[Samba] samba_dnsupdate --all-names -> dns_tkey_negotiategss: TKEY is unacceptable

Rowland Penny rpenny at samba.org
Wed May 2 12:27:37 UTC 2018


On Wed, 2 May 2018 13:54:01 +0200
Stefan Kania via samba <samba at lists.samba.org> wrote:

> Hello,
> we have the following problem with an ADDC Sernet 4.7.6-11 on CentOS
> 7.4. We have two DCs, replication is working fine. We use bind9 as
> dns-backend. When we do a "samba_dnsupdate --all-names" we get the
> following messages:
> -------------------
> [root at dc1 ~]# samba_dnsupdate --all-names
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> Failed update of 29 entries
> -------------------
> 
> We checked all the filesystem permissions for the user "named". He can
> read the dns.keytab and can write to all DNS files.
> We checked the dns-dc1 and dns-dc2 users. We removed the
> dns.keyfile and the users and recreated both with
> "samba_upgradedns --dns-backend=BIND9_DLZ"
> We even did the change to the internal DNS and back to bind9. We
> checked the entry for the dns.keytab in /etc/named.conf. We checked
> the dns.keytab file and all needed entries are there.
> 
> Here is our smb.conf file:
> ------------------
> # Global parameters
> [global]
>         netbios name = DC1
>         realm = TRIVIUM.S1.EXAMPLE.NET
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = TRIVIUM
>         idmap_ldb:use rfc2307 = yes
> [netlogon]
>         path = /var/lib/samba/sysvol/trivium.s1.example.net/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No

Try adding 'dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool' to smb.conf

and run 'samba_dnsupdate --all-names --use-samba-tool'

Rowland
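The checks the thread walks through (the keytab entry in named.conf, the failed-update count, the smb.conf workaround from the reply) as an added offline script; this is example code, not from the thread or from Samba, and the keytab path, the file locations and the sample inputs are assumptions constructed for the run.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the pieces the thread
# says to verify when GSS-TSIG (TKEY) updates fail with the BIND9_DLZ backend.
# File paths below are the usual Samba/BIND defaults and are assumptions.

# Keytab path that named.conf hands to BIND for GSS-TSIG; prints nothing and
# returns 1 if the tkey-gssapi-keytab directive is missing.
named_keytab_path() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1 | grep .
}

# Number of TKEY negotiation failures in samba_dnsupdate output.
tkey_failures() {
    grep -c '^dns_tkey_negotiategss: TKEY is unacceptable' "$1" || true
}

# The entry count from the trailing "Failed update of N entries" line.
failed_entries() {
    sed -n 's/^Failed update of \([0-9]*\) entries.*/\1/p' "$1"
}

# Does smb.conf already carry the workaround suggested in the reply?
has_use_samba_tool() {
    grep -Eq '^[[:space:]]*dns update command[[:space:]]*=.*--use-samba-tool' "$1"
}

# Constructed sample inputs (not captured from a real DC) so this runs offline.
SAMPLE_DIR=$(mktemp -d)
printf 'tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";\n' > "$SAMPLE_DIR/named.conf"
printf '[global]\n\trealm = TRIVIUM.S1.EXAMPLE.NET\n' > "$SAMPLE_DIR/smb.conf.orig"
{ cat "$SAMPLE_DIR/smb.conf.orig"
  printf '\tdns update command = /usr/sbin/samba_dnsupdate --use-samba-tool\n'
} > "$SAMPLE_DIR/smb.conf.fixed"
i=1
while [ "$i" -le 29 ]; do
    echo 'dns_tkey_negotiategss: TKEY is unacceptable'; i=$((i + 1))
done > "$SAMPLE_DIR/update.log"
echo 'Failed update of 29 entries' >> "$SAMPLE_DIR/update.log"

# Summary a practitioner would read before touching the keytab or smb.conf.
echo "named.conf keytab: $(named_keytab_path "$SAMPLE_DIR/named.conf" || echo MISSING)"
echo "TKEY failures: $(tkey_failures "$SAMPLE_DIR/update.log") of $(failed_entries "$SAMPLE_DIR/update.log") failed entries"
has_use_samba_tool "$SAMPLE_DIR/smb.conf.orig" && echo "workaround present" || echo "workaround not set in smb.conf"
```

On a real DC, point the functions at /etc/named.conf, the saved output of samba_dnsupdate --all-names and the live smb.conf instead of the constructed files; a count of TKEY failures equal to the failed-entry count means no update negotiated a key at all.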
