[Samba] AD-DC Bind: TKEY is unacceptable

Rowland Penny rpenny at samba.org
Tue Feb 26 15:14:40 UTC 2019


On Tue, 26 Feb 2019 09:19:46 -0500
Kevin White via samba <samba at lists.samba.org> wrote:

> I'm having trouble with nsupdates.  I'm getting TKEY is unacceptable.
> 
> I'm using Fedora 29, with its packages:
> 
> [root at dc2 kwhite]# rpm -qa | grep samba
> samba-4.9.4-1.fc29.x86_64
> samba-dc-bind-dlz-4.9.4-1.fc29.x86_64
> samba-common-4.9.4-1.fc29.noarch
> samba-libs-4.9.4-1.fc29.x86_64
> samba-dc-libs-4.9.4-1.fc29.x86_64
> samba-winbind-4.9.4-1.fc29.x86_64
> samba-common-libs-4.9.4-1.fc29.x86_64
> python2-samba-4.9.4-1.fc29.x86_64
> samba-winbind-modules-4.9.4-1.fc29.x86_64
> samba-client-libs-4.9.4-1.fc29.x86_64
> python2-samba-dc-4.9.4-1.fc29.x86_64
> samba-common-tools-4.9.4-1.fc29.x86_64
> samba-dc-4.9.4-1.fc29.x86_64
> 
> This is "dc2".  There is no "dc1".  A bit of local history: there was
> a dc1.  It was made back when AD-DC was first released, using
> packages I compiled myself to enable Heimdal.  When MIT Kerberos was
> supported, I attempted to change that dc to use MIT and had trouble
> with the conversion, so I created a new dc (dc2) from scratch and
> replicated dc1 to it, transferred the FSMO roles and shut dc1 down.
> This may be relevant.

If you are using the standard FC packages, you are back to using MIT
and this is classed as experimental.

> 
> I'm trying to use the Bind back end:
> 
> [root at dc2 kwhite]# rpm -qa | grep bind|grep -v samba | sort
> bind-9.11.5-2.P1.fc29.x86_64
> [...]
> 
> For testing/ease of use, selinux is _disabled_ and the firewall is
> _turned off_:
> 
> [root at dc2 kwhite]# getenforce
> Disabled
> [root at dc2 kwhite]# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Running samba_dnsupdate gets TKEY is unacceptable.  I've followed the
> steps on the wiki:
> 
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
> 
> Here is what I've done:
> 
> [root at dc2 kwhite]# klist -k /var/lib/samba/private/dns.keytab
> Keytab name: FILE:/var/lib/samba/private/dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 DNS/dc2.kevboland.kevbo.org at KEVBOLAND.KEVBO.ORG
>    1 dns-dc2 at KEVBOLAND.KEVBO.ORG
>    1 DNS/dc2.kevboland.kevbo.org at KEVBOLAND.KEVBO.ORG
>    1 dns-dc2 at KEVBOLAND.KEVBO.ORG
>    1 DNS/dc2.kevboland.kevbo.org at KEVBOLAND.KEVBO.ORG
>    1 dns-dc2 at KEVBOLAND.KEVBO.ORG
>    1 DNS/dc2.kevboland.kevbo.org at KEVBOLAND.KEVBO.ORG
>    1 dns-dc2 at KEVBOLAND.KEVBO.ORG
>    1 DNS/dc2.kevboland.kevbo.org at KEVBOLAND.KEVBO.ORG
>    1 dns-dc2 at KEVBOLAND.KEVBO.ORG
> 
> [root at dc2 kwhite]# rm /var/lib/samba/private/dns.keytab
> rm: remove regular file '/var/lib/samba/private/dns.keytab'? y
> 
> [root at dc2 kwhite]# samba-tool user delete dns-DC2
> Deleted user dns-DC2

You didn't need to do that.

> 
> [root at dc2 kwhite]# samba_upgradedns --dns-backend=SAMBA_INTERNAL
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/bind-dns/dns/KEVBOLAND.KEVBO.ORG.zone
> DNS records will be automatically created
> DNS partitions already exist
> Finished upgrading DNS
> You have switched to using SAMBA_INTERNAL as your dns backend, but you
> still have samba starting looking for a BIND backend. Please remove
> the -dns from your server services line.
> 
> Note: Isn't that output message wrong?  If I don't have "dns" in
> smb.conf, and bind isn't running (but samba is), nothing is listening
> on port 53.  I was under the impression that "dns" on "server
> services" in smb.conf enables the internal DNS server.

Yes, the message is a bit wrong. If you have a 'server services' line and
it doesn't list 'dns', or it has '-dns', then Samba expects Bind9. Just
remove the 'server services' line.

> 
> [root at dc2 kwhite]# emacs /etc/samba/smb.conf
> 
> [root at dc2 kwhite]# grep "server services" /etc/samba/smb.conf
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dns

Having that line is just like not having that line ;-)

> 
> [root at dc2 kwhite]# systemctl stop named
> [root at dc2 kwhite]# systemctl stop samba
> [root at dc2 kwhite]# systemctl start samba
> 
> So, now I'm running with internal DNS.  Good.  Switch back.
> 
> [root at dc2 kwhite]# samba_upgradedns --dns-backend=BIND9_DLZ
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/bind-dns/dns/KEVBOLAND.KEVBO.ORG.zone
> DNS records will be automatically created
> DNS partitions already exist
> Adding dns-dc2 account
> See /var/lib/samba/bind-dns/named.conf for an example configuration
> include file for BIND
> and /var/lib/samba/bind-dns/named.txt for further documentation
> required for secure DNS updates
> Finished upgrading DNS
> You have switched to using BIND9_DLZ as your dns backend, but still
> have the internal dns starting. Please make sure you add '-dns' to
> your server services line in your smb.conf.

Again, that is a bit wrong: either remove 'dns' from an existing
'server services' line or add 'server services = -dns'.
 
> [root at dc2 kwhite]# emacs /etc/samba/smb.conf
> [root at dc2 kwhite]# grep "server services" /etc/samba/smb.conf
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc
> [root at dc2 kwhite]# systemctl stop samba
> [root at dc2 kwhite]# systemctl start named
> [root at dc2 kwhite]# systemctl start samba
> 
> [root at dc2 kwhite]# klist -k /var/lib/samba/private/dns.keytab
> Keytab name: FILE:/var/lib/samba/private/dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 DNS/dc2.kevboland.kevbo.org at KEVBOLAND.KEVBO.ORG
>    1 dns-dc2 at KEVBOLAND.KEVBO.ORG
>    1 DNS/dc2.kevboland.kevbo.org at KEVBOLAND.KEVBO.ORG
>    1 dns-dc2 at KEVBOLAND.KEVBO.ORG
>    1 DNS/dc2.kevboland.kevbo.org at KEVBOLAND.KEVBO.ORG
>    1 dns-dc2 at KEVBOLAND.KEVBO.ORG
>    1 DNS/dc2.kevboland.kevbo.org at KEVBOLAND.KEVBO.ORG
>    1 dns-dc2 at KEVBOLAND.KEVBO.ORG
>    1 DNS/dc2.kevboland.kevbo.org at KEVBOLAND.KEVBO.ORG
>    1 dns-dc2 at KEVBOLAND.KEVBO.ORG
> 
> [root at dc2 kwhite]# cat /etc/resolv.conf
> search kevboland.kevbo.org kevbo.org
> nameserver 127.0.0.1
> [root at dc2 kwhite]# samba_dnsupdate  --verbose --all-names
> IPs: ['2605:xxxx:xxxx:xxxx::185', ..., '192.168.10.91']
> force update: A dc2.kevboland.kevbo.org 192.168.10.91
> force update: AAAA dc2.kevboland.kevbo.org 2605:xxxx:xxxx:xxxx::185
> 
> [...]
> 
> 54 DNS updates and 0 DNS deletes needed
> Successfully obtained Kerberos ticket to DNS/dc2.kevboland.kevbo.org
> as DC2$ update(nsupdate): A dc2.kevboland.kevbo.org 192.168.10.91
> Calling nsupdate for A dc2.kevboland.kevbo.org 192.168.10.91 (add)
> Successfully obtained Kerberos ticket to DNS/dc2.kevboland.kevbo.org
> as DC2$ Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> dc2.kevboland.kevbo.org. 900    IN      A       192.168.10.91
> 
> dns_tkey_gssnegotiate: TKEY is unacceptable
> Failed nsupdate: 1
> update(nsupdate): AAAA dc2.kevboland.kevbo.org
> 2605:xxxx:xxxx:xxxx::185 Calling nsupdate for AAAA
> dc2.kevboland.kevbo.org 2605:xxxx:xxxx:xxxx::185 (add)
> Successfully obtained Kerberos ticket to DNS/dc2.kevboland.kevbo.org
> as DC2$ Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> dc2.kevboland.kevbo.org. 900    IN      AAAA
> 2605:xxxx:xxxx:xxxx::185
> 
> I had this problem before I enabled ipv6.  I've had the problem for a
> while now, and I just kept hoping that it would fix itself with
> updates, but it hasn't.
> 
> When IP addresses on the servers change (like they tend to with
> ipv6), I do this manual switch to get updated addresses into bind.
> 
> Is there anything else I can try?
> 

Add 'dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool'
to smb.conf

Rowland
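An added check, not code from this thread or from the Samba project, that applies the rule Rowland states for the 'server services' line (no line, or a line listing 'dns', means the internal DNS server; a line with '-dns' or without 'dns' means Samba expects BIND9_DLZ) and confirms whether the 'dns update command = ... --use-samba-tool' fix is present. The smb.conf files it writes are constructed samples (only the realm is taken from the thread); the function names and the temporary directory are the example's own assumptions.

```sh
#!/bin/sh
# Added example: offline consistency check for the two smb.conf settings the
# reply turns on. It does not talk to Samba, BIND or the KDC.

# Print the DNS backend Samba will expect, read from [global] of the smb.conf
# given as $1:
#   no 'server services' line, or one listing 'dns' (or '+dns') -> internal
#   a line carrying '-dns', or omitting 'dns' altogether          -> bind9
samba_dns_mode() {
    value=$(awk '
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/) }
        in_global && tolower($0) ~ /^[[:space:]]*server[[:space:]]+services[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1")
    if [ -z "$value" ]; then
        echo internal      # Samba's default service list includes dns
        return 0
    fi
    mode=bind9             # a line that never mentions dns means BIND9_DLZ
    for tok in $(printf '%s' "$value" | tr ',' ' '); do
        case "$tok" in
            -dns)     echo bind9; return 0 ;;
            dns|+dns) mode=internal ;;
        esac
    done
    echo "$mode"
}

# Print "yes" if [global] has a 'dns update command' that runs samba_dnsupdate
# with --use-samba-tool (the fix suggested in the reply), otherwise "no".
dns_update_uses_samba_tool() {
    awk '
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/) }
        in_global && tolower($0) ~ /^[[:space:]]*dns[[:space:]]+update[[:space:]]+command[[:space:]]*=/ {
            if ($0 ~ /samba_dnsupdate/ && $0 ~ /--use-samba-tool/) found = 1
        }
        END { print (found ? "yes" : "no") }' "$1"
}

# Human-readable summary of what the running host has to match.
check_dns_config() {
    mode=$(samba_dns_mode "$1")
    echo "dns backend expected by smb.conf: $mode"
    case "$mode" in
        bind9)    echo "  named must own port 53; Samba must not also serve DNS" ;;
        internal) echo "  named must be stopped; Samba's internal DNS serves port 53" ;;
    esac
    echo "dns update command uses --use-samba-tool: $(dns_update_uses_samba_tool "$1")"
}

# Constructed sample configs (assumed layout, not the poster's real smb.conf).
WORK=$(mktemp -d)

cat >"$WORK/bind9.conf" <<'EOF'
[global]
        realm = KEVBOLAND.KEVBO.ORG
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc
        dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
[sysvol]
        path = /var/lib/samba/sysvol
EOF

cat >"$WORK/internal.conf" <<'EOF'
[global]
        realm = KEVBOLAND.KEVBO.ORG
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dns
EOF

cat >"$WORK/noline.conf" <<'EOF'
[global]
        realm = KEVBOLAND.KEVBO.ORG
EOF

cat >"$WORK/minusdns.conf" <<'EOF'
[global]
        realm = KEVBOLAND.KEVBO.ORG
        server services = -dns
EOF

check_dns_config "$WORK/bind9.conf"
```

Run it against a real /etc/samba/smb.conf after the backend switch, before starting services, so that 'named' and Samba's internal DNS are never both started on port 53. The repeated principals in the klist output above are one entry per encryption type, not duplicate keys; 'klist -ke' shows the enctype of each entry.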
