[Samba] dnsupdate failed with TKEY is unacceptable

Rommel Rodriguez Toirac rommelrt at nauta.cu
Fri Nov 20 13:35:20 UTC 2020


El 20 de noviembre de 2020 2:22:45 GMT-05:00, "L.P.H. van Belle" <belle at bazuin.nl> escribió:
>I suggest you read : 
>https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>


Hello;
I read the URL suggested. The Kerberos principal exists, the BIND AD account exists, and the file permissions on /usr/local/samba/private/dns.keytab are correct.

 These are the results of the commands suggested there:


 [root@gtmad1 samba]# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  1 DNS/gtmad1.gtm.onat.gob.cu@GTM.ONAT.GOB.CU
  1 dns-gtmad1@GTM.ONAT.GOB.CU
  1 DNS/gtmad1.gtm.onat.gob.cu@GTM.ONAT.GOB.CU
  1 dns-gtmad1@GTM.ONAT.GOB.CU
  1 DNS/gtmad1.gtm.onat.gob.cu@GTM.ONAT.GOB.CU
  1 dns-gtmad1@GTM.ONAT.GOB.CU


[root@gtmad1 samba]# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-GTMAD1' dn
# record 1
dn: CN=dns-gtmad1,CN=Users,DC=gtm,DC=onat,DC=gob,DC=cu

# Referral
ref: ldap://gtm.onat.gob.cu/CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu

# Referral
ref: ldap://gtm.onat.gob.cu/DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu

# Referral
ref: ldap://gtm.onat.gob.cu/DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu

# returned 4 records
# 1 entries
# 3 referrals

[root@gtmad1 samba]# ls -l /usr/local/samba/private/dns.keytab
-rw-r----- 2 root named 517 nov 17 15:09 /usr/local/samba/private/dns.keytab


[root@gtmad1 samba]# cat /etc/named.conf
named.conf       named.conf_back
[root@gtmad1 samba]# cat /etc/named.conf
# Global Configuration Options
#
# BIND9 named.conf on a Samba AD DC. The Samba-generated include at the
# bottom of this file presumably wires in the BIND9_DLZ backend that serves
# the AD-integrated zones; everything in this file is the resolver/listener
# policy around it.
options {

   auth-nxdomain yes;
   # Hides the real BIND version from "version.bind" CHAOS queries
   # (the Spanish string means "parameter not supported").
   version "Parametro no soportado";
   directory "/var/named";
   notify no;
   empty-zones-enable no;
   # DNSSEC is fully disabled: answers fetched through the forwarder below
   # are NOT validated by this server before being handed to LAN clients.
   # NOTE(review): dnssec-enable and dnssec-lookaside are deprecated or
   # removed in newer BIND releases -- confirm the installed version still
   # accepts them, otherwise named will refuse to load this file.
   dnssec-validation no;
   dnssec-enable no;
   dnssec-lookaside no;
   # Listen only on the LAN address and loopback; IPv6 is not served.
   listen-on-v6 { none; };
   listen-on port 53 { 192.168.41.18; 127.0.0.1; };

   # IP addresses and network ranges allowed to query the DNS server:
   allow-query {
       127.0.0.1;
       192.168.41.0/24;
   };
   # Cached (non-authoritative) answers are likewise limited to the LAN,
   # so the server is not an open resolver.
   allow-query-cache {
       127.0.0.1;
       192.168.41.0/24;
   };

   # IP addresses and network ranges allowed to run recursive queries:
   # (Zones not served by this DNS server)
   allow-recursion {
       127.0.0.1;
       192.168.41.0/24;
   };

   # Forward queries that can not be answered from own zones
   # to these DNS servers:
   forwarders {
       10.10.8.2;
   };

   # Disable zone transfers  
   allow-transfer {
       none;
   };
    
  # Keytab used for GSS-TSIG (TKEY) authentication of dynamic updates, e.g.
  # the updates samba_dnsupdate sends. named must be able to read it: the
  # file is root:named mode 0640 (see the ls -l output above), so the named
  # process has to run as root or with group "named".
  # NOTE(review): if TKEY negotiation still fails with this setting in
  # place, check the things this listing cannot show -- that named can also
  # read /etc/krb5.conf, that no AppArmor/SELinux policy blocks the keytab
  # path, and that the keytab's KVNO still matches the dns-<host> account
  # in AD (a password reset on that account would leave this keytab stale).
  tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
  minimal-responses yes;

};

# Root Servers
# (Required for recursive DNS queries)
# Left disabled here: queries outside the local zones are sent to the
# forwarders listed above rather than resolved from the root.
#zone "." {
#   type hint;
#   file "named.root";
#};

# localhost zone
zone "localhost" {
   type master;
   file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
   type master;
   file "master/0.0.127.zone";
};

# Samba-generated BIND configuration (presumably the DLZ module and the
# AD zones); this include is what makes the AD zones available to named.
include "/usr/local/samba/bind-dns/named.conf";

-- 
Rommel Rodriguez Toirac
rommelrt at nauta.cu


