[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure

[Igor Sousa]

Em sex, 9 de ago de 2019 às 17:26, Rowland penny via samba <
samba at lists.samba.org> escreveu:

> Well it shouldn't ;-)
>
> Each DC should use itself for its nameserver
>

Ok. I understand and I think I've forgotten any step when I had mounted
'king'. My bad!

I've set 'king' IP as the only namesever on resolv.conf and I've got a new
Kerberos ticket with 'kinit' command, but when I've tried to update dns
entries with 'samba_dnsupdate' I've receive "dns_tkey_negotiategss: TKEY is
unacceptable". I've checked '/usr/local/samba/private/dns.keytab' and there
is a Kerberos principal listed and I've checked if BIND AD Account exists
and it there is.

--
Igor Sousa


[root at king ~]# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
----
--------------------------------------------------------------------------
   1 DNS/king.smb at SMB
   1 dns-KING at SMB
   1 DNS/king.smb at SMB
   1 dns-KING at SMB
   1 DNS/king.smb at SMB
   1 dns-KING at SMB
   1 DNS/king.smb at SMB
   1 dns-KING at SMB
   1 DNS/king.smb at SMB
   1 dns-KING at SMB

[root at king ~]# ls -l /usr/local/samba/private/dns.keytab
-rw-r----- 2 root named 712 Apr 25 15:18 /usr/local/samba/private/dns.keytab


[root at king ~]# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-KING'
dn
# record 1
dn: CN=dns-KING,CN=Users,smb

# Referral
ref: ldap://smb/CN=Configuration,smb

# Referral
ref: ldap://smb/DC=DomainDnsZones,smb

# Referral
ref: ldap://smb/DC=ForestDnsZones,smb

# returned 4 records
# 1 entries
# 3 referrals