> '--with-openssl=/usr' '--without-libxml2' '--with-zlib'
> '--with-randomdev=/dev/random' 'build_alias=armv7a-hardfloat-linux-gnueabi'
> 'host_alias=armv7a-hardfloat-linux-gnueabi' 'CFLAGS=-O2 -pipe
> -march=armv7-a -mfpu=vfpv3-d16 -mfloat-abi=hard -I/usr/include/db5.3'
> 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
> compiled by GCC 6.4.0
> compiled with OpenSSL version: OpenSSL 1.0.2o 27 Mar 2018
> linked to OpenSSL version: OpenSSL 1.0.2o 27 Mar 2018
> compiled with zlib version: 1.2.11
> linked to zlib version: 1.2.11
> threads support is enabled
Thank you in advance and best regards,
Peter
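As an added example (not from the mail, nor Samba or BIND code), a small Python helper for the debugging step asked about above: it parses samba_dnsupdate --verbose output to pair each nsupdate call with the error that followed it and with the DNS/ service principal the ticket was obtained for, and it diffs the quoted configure arguments of two named -V outputs so build differences between the working and failing servers stand out. The sample log lines and named -V fragments are constructed, abridged from the transcripts in the mail.

```python
import re

# Constructed samples, abridged from the samba_dnsupdate --verbose
# transcripts in the mail (the leading "# " of the mail is tolerated).
OK_RUN = """\
# Successfully obtained Kerberos ticket to DNS/charon.samdom.com as HORUS$
# Calling nsupdate for A horus.samdom.com 192.168.41.25 (add)
# ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
# update(nsupdate): NS samdom.com horus.samdom.com
"""
BAD_RUN = """\
# Successfully obtained Kerberos ticket to DNS/horus.samdom.com as HORUS$
# Calling nsupdate for A horus.samdom.com 192.168.41.25 (add)
# dns_tkey_gssnegotiate: TKEY is unacceptable
# Failed nsupdate: 1
# update(nsupdate): NS samdom.com horus.samdom.com
"""
# Constructed, abridged 'named -V' configure lines for the two builds.
NAMED_OK = "built by make with '--prefix=/usr' '--with-gssapi=/usr' '--with-randomdev=/dev/urandom'"
NAMED_BAD = "built by make with '--prefix=/usr' '--with-gssapi' '--with-randomdev=/dev/random' '--with-dlopen'"

TICKET_RE = re.compile(r"Kerberos ticket to (DNS/\S+) as (\S+)")
UPDATE_RE = re.compile(r"Calling nsupdate for (.+?) \((add|delete)\)")

def summarize_dnsupdate(log):
    """Record which DNS/ principal the ticket was for and pair every
    nsupdate error line with the update that was being sent."""
    summary = {"servers": set(), "updates": [], "failures": []}
    current = None
    for raw in log.splitlines():
        line = raw.strip().lstrip("#").strip()
        if m := TICKET_RE.search(line):
            summary["servers"].add(m.group(1))
        elif m := UPDATE_RE.search(line):
            current = m.group(1)
            summary["updates"].append(current)
        elif line.startswith(("dns_tkey_gssnegotiate:", "Failed nsupdate:")):
            summary["failures"].append((current, line))
    return summary

def configure_flags(named_v):
    """Collect the single-quoted configure arguments from 'named -V' output."""
    return set(re.findall(r"'([^']*)'", named_v))

def flag_diff(good, bad):
    """Return (only_in_good, only_in_bad) so build differences stand out."""
    g, b = configure_flags(good), configure_flags(bad)
    return sorted(g - b), sorted(b - g)

if __name__ == "__main__":
    for name, log in (("working", OK_RUN), ("failing", BAD_RUN)):
        s = summarize_dnsupdate(log)
        print(name, "ticket for", s["servers"], "failures:", s["failures"])
    print("only in working build:", flag_diff(NAMED_OK, NAMED_BAD)[0])
    print("only in failing build:", flag_diff(NAMED_OK, NAMED_BAD)[1])
```

Feed it the full transcripts and the complete named -V outputs instead of the abridged samples to get the real lists; the flag diff only shows what differs between builds, it does not say which difference matters.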