[Samba] samba_dnsupdate --all-names -> dns_tkey_negotiategss: TKEY is unacceptable
Rowland Penny
rpenny at samba.org
Wed May 2 12:27:37 UTC 2018
On Wed, 2 May 2018 13:54:01 +0200
Stefan Kania via samba <samba at lists.samba.org> wrote:
> Hello,
> we have the following problem with an ADDC Sernet 4.7.6-11 on CentOS
> 7.4. We have two DCs, replication is working fine. We use bind9 as
> dns-backend. When we do a "samba_dnsupdate --all-names" we get the
> following messages:
> -------------------
> [root at dc1 ~]# samba_dnsupdate --all-names
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> Failed update of 29 entries
> -------------------
>
> We checked all the filesystem permissions for the user "named". He can
> read the dns.keytab and can write to all DNS-files.
> We checked for the dns-dc1 and dns-dc2 user. We removed the
> dns.keyfile and the users and recreated both new with
> "samba_upgradedns --dns-backend=BIND9_DLZ"
> We even did the change to the internal DNS and back to bind9. We
> checked the entry for the dns.keytab in /etc/named.conf. We checked
> the dns.keytab-file and all needed entries are there.
>
> Here is our smb.conf file:
> ------------------
> # Global parameters
> [global]
> netbios name = DC1
> realm = TRIVIUM.S1.EXAMPLE.NET
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = TRIVIUM
> idmap_ldb:use rfc2307 = yes
> [netlogon]
> path = /var/lib/samba/sysvol/trivium.s1.example.net/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
Try adding 'dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool' to smb.conf
and run 'samba_dnsupdate --all-names --use-samba-tool'
Rowland