[Samba] dnsupdate failed with TKEY is unacceptable

Rommel Rodriguez Toirac rommelrt at nauta.cu
Thu Nov 19 19:14:36 UTC 2020

 Hello all;

Any other ideas or tests to do to determine the cause of why dnsupdate does not work on the newly installed domain controller, Samba 4.13.2?

Rommel Rodriguez Toirac 

On 18 November 2020 15:16:09 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
>On 18/11/2020 19:27, Rommel Rodriguez Toirac wrote:
>>  It is /etc/named.conf and /etc/samba/smb.conf
>> # cat /etc/named.conf
>>   tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>> include "/usr/local/samba/bind-dns/named.conf";
>OK, does the /usr/local/samba/bind-dns directory exist ?
>if it does, is the 'named.conf' file in there, set up to use your Bind9
>version ?
>Also the dns.keytab should also exist in the same directory (there is a
>bug report about this not happening on newly joined DC's), so if it 
>doesn't exist, copy it from '/usr/local/samba/private' keeping the same
>permissions. Update the 'tkey-gssapi-keytab' path to reflect the

 Yes, the directory asked about exists and is pointing to my named version:

[root at gtmad1 ]# ls /usr/local/samba/bind-dns/
dns  dns.keytab  named.conf  named.txt

[root at gtmad1 ]# cat /usr/local/samba/bind-dns/named.conf  
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
# This file should be included in your main BIND configuration file
# For example with
# include "/usr/local/samba/bind-dns/named.conf";

# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
dlz "AD DNS Zone" {
   # For BIND 9.8.x
   # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

   # For BIND 9.9.x
   # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";

   # For BIND 9.10.x
   # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";

   # For BIND 9.11.x
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";

   # For BIND 9.12.x
   # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_12.so";

   # For BIND 9.14.x
   # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_14.so";

   # For BIND 9.16.x
   # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_16.so";

[root at gtmad1 ] named -V
BIND 9.11.13-RedHat-9.11.13-6.el8_2.1 (Extended Support Version) <id:ad4df16>
running on Linux x86_64 5.4.34-1-pve #1 SMP PVE 5.4.34-2 (Thu, 07 May 2020 10:02:02 +0200)
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/libexec/platform-python' '--with
-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--enable-openssl-hash' '--with-geoip2'
'--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '-
-disable-isc-spnego' '--with-lmdb=no' '--with-cmocka' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/
redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE' 'PKG_CONFIG_PATH=:/
compiled by GCC 8.3.1 20191121 (Red Hat 8.3.1-5)
compiled with OpenSSL version: OpenSSL 1.1.1c FIPS  28 May 2019
linked to OpenSSL version: OpenSSL 1.1.1c FIPS  28 May 2019
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

default paths:
 named configuration:  /etc/named.conf
 rndc configuration:   /etc/rndc.conf
 DNSSEC root key:      /etc/bind.keys
 nsupdate session key: /var/run/named/session.key
 named PID file:       /var/run/named/named.pid
 named lock file:      /var/run/named/named.lock
 geoip-directory:      /usr/share/GeoIP

Rommel Rodriguez Toirac
rommelrt at nauta.cu
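
The checks discussed in this thread (exactly one uncommented DLZ `database` line, matching the BIND series that `named -V` reports; a `dns.keytab` present in the bind-dns directory; a `tkey-gssapi-keytab` path that resolves to a readable file) written as a shell script. This is an added example, not part of the original message and not Samba's own tooling; the function names and the embedded sample text are constructed for illustration.

```shell
#!/bin/bash
# Added example: consistency checks for a Samba BIND9_DLZ setup.
# All function names are hypothetical helpers, not Samba or BIND commands.

# First line of `named -V` ("BIND 9.11.13-RedHat-...") -> "9.11"
bind_series() {
    printf '%s\n' "$1" | sed -n -E '1s/^BIND ([0-9]+)\.([0-9]+)\..*/\1.\2/p'
}

# Series of every uncommented dlz_bind9 "database" line:
# dlz_bind9.so -> 9.8, dlz_bind9_11.so -> 9.11
active_dlz_series() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*database[[:space:]]' |
        sed -E -e 's/.*dlz_bind9_([0-9]+)\.so.*/9.\1/' -e 's/.*dlz_bind9\.so.*/9.8/'
}

# Path given to tkey-gssapi-keytab in the main named.conf text
keytab_path() {
    printf '%s\n' "$1" |
        sed -n -E 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]+"([^"]+)".*/\1/p'
}

# check_dlz NAMED_V_TEXT SAMBA_NAMED_CONF_TEXT MAIN_NAMED_CONF_TEXT BIND_DNS_DIR
# Live use: check_dlz "$(named -V)" "$(cat /usr/local/samba/bind-dns/named.conf)" \
#                     "$(cat /etc/named.conf)" /usr/local/samba/bind-dns
check_dlz() {
    local want active keytab rc=0
    want=$(bind_series "$1")
    active=$(active_dlz_series "$2")
    keytab=$(keytab_path "$3")
    if [ "$(printf '%s' "$active" | grep -c .)" -ne 1 ]; then
        echo "FAIL: need exactly one uncommented database line"; rc=1
    elif [ "$active" != "$want" ]; then
        echo "FAIL: DLZ module is for BIND $active but named is $want"; rc=1
    fi
    [ -f "$4/dns.keytab" ] || { echo "FAIL: no dns.keytab in $4"; rc=1; }
    [ -n "$keytab" ] && [ -r "$keytab" ] ||
        { echo "FAIL: tkey-gssapi-keytab '$keytab' missing or unreadable"; rc=1; }
    return $rc
}

# Constructed sample input, modelled on the output quoted in the thread
SAMPLE_NAMED_V='BIND 9.11.13-RedHat-9.11.13-6.el8_2.1 (Extended Support Version) <id:ad4df16>'
SAMPLE_DLZ_CONF='dlz "AD DNS Zone" {
   # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
};'
```

The readability test reflects the account running the script; root can read any file, so run it as the user `named` runs as to get a meaningful result for the keytab.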
