[Samba] DDNS Error

Rowland Penny rpenny at samba.org
Wed May 16 10:45:58 UTC 2018


On Wed, 16 May 2018 12:32:52 +0200
Stefan Kania via samba <samba at lists.samba.org> wrote:

> It's me again :-)
> Now we have DDNS with DHCP running but we have a problem on one of our
> two DCs. Btw, we used the setup and the script from the wiki.
> Doing a "dhclient" on a host we are getting the following messages:
> -------------
> Mai 16 12:13:28 samba41 dhcpd[3961]: Commit: IP: 192.168.0.249 DHCID:
> 1:50:5b:5d:1c:ab:aa Name: horst
> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[0] =
> /etc/dhcp/bin/dhcp-dyndns.sh
> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[1] = add
> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[2] =
> 192.168.0.249
> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[3] =
> 1:50:5b:5d:1c:ab:aa
> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[4] = horst
> Mai 16 12:13:28 samba41 root[7505]: DHCP-DNS Update failed: 11
> Mai 16 12:13:28 samba41 dhcpd[3961]: execute:
> /etc/dhcp/bin/dhcp-dyndns.sh exit status 2816
> -------------
> 
> We then tried to create the entry with the script:
> ----------------
> /etc/dhcp/bin/dhcp-dyndns.sh "add" 192.168.225.60 1:50:5b:5d:1c:ab:aa
> horst .
> .
> .
> 3160958102.sig-samba41.example.net. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY
> 0  0
> 
> dns_tkey_negotiategss: TKEY is unacceptable
> ----------------
> 
> Then we checked with:
> -----------
> samba_dnsupdate --verbose
> -----------
> Everything is fine, no error about the unacceptable TKEY
> 
> We did everything from:
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
> 
> - deleted the dns.keytab
> - deleted the dns-samba41 user
> - ran "samba_upgradedns --dns-backend=BIND9_DLZ"
> 
> We checked the permissions of all files. We checked the bind9 config
> for the TKEY line. Everything is ok.
> The update works on the second DC without any error about the key.
> It's only one ADDC that makes the problem.
> The only difference we found was that the username on the working
> ADDC is in capital letters (CN=dns-SAMBA42) and on the non-working
> ADDC in small letters (CN=dns-samba41). But on both systems it's the
> same inside the dns.keytab. (small = non-working | capital = working).
> 
> Any help?
> 
> Stefan
> 

Have you set up 'failover'?
The records belong to whoever creates them, so if one DC creates them,
then the other cannot.

Rowland


