[Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision
Matthew Schumacher
matt.s at aptalaska.net
Mon Aug 8 15:40:45 UTC 2022
On 8/8/22 5:00 AM, L. van Belle via samba wrote:
> Can you run this script..
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> and post the content.
> Thanks,
>
> Greetz,
>
> Louis
>
>
Hi Louis,
I can't post the output of that script due to it showing a lot of
internal information, but I can say :
--------------------------------------------------------------------
Hostname, dns, realm, etc is all fine.
There are only two interfaces lo0, eth0 and are configured correctly.
/etc/hosts has loopback and the IP address followed by short name and
FQDN for this host
*/etc/resolve.conf is 127.0.0.1 and then the other DNS servers* *(*I
think this is the problem*)*
Kerberos SRV _kerberos._tcp.ad.domain.net record(s) verified ok
'kinit Administrator' checked successfully.
Samba is running as an AD DC
/etc/krb5.conf is a COPY of /var/lib/samba/private/krb5.conf and looks fine
/etc/nsswitch.conf shows "files ldap" since I use nss-pam-ldap on this
host to resolve UID and GUI in AD
/etc/samba/smb.conf shows
[global]
netbios name = dc-2
realm = AD.DOMAIN.NET
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
workgroup = AD
idmap_ldb:userfc2307 = yes
tls enabled = yes
tls keyfile = /etc/ssl/certs/dc-2.pem
tls certfile = /etc/ssl/certs/dc-2.pem
tls cafile = /etc/ssl/certs/dc-2.pem
ntlm auth = mschapv2-and-ntlmv2-only
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/ad.domain.net/scripts
read only = No
This DC is not being used as a fileserver
Detected bind DLZ enabled..
Time verified ok, within the allowed 300sec margin.
Time offset is currently : -1 seconds
Packages are missing because I don't have dpkg. Distro is slackware, I
compiled samba myself.
--------------------------------------------------------------------
Given the above, let me include my /etc/named.conf
--------------------------------------------------------------------
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
// forwarders {
// x.x.x.x;
// };
};
//
// a caching only nameserver config
//
zone "." IN {
type hint;
file "caching-example/named.root";
};
zone "localhost" IN {
type master;
file "caching-example/localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
include "/var/lib/samba/bind-dns/named.conf";
--------------------------------------------------------------------
Looking at the DNS servers in /etc/resolve.conf it occurred to me that
using the loopback address wouldn't work, so I removed that, and it
updated the dns against another domain controller without issue.
So, my question. Is there any reason the local bind server with the DLZ
plugin can't take kerberos authenticated updates? Any thoughts on how
to debug this?
Also, samba_dnsupdate --use-samba-tool works just fine, so, can I
configure samba to use that internally when calling samba-dnsupdate with?
dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
Any disadvantages of doing it that way?
Thanks for the help!
Matt
More information about the samba
mailing list