[Samba] dns_tkey_gssnegotiate: TKEY is unacceptable

Robert E. Wooden bob at donelsontrophy.com
Mon Jul 6 15:05:04 UTC 2020


On 7/3/2020 10:01 AM, Robert E. Wooden via samba wrote:
> On 7/3/2020 9:50 AM, Rowland penny via samba wrote:
>> Originally, Samba used /var/lib/samba/private for the dns.keytab and 
>> other dns files. This was then found to be possibly insecure, so it 
>> was decided to use /var/lib/samba/bind-dns instead. When you upgrade 
>> the Samba packages, the old files are not removed, but the new ones 
>> are created. You just need to make Bind9 etc use them.
>>
>> Rowland
>>
This problem continues.

For clarity, the hostnames are DC01, DC1 and DC2.

DC01 (/soon to be retired hardware/)
root at DC01:~# cat /etc/bind/named.conf.options
tkey-gssapi-keytab "/var/lib/samba/*bind-dns*/dns.keytab";
root at DC01:~# ls /var/lib/samba/bind-dns/
dns *dns.keytab* named.conf named.txt
root at DC01:~# ls /var/lib/samba/private
*dns.keytab* dns_update_list idmap.ldb . . . . more files
root at DC01:~# cat /etc/krb5.conf
[libdefaults]
     default_realm = SUBDOM.EXAMPLE.COM
     dns_lookup_kdc = true
     dns_lookup_realm = false
>>>>>>>>>>>>>>>>  snipped for brevity <<<<<<<<<<<<<<<<
; for Windows 2008 with AES
     default_tgs_enctypes =  aes256-cts-hmac-sha1-96 
aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
     default_tkt_enctypes = aes256-cts-hmac-sha1-96 
aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
     permitted_enctypes = aes256-cts-hmac-sha1-96 
aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
root at DC01:~# cat /etc/resolv.conf
nameserver 192.168.0.41
##nameserver 192.168.0.42
nameserver 192.168.0.50
search SUBDOM.EXAMPLE.COM
root at DC01:~# samba_dnsupdate --verbose –all-names/**//*<<< updates fail*/
dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
update(nsupdate): SRV 
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM 
DC01.SUBDOM.EXAMPLE.COM 389
Calling nsupdate for SRV 
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM 
DC01.SUBDOM.EXAMPLE.COM 389 (add)
Successfully obtained Kerberos ticket to DNS/DC1.SUBDOM.EXAMPLE.COM as DC01$


DC1 (newer hardware) /domain joined with DC01/
root at DC1:~# cat /etc/bind/named.conf.options
tkey-gssapi-keytab "/var/lib/samba/*bind-dns*/dns.keytab";
root at DC1:~# ls /var/lib/samba/bind-dns/
dns named.conf named.txt/*<<<<<<<<<<<<<<< notice dns.keytab is MISSING*/
root at DC1:~# ls /var/lib/samba/private/
*dns.keytab* hklm.ldb ldap_priv . . . . more files
root at DC1:~# cat /etc/krb5.conf
[libdefaults]
default_realm = SUBDOM.EXAMPLE.COM
>>>>>>>>>>>>>>>>  snipped for brevity <<<<<<<<<<<<<<<<
[realms]
SUBDOM.EXAMPLE.COM = {
kdc = DC01
kdc = DC1
kdc = DC2
admin_server = DC1
root at DC1:~# cat /etc/krb5.conf   <<<<<<<<<<< this /etc/krb5.conf file is 
generated by the installation
[libdefaults]
default_realm = SUBDOM.EXAMPLE.COM
>>>>>>>>>>>>>>>>  snipped for brevity <<<<<<<<<<<<<<<<
[realms]
SUBDOM.EXAMPLE.COM = {
kdc = DC1
kdc = DC2
admin_server = DC1
root at DC1:~# cat /etc/resolv.conf
search SUBDOM.EXAMPLE.COM
nameserver 192.168.0.50
###nameserver 192.168.0.42
nameserver 192.168.0.41
root at DC01:~# samba_dnsupdate --verbose –all-names/**//*<<< updates 
correctly*/
update(nsupdate): SRV 
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM 
DC1.SUBDOM.EXAMPLE.COM 389
Calling nsupdate for SRV 
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM 
DC1.SUBDOM.EXAMPLE.COM 389 (add)
Successfully obtained Kerberos ticket to DNS/DC01.SUBDOM.EXAMPLE.COM as DC1$



DC2 (newer hardware) /*soon to be*//domain joined with DC01 & DC1/
root at DC2:~# cat /etc/bind/named.conf.options
tkey-gssapi-keytab "/var/lib/samba/*bind-dns*/dns.keytab";
root at DC2:~# ls /var/lib/samba/bind-dns/
dns *dns.keytab* named.conf named.txt
root at DC2:~# ls /var/lib/samba/private/
*dns.keytab* hklm.ldb ldap_priv . . . . more files
root at DC2:~# cat /etc/krb5.conf
[libdefaults]
default_realm = SUBDOM.EXAMPLE.COM
>>>>>>>>>>>>>>>>  snipped for brevity <<<<<<<<<<<<<<<<
[realms]
SUBDOM.EXAMPLE.COM = {
kdc = DC01
kdc = DC1
kdc = DC2
admin_server = DC1
root at DC2:~# cat /etc/resolv.conf
search SUBDOM.EXAMPLE.COM
##nameserver 192.168.0.41
nameserver 192.168.0.42
root at DC01:~# cat /etc/krb5.conf
[libdefaults]
default_realm = SUBDOM.EXAMPLE.COM
>>>>>>>>>>>>>>>>  snipped for brevity <<<<<<<<<<<<<<<<
[realms]
SUBDOM.EXAMPLE.COM = {
kdc = DC01
kdc = DC1
kdc = DC2
admin_server = DC1
root at DC2:~# samba_dnsupdate --verbose –all-names/**//*<<< updates 
correctly*/
update(nsupdate): SRV 
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM 
DC2.SUBDOM.EXAMPLE.COM 389
Calling nsupdate for SRV 
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM 
DC2.SUBDOM.EXAMPLE.COM 389 (add)
Successfully obtained Kerberos ticket to DNS/DC2.SUBDOM.EXAMPLE.COM as DC2$

A reminder, DC2 is NOT joined with the subdomain, yet.

And now the weird part, if I change DC01 /etc/bind/named.conf.options to 
.../private/dns.ketab (for testing purposes), DC1 (joined with DC01) 
samba_dnsupdate --verbose –all-names _will fail_ with 
"dns_tkey_gssnegotiate: TKEY is unacceptable" and the "Successfully 
obtained Kerberos ticket to DNS/DC1.SUBDOM.EXAMPLE.COM as _DC1$_." 
(Notice that DC1 is "acquiring password" password from itself.)

When I change the DC01 ".../private/dns-keytab" _back to_ 
"....bind-dns/dns.keytab" DC1 will then "samba_dnsupdate --verbose 
–all-names" correctly BUT, "Successfully obtained Kerberos ticket to 
DNS/DC1.SUBDOM.EXAMPLE.COM as _DC01$_." <<<<< goes back to acquiring 
password from DC01(zero one).

At no time does DC01 complete samba_dnsupdate correctly.

The confusion of two (2)  dns.keytab files is causing (I could be wrong 
but,) issues with my subdomain.

It appears to me (and I could be wrong) that the two files are causing 
problems and I am not quite clear just how but, the two files are at 
issue? Why would a change on one DC cause the other to behave 
differently? And then change the "change" back, correct the issue with 
the other DC?

Why has one installation not created a ".../bind-dns/dns.keytab" file 
and yet the other has?

I followed the same "steps" during installation on both.

-- 

Bob Wooden



More information about the samba mailing list