[Samba] AD-DC Bind: TKEY is unacceptable
Kevin White
samba-kevin at kevbo.org
Tue Feb 26 14:19:46 UTC 2019
I'm having trouble with nsupdates. I'm getting TKEY is unacceptable.
I'm using Fedora 29, with its packages:
[root@dc2 kwhite]# rpm -qa | grep samba
samba-4.9.4-1.fc29.x86_64
samba-dc-bind-dlz-4.9.4-1.fc29.x86_64
samba-common-4.9.4-1.fc29.noarch
samba-libs-4.9.4-1.fc29.x86_64
samba-dc-libs-4.9.4-1.fc29.x86_64
samba-winbind-4.9.4-1.fc29.x86_64
samba-common-libs-4.9.4-1.fc29.x86_64
python2-samba-4.9.4-1.fc29.x86_64
samba-winbind-modules-4.9.4-1.fc29.x86_64
samba-client-libs-4.9.4-1.fc29.x86_64
python2-samba-dc-4.9.4-1.fc29.x86_64
samba-common-tools-4.9.4-1.fc29.x86_64
samba-dc-4.9.4-1.fc29.x86_64
This is "dc2". There is no "dc1". A bit of local history: there was a
dc1. It was made back when AD-DC was first released, using packages I
compiled myself to enable Heimdal. When MIT Kerberos was supported, I
attempted to change that dc to use MIT and had trouble with the
conversion, so I created a new dc (dc2) from scratch and replicated dc1
to it, transferred the FSMO roles and shut dc1 down. This may be relevant.
I'm trying to use the Bind back end:
[root@dc2 kwhite]# rpm -qa | grep bind|grep -v samba | sort
bind-9.11.5-2.P1.fc29.x86_64
[...]
For testing/ease of use, selinux is _disabled_ and the firewall is
_turned off_:
[root@dc2 kwhite]# getenforce
Disabled
[root@dc2 kwhite]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Running samba_dnsupdate gets TKEY is unacceptable. I've followed the
steps on the wiki:
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
Here is what I've done:
[root@dc2 kwhite]# klist -k /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
[root@dc2 kwhite]# rm /var/lib/samba/private/dns.keytab
rm: remove regular file '/var/lib/samba/private/dns.keytab'? y
[root@dc2 kwhite]# samba-tool user delete dns-DC2
Deleted user dns-DC2
[root@dc2 kwhite]# samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/KEVBOLAND.KEVBO.ORG.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS
You have switched to using SAMBA_INTERNAL as your dns backend, but you
still have samba starting looking for a BIND backend. Please remove the
-dns from your server services line.
Note: Isn't that output message wrong? If I don't have "dns" in
smb.conf, and bind isn't running (but samba is), nothing is listening on
port 53. I was under the impression that "dns" on "server services" in
smb.conf enables the internal DNS server.
[root@dc2 kwhite]# emacs /etc/samba/smb.conf
[root@dc2 kwhite]# grep "server services" /etc/samba/smb.conf
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dns
[root@dc2 kwhite]# systemctl stop named
[root@dc2 kwhite]# systemctl stop samba
[root@dc2 kwhite]# systemctl start samba
So, now I'm running with internal DNS. Good. Switch back.
[root@dc2 kwhite]# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/KEVBOLAND.KEVBO.ORG.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-dc2 account
See /var/lib/samba/bind-dns/named.conf for an example configuration
include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required
for secure DNS updates
Finished upgrading DNS
You have switched to using BIND9_DLZ as your dns backend, but still have
the internal dns starting. Please make sure you add '-dns' to your
server services line in your smb.conf.
[root@dc2 kwhite]# emacs /etc/samba/smb.conf
[root@dc2 kwhite]# grep "server services" /etc/samba/smb.conf
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc
[root@dc2 kwhite]# systemctl stop samba
[root@dc2 kwhite]# systemctl start named
[root@dc2 kwhite]# systemctl start samba
[root@dc2 kwhite]# klist -k /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
[root@dc2 kwhite]# cat /etc/resolv.conf
search kevboland.kevbo.org kevbo.org
nameserver 127.0.0.1
[root@dc2 kwhite]# samba_dnsupdate --verbose --all-names
IPs: ['2605:xxxx:xxxx:xxxx::185', ..., '192.168.10.91']
force update: A dc2.kevboland.kevbo.org 192.168.10.91
force update: AAAA dc2.kevboland.kevbo.org 2605:xxxx:xxxx:xxxx::185
[...]
54 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc2.kevboland.kevbo.org as DC2$
update(nsupdate): A dc2.kevboland.kevbo.org 192.168.10.91
Calling nsupdate for A dc2.kevboland.kevbo.org 192.168.10.91 (add)
Successfully obtained Kerberos ticket to DNS/dc2.kevboland.kevbo.org as DC2$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc2.kevboland.kevbo.org. 900 IN A 192.168.10.91
dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
update(nsupdate): AAAA dc2.kevboland.kevbo.org 2605:xxxx:xxxx:xxxx::185
Calling nsupdate for AAAA dc2.kevboland.kevbo.org
2605:xxxx:xxxx:xxxx::185 (add)
Successfully obtained Kerberos ticket to DNS/dc2.kevboland.kevbo.org as DC2$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc2.kevboland.kevbo.org. 900 IN AAAA 2605:xxxx:xxxx:xxxx::185
I had this problem before I enabled IPv6. I've had the problem for a
while now, and I just kept hoping that it would fix itself with updates,
but it hasn't.
When IP addresses on the servers change (like they tend to with IPv6), I
do this manual switch to get updated addresses into bind.
Is there anything else I can try?
Thank you,
Kevin
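The verbose samba_dnsupdate output quoted above emits one block per record, and with dozens of records it is easy to miss which ones obtained a Kerberos ticket and then failed in the TKEY exchange. The following Python is an added example, not code from the post or from Samba: it parses that output format into per-record outcomes and summarises them. The sample log is constructed with placeholder names and addresses.

```python
import re
from collections import Counter

# Constructed sample in the samba_dnsupdate --verbose format shown in the
# post; names and addresses are placeholders, not the post's own capture.
SAMPLE_LOG = """\
2 DNS updates and 0 DNS deletes needed
update(nsupdate): A dc2.example.test 192.0.2.91
Successfully obtained Kerberos ticket to DNS/dc2.example.test as DC2$
Outgoing update query:
dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
update(nsupdate): AAAA dc2.example.test 2001:db8::185
Successfully obtained Kerberos ticket to DNS/dc2.example.test as DC2$
Outgoing update query:
"""

UPDATE_RE = re.compile(r"^update\(nsupdate\): (\S+) (\S+) (\S+)")
ERROR_RE = re.compile(r"^(dns_tkey_gssnegotiate: .*|Failed nsupdate: \d+)$")

def parse_dnsupdate_log(text):
    """One dict per update(nsupdate) line, with the first error seen (or None)."""
    records, current = [], None
    for line in text.splitlines():
        m = UPDATE_RE.match(line)
        if m:
            current = {"type": m.group(1), "name": m.group(2),
                       "value": m.group(3), "ticket": False, "error": None}
            records.append(current)
        elif current is None:
            continue  # preamble before the first update record
        elif line.startswith("Successfully obtained Kerberos ticket"):
            current["ticket"] = True
        elif ERROR_RE.match(line) and current["error"] is None:
            current["error"] = line
    return records

def summarize(records):
    """Count outcomes; a ticket followed by a TKEY error means the KDC side
    worked and the GSS-TSIG negotiation with the DNS server was refused."""
    counts = Counter()
    for r in records:
        if r["error"] is None:
            counts["no_error_logged"] += 1
        elif "TKEY" in r["error"] and r["ticket"]:
            counts["tkey_refused_after_ticket"] += 1
        else:
            counts["other_failure"] += 1
    return dict(counts)
```

Feed the real output in with `parse_dnsupdate_log(open("dnsupdate.log").read())`; a run where every record lands in `tkey_refused_after_ticket` points at the named side of the GSS-TSIG exchange rather than at ticket acquisition.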