[Samba] bind9 permissions and dns_tkey_gssnegotiate: TKEY is unacceptable problems
James Atwell
james.atwell365 at gmail.com
Wed Sep 8 19:50:21 UTC 2021
Hello,

I am unable to resolve a bind9 permissions problem and a
"dns_tkey_gssnegotiate: TKEY is unacceptable" problem. This is a new DC
joined to an existing domain. First, the important information out of the way.

OS = Ubuntu 20.04.3 LTS
Samba Version = 4.14.7 (self compiled ./configure, make, make install)
smb.conf

# Global parameters
[global]
        netbios name = PFDC4
        realm = DOMAIN.LOCAL // I Know
        server role = active directory domain controller
        workgroup = DOMAIN
        dns forwarder = 8.8.8.8 208.67.222.222
        server services = -dns
        log file = /usr/local/samba/var/log.samba
        log level = 1 auth_audit:3 auth_json_audit:3
        debug timestamp = Yes
        debug uid = Yes
        debug pid = Yes

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
        read only = No
-rw-r--r-- 1 root root 1123 Sep 7 13:51 /etc/named.conf
-rw-r--r-- 1 root named 92 Sep 3 15:42 /etc/krb5.conf
ls -la /usr/local/samba/bind-dns/
drwxrwx--- 3 root bind 4096 Sep 8 15:16 .
drwxr-xr-x 12 root root 4096 Sep 3 15:40 ..
drwxrwx--- 3 root bind 4096 Sep 8 14:36 dns
-rw-r----- 2 root named 466 Sep 8 14:36 dns.keytab
-rw-r--r-- 1 root root 1012 Sep 8 14:36 named.conf
-rw-r--r-- 1 root root 2055 Sep 8 14:36 named.txt
cat /etc/named.conf

include "/usr/local/samba/bind-dns/named.conf";

# Global Configuration Options
options {
        auth-nxdomain yes;
        directory "/var/named";
        notify no;
        empty-zones-enable no;
        tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
        minimal-responses yes;

        # IP addresses and network ranges allowed to query the DNS server:
        allow-query {
                127.0.0.1;
                172.16.0.0/16;
        };

        # IP addresses and network ranges allowed to run recursive queries:
        # (Zones not served by this DNS server)
        allow-recursion {
                127.0.0.1;
                172.16.0.0./16;
        };

        # Forward queries that can not be answered from own zones
        # to these DNS servers:
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        # Disable zone transfers
        allow-transfer {
                none;
        };
};

# Root Servers
# (Required for recursive DNS queries)
zone "." {
        type hint;
        file "named.root";
};

# localhost zone
zone "localhost" {
        type master;
        file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
        type master;
        file "master/0.0.127.zone";
};
cat /usr/local/samba/bind-dns/named.conf

dlz "AD DNS Zone" {
        # For BIND 9.16.x
        database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_16.so";
};
cat /etc/bind/named.conf.options

options {
        directory "/var/cache/bind";
        version "0.0.7";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 172.16.0.0/16; };
        allow-recursion { 172.16.0.0/16; 127.0.0.1/32; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        allow-transfer { none; };
        dnssec-validation no;
        listen-on port 53 { 172.16.232.18; 127.0.0.1; };
        tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
        minimal-responses yes;
        listen-on-v6 { any; };
};
If I missed anything, let me know. I used the wiki for guidance. Bind9
initially would not start; it would give me permission issues when
starting. I solved this by disabling apparmor. After updating all the
config files and changing ownership to user named (where mentioned in the
wiki), bind9 failed to start. Again, permission problems. Bind was
unable to read config files in /usr/local/samba/bind-dns. I changed
ownership from root:named back to root:bind and bind9 would start.

I ran "samba_dnsupdate --all-names --verbose" and several dns updates
got created. Ran the command again and received the "dns_tkey_gssnegotiate:
TKEY is unacceptable" issue. Tried the wiki to troubleshoot and yet I
still have the issue. When running samba-tool drs showrepl, the newly
created DC has no outbound neighbors. I'm sure it's due to my DNS
issues. If I have learned anything with Samba, it's get DNS working
correctly or I will have problems. What am I missing? Why won't bind9
start with the user named? I assume I need to resolve this first before
attempting to resolve the TKEY issue. The internal DNS, btw, will not
work either. I get a BADSIG[NOTAUTH] issue. Thanks for your time.
-James
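The post's permission puzzle comes down to one question per file: can the account BIND actually runs as (named, or bind, depending on the package) open it? The script below is an added example, not code from the post, the Samba project or BIND; it takes the service user as its argument and audits the exact paths the posted configs reference (the bind-dns directory, its dns subdirectory, named.conf, dns.keytab, the DLZ module and /etc/krb5.conf). It assumes GNU stat and that the user exists on the host.

```bash
#!/usr/bin/env bash
# Added example: audit whether the BIND service account can open the files
# the Samba DLZ setup in the post points at.
#   ./audit_dlz_perms.sh named                      # user BIND runs as
#   ./audit_dlz_perms.sh bind /usr/local/samba/bind-dns
set -u

# user_has_bit OWNER GROUP OCTAL_MODE USER "GROUP1 GROUP2 ..." BIT
# BIT is 4 (read) or 1 (directory search). Pure DAC evaluation over stat-style
# fields, so the logic can be exercised without root or the real files.
user_has_bit() {
  local owner=$1 group=$2 user=$4 ugroups=$5 bit=$6 g
  local perm=$((8#$3))
  [[ $user == root ]] && return 0            # root bypasses DAC read/search
  if [[ $user == "$owner" ]]; then
    (( perm & (bit << 6) )); return          # owner triad decides
  fi
  for g in $ugroups; do
    [[ $g == "$group" ]] && { (( perm & (bit << 3) )); return; }  # group triad
  done
  (( perm & bit )); return                   # others triad
}

# audit_path USER PATH -> one verdict line; returns 0 only when USER can read
# the file or search the directory. Requires GNU stat (-c).
audit_path() {
  local user=$1 path=$2 owner group mode groups bit=4
  [[ -e $path ]] || { echo "MISSING  $path"; return 1; }
  [[ -d $path ]] && bit=1
  read -r owner group mode < <(stat -c '%U %G %a' "$path")
  groups=$(id -Gn "$user" 2>/dev/null) || { echo "NOUSER   $user"; return 1; }
  if user_has_bit "$owner" "$group" "$mode" "$user" "$groups" "$bit"; then
    echo "OK       $owner:$group $mode $path"
  else
    echo "DENIED   $owner:$group $mode $path  (user $user, groups: $groups)"
    return 1
  fi
}

main() {
  local user=$1 dir=${2:-/usr/local/samba/bind-dns} p rc=0
  # Everything the posted named.conf and DLZ stanza make BIND open.
  for p in "$dir" "$dir/dns" "$dir/named.conf" "$dir/dns.keytab" \
           /usr/local/samba/lib/bind9/dlz_bind9_16.so /etc/krb5.conf; do
    audit_path "$user" "$p" || rc=1
  done
  return "$rc"
}

# Run only when a service user is given, so the functions can also be sourced.
if (( $# > 0 )); then main "$@"; fi
```

With the ownership from the post (dns.keytab root:named 640 but the bind-dns directory root:bind 770), the audit reports that user named cannot search the directory at all, while user bind can enter it but cannot read the keytab; the two need to agree on one service account.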