[Samba] dnsupdate failed with TKEY is unaceptable

me at tdiehl.org me at tdiehl.org
Wed Nov 18 18:12:47 UTC 2020 

On Wed, 18 Nov 2020, Rommel Rodriguez Toirac via samba wrote:

>  
> In my network I have a samba 4.11.4 as Active Directory Domain Controller installed in CentOS 7 (gtmad.gtm.onat.gob.cu - 192.168.41.17). I have recently installed samba 4.13.2 in CentOS 8 (gtmad1.gtm.onat.gob.cu - 192.168.41.18) and following the wiki.samba.org guide I have joined it as a domain controller to my network.
>  
>   But I have a "dnsupdate_nameupdate_done: Failed DNS update with exit code 26" due to "TKEY is unacceptable"
>  
>   Some of my steps in the progress:
>  
>   Everything seems fine with directory replication:
> # samba-tool drs showrepl
> Default-First-Site-NameGTMAD1
> DSA Options: 0x00000001
> DSA object GUID: 03d9f4b0-72a5-47cd-b572-a33ae30b73ce
> DSA invocationId: 1a022b20-9777-4366-b996-5b27a46aff42
> ==== INBOUND NEIGHBORS ====
> DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-NameGTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
>                 0 consecutive failure(s).
>                 Last success @ Wed Nov 18 11:43:33 2020 CST
> DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-NameGTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
>                 0 consecutive failure(s).
>                 Last success @ Wed Nov 18 11:43:33 2020 CST
> CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-NameGTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
>                 0 consecutive failure(s).
>                 Last success @ Wed Nov 18 11:43:33 2020 CST
> DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-NameGTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
>                 0 consecutive failure(s).
>                 Last success @ Wed Nov 18 11:43:33 2020 CST
> CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-NameGTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
>                 0 consecutive failure(s).
>                 Last success @ Wed Nov 18 11:43:33 2020 CST
> ==== OUTBOUND NEIGHBORS ====
> DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-NameGTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ NTTIME(0) was successful
>                 0 consecutive failure(s).
>                 Last success @ NTTIME(0)
> DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-NameGTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ NTTIME(0) was successful
>                 0 consecutive failure(s).
>                 Last success @ NTTIME(0)
> CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-NameGTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ NTTIME(0) was successful
>                 0 consecutive failure(s).
>                 Last success @ NTTIME(0)
> DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-NameGTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ NTTIME(0) was successful
>                 0 consecutive failure(s).
>                 Last success @ NTTIME(0)
> CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-NameGTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ NTTIME(0) was successful
>                 0 consecutive failure(s).
>                 Last success @ NTTIME(0)
> ==== KCC CONNECTION OBJECTS ====
> Connection --
>         Connection name: 0c6a236f-edeb-486a-9791-d75de0564fc4
>         Enabled        : TRUE
>         Server DNS name : gtmad.gtm.onat.gob.cu
>         Server DN name  : CN=NTDS Settings,CN=GTMAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>                 TransportType: RPC
>                 options: 0x00000001
> Warning: No NC replicated for Connection!
>  
>  
>   When I check the local DNS service I get the following:
> # host -t A gtm.onat.gob.cu localhost
> Using domain server:
> Name: localhost
> Address: 127.0.0.1#53
> Aliases: 
> gtm.onat.gob.cu has address 192.168.41.17
>   (It only solves the IP of the samba 4.11.4 AD-DC not his as well, do not know if this is a problem)
>  
>  
>   When I check the status of the named.service service it seems that everything is fine:
> # systemctl status named.service -l 
> ● named.service - Berkeley Internet Name Domain (DNS)
>   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
>   Active: active (running) since Wed 2020-11-18 12:02:02 CST; 7s ago
>  Process: 18524 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
>  Process: 18539 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
>  Process: 18537 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
> Main PID: 18541 (named)
>    Tasks: 35 (limit: 26213)
>   Memory: 102.6M
>   CGroup: /system.slice/named.service
>           └─18541 /usr/sbin/named -u named -c /etc/named.conf
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: configuring command channel from '/etc/rndc.key'
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: command channel listening on 127.0.0.1#953
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: configuring command channel from '/etc/rndc.key'
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: command channel listening on ::1#953
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: managed-keys-zone: loaded serial 0
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone localhost/IN: loaded serial 2013050101
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: all zones loaded
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: running
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu systemd[1]: Started Berkeley Internet Name Domain (DNS).
>  
>  
>   When I check the status of the samba service I have the following problem:
> # systemctl status samba-ad-dc.service
> ● samba-ad-dc.service - Samba Active Directory Domain Controller
>    Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; disabled; vendor preset: disabled)
>    Active: active (running) since Tue 2020-11-17 11:58:14 CST; 23h ago
>   Process: 197 ExecStart=/usr/sbin/samba -D (code=exited, status=0/SUCCESS)
>  Main PID: 198 (samba)
>     Tasks: 59 (limit: 26213)
>    Memory: 342.1M
>    CGroup: /system.slice/samba-ad-dc.service
>            ├─ 198 /usr/sbin/samba -D
>            ...
>            ├─ 208 /usr/sbin/samba -D
>            ├─ 209 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
>            ├─ 210 /usr/sbin/samba -D
>            ...
>            ├─ 230 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
>            ├─ 231 /usr/sbin/samba -D
>            ...
>            ├─ 249 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
>            ├─ 250 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
>            ├─ 251 /usr/sbin/samba -D
>            ...
>            ├─ 259 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
>            ├─1138 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
>            ├─1139 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
>            └─1140 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
>            nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.911574,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.928092,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.953861,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:31.006807,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:31.028370,  0] ../../source4/dsdb/dns/dns_update.c:86(dnsupdate_nameupdate_done)
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 26
>  
>   How I can fix this?

Does https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable help?

Regards,

-- 
Tom			me at tdiehl.org

More information about the samba mailing list