[Samba] samba_dnsupdate --all-names -> dns_tkey_negotiategss: TKEY is unacceptable

Stefan Kania stefan at kania-online.de
Wed May 2 11:54:01 UTC 2018


Hello,
we have the following problem with an AD DC, Sernet 4.7.6-11 on CentOS 7.4.
We have two DCs; replication is working fine. We use bind9 as the
DNS backend. When we do a "samba_dnsupdate --all-names" we get the
following messages:
-------------------
[root@dc1 ~]# samba_dnsupdate --all-names
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
Failed update of 29 entries
-------------------

We checked all the filesystem permissions for the user "named". It can read
the dns.keytab and can write to all DNS files.
We checked the dns-dc1 and dns-dc2 users. We removed the dns.keyfile
and the users and recreated both with "samba_upgradedns
--dns-backend=BIND9_DLZ".
We even switched to the internal DNS and back to bind9. We
checked the entry for the dns.keytab in /etc/named.conf. We checked the
dns.keytab file and all needed entries are there.

Here is our smb.conf file:
------------------
# Global parameters
[global]
        netbios name = DC1
        realm = TRIVIUM.S1.EXAMPLE.NET
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = TRIVIUM
        idmap_ldb:use rfc2307 = yes
[netlogon]
        path = /var/lib/samba/sysvol/trivium.s1.example.net/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
------------------

Here is the result from samba_dnsupdate --all-names -d 9
------------------
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
  auth_audit: 9
  auth_json_audit: 9
  kerberos: 9
  drs_repl: 9
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
added interface ens160 ip=192.168.226.101 bcast=192.168.226.255 netmask=255.255.255.0
lpcfg_servicenumber: couldn't find ldb
schema_fsmo_init: we are master[yes] updates allowed[no]
schema_fsmo_init: we are master[yes] updates allowed[no]
ldb_wrap open of secrets.ldb
Received smb_krb5 packet of length 313
Received smb_krb5 packet of length 177
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism gssapi_krb5_sasl
Ticket in credentials cache for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 36000 secs
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 36000 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35998 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35998 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35998 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35998 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35998 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35998 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35998 secs
dns_tkey_negotiategss: TKEY is unacceptable
------------------
It's also not possible to join a samba-fs to the domain and do the
DNS update. The join works and the machine is a domain member, but no DNS
update runs and we get the error message "ERROR_DNS_UPDATE_FAILED".

Can it be that the problem comes from the long REALM
TRIVIUM.S1.EXAMPLE.NET? Is it maybe one level too long?

We tried everything from the wiki, but nothing works for us. So maybe
one of you has a solution.

Thanks

Stefan
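The checks the post describes (the tkey-gssapi-keytab entry in named.conf, the keytab being readable by the BIND user, the DNS service principal being present in the keytab) as a shell script, added here as an example; it is not part of Samba and not code from the original post. Assumed, not taken from the post: BIND reads /etc/named.conf and runs as "named", the keytab is /var/lib/samba/bind-dns/dns.keytab (Samba 4.7's default location; 4.6 and earlier used /var/lib/samba/private/dns.keytab), GNU stat is available for the mode check, and klist, kinit and BIND's nsupdate are installed for the live checks. The "dns_tkey_negotiategss: TKEY is unacceptable" text is printed by BIND's nsupdate, which samba_dnsupdate runs with -g for the BIND9_DLZ backend, so the last step reproduces the GSS-TSIG negotiation directly with nsupdate -g against the local named, independently of Samba.

```shell
#!/bin/sh
# tkey-check.sh: checks for "dns_tkey_negotiategss: TKEY is unacceptable" on a
# Samba AD DC with the BIND9_DLZ backend.  Added example, not Samba's code.
# Assumptions (not from the post): BIND reads /etc/named.conf, runs as "named",
# and the keytab is /var/lib/samba/bind-dns/dns.keytab (Samba 4.7+ default;
# 4.6 and earlier used /var/lib/samba/private/dns.keytab).  GNU stat is used
# for the mode check.  Override via NAMED_CONF, NAMED_USER, REALM, DC_FQDN.

NAMED_CONF="${NAMED_CONF:-/etc/named.conf}"
NAMED_USER="${NAMED_USER:-named}"
REALM="${REALM:-TRIVIUM.S1.EXAMPLE.NET}"
DC_FQDN="${DC_FQDN:-dc1.trivium.s1.example.net}"
TKEY_CC="${TKEY_CC:-/tmp/tkey-check.cc}"   # throwaway ccache for the live test

# 1. The keytab named actually uses for GSS-TSIG.  named refuses every TKEY
#    negotiation when "tkey-gssapi-keytab" is missing or points elsewhere.
#    Prints the configured path; exit status 1 when the directive is absent
#    (lines commented out with "//" are ignored).
tkey_keytab_path() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1" \
        | head -n 1 | grep .
}

# 2. Whether a "klist -k" listing (passed as text in $1, so a saved listing
#    works too) contains the service principal named must present for this
#    DC: DNS/<fqdn>@<REALM>.
keytab_has_dns_spn() {
    printf '%s\n' "$1" | grep -qiF "DNS/${DC_FQDN}@${REALM}"
}

# 3. Whether user $2 can read file $1, using the same owner/group/other
#    decision the kernel makes for a non-root user.  Root is not special-cased
#    because named drops privileges to $NAMED_USER.
has_read_bit() { [ $(( $1 & 4 )) -ne 0 ]; }
file_readable_by() {
    f="$1"; u="$2"
    [ -f "$f" ] || return 1
    info=$(stat -c '%U %G %a' "$f" 2>/dev/null) || return 1
    set -- $info
    owner="$1"; group="$2"
    mode=$(printf '%s' "$3" | sed 's/.*\(...\)$/\1/')   # last three octal digits
    if [ "$owner" = "$u" ]; then
        has_read_bit "$(printf '%s' "$mode" | cut -c1)"
    elif id -Gn "$u" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        has_read_bit "$(printf '%s' "$mode" | cut -c2)"
    else
        has_read_bit "$(printf '%s' "$mode" | cut -c3)"
    fi
}

# 4. Live checks, meaningful only on the DC itself; each prints OK/FAIL.  The
#    last step does what samba_dnsupdate does for BIND backends: kinit with
#    the DNS keytab, then "nsupdate -g" against the local named.  The
#    "TKEY is unacceptable" message is BIND nsupdate output, so a failure here
#    isolates the problem to named and its keytab rather than to Samba.
live_checks() {
    kt=$(tkey_keytab_path "$NAMED_CONF") \
        || { echo "FAIL: no tkey-gssapi-keytab directive in $NAMED_CONF"; return 1; }
    echo "named.conf keytab: $kt"
    if file_readable_by "$kt" "$NAMED_USER"; then
        echo "OK: $kt readable by $NAMED_USER"
    else
        echo "FAIL: $kt missing, or its owner/group/mode deny read to $NAMED_USER"
    fi
    if command -v klist >/dev/null 2>&1; then
        if keytab_has_dns_spn "$(klist -k "$kt" 2>/dev/null)"; then
            echo "OK: DNS/$DC_FQDN@$REALM present in $kt"
        else
            echo "FAIL: DNS/$DC_FQDN@$REALM missing from $kt"
        fi
    fi
    if command -v kinit >/dev/null 2>&1 && command -v nsupdate >/dev/null 2>&1; then
        KRB5CCNAME="$TKEY_CC" kinit -k -t "$kt" "DNS/$DC_FQDN@$REALM" || return 1
        # An empty update still forces the TKEY/GSS-TSIG negotiation first.
        printf 'server 127.0.0.1\nzone %s\nsend\n' "${DC_FQDN#*.}" \
            | KRB5CCNAME="$TKEY_CC" nsupdate -g -d
        rm -f "$TKEY_CC"
    fi
}

case "${1:-}" in
    --live) live_checks ;;
esac
```

Run it as root on the DC with `sh tkey-check.sh --live`; the functions alone can be sourced and pointed at a copied named.conf or a saved `klist -k` listing when the DC is not at hand. A keytab that is readable but lacks the DNS/<fqdn> principal, or a named.conf whose tkey-gssapi-keytab points at the old private/ path after an upgrade, both produce the same "TKEY is unacceptable" on the client side, which is why the script checks the file named actually reads rather than the one samba_upgradedns wrote.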

