[Samba] dnsupdate failed with TKEY is unaceptable
Rommel Rodriguez Toirac
rommelrt at nauta.cu
Wed Nov 18 19:13:25 UTC 2020
-------- Original message --------
> In my network I have a samba 4.11.4 as Active Directory Domain Controller installed in CentOS 7 (gtmad.gtm.onat.gob.cu - 192.168.41.17). I have recently installed samba 4.13.2 in CentOS 8 (gtmad1.gtm.onat.gob.cu - 192.168.41.18) and following the wiki.samba.org guide I have joined it as a domain controller to my network.
>
> But I have a "dnsupdate_nameupdate_done: Failed DNS update with exit code 26" due to "TKEY is unacceptable"
>
> Some of my steps in the process:
>
> Everything seems fine with directory replication:
> # samba-tool drs showrepl
> Default-First-Site-Name\GTMAD1
> DSA Options: 0x00000001
> DSA object GUID: 03d9f4b0-72a5-47cd-b572-a33ae30b73ce
> DSA invocationId: 1a022b20-9777-4366-b996-5b27a46aff42
>
> ==== INBOUND NEIGHBORS ====
>
> DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
>     Default-First-Site-Name\GTMAD via RPC
>         DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>         Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
>         0 consecutive failure(s).
>         Last success @ Wed Nov 18 11:43:33 2020 CST
>
> DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
>     Default-First-Site-Name\GTMAD via RPC
>         DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>         Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
>         0 consecutive failure(s).
>         Last success @ Wed Nov 18 11:43:33 2020 CST
>
> CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>     Default-First-Site-Name\GTMAD via RPC
>         DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>         Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
>         0 consecutive failure(s).
>         Last success @ Wed Nov 18 11:43:33 2020 CST
>
> DC=gtm,DC=onat,DC=gob,DC=cu
>     Default-First-Site-Name\GTMAD via RPC
>         DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>         Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
>         0 consecutive failure(s).
>         Last success @ Wed Nov 18 11:43:33 2020 CST
>
> CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>     Default-First-Site-Name\GTMAD via RPC
>         DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>         Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
>         0 consecutive failure(s).
>         Last success @ Wed Nov 18 11:43:33 2020 CST
>
> ==== OUTBOUND NEIGHBORS ====
>
> DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
>     Default-First-Site-Name\GTMAD via RPC
>         DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
>     Default-First-Site-Name\GTMAD via RPC
>         DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>     Default-First-Site-Name\GTMAD via RPC
>         DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> DC=gtm,DC=onat,DC=gob,DC=cu
>     Default-First-Site-Name\GTMAD via RPC
>         DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>     Default-First-Site-Name\GTMAD via RPC
>         DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> ==== KCC CONNECTION OBJECTS ====
>
> Connection --
>     Connection name: 0c6a236f-edeb-486a-9791-d75de0564fc4
>     Enabled        : TRUE
>     Server DNS name : gtmad.gtm.onat.gob.cu
>     Server DN name  : CN=NTDS Settings,CN=GTMAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>         TransportType: RPC
>         options: 0x00000001
> Warning: No NC replicated for Connection!
>
>
> When I check the local DNS service I get the following:
> # host -t A gtm.onat.gob.cu localhost
> Using domain server:
> Name: localhost
> Address: 127.0.0.1#53
> Aliases:
>
> gtm.onat.gob.cu has address 192.168.41.17
> (It only resolves the IP of the samba 4.11.4 AD-DC, not its own as well; I do not know if this is a problem)
>
>
> When I check the status of the named.service service it seems that everything is fine:
> # systemctl status named.service -l
> ● named.service - Berkeley Internet Name Domain (DNS)
>    Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
>    Active: active (running) since Wed 2020-11-18 12:02:02 CST; 7s ago
>   Process: 18524 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
>   Process: 18539 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
>   Process: 18537 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
>  Main PID: 18541 (named)
>     Tasks: 35 (limit: 26213)
>    Memory: 102.6M
>    CGroup: /system.slice/named.service
>            └─18541 /usr/sbin/named -u named -c /etc/named.conf
>
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: configuring command channel from '/etc/rndc.key'
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: command channel listening on 127.0.0.1#953
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: configuring command channel from '/etc/rndc.key'
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: command channel listening on ::1#953
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: managed-keys-zone: loaded serial 0
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone localhost/IN: loaded serial 2013050101
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: all zones loaded
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: running
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu systemd[1]: Started Berkeley Internet Name Domain (DNS).
>
>
> When I check the status of the samba service I have the following problem:
> # systemctl status samba-ad-dc.service
> ● samba-ad-dc.service - Samba Active Directory Domain Controller
>    Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; disabled; vendor preset: disabled)
>    Active: active (running) since Tue 2020-11-17 11:58:14 CST; 23h ago
>   Process: 197 ExecStart=/usr/sbin/samba -D (code=exited, status=0/SUCCESS)
>  Main PID: 198 (samba)
>     Tasks: 59 (limit: 26213)
>    Memory: 342.1M
>    CGroup: /system.slice/samba-ad-dc.service
>            ├─ 198 /usr/sbin/samba -D
>            ...
>            ├─ 208 /usr/sbin/samba -D
>            ├─ 209 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
>            ├─ 210 /usr/sbin/samba -D
>            ...
>            ├─ 230 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
>            ├─ 231 /usr/sbin/samba -D
>            ...
>            ├─ 249 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
>            ├─ 250 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
>            ├─ 251 /usr/sbin/samba -D
>            ...
>            ├─ 259 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
>            ├─1138 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
>            ├─1139 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
>            └─1140 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
>
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.911574, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.928092, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.953861, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:31.006807, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:31.028370, 0] ../../source4/dsdb/dns/dns_update.c:86(dnsupdate_nameupdate_done)
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: dnsupdate_nameupdate_done: Failed DNS update with exit code 26
>
> How can I fix this?

> Does https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable help?
>
> Regards,
> --
> Tom    me at tdiehl.org

Thanks for answering me; following the wiki.samba.org page related to the topic "TKEY is unacceptable":

Verifying the dns.keytab file content:

# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/gtmad1.gtm.onat.gob.cu@GTM.ONAT.GOB.CU
   1 dns-gtmad1@GTM.ONAT.GOB.CU
   1 DNS/gtmad1.gtm.onat.gob.cu@GTM.ONAT.GOB.CU
   1 dns-gtmad1@GTM.ONAT.GOB.CU
   1 DNS/gtmad1.gtm.onat.gob.cu@GTM.ONAT.GOB.CU
   1 dns-gtmad1@GTM.ONAT.GOB.CU

There is a kerberos principal.

When I check for the bind AD account, it exists:

# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-GTMAD' dn
# record 1
dn: CN=dns-gtmad,CN=Users,DC=gtm,DC=onat,DC=gob,DC=cu

# Referral
ref: ldap://gtm.onat.gob.cu/CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu

# Referral
ref: ldap://gtm.onat.gob.cu/DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu

# Referral
ref: ldap://gtm.onat.gob.cu/DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu

# returned 4 records
# 1 entries
# 3 referrals

Verifying the /etc/krb5.conf permissions:

# ls -l /usr/local/samba/private/dns.keytab
-rw-r----- 2 root named 517 nov 17 15:09 /usr/local/samba/private/dns.keytab

The content of my /etc/named.conf:

# cat /etc/named.conf
# Global Configuration Options
options {
    auth-nxdomain yes;
    version "Parametro no soportado";
    directory "/var/named";
    notify no;
    empty-zones-enable no;
    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;
    listen-on-v6 { none; };
    listen-on port 53 { 192.168.41.18; 127.0.0.1; };

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query { 127.0.0.1; 192.168.41.0/24; };
    allow-query-cache { 127.0.0.1; 192.168.41.0/24; };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion { 127.0.0.1; 192.168.41.0/24; };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders { 10.10.8.2; };

    # Disable zone transfers
    allow-transfer { none; };

    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    minimal-responses yes;
};

# Root Servers
# (Required for recursive DNS queries)
#zone "." {
#    type hint;
#    file "named.root";
#};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

include "/usr/local/samba/bind-dns/named.conf";

Is there something wrong?

--
Rommel Rodríguez Toirac
rommelrt at nauta.cu
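The checks walked through above (keytab principal, keytab permissions for the named user, the tkey-gssapi-keytab option and the bind-dns include in named.conf) are the prerequisites BIND needs before it will accept a GSS-TSIG TKEY from samba_dnsupdate. The script below is an added example, not part of this thread or of Samba: it runs those checks over captured command output so the result is a list of findings instead of eyeballing. The sample captures are constructed to mirror the outputs posted above; the function names, the "named" user and the DC name are assumptions for the example.

```python
import re

# Constructed sample captures modelled on the outputs posted in the thread (not real output).
KLIST_OUTPUT = """Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------
   1 DNS/gtmad1.gtm.onat.gob.cu@GTM.ONAT.GOB.CU
   1 dns-gtmad1@GTM.ONAT.GOB.CU
"""
LS_OUTPUT = ("-rw-r----- 2 root named 517 nov 17 15:09 "
             "/usr/local/samba/private/dns.keytab")
NAMED_CONF = """options {
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/bind-dns/named.conf";
"""

def keytab_principals(klist_text):
    """Principal names from `klist -k` output (only the lines that start with a KVNO)."""
    return [line.split(None, 1)[1].strip()
            for line in klist_text.splitlines()
            if re.match(r"\s*\d+\s+\S", line)]

def check_gss_tsig_prereqs(fqdn, realm, named_user, klist_text, ls_text, named_conf):
    """Return a list of findings; an empty list means every prerequisite checked out."""
    problems = []
    # 1. The keytab must hold the DNS/<fqdn> principal of *this* DC, not another one.
    if f"DNS/{fqdn}@{realm}" not in keytab_principals(klist_text):
        problems.append(f"keytab lacks DNS/{fqdn}@{realm}")
    # 2. named.conf must hand BIND that keytab for GSS-TSIG (TKEY) negotiation.
    m = re.search(r'tkey-gssapi-keytab\s+"([^"]+)"\s*;', named_conf)
    if m is None:
        problems.append("named.conf has no tkey-gssapi-keytab option")
    # 3. The keytab must be readable by the named user and by nobody else.
    fields = ls_text.split()
    mode, owner, group, path = fields[0], fields[2], fields[3], fields[-1]
    if m is not None and m.group(1) != path:
        problems.append(f"tkey-gssapi-keytab {m.group(1)} != {path}")
    group_ok = group == named_user and mode[4] == "r"
    owner_ok = owner == named_user and mode[1] == "r"
    if not (group_ok or owner_ok):
        problems.append(f"user {named_user} cannot read {path} ({mode} {owner}:{group})")
    if mode[7] == "r":
        problems.append(f"{path} is world-readable")
    # 4. Samba's generated BIND zone configuration must be included.
    if not re.search(r'include\s+"[^"]*bind-dns/named\.conf"', named_conf):
        problems.append("named.conf does not include samba's bind-dns/named.conf")
    return problems

if __name__ == "__main__":
    for p in check_gss_tsig_prereqs("gtmad1.gtm.onat.gob.cu", "GTM.ONAT.GOB.CU",
                                    "named", KLIST_OUTPUT, LS_OUTPUT, NAMED_CONF):
        print("PROBLEM:", p)
```

On a real DC, replace the three constants with the output of `klist -k`, `ls -l` on the keytab and `cat /etc/named.conf`; an empty result means the failure lies elsewhere (for instance in which server samba_dnsupdate is actually sending the update to), not in these files.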