[Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision
Rowland Penny
rpenny at samba.org
Mon Aug 8 16:02:30 UTC 2022
On Mon, 2022-08-08 at 08:40 -0700, Matthew Schumacher via samba wrote:
> On 8/8/22 5:00 AM, L. van Belle via samba wrote:
> > Can you run this script..
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> > and post the content.
> > Thanks,
> >
> > Greetz,
> >
> > Louis
> >
> >
> Hi Louis,
>
> I can't post the output of that script due to it showing a lot of
> internal information, but I can say:
Did you miss this:
Please check this and if required, sanitise it.
>
> --------------------------------------------------------------------
> Hostname, dns, realm, etc is all fine.
>
> There are only two interfaces lo0, eth0 and are configured correctly.
>
> /etc/hosts has loopback and the IP address followed by short name and FQDN for this host
>
> /etc/resolve.conf is 127.0.0.1 and then the other DNS servers (I think this is the problem)
You should be using the DC's ipaddress as the nameserver.
>
> Kerberos SRV _kerberos._tcp.ad.domain.net record(s) verified ok
>
> 'kinit Administrator' checked successfully.
>
> Samba is running as an AD DC
>
> /etc/krb5.conf is a COPY of /var/lib/samba/private/krb5.conf and
> looks fine
>
> /etc/nsswitch.conf shows "files ldap" since I use nss-pam-ldap on this host to resolve UID and GID in AD
>
> /etc/samba/smb.conf shows
>
> [global]
> netbios name = dc-2
> realm = AD.DOMAIN.NET
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = AD
> idmap_ldb:use rfc2307 = yes
> tls enabled = yes
> tls keyfile = /etc/ssl/certs/dc-2.pem
> tls certfile = /etc/ssl/certs/dc-2.pem
> tls cafile = /etc/ssl/certs/dc-2.pem
> ntlm auth = mschapv2-and-ntlmv2-only
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/ad.domain.net/scripts
> read only = No
>
> This DC is not being used as a fileserver
>
> Detected bind DLZ enabled..
>
> Time verified ok, within the allowed 300sec margin.
> Time offset is currently : -1 seconds
>
> Packages are missing because I don't have dpkg. Distro is Slackware, I compiled samba myself.
You could use winbind instead of ldap, but you would probably need to
create the required links.
> --------------------------------------------------------------------
>
> Given the above, let me include my /etc/named.conf
>
> --------------------------------------------------------------------
> options {
> directory "/var/named";
> /*
> * If there is a firewall between you and nameservers you want
> * to talk to, you might need to uncomment the query-source
> * directive below. Previous versions of BIND always asked
> * questions using port 53, but BIND 8.1 uses an unprivileged
> * port by default.
> */
> // query-source address * port 53;
>
> tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> minimal-responses yes;
>
> // forwarders {
> // x.x.x.x;
> // };
You need to set the 'forwarders'
>
> };
>
> //
> // a caching only nameserver config
> //
> zone "." IN {
> type hint;
> file "caching-example/named.root";
> };
>
> zone "localhost" IN {
> type master;
> file "caching-example/localhost.zone";
> allow-update { none; };
> };
>
> zone "0.0.127.in-addr.arpa" IN {
> type master;
> file "caching-example/named.local";
> allow-update { none; };
> };
>
> include "/var/lib/samba/bind-dns/named.conf";
> --------------------------------------------------------------------
>
>
> Looking at the DNS servers in /etc/resolve.conf it occurred to me that using the loopback address wouldn't work, so I removed that, and it updated the dns against another domain controller without issue.
>
> So, my question. Is there any reason the local bind server with the DLZ plugin can't take kerberos authenticated updates? Any thoughts on how to debug this?
Are you sure it isn't working now that you have fixed /etc/resolv.conf?
>
> Also, samba_dnsupdate --use-samba-tool works just fine, so, can I configure samba to use that internally when calling samba-dnsupdate with?
>
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>
> Any disadvantages of doing it that way?
None whatsoever.
Rowland
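A small diagnostic for the two points raised in this reply (the first nameserver in resolv.conf should be the DC's own address rather than loopback, and named.conf needs an active forwarders block alongside tkey-gssapi-keytab for BIND9_DLZ GSS-TSIG updates), written as an added example that is not from the thread or from Samba; DC_IP and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a small diagnostic for the two
# settings Rowland calls out. DC_IP is a constructed placeholder for the
# DC's own interface address. Block comments (/* ... */) are not stripped.
DC_IP="192.0.2.10"

# check_resolv FILE: the first nameserver must be the DC itself, not loopback.
# Prints a finding and returns 1 if it is not.
check_resolv() {
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    case "$ns" in
        "$DC_IP") echo "resolv: ok, first nameserver is the DC ($ns)" ;;
        127.*|::1) echo "resolv: first nameserver is loopback ($ns); use $DC_IP"; return 1 ;;
        *) echo "resolv: first nameserver is '$ns', expected the DC $DC_IP"; return 1 ;;
    esac
}

# check_named FILE: needs an uncommented 'forwarders' block and the
# tkey-gssapi-keytab that BIND9_DLZ uses for GSS-TSIG (Kerberos) updates.
check_named() {
    rc=0
    stripped=$(sed -e 's|//.*$||' -e 's|#.*$||' "$1")   # drop // and # comments
    if ! printf '%s\n' "$stripped" | grep -q 'forwarders[[:space:]]*{'; then
        echo "named: no active 'forwarders' block (commented out or missing)"; rc=1
    fi
    if ! printf '%s\n' "$stripped" | grep -q 'tkey-gssapi-keytab[[:space:]]*"'; then
        echo "named: tkey-gssapi-keytab not set; GSS-TSIG updates will fail"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "named: ok"
    return "$rc"
}

# write_samples DIR: constructed inputs mirroring the thread (bad) and the fix (good).
write_samples() {
    printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$1/resolv.bad"
    printf 'nameserver %s\nnameserver 192.0.2.53\n' "$DC_IP" > "$1/resolv.good"
    printf 'options {\n  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";\n  // forwarders {\n  //   192.0.2.53;\n  // };\n};\n' > "$1/named.bad"
    printf 'options {\n  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";\n  forwarders { 192.0.2.53; };\n};\n' > "$1/named.good"
}

# Stand-alone run over the constructed samples: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    for f in resolv.bad resolv.good; do check_resolv "$d/$f"; done
    for f in named.bad named.good; do check_named "$d/$f"; done
    rm -rf "$d"
fi
```

Point the checks at the real /etc/resolv.conf and /etc/named.conf (with DC_IP set to the DC's address) to reproduce the findings on a live DC.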