[Samba] dnsupdate failed with TKEY is unaceptable

Rommel Rodriguez Toirac rommelrt at nauta.cu
Wed Nov 18 19:13:25 UTC 2020


-------- Original message --------

> > In my network I have a samba 4.11.4 as Active Directory Domain Controller installed in CentOS 7 (gtmad.gtm.onat.gob.cu - 192.168.41.17). I have recently installed samba 4.13.2 in CentOS 8 (gtmad1.gtm.onat.gob.cu - 192.168.41.18) and following the wiki.samba.org guide I have joined it as a domain controller to my network.
> >
> > But I have a "dnsupdate_nameupdate_done: Failed DNS update with exit code 26" due to "TKEY is unacceptable"
> >
> > Some of my steps in the process:
> >
> > Everything seems fine with directory replication:
> >
> > # samba-tool drs showrepl
> > Default-First-Site-Name\GTMAD1
> > DSA Options: 0x00000001
> > DSA object GUID: 03d9f4b0-72a5-47cd-b572-a33ae30b73ce
> > DSA invocationId: 1a022b20-9777-4366-b996-5b27a46aff42
> >
> > ==== INBOUND NEIGHBORS ====
> >
> > DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
> >         Default-First-Site-Name\GTMAD via RPC
> >                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> >                 Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
> >                 0 consecutive failure(s).
> >                 Last success @ Wed Nov 18 11:43:33 2020 CST
> >
> > DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
> >         Default-First-Site-Name\GTMAD via RPC
> >                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> >                 Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
> >                 0 consecutive failure(s).
> >                 Last success @ Wed Nov 18 11:43:33 2020 CST
> >
> > CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> >         Default-First-Site-Name\GTMAD via RPC
> >                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> >                 Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
> >                 0 consecutive failure(s).
> >                 Last success @ Wed Nov 18 11:43:33 2020 CST
> >
> > DC=gtm,DC=onat,DC=gob,DC=cu
> >         Default-First-Site-Name\GTMAD via RPC
> >                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> >                 Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
> >                 0 consecutive failure(s).
> >                 Last success @ Wed Nov 18 11:43:33 2020 CST
> >
> > CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> >         Default-First-Site-Name\GTMAD via RPC
> >                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> >                 Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
> >                 0 consecutive failure(s).
> >                 Last success @ Wed Nov 18 11:43:33 2020 CST
> >
> > ==== OUTBOUND NEIGHBORS ====
> >
> > DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
> >         Default-First-Site-Name\GTMAD via RPC
> >                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> >                 Last attempt @ NTTIME(0) was successful
> >                 0 consecutive failure(s).
> >                 Last success @ NTTIME(0)
> >
> > DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
> >         Default-First-Site-Name\GTMAD via RPC
> >                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> >                 Last attempt @ NTTIME(0) was successful
> >                 0 consecutive failure(s).
> >                 Last success @ NTTIME(0)
> >
> > CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> >         Default-First-Site-Name\GTMAD via RPC
> >                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> >                 Last attempt @ NTTIME(0) was successful
> >                 0 consecutive failure(s).
> >                 Last success @ NTTIME(0)
> >
> > DC=gtm,DC=onat,DC=gob,DC=cu
> >         Default-First-Site-Name\GTMAD via RPC
> >                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> >                 Last attempt @ NTTIME(0) was successful
> >                 0 consecutive failure(s).
> >                 Last success @ NTTIME(0)
> >
> > CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> >         Default-First-Site-Name\GTMAD via RPC
> >                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
> >                 Last attempt @ NTTIME(0) was successful
> >                 0 consecutive failure(s).
> >                 Last success @ NTTIME(0)
> >
> > ==== KCC CONNECTION OBJECTS ====
> >
> > Connection --
> >         Connection name: 0c6a236f-edeb-486a-9791-d75de0564fc4
> >         Enabled        : TRUE
> >         Server DNS name : gtmad.gtm.onat.gob.cu
> >         Server DN name  : CN=NTDS Settings,CN=GTMAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> >                 TransportType: RPC
> >                 options: 0x00000001
> > Warning: No NC replicated for Connection!
> >
> > When I check the local DNS service I get the following:
> >
> > # host -t A gtm.onat.gob.cu localhost
> > Using domain server:
> > Name: localhost
> > Address: 127.0.0.1#53
> > Aliases:
> >
> > gtm.onat.gob.cu has address 192.168.41.17
> >
> > (It only resolves the IP of the samba 4.11.4 AD-DC, not its own as well; I do not know if this is a problem)
> >
> > When I check the status of the named.service service it seems that everything is fine:
> >
> > # systemctl status named.service -l
> > ● named.service - Berkeley Internet Name Domain (DNS)
> >    Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
> >    Active: active (running) since Wed 2020-11-18 12:02:02 CST; 7s ago
> >   Process: 18524 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
> >   Process: 18539 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
> >   Process: 18537 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
> >  Main PID: 18541 (named)
> >     Tasks: 35 (limit: 26213)
> >    Memory: 102.6M
> >    CGroup: /system.slice/named.service
> >            └─18541 /usr/sbin/named -u named -c /etc/named.conf
> >
> > nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: configuring command channel from '/etc/rndc.key'
> > nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: command channel listening on 127.0.0.1#953
> > nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: configuring command channel from '/etc/rndc.key'
> > nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: command channel listening on ::1#953
> > nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: managed-keys-zone: loaded serial 0
> > nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
> > nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone localhost/IN: loaded serial 2013050101
> > nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: all zones loaded
> > nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: running
> > nov 18 12:02:02 gtmad1.gtm.onat.gob.cu systemd[1]: Started Berkeley Internet Name Domain (DNS).
> >
> > When I check the status of the samba service I have the following problem:
> >
> > # systemctl status samba-ad-dc.service
> > ● samba-ad-dc.service - Samba Active Directory Domain Controller
> >    Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; disabled; vendor preset: disabled)
> >    Active: active (running) since Tue 2020-11-17 11:58:14 CST; 23h ago
> >   Process: 197 ExecStart=/usr/sbin/samba -D (code=exited, status=0/SUCCESS)
> >  Main PID: 198 (samba)
> >     Tasks: 59 (limit: 26213)
> >    Memory: 342.1M
> >    CGroup: /system.slice/samba-ad-dc.service
> >            ├─ 198 /usr/sbin/samba -D
> >            ...
> >            ├─ 208 /usr/sbin/samba -D
> >            ├─ 209 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
> >            ├─ 210 /usr/sbin/samba -D
> >            ...
> >            ├─ 230 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
> >            ├─ 231 /usr/sbin/samba -D
> >            ...
> >            ├─ 249 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
> >            ├─ 250 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
> >            ├─ 251 /usr/sbin/samba -D
> >            ...
> >            ├─ 259 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
> >            ├─1138 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
> >            ├─1139 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
> >            └─1140 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
> >
> > nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.911574,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> > nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> > nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.928092,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> > nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> > nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.953861,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> > nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> > nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:31.006807,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> > nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> > nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:31.028370,  0] ../../source4/dsdb/dns/dns_update.c:86(dnsupdate_nameupdate_done)
> > nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 26
> >
> > How can I fix this?
>
> Does https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable help?
>
> Regards,
>
> --
> Tom                     me at tdiehl.org

Thanks for answering me; following the wiki.samba.org page related to the topic "TKEY is unacceptable":

Verifying the dns.keytab file content:

# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/gtmad1.gtm.onat.gob.cu@GTM.ONAT.GOB.CU
   1 dns-gtmad1@GTM.ONAT.GOB.CU
   1 DNS/gtmad1.gtm.onat.gob.cu@GTM.ONAT.GOB.CU
   1 dns-gtmad1@GTM.ONAT.GOB.CU
   1 DNS/gtmad1.gtm.onat.gob.cu@GTM.ONAT.GOB.CU
   1 dns-gtmad1@GTM.ONAT.GOB.CU

There is a Kerberos principal. When I check for the bind AD account, it exists:

# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-GTMAD' dn
# record 1
dn: CN=dns-gtmad,CN=Users,DC=gtm,DC=onat,DC=gob,DC=cu

# Referral
ref: ldap://gtm.onat.gob.cu/CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu

# Referral
ref: ldap://gtm.onat.gob.cu/DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu

# Referral
ref: ldap://gtm.onat.gob.cu/DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu

# returned 4 records
# 1 entries
# 3 referrals

Verifying the /etc/krb5.conf permissions:

# ls -l /usr/local/samba/private/dns.keytab
-rw-r----- 2 root named 517 nov 17 15:09 /usr/local/samba/private/dns.keytab

The content of my /etc/named.conf:

# cat /etc/named.conf
# Global Configuration Options
options {
    auth-nxdomain yes;
    version "Parametro no soportado";
    directory "/var/named";
    notify no;
    empty-zones-enable no;
    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;
    listen-on-v6 { none; };
    listen-on port 53 { 192.168.41.18; 127.0.0.1; };
    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        127.0.0.1;
        192.168.41.0/24;
    };
    allow-query-cache {
        127.0.0.1;
        192.168.41.0/24;
    };
    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        127.0.0.1;
        192.168.41.0/24;
    };
    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        10.10.8.2;
    };
    # Disable zone transfers
    allow-transfer {
        none;
    };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    minimal-responses yes;
};

# Root Servers
# (Required for recursive DNS queries)
#zone "." {
#   type hint;
#   file "named.root";
#};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

include "/usr/local/samba/bind-dns/named.conf";

Is there something wrong?

--
Rommel Rodríguez Toirac
rommelrt at nauta.cu
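The checks the reply above walks through by hand (keytab principal, named.conf keytab directive, keytab group permissions, whether the zone's A record includes this DC), as an added diagnostic script that is not from the thread or the Samba wiki. Each check is a function over captured command output so it can be tried on the constructed samples below; the FQDN, realm, IP and `named` group in the live section are assumptions taken from the thread.

```shell
#!/bin/sh
# Added diagnostic for the "TKEY is unacceptable" symptom in this thread (not
# from the Samba wiki or the poster). Each check is a pure function over
# captured command output; live collection only runs when TKEY_LIVE=1 is set.

# yes/no: does klist -k output list the DNS/<fqdn>@<REALM> service principal?
keytab_has_dns_principal() {
    printf '%s\n' "$1" | grep -qiF "DNS/$2@$3" && echo yes || echo no
}

# Path given by the tkey-gssapi-keytab directive in named.conf text (or empty).
namedconf_keytab() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# yes/no: from one "ls -l" line, is the file group-readable and owned by group $2?
keytab_group_readable() {
    bit=$(printf '%s\n' "$1" | awk '{print substr($1, 5, 1)}')
    grp=$(printf '%s\n' "$1" | awk '{print $4}')
    if [ "$bit" = r ] && [ "$grp" = "$2" ]; then echo yes; else echo no; fi
}

# yes/no: does "host -t A" output contain an exact "<name> has address <ip>" line?
host_answers_include() {
    printf '%s\n' "$1" | grep -qxF "$2 has address $3" && echo yes || echo no
}

# Constructed samples modelled on the outputs quoted in the thread.
SAMPLE_KLIST='Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- ----------
   1 DNS/gtmad1.gtm.onat.gob.cu@GTM.ONAT.GOB.CU
   1 dns-gtmad1@GTM.ONAT.GOB.CU'
SAMPLE_NAMED='options {
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};'
SAMPLE_LS='-rw-r----- 2 root named 517 nov 17 15:09 /usr/local/samba/private/dns.keytab'
SAMPLE_HOST='gtm.onat.gob.cu has address 192.168.41.17'

# Live run on the DC: FQDN, realm, own IP and the named group are assumptions to adjust.
if [ "${TKEY_LIVE:-0}" = 1 ]; then
    kt=$(namedconf_keytab "$(cat /etc/named.conf)")
    echo "named.conf keytab: ${kt:-MISSING}"
    echo "DNS/ principal in keytab: $(keytab_has_dns_principal "$(klist -k "$kt")" gtmad1.gtm.onat.gob.cu GTM.ONAT.GOB.CU)"
    echo "keytab group-readable by named: $(keytab_group_readable "$(ls -l "$kt")" named)"
    echo "zone A record includes this DC: $(host_answers_include "$(host -t A gtm.onat.gob.cu localhost)" gtm.onat.gob.cu 192.168.41.18)"
fi
```

Real klist output prints principals with `@`; the list archive rewrites it as ` at `, so the sample uses the real form.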

