[Samba] dnsupdate failed with TKEY is unacceptable

Rommel Rodriguez Toirac rommelrt at nauta.cu
Wed Nov 18 20:49:40 UTC 2020

On November 18, 2020 15:16:09 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
>On 18/11/2020 19:27, Rommel Rodriguez Toirac wrote:
>>  It is /etc/named.conf and /etc/samba/smb.conf
>> # cat /etc/named.conf
>>   tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>> include "/usr/local/samba/bind-dns/named.conf";
>OK, does the /usr/local/samba/bind-dns directory exist?
>If it does, is the 'named.conf' file in there, set up to use your Bind9
>version?
>Also the dns.keytab should also exist in the same directory (there is
>a bug report about this not happening on newly joined DCs), so if it
>doesn't exist, copy it from '/usr/local/samba/private' keeping the same
>permissions. Update the 'tkey-gssapi-keytab' path to reflect the

Yes, the directory you asked about exists and is pointing to my named version:

[root@gtmad1 ]# ls /usr/local/samba/bind-dns/
dns  dns.keytab  named.conf  named.txt

[root@gtmad1 ]# cat /usr/local/samba/bind-dns/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
# This file should be included in your main BIND configuration file
# For example with
# include "/usr/local/samba/bind-dns/named.conf";

# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
dlz "AD DNS Zone" {
   # For BIND 9.8.x
   # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

   # For BIND 9.9.x
   # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";

   # For BIND 9.10.x
   # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";

   # For BIND 9.11.x
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";

   # For BIND 9.12.x
   # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_12.so";

   # For BIND 9.14.x
   # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_14.so";

   # For BIND 9.16.x
   # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_16.so";

[root@gtmad1 ] named -V
BIND 9.11.13-RedHat-9.11.13-6.el8_2.1 (Extended Support Version) <id:ad4df16>
running on Linux x86_64 5.4.34-1-pve #1 SMP PVE 5.4.34-2 (Thu, 07 May 2020 10:02:02 +0200)
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/libexec/platform-python' '--with
-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--enable-openssl-hash' '--with-geoip2'
'--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '-
-disable-isc-spnego' '--with-lmdb=no' '--with-cmocka' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/
redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE' 'PKG_CONFIG_PATH=:/
compiled by GCC 8.3.1 20191121 (Red Hat 8.3.1-5)
compiled with OpenSSL version: OpenSSL 1.1.1c FIPS  28 May 2019
linked to OpenSSL version: OpenSSL 1.1.1c FIPS  28 May 2019
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

default paths:
 named configuration:  /etc/named.conf
 rndc configuration:   /etc/rndc.conf
 DNSSEC root key:      /etc/bind.keys
 nsupdate session key: /var/run/named/session.key
 named PID file:       /var/run/named/named.pid
 named lock file:      /var/run/named/named.lock
 geoip-directory:      /usr/share/GeoIP

Rommel Rodriguez Toirac
rommelrt at nauta.cu
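
The checks raised in the quoted reply (keytab location, and the active DLZ module matching the BIND version), as an added example that is not part of the original thread or of Samba's own tooling. The function names and the temp-dir sample are constructed for illustration, and the script assumes the `tkey-gssapi-keytab` path is meant to point at `dns.keytab` inside the bind-dns directory.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): cross-check the BIND9_DLZ pieces discussed above.

# Keytab path named by the tkey-gssapi-keytab option of a named.conf.
keytab_path() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# BIND series (e.g. 9_11) of every uncommented dlz "database" line, one per line.
active_dlz_series() {
    sed -n -e '/^[[:space:]]*database[[:space:]]*"dlopen /!d' \
           -e 's/.*dlz_bind9_\([0-9]*\)\.so.*/9_\1/p' \
           -e 's/.*dlz_bind9\.so.*/9_8/p' "$1"
}

# Series of the server, taken from the first line of `named -V` output on stdin.
bind_series() {
    sed -n '1s/^BIND \([0-9]*\)\.\([0-9]*\)\..*/\1_\2/p'
}

# check_dlz MAIN_CONF DLZ_CONF BIND_DNS_DIR NAMED_V_TEXT
# Prints one WARN line per finding; the return status is the number of findings.
check_dlz() {
    local main="$1" dlz="$2" dir="$3" want kt active found=0
    want=$(printf '%s\n' "$4" | bind_series)
    kt=$(keytab_path "$main")
    active=$(active_dlz_series "$dlz")
    if [ "$kt" != "$dir/dns.keytab" ]; then
        echo "WARN: tkey-gssapi-keytab is '$kt', not $dir/dns.keytab"; found=$((found + 1))
    fi
    if [ ! -r "$dir/dns.keytab" ]; then   # readable by the user running this script
        echo "WARN: $dir/dns.keytab missing or unreadable"; found=$((found + 1))
    fi
    if [ "$active" != "$want" ]; then     # also fires when zero or several lines are active
        echo "WARN: active dlz module(s) '$active', named is $want"; found=$((found + 1))
    fi
    return "$found"
}

# Constructed sample mirroring the post: a temp dir stands in for /usr/local/samba.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/bind-dns" "$demo/private"
: > "$demo/bind-dns/dns.keytab"
printf 'tkey-gssapi-keytab "%s/private/dns.keytab";\n' "$demo" > "$demo/named.conf"
printf 'dlz "AD DNS Zone" {\n   # database "dlopen /x/dlz_bind9_10.so";\n    database "dlopen /x/dlz_bind9_11.so";\n};\n' > "$demo/bind-dns/named.conf"
demo_out=$(check_dlz "$demo/named.conf" "$demo/bind-dns/named.conf" "$demo/bind-dns" "BIND 9.11.13-RedHat") && demo_rc=0 || demo_rc=$?
printf '%s\n' "$demo_out"
```

On a real DC, pass `/etc/named.conf`, `/usr/local/samba/bind-dns/named.conf`, `/usr/local/samba/bind-dns` and `"$(named -V)"`, and run it as the user `named` runs under so the readability test reflects that account.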
