[Samba] dnsupdate failed with TKEY is unacceptable
Rommel Rodriguez Toirac
rommelrt at nauta.cu
Fri Nov 20 13:35:20 UTC 2020
El 20 de noviembre de 2020 2:22:45 GMT-05:00, "L.P.H. van Belle" <belle at bazuin.nl> escribió:
>I suggest you read :
>https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>
Hello;
I read the suggested URL. The Kerberos principal exists, the BIND AD account exists, and the file permissions on /usr/local/samba/private/dns.keytab are correct.
These are the results of the commands it suggests running:
[root at gtmad1 samba]# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 DNS/gtmad1.gtm.onat.gob.cu at GTM.ONAT.GOB.CU
1 dns-gtmad1 at GTM.ONAT.GOB.CU
1 DNS/gtmad1.gtm.onat.gob.cu at GTM.ONAT.GOB.CU
1 dns-gtmad1 at GTM.ONAT.GOB.CU
1 DNS/gtmad1.gtm.onat.gob.cu at GTM.ONAT.GOB.CU
1 dns-gtmad1 at GTM.ONAT.GOB.CU
[root at gtmad1 samba]# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-GTMAD1' dn
# record 1
dn: CN=dns-gtmad1,CN=Users,DC=gtm,DC=onat,DC=gob,DC=cu
# Referral
ref: ldap://gtm.onat.gob.cu/CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
# Referral
ref: ldap://gtm.onat.gob.cu/DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
# Referral
ref: ldap://gtm.onat.gob.cu/DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
# returned 4 records
# 1 entries
# 3 referrals
[root at gtmad1 samba]# ls -l /usr/local/samba/private/dns.keytab
-rw-r----- 2 root named 517 nov 17 15:09 /usr/local/samba/private/dns.keytab
[root at gtmad1 samba]# cat /etc/named.conf
named.conf named.conf_back
[root at gtmad1 samba]# cat /etc/named.conf
# Global Configuration Options
options {
  auth-nxdomain yes;
  # String returned for version.bind CHAOS queries (hides the real BIND version).
  version "Parametro no soportado";
  directory "/var/named";
  notify no;
  empty-zones-enable no;
  # DNSSEC validation is switched off: answers relayed from the forwarder
  # below are accepted unverified. dnssec-enable and dnssec-lookaside are
  # deprecated or removed in newer BIND releases; run named-checkconf to see
  # whether the installed version still accepts them.
  dnssec-validation no;
  dnssec-enable no;
  dnssec-lookaside no;
  listen-on-v6 { none; };
  listen-on port 53 { 192.168.41.18; 127.0.0.1; };
  # IP addresses and network ranges allowed to query the DNS server:
  allow-query {
    127.0.0.1;
    192.168.41.0/24;
  };
  allow-query-cache {
    127.0.0.1;
    192.168.41.0/24;
  };
  # IP addresses and network ranges allowed to run recursive queries:
  # (Zones not served by this DNS server)
  allow-recursion {
    127.0.0.1;
    192.168.41.0/24;
  };
  # Forward queries that can not be answered from own zones
  # to these DNS servers:
  forwarders {
    10.10.8.2;
  };
  # Disable zone transfers
  allow-transfer {
    none;
  };
  # Keytab used to authenticate GSS-TSIG (TKEY) dynamic updates. The file is
  # owned root:named with mode 0640, so the named process must run under
  # group "named" (or another identity able to read it) for TKEY negotiation
  # to succeed; a keytab it cannot open yields "TKEY is unacceptable".
  tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
  minimal-responses yes;
};
# Root Servers
# (Required for recursive DNS queries)
#zone "." {
# type hint;
# file "named.root";
#};
# localhost zone
zone "localhost" {
  type master;
  file "master/localhost.zone";
};
# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
  type master;
  file "master/0.0.127.zone";
};
# Configuration generated by Samba (presumably the BIND9_DLZ include that
# loads the AD-integrated zones) — verify it exists and is readable by named.
include "/usr/local/samba/bind-dns/named.conf";
--
Rommel Rodriguez Toirac
rommelrt at nauta.cu