[Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision

Matthew Schumacher matt.s at aptalaska.net
Mon Aug 8 15:40:45 UTC 2022

On 8/8/22 5:00 AM, L. van Belle via samba wrote:
> Can you run this script..
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh  
> and post the content.
> Thanks,
> Greetz,
> Louis
Hi Louis,

I can't post the output of that script due to it showing a lot of 
internal information, but I can say :

Hostname, dns, realm, etc is all fine.

There are only two interfaces lo0, eth0 and are configured correctly.

/etc/hosts has loopback and the IP address followed by short name and 
FQDN for this host

*/etc/resolv.conf is and then the other DNS servers (I think this is the problem)*

Kerberos SRV _kerberos._tcp.ad.domain.net record(s) verified ok

'kinit Administrator' checked successfully.

Samba is running as an AD DC

/etc/krb5.conf is a COPY of /var/lib/samba/private/krb5.conf and looks fine

/etc/nsswitch.conf shows "files ldap" since I use nss-pam-ldap on this 
host to resolve UID and GID in AD

/etc/samba/smb.conf shows

     netbios name = dc-2
     realm = AD.DOMAIN.NET
     server role = active directory domain controller
     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
     workgroup = AD
     idmap_ldb:userfc2307  = yes
     tls enabled  = yes
     tls keyfile  = /etc/ssl/certs/dc-2.pem
     tls certfile = /etc/ssl/certs/dc-2.pem
     tls cafile   = /etc/ssl/certs/dc-2.pem
     ntlm auth = mschapv2-and-ntlmv2-only

     path = /var/lib/samba/sysvol
     read only = No

     path = /var/lib/samba/sysvol/ad.domain.net/scripts
     read only = No

This DC is not being used as a fileserver

Detected bind DLZ enabled..

Time verified ok, within the allowed 300sec margin.
Time offset is currently : -1 seconds

Packages are missing because I don't have dpkg.  Distro is slackware, I 
compiled samba myself.

Given the above, let me include my /etc/named.conf

options {
     directory "/var/named";
     /*
      * If there is a firewall between you and nameservers you want
      * to talk to, you might need to uncomment the query-source
      * directive below.  Previous versions of BIND always asked
      * questions using port 53, but BIND 8.1 uses an unprivileged
      * port by default.
      */
     // query-source address * port 53;

     // keytab Samba provisions for GSS-TSIG (Kerberos) dynamic updates
     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
     minimal-responses yes;

//      forwarders {
//              x.x.x.x;
//      };
};

// a caching only nameserver config
zone "." IN {
     type hint;
     file "caching-example/named.root";
};

zone "localhost" IN {
     type master;
     file "caching-example/localhost.zone";
     allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
     type master;
     file "caching-example/named.local";
     allow-update { none; };
};

// pulls in the DLZ module and the AD zones served from Samba's database
include "/var/lib/samba/bind-dns/named.conf";

Looking at the DNS servers in /etc/resolv.conf it occurred to me that 
using the loopback address wouldn't work, so I removed that, and it 
updated the DNS against another domain controller without issue.

So, my question.  Is there any reason the local bind server with the DLZ 
plugin can't take kerberos authenticated updates?  Any thoughts on how 
to debug this?

Also, samba_dnsupdate --use-samba-tool works just fine, so can I 
configure samba to use that internally when calling samba_dnsupdate, with:

dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

Any disadvantages of doing it that way?

Thanks for the help!
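The following pre-flight script is an added example for the debugging question above; it is not part of the thread and not Samba or BIND code. It reads the two files the message discusses (resolv.conf and named.conf) and reports the facts that decide where samba_dnsupdate's GSS-TSIG update will go and whether the local BIND is even configured to accept one: which nameserver is tried first, whether named.conf has balanced braces (a truncated file is an easy way to lose the `include` of Samba's DLZ config), which keytab `tkey-gssapi-keytab` points at, and, when `klist` is available, whether that keytab holds a `DNS/` principal. Paths default to the ones given in the message and can be overridden through environment variables; the sample configs written by `write_sample_configs` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for GSS-TSIG dynamic
# DNS updates from a Samba AD DC into a local BIND9 DLZ server.
# Defaults are the paths named in the message; override via environment.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
NAMED_CONF="${NAMED_CONF:-/etc/named.conf}"
DNS_KEYTAB="${DNS_KEYTAB:-/var/lib/samba/bind-dns/dns.keytab}"

# Print nameserver entries in the order the resolver (and samba_dnsupdate) tries them.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed when the first nameserver is this host, i.e. the update is sent
# to the local BIND rather than to another DC.
first_nameserver_is_loopback() {
    first=$(list_nameservers "$1" | head -n 1)
    case "$first" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Count occurrences of a single character; FS of one char is literal in awk.
count_char() {
    awk -F"$2" '{ n += NF - 1 } END { print n + 0 }' "$1"
}

# A named.conf with unbalanced braces never loads; BIND rejects it at start.
named_conf_braces_balanced() {
    [ "$(count_char "$1" '{')" -eq "$(count_char "$1" '}')" ]
}

# Path given to tkey-gssapi-keytab (empty if absent or commented out).
named_conf_gss_keytab() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 0 = a DNS/ principal is present, 1 = none, 2 = cannot check (no klist or unreadable).
keytab_has_dns_principal() {
    command -v klist >/dev/null 2>&1 || return 2
    [ -r "$1" ] || return 2
    klist -k "$1" 2>/dev/null | grep -q 'DNS/'
}

# Constructed sample inputs for demonstration; DIR is created by the caller.
write_sample_configs() {
    printf 'search ad.domain.net\nnameserver 127.0.0.1\nnameserver 10.0.0.2\n' > "$1/resolv.conf"
    cat > "$1/named.conf" <<'EOF'
options {
     directory "/var/named";
     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
     minimal-responses yes;
};
include "/var/lib/samba/bind-dns/named.conf";
EOF
}

# Human-readable report over the configured paths.
run_checks() {
    printf 'first nameserver: %s\n' "$(list_nameservers "$RESOLV_CONF" | head -n 1)"
    if first_nameserver_is_loopback "$RESOLV_CONF"; then
        echo "updates go to the local BIND (loopback listed first)"
    else
        echo "updates go to a remote DNS server first"
    fi
    named_conf_braces_balanced "$NAMED_CONF" && echo "named.conf braces balanced" \
        || echo "named.conf braces UNBALANCED (truncated file?)"
    kt=$(named_conf_gss_keytab "$NAMED_CONF")
    printf 'tkey-gssapi-keytab: %s\n' "${kt:-<not set>}"
    keytab_has_dns_principal "${kt:-$DNS_KEYTAB}"
    case $? in
        0) echo "keytab contains a DNS/ principal" ;;
        1) echo "keytab has NO DNS/ principal" ;;
        *) echo "keytab not checked (klist missing or file unreadable)" ;;
    esac
}

# Run the report only when executed directly, not when sourced.
case "$0" in
    *sh) ;;
    *) run_checks ;;
esac
```

Run it as root on the DC, or point `RESOLV_CONF`/`NAMED_CONF` at copies of the files. If the first nameserver is loopback and the keytab holds a `DNS/` principal, the remaining suspect is BIND itself, and a `named` log at update time (`rndc querylog` or `logging` with the `update-security` category) shows whether the TKEY negotiation reached it.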
