[Samba] dnsupdate failed with TKEY is unaceptable
L.P.H. van Belle
belle at bazuin.nl
Fri Nov 20 13:40:46 UTC 2020
Ah, I see..
/usr/local/samba/private/dns.keytab
That's the "old" path..
You're using bind9, so you should have:
/usr/local/samba/bind-dns/dns.keytab
Don't forget to set the needed rights on the bind-dns folder.
On the road, can't look deeper into it.
Greetz,
Louis
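A small check for the two points made above (the keytab path under bind-dns/ in named.conf, and the rights on the bind-dns folder), added here as an example; it is not part of the thread and not Samba's own tooling. The script name, the paths in the usage line and the "0640 / 0750 root:named" hints are assumptions for this example, chosen to match the prefix and the group shown in the quoted ls output.

```shell
#!/bin/sh
# Added example (not from the list thread, not Samba's own tooling).
# Checks the two things the reply above points at for the BIND9_DLZ backend:
#   1. named.conf's tkey-gssapi-keytab names the keytab under bind-dns/,
#      not the old private/dns.keytab path;
#   2. the bind-dns directory is group-searchable and the keytab
#      group-readable, so the user BIND runs as (named/bind) can open it.
# Paths are passed as arguments; the defaults in the usage line are
# assumptions matching the prefix used in the thread.

# Print the keytab path configured by tkey-gssapi-keytab (empty if absent).
tkey_keytab_path() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only when named.conf points at the expected keytab path.
tkey_path_matches() {
    configured=$(tkey_keytab_path "$1")
    [ -n "$configured" ] && [ "$configured" = "$2" ]
}

# Succeed when the path exists and carries the given symbolic permission
# bits (e.g. g=r). find tests the mode bits themselves, so the result does
# not depend on which user runs the check (root can read anything).
has_mode_bits() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# Run all checks, print one line per check, return non-zero on any failure.
check_bind_dns_setup() {
    conf="$1"; bind_dns_dir="$2"
    keytab="$bind_dns_dir/dns.keytab"
    status=0
    if tkey_path_matches "$conf" "$keytab"; then
        echo "ok:   tkey-gssapi-keytab is \"$keytab\""
    else
        echo "FAIL: tkey-gssapi-keytab is \"$(tkey_keytab_path "$conf")\", expected \"$keytab\""
        status=1
    fi
    if has_mode_bits "$bind_dns_dir" g=x; then
        echo "ok:   $bind_dns_dir is group-searchable"
    else
        echo "FAIL: $bind_dns_dir missing or not group-searchable (expected e.g. 0750 root:named)"
        status=1
    fi
    if has_mode_bits "$keytab" g=r; then
        echo "ok:   $keytab is group-readable"
    else
        echo "FAIL: $keytab missing or not group-readable (expected e.g. 0640 root:named)"
        status=1
    fi
    return $status
}

# Usage (paths are assumptions for this example):
#   sh check_dns_keytab.sh /etc/named.conf /usr/local/samba/bind-dns
if [ "$#" -eq 2 ]; then
    check_bind_dns_setup "$1" "$2"
fi
```

With the named.conf quoted further down, the first check fails because tkey-gssapi-keytab still names /usr/local/samba/private/dns.keytab; the mode checks only inspect permission bits, so also confirm the directory and keytab are owned by the group BIND actually runs as.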
> -----Original message-----
> From: Rommel Rodriguez Toirac [mailto:rommelrt at nauta.cu]
> Sent: Friday 20 November 2020 14:35
> To: L.P.H. van Belle
> CC: Lista samba4
> Subject: RE: [Samba] dnsupdate failed with TKEY is unaceptable
>
> On 20 November 2020 2:22:45 GMT-05:00, "L.P.H. van
> Belle" <belle at bazuin.nl> wrote:
> >I suggest you read :
> >https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
> >
>
>
> Hello;
> I read the URL suggested. There exists a Kerberos principal;
> the bind AD account exists, and the file permissions on
> /usr/local/samba/private/dns.keytab are correct.
>
> These are the results of the commands suggested to run:
>
>
> [root at gtmad1 samba]# klist -k /usr/local/samba/private/dns.keytab
> Keytab name: FILE:/usr/local/samba/private/dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 DNS/gtmad1.gtm.onat.gob.cu at GTM.ONAT.GOB.CU
> 1 dns-gtmad1 at GTM.ONAT.GOB.CU
> 1 DNS/gtmad1.gtm.onat.gob.cu at GTM.ONAT.GOB.CU
> 1 dns-gtmad1 at GTM.ONAT.GOB.CU
> 1 DNS/gtmad1.gtm.onat.gob.cu at GTM.ONAT.GOB.CU
> 1 dns-gtmad1 at GTM.ONAT.GOB.CU
>
>
> [root at gtmad1 samba]# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-GTMAD1' dn
> # record 1
> dn: CN=dns-gtmad1,CN=Users,DC=gtm,DC=onat,DC=gob,DC=cu
>
> # Referral
> ref: ldap://gtm.onat.gob.cu/CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>
> # Referral
> ref: ldap://gtm.onat.gob.cu/DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
>
> # Referral
> ref: ldap://gtm.onat.gob.cu/DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
>
> # returned 4 records
> # 1 entries
> # 3 referrals
>
> [root at gtmad1 samba]# ls -l /usr/local/samba/private/dns.keytab
> -rw-r----- 2 root named 517 nov 17 15:09 /usr/local/samba/private/dns.keytab
>
>
> [root at gtmad1 samba]# cat /etc/named.conf
> named.conf named.conf_back
> [root at gtmad1 samba]# cat /etc/named.conf
> # Global Configuration Options
> options {
>
>     auth-nxdomain yes;
>     version "Parametro no soportado";
>     directory "/var/named";
>     notify no;
>     empty-zones-enable no;
>     dnssec-validation no;
>     dnssec-enable no;
>     dnssec-lookaside no;
>     listen-on-v6 { none; };
>     listen-on port 53 { 192.168.41.18; 127.0.0.1; };
>
>     # IP addresses and network ranges allowed to query the DNS server:
>     allow-query {
>         127.0.0.1;
>         192.168.41.0/24;
>     };
>     allow-query-cache {
>         127.0.0.1;
>         192.168.41.0/24;
>     };
>
>     # IP addresses and network ranges allowed to run recursive queries:
>     # (Zones not served by this DNS server)
>     allow-recursion {
>         127.0.0.1;
>         192.168.41.0/24;
>     };
>
>     # Forward queries that can not be answered from own zones
>     # to these DNS servers:
>     forwarders {
>         10.10.8.2;
>     };
>
>     # Disable zone transfers
>     allow-transfer {
>         none;
>     };
>
>     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>     minimal-responses yes;
>
> };
>
> # Root Servers
> # (Required for recursive DNS queries)
> #zone "." {
> #    type hint;
> #    file "named.root";
> #};
>
> # localhost zone
> zone "localhost" {
>     type master;
>     file "master/localhost.zone";
> };
>
> # 127.0.0. zone.
> zone "0.0.127.in-addr.arpa" {
>     type master;
>     file "master/0.0.127.zone";
> };
>
> include "/usr/local/samba/bind-dns/named.conf";
>
> --
> Rommel Rodriguez Toirac
> rommelrt at nauta.cu
>
>