[Samba] dnsupdate failed with TKEY is unaceptable

Rommel Rodriguez Toirac rommelrt at nauta.cu
Wed Nov 18 17:34:32 UTC 2020 

 
In my network I have a samba 4.11.4 as Active Directory Domain Controller installed in CentOS 7 (gtmad.gtm.onat.gob.cu - 192.168.41.17). I have recently installed samba 4.13.2 in CentOS 8 (gtmad1.gtm.onat.gob.cu - 192.168.41.18) and following the wiki.samba.org guide I have joined it as a domain controller to my network. 
 
  But I have a "dnsupdate_nameupdate_done: Failed DNS update with exit code 26" due to "TKEY is unacceptable"
  
  Some of my steps in the progress:
  
  Everything seems fine with directory replication:
# samba-tool drs showrepl
Default-First-Site-NameGTMAD1
DSA Options: 0x00000001
DSA object GUID: 03d9f4b0-72a5-47cd-b572-a33ae30b73ce
DSA invocationId: 1a022b20-9777-4366-b996-5b27a46aff42
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
        Default-First-Site-NameGTMAD via RPC
                DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
                Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
                0 consecutive failure(s).
                Last success @ Wed Nov 18 11:43:33 2020 CST
DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
        Default-First-Site-NameGTMAD via RPC
                DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
                Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
                0 consecutive failure(s).
                Last success @ Wed Nov 18 11:43:33 2020 CST
CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
        Default-First-Site-NameGTMAD via RPC
                DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
                Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
                0 consecutive failure(s).
                Last success @ Wed Nov 18 11:43:33 2020 CST
DC=gtm,DC=onat,DC=gob,DC=cu
        Default-First-Site-NameGTMAD via RPC
                DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
                Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
                0 consecutive failure(s).
                Last success @ Wed Nov 18 11:43:33 2020 CST
CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
        Default-First-Site-NameGTMAD via RPC
                DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
                Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
                0 consecutive failure(s).
                Last success @ Wed Nov 18 11:43:33 2020 CST
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
        Default-First-Site-NameGTMAD via RPC
                DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)
DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
        Default-First-Site-NameGTMAD via RPC
                DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
        Default-First-Site-NameGTMAD via RPC
                DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)
DC=gtm,DC=onat,DC=gob,DC=cu
        Default-First-Site-NameGTMAD via RPC
                DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)
CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
        Default-First-Site-NameGTMAD via RPC
                DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
        Connection name: 0c6a236f-edeb-486a-9791-d75de0564fc4
        Enabled        : TRUE
        Server DNS name : gtmad.gtm.onat.gob.cu
        Server DN name  : CN=NTDS Settings,CN=GTMAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
  
  
  When I check the local DNS service I get the following:
# host -t A gtm.onat.gob.cu localhost 
Using domain server: 
Name: localhost 
Address: 127.0.0.1#53 
Aliases:  
gtm.onat.gob.cu has address 192.168.41.17
  (It only solves the IP of the samba 4.11.4 AD-DC not his as well, do not know if this is a problem)
  
  
  When I check the status of the named.service service it seems that everything is fine:
# systemctl status named.service -l  
● named.service - Berkeley Internet Name Domain (DNS) 
  Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled) 
  Active: active (running) since Wed 2020-11-18 12:02:02 CST; 7s ago 
 Process: 18524 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS) 
 Process: 18539 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS) 
 Process: 18537 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS) 
Main PID: 18541 (named) 
   Tasks: 35 (limit: 26213) 
  Memory: 102.6M 
  CGroup: /system.slice/named.service 
          └─18541 /usr/sbin/named -u named -c /etc/named.conf 
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: configuring command channel from '/etc/rndc.key' 
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: command channel listening on 127.0.0.1#953 
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: configuring command channel from '/etc/rndc.key' 
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: command channel listening on ::1#953 
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: managed-keys-zone: loaded serial 0 
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101 
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone localhost/IN: loaded serial 2013050101 
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: all zones loaded 
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: running 
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu systemd[1]: Started Berkeley Internet Name Domain (DNS).
  
  
  When I check the status of the samba service I have the following problem:
# systemctl status samba-ad-dc.service
● samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-11-17 11:58:14 CST; 23h ago
  Process: 197 ExecStart=/usr/sbin/samba -D (code=exited, status=0/SUCCESS)
 Main PID: 198 (samba)
    Tasks: 59 (limit: 26213)
   Memory: 342.1M
   CGroup: /system.slice/samba-ad-dc.service
           ├─ 198 /usr/sbin/samba -D
           ...
           ├─ 208 /usr/sbin/samba -D
           ├─ 209 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
           ├─ 210 /usr/sbin/samba -D
           ...
           ├─ 230 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
           ├─ 231 /usr/sbin/samba -D
           ...
           ├─ 249 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
           ├─ 250 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
           ├─ 251 /usr/sbin/samba -D
           ...
           ├─ 259 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
           ├─1138 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
           ├─1139 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
           └─1140 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
           nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.911574,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.928092,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.953861,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:31.006807,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:31.028370,  0] ../../source4/dsdb/dns/dns_update.c:86(dnsupdate_nameupdate_done)
nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 26
 
  How I can fix this?
 
  Where else to check to find a solution?
  Thanks in advanceRommel Rodriguez Toiracrommelrt at nauta.cu

More information about the samba mailing list