[Samba] dnsupdate failed with TKEY is unacceptable
me at tdiehl.org
Wed Nov 18 18:12:47 UTC 2020
On Wed, 18 Nov 2020, Rommel Rodriguez Toirac via samba wrote:
>
> In my network I have a samba 4.11.4 as Active Directory Domain Controller installed in CentOS 7 (gtmad.gtm.onat.gob.cu - 192.168.41.17). I have recently installed samba 4.13.2 in CentOS 8 (gtmad1.gtm.onat.gob.cu - 192.168.41.18) and following the wiki.samba.org guide I have joined it as a domain controller to my network.
>
> But I have a "dnsupdate_nameupdate_done: Failed DNS update with exit code 26" due to "TKEY is unacceptable"
>
> Some of my steps in the process:
>
> Everything seems fine with directory replication:
> # samba-tool drs showrepl
> Default-First-Site-NameGTMAD1
> DSA Options: 0x00000001
> DSA object GUID: 03d9f4b0-72a5-47cd-b572-a33ae30b73ce
> DSA invocationId: 1a022b20-9777-4366-b996-5b27a46aff42
> ==== INBOUND NEIGHBORS ====
> DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
> Default-First-Site-NameGTMAD via RPC
> DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
> 0 consecutive failure(s).
> Last success @ Wed Nov 18 11:43:33 2020 CST
> DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
> Default-First-Site-NameGTMAD via RPC
> DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
> 0 consecutive failure(s).
> Last success @ Wed Nov 18 11:43:33 2020 CST
> CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> Default-First-Site-NameGTMAD via RPC
> DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
> 0 consecutive failure(s).
> Last success @ Wed Nov 18 11:43:33 2020 CST
> DC=gtm,DC=onat,DC=gob,DC=cu
> Default-First-Site-NameGTMAD via RPC
> DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
> 0 consecutive failure(s).
> Last success @ Wed Nov 18 11:43:33 2020 CST
> CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> Default-First-Site-NameGTMAD via RPC
> DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
> 0 consecutive failure(s).
> Last success @ Wed Nov 18 11:43:33 2020 CST
> ==== OUTBOUND NEIGHBORS ====
> DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
> Default-First-Site-NameGTMAD via RPC
> DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
> DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
> Default-First-Site-NameGTMAD via RPC
> DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
> CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> Default-First-Site-NameGTMAD via RPC
> DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
> DC=gtm,DC=onat,DC=gob,DC=cu
> Default-First-Site-NameGTMAD via RPC
> DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
> CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> Default-First-Site-NameGTMAD via RPC
> DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
> ==== KCC CONNECTION OBJECTS ====
> Connection --
> Connection name: 0c6a236f-edeb-486a-9791-d75de0564fc4
> Enabled : TRUE
> Server DNS name : gtmad.gtm.onat.gob.cu
> Server DN name : CN=NTDS Settings,CN=GTMAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> TransportType: RPC
> options: 0x00000001
> Warning: No NC replicated for Connection!
>
>
> When I check the local DNS service I get the following:
> # host -t A gtm.onat.gob.cu localhost
> Using domain server:
> Name: localhost
> Address: 127.0.0.1#53
> Aliases:
> gtm.onat.gob.cu has address 192.168.41.17
> (It only resolves the IP of the samba 4.11.4 AD-DC, not its own as well; I do not know if this is a problem)
>
>
> When I check the status of the named.service service it seems that everything is fine:
> # systemctl status named.service -l
> ● named.service - Berkeley Internet Name Domain (DNS)
> Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
> Active: active (running) since Wed 2020-11-18 12:02:02 CST; 7s ago
> Process: 18524 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
> Process: 18539 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
> Process: 18537 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
> Main PID: 18541 (named)
> Tasks: 35 (limit: 26213)
> Memory: 102.6M
> CGroup: /system.slice/named.service
> └─18541 /usr/sbin/named -u named -c /etc/named.conf
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: configuring command channel from '/etc/rndc.key'
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: command channel listening on 127.0.0.1#953
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: configuring command channel from '/etc/rndc.key'
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: command channel listening on ::1#953
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: managed-keys-zone: loaded serial 0
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone localhost/IN: loaded serial 2013050101
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: all zones loaded
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: running
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu systemd[1]: Started Berkeley Internet Name Domain (DNS).
>
>
> When I check the status of the samba service I have the following problem:
> # systemctl status samba-ad-dc.service
> ● samba-ad-dc.service - Samba Active Directory Domain Controller
> Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; disabled; vendor preset: disabled)
> Active: active (running) since Tue 2020-11-17 11:58:14 CST; 23h ago
> Process: 197 ExecStart=/usr/sbin/samba -D (code=exited, status=0/SUCCESS)
> Main PID: 198 (samba)
> Tasks: 59 (limit: 26213)
> Memory: 342.1M
> CGroup: /system.slice/samba-ad-dc.service
> ├─ 198 /usr/sbin/samba -D
> ...
> ├─ 208 /usr/sbin/samba -D
> ├─ 209 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
> ├─ 210 /usr/sbin/samba -D
> ...
> ├─ 230 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
> ├─ 231 /usr/sbin/samba -D
> ...
> ├─ 249 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
> ├─ 250 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
> ├─ 251 /usr/sbin/samba -D
> ...
> ├─ 259 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
> ├─1138 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
> ├─1139 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
> └─1140 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.911574, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.928092, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.953861, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:31.006807, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:31.028370, 0] ../../source4/dsdb/dns/dns_update.c:86(dnsupdate_nameupdate_done)
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: dnsupdate_nameupdate_done: Failed DNS update with exit code 26
>
> How can I fix this?
Does https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable help?
Regards,
--
Tom me at tdiehl.org
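A small diagnostic helper added here, not code from the thread or from Samba: it checks the two named.conf settings a BIND9_DLZ backend needs before GSS-TSIG (TKEY) updates can succeed, and summarises the rejected negotiations in a journal extract like the one quoted above. The directory /var/lib/samba/bind-dns and the file names inside it are assumptions for a typical install; override BIND_DNS_DIR for a different prefix.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread or from Samba). Assumes a BIND9_DLZ
# backend whose generated config and DNS keytab live under BIND_DNS_DIR; the default
# path is an assumption for a typical install, override it for another prefix.
BIND_DNS_DIR="${BIND_DNS_DIR:-/var/lib/samba/bind-dns}"

# check_named_conf FILE: returns 0 only if named.conf both loads Samba's generated
# config (so the AD zones exist at all) and names the DNS keytab that named needs
# to accept a GSS-TSIG (TKEY) negotiation from samba_dnsupdate.
check_named_conf() {
    conf="$1"
    rc=0
    if [ ! -r "$conf" ]; then
        echo "FAIL: cannot read $conf"
        return 2
    fi
    if grep -Eq "^[[:space:]]*include[[:space:]]+\"$BIND_DNS_DIR/named\.conf\"" "$conf"; then
        echo "ok:   includes $BIND_DNS_DIR/named.conf"
    else
        echo "FAIL: $BIND_DNS_DIR/named.conf is not included (named serves only its own zones)"
        rc=1
    fi
    if grep -Eq "^[[:space:]]*tkey-gssapi-keytab[[:space:]]+\"$BIND_DNS_DIR/dns\.keytab\"" "$conf"; then
        echo "ok:   tkey-gssapi-keytab points at $BIND_DNS_DIR/dns.keytab"
    else
        echo "FAIL: tkey-gssapi-keytab does not point at $BIND_DNS_DIR/dns.keytab"
        rc=1
    fi
    return $rc
}

# tkey_failures LOG: number of rejected TKEY negotiations in a samba journal extract.
tkey_failures() {
    grep -c 'dns_tkey_gssnegotiate: TKEY is unacceptable' "$1" || true
}

# dnsupdate_exit_code LOG: exit code reported by the last failed samba_dnsupdate run.
dnsupdate_exit_code() {
    sed -n 's/.*Failed DNS update with exit code \([0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Usage on a DC: check_named_conf /etc/named.conf
#                journalctl -u samba-ad-dc > samba.log; tkey_failures samba.log
```

A named.conf that passes both checks but still logs "TKEY is unacceptable" usually points at the keytab itself (missing, stale or not readable by the named user) or at the DC not resolving its own name, which is the next thing to verify.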