[Samba] AD-DC Bind: TKEY is unacceptable

Kevin White samba-kevin at kevbo.org
Tue Feb 26 14:19:46 UTC 2019


I'm having trouble with nsupdates.  I'm getting TKEY is unacceptable.

I'm using Fedora 29, with its packages:

[root at dc2 kwhite]# rpm -qa | grep samba
samba-4.9.4-1.fc29.x86_64
samba-dc-bind-dlz-4.9.4-1.fc29.x86_64
samba-common-4.9.4-1.fc29.noarch
samba-libs-4.9.4-1.fc29.x86_64
samba-dc-libs-4.9.4-1.fc29.x86_64
samba-winbind-4.9.4-1.fc29.x86_64
samba-common-libs-4.9.4-1.fc29.x86_64
python2-samba-4.9.4-1.fc29.x86_64
samba-winbind-modules-4.9.4-1.fc29.x86_64
samba-client-libs-4.9.4-1.fc29.x86_64
python2-samba-dc-4.9.4-1.fc29.x86_64
samba-common-tools-4.9.4-1.fc29.x86_64
samba-dc-4.9.4-1.fc29.x86_64

This is "dc2".  There is no "dc1".  A bit of local history: there was a
dc1.  It was made back when AD-DC was first released, using packages I
compiled myself to enable Heimdal.  When MIT Kerberos was supported, I
attempted to change that dc to use MIT and had trouble with the
conversion, so I created a new dc (dc2) from scratch and replicated dc1
to it, transferred the FSMO roles and shut dc1 down.  This may be relevant.

I'm trying to use the Bind back end:

[root at dc2 kwhite]# rpm -qa | grep bind|grep -v samba | sort
bind-9.11.5-2.P1.fc29.x86_64
[...]

For testing/ease of use, selinux is _disabled_ and the firewall is
_turned off_:

[root at dc2 kwhite]# getenforce
Disabled
[root at dc2 kwhite]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Running samba_dnsupdate gets TKEY is unacceptable.  I've followed the
steps on the wiki:

https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable

Here is what I've done:

[root at dc2 kwhite]# klist -k /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG

[root at dc2 kwhite]# rm /var/lib/samba/private/dns.keytab
rm: remove regular file '/var/lib/samba/private/dns.keytab'? y

[root at dc2 kwhite]# samba-tool user delete dns-DC2
Deleted user dns-DC2

[root at dc2 kwhite]# samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/KEVBOLAND.KEVBO.ORG.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS
You have switched to using SAMBA_INTERNAL as your dns backend, but you
still have samba starting looking for a BIND backend. Please remove the
-dns from your server services line.

Note: Isn't that output message wrong?  If I don't have "dns" in
smb.conf, and bind isn't running (but samba is), nothing is listening on
port 53.  I was under the impression that "dns" on "server services" in
smb.conf enables the internal DNS server.

[root at dc2 kwhite]# emacs /etc/samba/smb.conf

[root at dc2 kwhite]# grep "server services" /etc/samba/smb.conf
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dns

[root at dc2 kwhite]# systemctl stop named
[root at dc2 kwhite]# systemctl stop samba
[root at dc2 kwhite]# systemctl start samba

So, now I'm running with internal DNS.  Good.  Switch back.

[root at dc2 kwhite]# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/KEVBOLAND.KEVBO.ORG.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-dc2 account
See /var/lib/samba/bind-dns/named.conf for an example configuration
include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required
for secure DNS updates
Finished upgrading DNS
You have switched to using BIND9_DLZ as your dns backend, but still have
the internal dns starting. Please make sure you add '-dns' to your
server services line in your smb.conf.
[root at dc2 kwhite]# emacs /etc/samba/smb.conf
[root at dc2 kwhite]# grep "server services" /etc/samba/smb.conf
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc
[root at dc2 kwhite]# systemctl stop samba
[root at dc2 kwhite]# systemctl start named
[root at dc2 kwhite]# systemctl start samba

[root at dc2 kwhite]# klist -k /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG

[root at dc2 kwhite]# cat /etc/resolv.conf
search kevboland.kevbo.org kevbo.org
nameserver 127.0.0.1
[root at dc2 kwhite]# samba_dnsupdate  --verbose --all-names
IPs: ['2605:xxxx:xxxx:xxxx::185', ..., '192.168.10.91']
force update: A dc2.kevboland.kevbo.org 192.168.10.91
force update: AAAA dc2.kevboland.kevbo.org 2605:xxxx:xxxx:xxxx::185

[...]

54 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc2.kevboland.kevbo.org as DC2$
update(nsupdate): A dc2.kevboland.kevbo.org 192.168.10.91
Calling nsupdate for A dc2.kevboland.kevbo.org 192.168.10.91 (add)
Successfully obtained Kerberos ticket to DNS/dc2.kevboland.kevbo.org as DC2$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc2.kevboland.kevbo.org. 900    IN      A       192.168.10.91

dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
update(nsupdate): AAAA dc2.kevboland.kevbo.org 2605:xxxx:xxxx:xxxx::185
Calling nsupdate for AAAA dc2.kevboland.kevbo.org 2605:xxxx:xxxx:xxxx::185 (add)
Successfully obtained Kerberos ticket to DNS/dc2.kevboland.kevbo.org as DC2$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc2.kevboland.kevbo.org. 900    IN      AAAA    2605:xxxx:xxxx:xxxx::185

I had this problem before I enabled ipv6.  I've had the problem for a
while now, and I just kept hoping that it would fix itself with updates,
but it hasn't.

When IP addresses on the servers change (like they tend to with ipv6), I
do this manual switch to get updated addresses into bind.

Is there anything else I can try?

Thank you,


Kevin
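Added example, not part of the post and not Samba or BIND code: a small Python check for the preconditions that the GSS-TSIG (TKEY) negotiation in the transcript above depends on. It parses `klist -k` output and a `named.conf` fragment and reports when BIND has no `tkey-gssapi-keytab` directive, when that directive points at a different file than the keytab being inspected, when the keytab lacks the `DNS/<fqdn>@<REALM>` service principal, when principals belong to another realm, or when the same entry appears several times (as in the listings above). The keytab location `/var/lib/samba/bind-dns/dns.keytab` is an assumption about where `samba_upgradedns` writes it for a BIND9_DLZ setup of this Samba generation; the `klist` and `named.conf` texts are constructed samples modelled on the post, not captured output.

```python
"""Offline sanity checks for a Samba AD DC + BIND9_DLZ GSS-TSIG (TKEY) setup.

Added example; assumes BIND must load the DC's DNS keytab via the
`tkey-gssapi-keytab` option and that the keytab path is
/var/lib/samba/bind-dns/dns.keytab (an assumption about this Samba version).
"""
import re
from collections import Counter

# Constructed sample modelled on `klist -k` output (not real output).
KLIST_OK = """\
Keytab name: FILE:/var/lib/samba/bind-dns/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc2.kevboland.kevbo.org@KEVBOLAND.KEVBO.ORG
   1 dns-dc2@KEVBOLAND.KEVBO.ORG
"""

# Constructed named.conf fragments; the keytab path is the assumed one.
NAMED_OK = """\
options {
    directory "/var/named";
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
include "/var/lib/samba/bind-dns/named.conf";
"""
NAMED_MISSING = """\
options {
    directory "/var/named";
};
include "/var/lib/samba/bind-dns/named.conf";
"""


def parse_klist(text):
    """Return (keytab_path, [(kvno, principal), ...]) parsed from `klist -k` output."""
    path, entries = None, []
    for line in text.splitlines():
        m = re.match(r"Keytab name:\s*(?:FILE:)?(\S+)", line)
        if m:
            path = m.group(1)
            continue
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return path, entries


def tkey_keytab(named_conf):
    """Path from BIND's tkey-gssapi-keytab option, or None if absent or commented out."""
    for line in named_conf.splitlines():
        line = line.split("//", 1)[0].split("#", 1)[0]  # strip BIND comment styles
        m = re.search(r'tkey-gssapi-keytab\s+"([^"]+)"\s*;', line)
        if m:
            return m.group(1)
    return None


def check_tkey_setup(klist_text, named_conf, dc_fqdn, realm):
    """Return a list of findings; an empty list means every checked precondition holds."""
    findings = []
    keytab_path, entries = parse_klist(klist_text)
    bind_path = tkey_keytab(named_conf)
    if bind_path is None:
        findings.append("named.conf: no tkey-gssapi-keytab directive, so BIND "
                        "has no key to accept a GSS-TSIG TKEY negotiation with")
    elif keytab_path and bind_path != keytab_path:
        findings.append(f"path mismatch: BIND reads {bind_path} but the inspected "
                        f"keytab is {keytab_path}")
    wanted = f"DNS/{dc_fqdn}@{realm}"
    principals = {p for _, p in entries}
    if wanted not in principals:
        findings.append(f"keytab lacks service principal {wanted}")
    foreign = sorted(p for p in principals if not p.endswith("@" + realm))
    if foreign:
        findings.append(f"principals outside realm {realm}: {', '.join(foreign)}")
    dupes = [f"{p} (kvno {k}) x{n}" for (k, p), n in Counter(entries).items() if n > 1]
    if dupes:
        findings.append("keytab was appended to more than once: " + ", ".join(dupes))
    return findings


if __name__ == "__main__":
    args = ("dc2.kevboland.kevbo.org", "KEVBOLAND.KEVBO.ORG")
    for label, kl, nc in (("ok", KLIST_OK, NAMED_OK),
                          ("no-directive", KLIST_OK, NAMED_MISSING),
                          ("path-mismatch", KLIST_OK.replace("bind-dns", "private"), NAMED_OK)):
        print(label, check_tkey_setup(kl, nc, *args) or "no findings")
```

On a real DC the two inputs would come from `klist -k <keytab>` and the active `named.conf`; the third case in the usage block mirrors the post, where the keytab being listed lives under `private/` rather than the directory `samba_upgradedns` reported for its BIND include file.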