[Samba] DNS Updates fail with dns_tkey_gssnegotiate: TKEY is unacceptable

Roy Eastwood spindles7 at gmail.com
Thu Mar 15 12:57:18 UTC 2018


Hi,
I have a test system with two DCs based on samba v 4.8.0 with BIND9_DLZ as the
dns backend running on a fresh install of Gentoo. I can't get DNS Updates to
work on both DCs. If I issue the command: samba_dnsupdate --verbose after the
2nd DC has joined the domain I get the errors (just showing the last entry):

update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samba4p8.example.com
gentoo-dc2.samba4p8.example.com 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samba4p8.example.com
gentoo-dc2.samba4p8.example.com 389 (add)
Successfully obtained Kerberos ticket to DNS/gentoo-dc1.samba4p8.example.com as
GENTOO-DC2$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samba4p8.example.com.
900 IN SRV 0 100 389 gentoo-dc2.samba4p8.example.com.

dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 26 entries

I have followed the Wiki for troubleshooting this error and all seems OK:

gentoo-dc2 ~ # ktutil -k /var/lib/samba/private/dns.keytab list
/var/lib/samba/private/dns.keytab:

Vno  Type                     Principal                                                    Aliases
  2  des-cbc-crc              DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
  2  des-cbc-crc              dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
  2  des-cbc-md5              DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
  2  des-cbc-md5              dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
  2  arcfour-hmac-md5         DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
  2  arcfour-hmac-md5         dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
  2  aes128-cts-hmac-sha1-96  DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
  2  aes128-cts-hmac-sha1-96  dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM


gentoo-dc2 ~ # ldbsearch -H /var/lib/samba/private/sam.ldb 'cn=dns-gentoo-dc2'
dn
# record 1
dn: CN=dns-GENTOO-DC2,CN=Users,DC=samba4p8,DC=example,DC=com

# Referral
ref: ldap://samba4p8.example.com/CN=Configuration,DC=samba4p8,DC=example,DC=com

# Referral
ref: ldap://samba4p8.example.com/DC=DomainDnsZones,DC=samba4p8,DC=example,DC=com

# Referral
ref: ldap://samba4p8.example.com/DC=ForestDnsZones,DC=samba4p8,DC=example,DC=com

# returned 4 records
# 1 entries
# 3 referrals

named -V produces the relevant build options: '--with-dlopen' and
'--with-gssapi'

I ran named with the debug option "-d 7" and it produced this log output:

15-Mar-2018 12:29:13.562 starting BIND 9.11.2-P1 <id:2c2bc60>
15-Mar-2018 12:29:13.563 running on Linux x86_64 4.9.76-gentoo-r1 #1 SMP Wed Mar
14 23:34:12 GMT 2018
15-Mar-2018 12:29:13.563 built with '--prefix=/usr'
'--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share'
'--sysconfdir=/etc' '--localstatedir=/var/lib' '--libdir=/usr/lib64'
'--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool'
'--enable-full-report' '--without-readline' '--enable-linux-caps'
'--enable-filter-aaaa' '--disable-fixed-rrset' '--disable-ipv6'
'--disable-rpz-nsdname' '--disable-rpz-nsip' '--disable-seccomp'
'--enable-threads' '--without-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem'
'--with-dlz-stub' '--without-gost' '--with-gssapi' '--without-idn'
'--without-libjson' '--without-dlz-ldap' '--without-dlz-mysql'
'--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--with-python'
'--with-ecdsa' '--with-openssl=/usr' '--with-libxml2' '--with-zlib'
'--with-randomdev=/dev/urandom' '--with-geoip' 'build_alias=x86_64-pc-linux-gnu'
'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-march=native -O2 -pipe'
'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
15-Mar-2018 12:29:13.563 running as: named -u named -f -g
15-Mar-2018 12:29:13.563 ----------------------------------------------------
15-Mar-2018 12:29:13.563 BIND 9 is maintained by Internet Systems Consortium,
15-Mar-2018 12:29:13.563 Inc. (ISC), a non-profit 501(c)(3) public-benefit 
15-Mar-2018 12:29:13.563 corporation.  Support and training for BIND 9 are 
15-Mar-2018 12:29:13.563 available at https://www.isc.org/support
15-Mar-2018 12:29:13.563 ----------------------------------------------------
15-Mar-2018 12:29:13.563 adjusted limit on open files from 4096 to 1048576
15-Mar-2018 12:29:13.563 found 1 CPU, using 1 worker thread
15-Mar-2018 12:29:13.563 using 1 UDP listener per interface
15-Mar-2018 12:29:13.563 using up to 4096 sockets
15-Mar-2018 12:29:13.565 ./config.c: option 'lmdb-mapsize' was not enabled at
compile time (ignored)
15-Mar-2018 12:29:13.565 loading configuration from '/etc/bind/named.conf'
15-Mar-2018 12:29:13.566 reading built-in trusted keys from file
'/etc/bind/bind.keys'
15-Mar-2018 12:29:13.566 GeoIP Country (IPv4) (type 1) DB not available
15-Mar-2018 12:29:13.566 GeoIP Country (IPv6) (type 12) DB not available
15-Mar-2018 12:29:13.566 GeoIP City (IPv4) (type 2) DB not available
15-Mar-2018 12:29:13.566 GeoIP City (IPv4) (type 6) DB not available
15-Mar-2018 12:29:13.566 GeoIP City (IPv6) (type 30) DB not available
15-Mar-2018 12:29:13.566 GeoIP City (IPv6) (type 31) DB not available
15-Mar-2018 12:29:13.566 GeoIP Region (type 3) DB not available
15-Mar-2018 12:29:13.566 GeoIP Region (type 7) DB not available
15-Mar-2018 12:29:13.566 GeoIP ISP (type 4) DB not available
15-Mar-2018 12:29:13.566 GeoIP Org (type 5) DB not available
15-Mar-2018 12:29:13.566 GeoIP AS (type 9) DB not available
15-Mar-2018 12:29:13.566 GeoIP Domain (type 11) DB not available
15-Mar-2018 12:29:13.566 GeoIP NetSpeed (type 10) DB not available
15-Mar-2018 12:29:13.566 using default UDP/IPv4 port range: [32768, 60999]
15-Mar-2018 12:29:13.566 using default UDP/IPv6 port range: [32768, 60999]
15-Mar-2018 12:29:13.566 listening on IPv4 interface lo, 127.0.0.1#53
15-Mar-2018 12:29:13.567 listening on IPv4 interface enp0s3, 192.168.2.16#53
15-Mar-2018 12:29:13.567 generating session key for dynamic DNS
15-Mar-2018 12:29:13.567 sizing zone task pool based on 3 zones
15-Mar-2018 12:29:13.568 zone 'localhost' allows unsigned updates from remote
hosts, which is insecure
15-Mar-2018 12:29:13.568 zone '0.0.127.in-addr.arpa' allows unsigned updates
from remote hosts, which is insecure
15-Mar-2018 12:29:13.568 Loading 'AD DNS Zone' using driver dlopen
15-Mar-2018 12:29:13.580 samba_dlz: INFO: Current debug levels:
15-Mar-2018 12:29:13.580 samba_dlz:   all: 7
15-Mar-2018 12:29:13.580 samba_dlz:   tdb: 7
15-Mar-2018 12:29:13.580 samba_dlz:   printdrivers: 7
15-Mar-2018 12:29:13.580 samba_dlz:   lanman: 7
15-Mar-2018 12:29:13.580 samba_dlz:   smb: 7
15-Mar-2018 12:29:13.580 samba_dlz:   rpc_parse: 7
15-Mar-2018 12:29:13.580 samba_dlz:   rpc_srv: 7
15-Mar-2018 12:29:13.580 samba_dlz:   rpc_cli: 7
15-Mar-2018 12:29:13.581 samba_dlz:   passdb: 7
15-Mar-2018 12:29:13.581 samba_dlz:   sam: 7
15-Mar-2018 12:29:13.581 samba_dlz:   auth: 7
15-Mar-2018 12:29:13.581 samba_dlz:   winbind: 7
15-Mar-2018 12:29:13.581 samba_dlz:   vfs: 7
15-Mar-2018 12:29:13.581 samba_dlz:   idmap: 7
15-Mar-2018 12:29:13.581 samba_dlz:   quota: 7
15-Mar-2018 12:29:13.581 samba_dlz:   acls: 7
15-Mar-2018 12:29:13.581 samba_dlz:   locking: 7
15-Mar-2018 12:29:13.581 samba_dlz:   msdfs: 7
15-Mar-2018 12:29:13.581 samba_dlz:   dmapi: 7
15-Mar-2018 12:29:13.581 samba_dlz:   registry: 7
15-Mar-2018 12:29:13.582 samba_dlz:   scavenger: 7
15-Mar-2018 12:29:13.582 samba_dlz:   dns: 7
15-Mar-2018 12:29:13.582 samba_dlz:   ldb: 7
15-Mar-2018 12:29:13.582 samba_dlz:   tevent: 7
15-Mar-2018 12:29:13.582 samba_dlz:   auth_audit: 7
15-Mar-2018 12:29:13.582 samba_dlz:   auth_json_audit: 7
15-Mar-2018 12:29:13.582 samba_dlz:   kerberos: 7
15-Mar-2018 12:29:13.582 samba_dlz:   drs_repl: 7
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'gssapi_spnego' registered
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'gssapi_krb5' registered
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'gssapi_krb5_sasl' registered
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'spnego' registered
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'schannel' registered
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'naclrpc_as_system'
registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'sasl-EXTERNAL' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'ntlmssp' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'ntlmssp_resume_ccache'
registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'http_basic' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'http_ntlm' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'http_negotiate' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'krb5' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'fake_gssapi_krb5' registered
15-Mar-2018 12:29:13.616 samba_dlz: ldb: No encrypted secrets key file. Secret
attributes will not be encrypted or decrypted
15-Mar-2018 12:29:13.616 samba_dlz: 
15-Mar-2018 12:29:13.653 samba_dlz: schema_fsmo_init: we are master[no] updates
allowed[no]
15-Mar-2018 12:29:13.669 samba_dlz: started for DN DC=samba4p8,DC=example,DC=com
15-Mar-2018 12:29:13.669 samba_dlz: starting configure
15-Mar-2018 12:29:13.671 samba_dlz: configured writeable zone
'samba4p8.example.com'
15-Mar-2018 12:29:13.671 samba_dlz: configured writeable zone
'2.168.192.in-addr.arpa'
15-Mar-2018 12:29:13.672 samba_dlz: configured writeable zone
'_msdcs.samba4p8.example.com'
15-Mar-2018 12:29:13.672 none:103: 'max-cache-size 90%' - setting to 893MB (out
of 992MB)
15-Mar-2018 12:29:13.673 obtaining root key for view _default from
'/etc/bind/bind.keys'
15-Mar-2018 12:29:13.673 set up managed keys zone for view _default, file
'managed-keys.bind'
15-Mar-2018 12:29:13.673 zone 'version.bind' allows unsigned updates from remote
hosts, which is insecure
15-Mar-2018 12:29:13.673 zone 'hostname.bind' allows unsigned updates from
remote hosts, which is insecure
15-Mar-2018 12:29:13.673 zone 'authors.bind' allows unsigned updates from remote
hosts, which is insecure
15-Mar-2018 12:29:13.674 zone 'id.server' allows unsigned updates from remote
hosts, which is insecure
15-Mar-2018 12:29:13.674 none:103: 'max-cache-size 90%' - setting to 893MB (out
of 992MB)
15-Mar-2018 12:29:13.675 command channel listening on 127.0.0.1#953
15-Mar-2018 12:29:13.675 not using config file logging statement for logging due
to -g option
15-Mar-2018 12:29:13.675 managed-keys-zone: loaded serial 3
15-Mar-2018 12:29:13.676 zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
15-Mar-2018 12:29:13.676 zone localhost/IN: loaded serial 2008122601
15-Mar-2018 12:29:13.676 all zones loaded
15-Mar-2018 12:29:13.676 running

Can anyone spot what I am missing or what I've done wrong? Appreciate any
help.

Many thanks,

Roy
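The post walks through the Wiki's checks by hand (keytab principals, the dns-<HOST> account, the named build flags). The script below is an added example, not part of the post or of Samba, that automates the keytab and build-flag parts of that walk-through: it parses `ktutil -k dns.keytab list` output (re-joining lines a mail client wrapped), confirms that both `DNS/<fqdn>@REALM` and `dns-<HOST>@REALM` are present with an AES key, and confirms that `named -V` reports `--with-dlopen` and `--with-gssapi`. The function names and the sample inputs (trimmed from the post's own output, with the list archive's " at " restored to "@") are my own constructions.

```python
import re

# Checks mirroring the troubleshooting steps in the post: dns.keytab must carry
# the DNS/<fqdn> service principal and the dns-<HOST> account, and named must be
# built with both --with-dlopen and --with-gssapi for BIND9_DLZ GSS-TSIG updates.
REQUIRED_NAMED_FLAGS = ("--with-dlopen", "--with-gssapi")
AES_ENCTYPES = ("aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96")

def parse_keytab_listing(text):
    """Parse 'ktutil -k <file> list' output into {principal: set(enctypes)}."""
    # Re-join entries that a mail client wrapped onto two lines (as in the post)
    text = re.sub(r"\n(?=[^\s@]+@)", " ", text)
    entries = {}
    for enctype, principal in re.findall(r"^\s*\d+\s+(\S+)\s+(\S+@\S+)", text, re.M):
        entries.setdefault(principal, set()).add(enctype)
    return entries

def check_dns_update_prereqs(keytab_listing, named_v_output, fqdn, realm):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    keys = parse_keytab_listing(keytab_listing)
    short_host = fqdn.split(".")[0].upper()
    for principal in (f"DNS/{fqdn}@{realm}", f"dns-{short_host}@{realm}"):
        enctypes = keys.get(principal)
        if not enctypes:
            findings.append(f"keytab lacks principal {principal}")
        elif not any(e in enctypes for e in AES_ENCTYPES):
            # DES keys are disabled by default in current Kerberos libraries,
            # so a principal with only DES/RC4 keys is worth flagging.
            findings.append(f"{principal} has no AES key ({sorted(enctypes)})")
    for flag in REQUIRED_NAMED_FLAGS:
        if flag not in named_v_output:
            findings.append(f"named was built without {flag}")
    return findings

# Constructed sample input, trimmed from the listing and build line in the post.
SAMPLE_KEYTAB = """\
Vno  Type                     Principal
  2  des-cbc-crc              DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
  2  des-cbc-crc              dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96
DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
"""
SAMPLE_NAMED_V = "built with '--prefix=/usr' '--with-dlopen' '--with-gssapi'"

if __name__ == "__main__":
    for finding in check_dns_update_prereqs(
            SAMPLE_KEYTAB, SAMPLE_NAMED_V,
            "gentoo-dc2.samba4p8.example.com", "SAMBA4P8.EXAMPLE.COM"):
        print("FAIL:", finding)
```

On a real DC, feed it the output of `ktutil -k /var/lib/samba/private/dns.keytab list` and `named -V`; it does not replace the `kinit -k` test of the DNS principal or the keytab ownership check, which need the live system.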