[Samba] dns_tkey_gssnegotiate: TKEY is unacceptable
Robert E. Wooden
bob at donelsontrophy.com
Mon Jul 6 15:05:04 UTC 2020
On 7/3/2020 10:01 AM, Robert E. Wooden via samba wrote:
> On 7/3/2020 9:50 AM, Rowland penny via samba wrote:
>> Originally, Samba used /var/lib/samba/private for the dns.keytab and
>> other dns files. This was then found to be possibly insecure, so it
>> was decided to use /var/lib/samba/bind-dns instead. When you upgrade
>> the Samba packages, the old files are not removed, but the new ones
>> are created. You just need to make Bind9 etc use them.
>>
>> Rowland
>>
This problem continues.
For clarity, the hostnames are DC01, DC1 and DC2.
DC01 (/soon to be retired hardware/)
root at DC01:~# cat /etc/bind/named.conf.options
tkey-gssapi-keytab "/var/lib/samba/*bind-dns*/dns.keytab";
root at DC01:~# ls /var/lib/samba/bind-dns/
dns *dns.keytab* named.conf named.txt
root at DC01:~# ls /var/lib/samba/private
*dns.keytab* dns_update_list idmap.ldb . . . . more files
root at DC01:~# cat /etc/krb5.conf
[libdefaults]
default_realm = SUBDOM.EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
>>>>>>>>>>>>>>>> snipped for brevity <<<<<<<<<<<<<<<<
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
root at DC01:~# cat /etc/resolv.conf
nameserver 192.168.0.41
##nameserver 192.168.0.42
nameserver 192.168.0.50
search SUBDOM.EXAMPLE.COM
root at DC01:~# samba_dnsupdate --verbose –all-names/**//*<<< updates fail*/
dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM
DC01.SUBDOM.EXAMPLE.COM 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM
DC01.SUBDOM.EXAMPLE.COM 389 (add)
Successfully obtained Kerberos ticket to DNS/DC1.SUBDOM.EXAMPLE.COM as DC01$
DC1 (newer hardware) /domain joined with DC01/
root at DC1:~# cat /etc/bind/named.conf.options
tkey-gssapi-keytab "/var/lib/samba/*bind-dns*/dns.keytab";
root at DC1:~# ls /var/lib/samba/bind-dns/
dns named.conf named.txt/*<<<<<<<<<<<<<<< notice dns.keytab is MISSING*/
root at DC1:~# ls /var/lib/samba/private/
*dns.keytab* hklm.ldb ldap_priv . . . . more files
root at DC1:~# cat /etc/krb5.conf
[libdefaults]
default_realm = SUBDOM.EXAMPLE.COM
>>>>>>>>>>>>>>>> snipped for brevity <<<<<<<<<<<<<<<<
[realms]
SUBDOM.EXAMPLE.COM = {
kdc = DC01
kdc = DC1
kdc = DC2
admin_server = DC1
root at DC1:~# cat /etc/krb5.conf <<<<<<<<<<< this /etc/krb5.conf file is
generated by the installation
[libdefaults]
default_realm = SUBDOM.EXAMPLE.COM
>>>>>>>>>>>>>>>> snipped for brevity <<<<<<<<<<<<<<<<
[realms]
SUBDOM.EXAMPLE.COM = {
kdc = DC1
kdc = DC2
admin_server = DC1
root at DC1:~# cat /etc/resolv.conf
search SUBDOM.EXAMPLE.COM
nameserver 192.168.0.50
###nameserver 192.168.0.42
nameserver 192.168.0.41
root at DC01:~# samba_dnsupdate --verbose –all-names/**//*<<< updates
correctly*/
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM
DC1.SUBDOM.EXAMPLE.COM 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM
DC1.SUBDOM.EXAMPLE.COM 389 (add)
Successfully obtained Kerberos ticket to DNS/DC01.SUBDOM.EXAMPLE.COM as DC1$
DC2 (newer hardware) /*soon to be*//domain joined with DC01 & DC1/
root at DC2:~# cat /etc/bind/named.conf.options
tkey-gssapi-keytab "/var/lib/samba/*bind-dns*/dns.keytab";
root at DC2:~# ls /var/lib/samba/bind-dns/
dns *dns.keytab* named.conf named.txt
root at DC2:~# ls /var/lib/samba/private/
*dns.keytab* hklm.ldb ldap_priv . . . . more files
root at DC2:~# cat /etc/krb5.conf
[libdefaults]
default_realm = SUBDOM.EXAMPLE.COM
>>>>>>>>>>>>>>>> snipped for brevity <<<<<<<<<<<<<<<<
[realms]
SUBDOM.EXAMPLE.COM = {
kdc = DC01
kdc = DC1
kdc = DC2
admin_server = DC1
root at DC2:~# cat /etc/resolv.conf
search SUBDOM.EXAMPLE.COM
##nameserver 192.168.0.41
nameserver 192.168.0.42
root at DC01:~# cat /etc/krb5.conf
[libdefaults]
default_realm = SUBDOM.EXAMPLE.COM
>>>>>>>>>>>>>>>> snipped for brevity <<<<<<<<<<<<<<<<
[realms]
SUBDOM.EXAMPLE.COM = {
kdc = DC01
kdc = DC1
kdc = DC2
admin_server = DC1
root at DC2:~# samba_dnsupdate --verbose –all-names/**//*<<< updates
correctly*/
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM
DC2.SUBDOM.EXAMPLE.COM 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM
DC2.SUBDOM.EXAMPLE.COM 389 (add)
Successfully obtained Kerberos ticket to DNS/DC2.SUBDOM.EXAMPLE.COM as DC2$
A reminder, DC2 is NOT joined with the subdomain, yet.
And now the weird part, if I change DC01 /etc/bind/named.conf.options to
.../private/dns.ketab (for testing purposes), DC1 (joined with DC01)
samba_dnsupdate --verbose –all-names _will fail_ with
"dns_tkey_gssnegotiate: TKEY is unacceptable" and the "Successfully
obtained Kerberos ticket to DNS/DC1.SUBDOM.EXAMPLE.COM as _DC1$_."
(Notice that DC1 is "acquiring password" password from itself.)
When I change the DC01 ".../private/dns-keytab" _back to_
"....bind-dns/dns.keytab" DC1 will then "samba_dnsupdate --verbose
–all-names" correctly BUT, "Successfully obtained Kerberos ticket to
DNS/DC1.SUBDOM.EXAMPLE.COM as _DC01$_." <<<<< goes back to acquiring
password from DC01(zero one).
At no time does DC01 complete samba_dnsupdate correctly.
The confusion of two (2) dns.keytab files is causing (I could be wrong
but,) issues with my subdomain.
It appears to me (and I could be wrong) that the two files are causing
problems and I am not quite clear just how but, the two files are at
issue? Why would a change on one DC cause the other to behave
differently? And then change the "change" back, correct the issue with
the other DC?
Why has one installation not created a ".../bind-dns/dns.keytab" file
and yet the other has?
I followed the same "steps" during installation on both.
--
Bob Wooden
More information about the samba
mailing list