[Samba] BIND9_DLZ: TKEY is unacceptable - depending on the name server

Harry Jede walk2sun at arcor.de
Sat Jun 30 20:21:55 UTC 2018


On Saturday, 30 June 2018 at 16:01:10 CEST, Peter Serbe via samba wrote:
> Dear Samba experts,
> 
> Since a couple of days I am trying to fix my domain.
> I have each two ADDCs on raspis on two sites. One is running on
> Raspian and works fine. The other three are on Gentoo and something
> is broken there. When I point the name resolution in resolv.conf to
> the Raspian machine the dynamic updates are just working fine:
> 
> 
> # horus /srv/samba/demoshare # samba_dnsupdate --verbose --all-names
> # IPs: ['192.168.41.25']
> # force update: A horus.samdom.com 192.168.41.25
> # force update: NS samdom.com horus.samdom.com
> # force update: NS _msdcs.samdom.com horus.samdom.com
> # force update: A samdom.com 192.168.41.25
> # .....
> # 29 DNS updates and 0 DNS deletes needed
> # Successfully obtained Kerberos ticket to DNS/charon.samdom.com as
> HORUS$ # update(nsupdate): A horus.samdom.com 192.168.41.25
> # Calling nsupdate for A horus.samdom.com 192.168.41.25 (add)
> # Successfully obtained Kerberos ticket to DNS/charon.samdom.com as
> HORUS$ # Outgoing update query:
> # ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> # ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> # ;; UPDATE SECTION:
> # horus.samdom.com.    900     IN      A       192.168.41.25
> #
> # update(nsupdate): NS samdom.com horus.samdom.com
> # .....
> 
> 
> Now I edit resolv.conf to point to the ADDC charon at 192.168.11.205,
> and the Kerberos ticket is now obtained by DNS/horus.samdom.com, which
> is actually one of the Gentoo machines, and even though it states the
> ticket was granted successfully, the update fails.
> 
> 
> # horus ~ # samba_dnsupdate --verbose --all-names
> # IPs: ['192.168.41.25']
> # force update: A horus.samdom.com 192.168.41.25
> # .....
> # 29 DNS updates and 0 DNS deletes needed
> # Successfully obtained Kerberos ticket to DNS/horus.samdom.com as
> HORUS$ # update(nsupdate): A horus.samdom.com 192.168.41.25
> # Calling nsupdate for A horus.samdom.com 192.168.41.25 (add)
> # Successfully obtained Kerberos ticket to DNS/horus.samdom.com as
> HORUS$ # Outgoing update query:
> # ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> # ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> # ;; UPDATE SECTION:
> # horus.samdom.com.    900     IN      A       192.168.41.25
> #
> # dns_tkey_gssnegotiate: TKEY is unacceptable
> # Failed nsupdate: 1
> # update(nsupdate): NS samdom.com horus.samdom.com
> # .....
> 
> 
> Needless to say, I tried to generate new keytabs. I demoted
> machines and re-joined them, but the issue persists. Actually there
> is samba-4.8.3 on all machines, and the ldb/tdb/tevent/talloc in the
> same version as bundled with samba-4.8.3. Raspbian has a pretty old
> Bind 9.10.3-P4. On Gentoo I tried 9.11.3 and 9.11.2_p1.
> 
> What I need first is a tip for an efficient setting for debugging it.
> Is there a way to have a look at the granted tickets? There must be
> some difference.
> 
> I examined the output from named, but I could not see anything fishy
> there.
> 
> This one works OK:
> > root at charon:/usr/local/samba/private# named -V
> > BIND 9.10.3-P4-Raspbian <id:ebd72b3>
> > built by make with '--prefix=/usr' '--mandir=/usr/share/man'
> > '--libdir=/usr/lib/arm-linux-gnueabihf' '--infodir=/usr/share/info'
> > '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
> > '--enable-threads' '--enable-largefile' '--with-libtool'
> > '--enable-shared' '--enable-static' '--with-gost=no'
> > '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
> > '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
> > '--enable-filter-aaaa' '--enable-native-pkcs11'
> > '--with-pkcs11=/usr/lib/arm-linux-gnueabihf/softhsm/libsofthsm2.so'
> > '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2
> > -fdebug-prefix-map=/build/bind9-6GG44j/bind9-9.10.3.dfsg.P4=.
> > -fstack-protector-strong -Wformat -Werror=format-security
> > -fno-strict-aliasing -fno-delete-null-pointer-checks
> > -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now'
> > 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
Maybe --with-dlz-ldap is the default

> And this is not working (on the Gentoo machine):
> > horus /etc/portage # named -V
> > BIND 9.11.3 (Extended Support Version) <id:a375815>
> > running on Linux armv7l 4.4.136-695e41116993e0a4f080354e72f13d91-0 #1
> > SMP Thu Jun 14 14:09:46 CEST 2018
> > built by make with '--prefix=/usr'
> > '--build=armv7a-hardfloat-linux-gnueabi'
> > '--host=armv7a-hardfloat-linux-gnueabi' '--mandir=/usr/share/man'
> > '--infodir=/usr/share/info' '--datadir=/usr/share'
> > '--sysconfdir=/etc' '--localstatedir=/var/lib' '--libdir=/usr/lib'
> > '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool'
> > '--enable-full-report' '--without-readline' '--enable-linux-caps'
> > '--disable-filter-aaaa' '--disable-fixed-rrset' '--disable-ipv6'
> > '--disable-rpz-nsdname' '--disable-rpz-nsip' '--disable-seccomp'
> > '--enable-threads'
> > '--with-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem'
> > '--with-dlz-stub' '--with-gost' '--with-gssapi' '--without-idn'
> > '--without-libjson' '--without-dlz-ldap' '--without-dlz-mysql'
> > '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb'
> > '--with-python' '--with-ecdsa' '--with-openssl=/usr'
> > '--without-libxml2' '--with-zlib'
> > '--with-randomdev=/dev/random'
> > 'build_alias=armv7a-hardfloat-linux-gnueabi'
> > 'host_alias=armv7a-hardfloat-linux-gnueabi' 'CFLAGS=-O2 -pipe
> > -march=armv7-a -mfpu=vfpv3-d16 -mfloat-abi=hard
> > -I/usr/include/db5.3' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
> > compiled by GCC 6.4.0
> > compiled with OpenSSL version: OpenSSL 1.0.2o  27 Mar 2018
> > linked to OpenSSL version: OpenSSL 1.0.2o  27 Mar 2018
> > compiled with zlib version: 1.2.11
> > linked to zlib version: 1.2.11
> > threads support is enabled
--with-dlz-ldap is disabled
 
> Thank You in advance and best regards
> Peter


-- 

Regards
	Harry Jede
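As an added diagnostic, not part of the thread, the following Python script pulls the quoted configure arguments out of two `named -V` reports, resolves how the GSSAPI and DLZ options were set (including whether an option was left at configure's default, as Harry suspects for --with-dlz-ldap) and lists every option that differs between the two builds. The embedded inputs are abbreviated copies of the two build reports quoted above; the set of options inspected is the editor's choice.

```python
import re

# Abbreviated copies of the two `named -V` reports quoted in the thread
# (working Raspbian server first, failing Gentoo server second).
RASPBIAN_V = """BIND 9.10.3-P4-Raspbian <id:ebd72b3>
built by make with '--prefix=/usr' '--sysconfdir=/etc/bind'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-randomdev=/dev/urandom'
'CFLAGS=-g -O2 -fstack-protector-strong' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now'
"""
GENTOO_V = """BIND 9.11.3 (Extended Support Version) <id:a375815>
built by make with '--prefix=/usr' '--sysconfdir=/etc/bind'
'--with-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem' '--with-gssapi'
'--without-dlz-ldap' '--with-openssl=/usr' '--with-randomdev=/dev/random'
compiled by GCC 6.4.0
"""

def configure_flags(named_v):
    """Map each quoted configure argument after 'built by make with' to its value."""
    tail = named_v.split("built by make with", 1)[1]
    flags = {}
    for arg in re.findall(r"'([^']*)'", tail):
        name, _, value = arg.partition("=")
        flags[name] = value          # "" when the option carries no value
    return flags

def option_state(flags, option):
    """Resolve a --with-/--without- (or --enable-/--disable-) option.

    Returns 'with', 'without' or 'default' (neither form was given, so the
    build used configure's built-in default for that option).
    """
    for on, off in (("--with-", "--without-"), ("--enable-", "--disable-")):
        if on + option in flags:
            return "with"
        if off + option in flags:
            return "without"
    return "default"

def differing_flags(flags_a, flags_b):
    """Names of configure options that are present or valued differently."""
    names = set(flags_a) | set(flags_b)
    return sorted(n for n in names if flags_a.get(n) != flags_b.get(n))

if __name__ == "__main__":
    ok, bad = configure_flags(RASPBIAN_V), configure_flags(GENTOO_V)
    # Options chosen by the editor: GSSAPI backs GSS-TSIG (the TKEY step
    # that fails above); dlopen/DLZ options control how DLZ modules load.
    for option in ("gssapi", "dlopen", "dlz-ldap"):
        print(f"{option:9} working={option_state(ok, option):8} failing={option_state(bad, option)}")
    print("differing:", ", ".join(differing_flags(ok, bad)))
```

Feed it the full `named -V` output from each server to get the complete list of differences rather than the abbreviated one embedded here.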

