[Samba] bind9 permissions and dns_tkey_gssnegotiate: TKEY is unacceptable problems
James Atwell
james.atwell365 at gmail.com
Mon Sep 13 15:47:57 UTC 2021
Hi Carlos,
I have not read that link. However I disabled apparmor entirely.
I was able to get the internal DNS to work correctly by removing
netplan. I plan to switch back to bind and see if it's fixed as well
with the removal of netplan.
On 9/11/2021 7:21 PM, Carlos Jesus wrote:
> Having had this problem recently myself, have you read
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>
> However, in my case, apparmor was on the way. The solution was this
> https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
>
> Best regards
> Carlos
>
> James Atwell via samba <samba at lists.samba.org> wrote on Wednesday, 8/09/2021 at 20:51:
>
> Hello,
>
> Unable to resolve the bind9 permissions and dns_tkey_gssnegotiate:
> TKEY is unacceptable problems. This is a new DC joined to an existing
> domain. First, the important information out of the way.
>
> OS = Ubuntu 20.04.3 LTS
>
> Samba Version = 4.14.7 (self compiled ./configure, make, make install)
>
> smb.conf
>
> # Global parameters
> [global]
> netbios name = PFDC4
> realm = DOMAIN.LOCAL // I Know
> server role = active directory domain controller
> workgroup = DOMAIN
> dns forwarder = 8.8.8.8 208.67.222.222
> server services = -dns
> log file = /usr/local/samba/var/log.samba
> log level = 1 auth_audit:3 auth_json_audit:3
> debug timestamp = Yes
> debug uid = Yes
> debug pid = Yes
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
> read only = No
>
>
> -rw-r--r-- 1 root root 1123 Sep 7 13:51 /etc/named.conf
>
> -rw-r--r-- 1 root named 92 Sep 3 15:42 /etc/krb5.conf
>
> ls -la /usr/local/samba/bind-dns/
>
> drwxrwx--- 3 root bind 4096 Sep 8 15:16 .
> drwxr-xr-x 12 root root 4096 Sep 3 15:40 ..
> drwxrwx--- 3 root bind 4096 Sep 8 14:36 dns
> -rw-r----- 2 root named 466 Sep 8 14:36 dns.keytab
> -rw-r--r-- 1 root root 1012 Sep 8 14:36 named.conf
> -rw-r--r-- 1 root root 2055 Sep 8 14:36 named.txt
>
>
> cat /etc/named.conf
>
> include "/usr/local/samba/bind-dns/named.conf";
>
> # Global Configuration Options
> options {
>
> auth-nxdomain yes;
> directory "/var/named";
> notify no;
> empty-zones-enable no;
> tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
> minimal-responses yes;
>
> # IP addresses and network ranges allowed to query the DNS server:
> allow-query {
> 127.0.0.1;
> 172.16.0.0/16;
> };
>
> # IP addresses and network ranges allowed to run recursive queries:
> # (Zones not served by this DNS server)
> allow-recursion {
> 127.0.0.1;
> 172.16.0.0/16;
> };
>
> # Forward queries that can not be answered from own zones
> # to these DNS servers:
> forwarders {
> 8.8.8.8;
> 8.8.4.4;
> };
>
> # Disable zone transfers
> allow-transfer {
> none;
> };
> };
>
> # Root Servers
> # (Required for recursive DNS queries)
> zone "." {
> type hint;
> file "named.root";
> };
>
> # localhost zone
> zone "localhost" {
> type master;
> file "master/localhost.zone";
> };
>
> # 127.0.0. zone.
> zone "0.0.127.in-addr.arpa" {
> type master;
> file "master/0.0.127.zone";
> };
>
>
> cat /usr/local/samba/bind-dns/named.conf
>
> dlz "AD DNS Zone" {
>
> # For BIND 9.16.x
> database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_16.so";
> };
>
> cat /etc/bind/named.conf.options
>
> options {
> directory "/var/cache/bind";
> version "0.0.7";
> notify no;
> empty-zones-enable no;
> allow-query { 127.0.0.1; 172.16.0.0/16; };
> allow-recursion { 172.16.0.0/16; 127.0.0.1/32; };
> forwarders { 8.8.8.8; 8.8.4.4; };
> allow-transfer { none; };
> dnssec-validation no;
> listen-on port 53 { 172.16.232.18; 127.0.0.1; };
> tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
> minimal-responses yes;
> listen-on-v6 { any; };
> };
>
>
> If I missed anything let me know. I used the wiki for guidance. Bind9
> initially would not start. Would give me permission issues when
> starting. I solved this by disabling apparmor. After updating all the
> config files and changing ownership to user named (where mentioned in the
> wiki), bind9 failed to start. Again permission problems. Bind was
> unable to read config files in /usr/local/samba/bind-dns. I changed
> ownership from root:named back to root:bind and bind9 would start.
>
> I ran "samba_dnsupdate --all-names --verbose" and several dns updates
> got created. Ran the command again and received dns_tkey_gssnegotiate:
> TKEY is unacceptable issue. Tried the wiki to troubleshoot and yet I
> still have the issue. When running samba-tool drs showrepl, the newly
> created DC has no outbound neighbors. I'm sure it's due to my DNS
> issues. If I have learned anything with Samba, it's get DNS working
> correctly or I will have problems. What am I missing? Why won't bind9
> start with the user named? I assume I need to resolve this first before
> attempting to resolve the TKEY issue. The internal DNS btw will not
> work either. I get BADSIG[NOTAUTH] issue. Thanks for your time.
>
>
> -James
>
>
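The listing James posted mixes two groups: the bind-dns directory and its dns subdirectory are root:bind 770, while dns.keytab is root:named 640. Whichever account BIND runs as, one of those entries is out of reach, which matches the "permission problems" seen under both ownerships. The script below is an added example for this thread, not code from Samba or from anyone in the discussion: it parses an ls -la listing (a constructed copy of the posted one) and reports which entries a given service account cannot read or traverse. The user and group names bind and named are assumed candidates for the BIND service account, not values taken from the poster's system.

```python
"""Audit a Samba BIND9_DLZ directory listing for a given service account.

Added example for the mailing-list thread; not Samba's or the poster's code.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the "ls -la /usr/local/samba/bind-dns/"
# output posted in the thread (not a live capture).
SAMPLE_LISTING = """\
total 24
drwxrwx--- 3 root bind 4096 Sep 8 15:16 .
drwxr-xr-x 12 root root 4096 Sep 3 15:40 ..
drwxrwx--- 3 root bind 4096 Sep 8 14:36 dns
-rw-r----- 2 root named 466 Sep 8 14:36 dns.keytab
-rw-r--r-- 1 root root 1012 Sep 8 14:36 named.conf
-rw-r--r-- 1 root root 2055 Sep 8 14:36 named.txt
"""

# type, 9 permission chars, link count, owner, group, size, month, day, time/year, name
LS_LINE = re.compile(
    r"^([-dlbcps])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)


@dataclass
class Entry:
    name: str
    is_dir: bool
    mode: str  # nine-character rwx string, e.g. "rwxrwx---"
    owner: str
    group: str


def parse_listing(text):
    """Turn ls -la output into Entry objects; 'total N' and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue
        kind, mode, owner, group, name = m.groups()
        entries.append(Entry(name, kind == "d", mode, owner, group))
    return entries


def _bits(entry, user, groups):
    """Pick the rwx triple that applies to this account: owner, then group, then other."""
    if user == entry.owner:
        return entry.mode[0:3]
    if entry.group in groups:
        return entry.mode[3:6]
    return entry.mode[6:9]


def can_read(entry, user, groups):
    return _bits(entry, user, groups)[0] == "r"


def can_traverse(entry, user, groups):
    # Lower-case s/t mean the execute bit is set together with setgid/sticky.
    return entry.is_dir and _bits(entry, user, groups)[2] in ("x", "s", "t")


def audit(listing, user, groups):
    """Return (name, problem) pairs for entries the service account cannot use."""
    problems = []
    entries = parse_listing(listing)
    by_name = {e.name: e for e in entries}
    # If the directory itself is not searchable, nothing inside it is reachable.
    here = by_name.get(".")
    if here is not None and not can_traverse(here, user, groups):
        problems.append((".", f"directory not traversable by {user}"))
    for e in entries:
        if e.name in (".", ".."):
            continue
        if e.is_dir and not can_traverse(e, user, groups):
            problems.append((e.name, f"subdirectory not traversable by {user}"))
        elif not e.is_dir and not can_read(e, user, groups):
            problems.append(
                (e.name, f"not readable by {user} (owner {e.owner}, group {e.group}, mode {e.mode})")
            )
    return problems


if __name__ == "__main__":
    # Assumed candidate service accounts: Ubuntu's package runs named as "bind",
    # the Samba wiki text refers to a "named" user.
    for user in ("bind", "named"):
        print(f"--- running as {user} ---")
        for name, problem in audit(SAMPLE_LISTING, user, {user}) or [("(none)", "all entries reachable")]:
            print(f"{name}: {problem}")
```

Run against the sample, the account bind is blocked only by dns.keytab (group named, no other-read bit), while the account named is blocked at the directory itself and at dns (group bind, no other-execute bit). Either way the fix is to pick one service account and make the directory, its subdirectories and the keytab consistently readable by that account's group, then check the AppArmor profile separately, since a profile denial produces the same "permission denied" symptom with correct ownership.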