[Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision

Rowland Penny rpenny at samba.org
Mon Aug 8 16:02:30 UTC 2022


On Mon, 2022-08-08 at 08:40 -0700, Matthew Schumacher via samba wrote:
> On 8/8/22 5:00 AM, L. van Belle via samba wrote:
> > Can you run this script..
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh  
> > and post the content.
> > Thanks,
> > 
> > Greetz,
> > 
> > Louis
> > 
> > 
> Hi Louis,
> 
> I can't post the output of that script due to it showing a lot of
> internal information, but I can say:

Did you miss this:

Please check this and if required, sanitise it.

> 
> --------------------------------------------------------------------
> Hostname, dns, realm, etc is all fine.
> 
> There are only two interfaces lo0, eth0 and are configured correctly.
> 
> /etc/hosts has loopback and the IP address followed by short name
> and FQDN for this host
> 
> /etc/resolve.conf is 127.0.0.1 and then the other DNS servers (I
> think this is the problem)

You should be using the DC's IP address as the nameserver.

> 
> Kerberos SRV _kerberos._tcp.ad.domain.net record(s) verified ok
> 
> 'kinit Administrator' checked successfully.
> 
> Samba is running as an AD DC
> 
> /etc/krb5.conf is a COPY of /var/lib/samba/private/krb5.conf and
> looks fine
> 
> /etc/nsswitch.conf shows "files ldap" since I use nss-pam-ldap on
> this host to resolve UID and GID in AD
> 
> /etc/samba/smb.conf shows
> 
> [global]
>      netbios name = dc-2
>      realm = AD.DOMAIN.NET
>      server role = active directory domain controller
>      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>      drepl, winbindd, ntp_signd, kcc, dnsupdate
>      workgroup = AD
>      idmap_ldb:userfc2307  = yes
>      tls enabled  = yes
>      tls keyfile  = /etc/ssl/certs/dc-2.pem
>      tls certfile = /etc/ssl/certs/dc-2.pem
>      tls cafile   = /etc/ssl/certs/dc-2.pem
>      ntlm auth = mschapv2-and-ntlmv2-only
> 
> [sysvol]
>      path = /var/lib/samba/sysvol
>      read only = No
> 
> [netlogon]
>      path = /var/lib/samba/sysvol/ad.domain.net/scripts
>      read only = No
> 
> This DC is not being used as a fileserver
> 
> Detected bind DLZ enabled..
> 
> Time verified ok, within the allowed 300sec margin.
> Time offset is currently : -1 seconds
> 
> Packages are missing because I don't have dpkg.  Distro is slackware,
> I compiled samba myself.

You could use winbind instead of ldap, but you would probably need to
create the required links.

> --------------------------------------------------------------------
> 
> Given the above, let me include my /etc/named.conf
> 
> --------------------------------------------------------------------
> options {
>      directory "/var/named";
>      /*
>       * If there is a firewall between you and nameservers you want
>       * to talk to, you might need to uncomment the query-source
>       * directive below.  Previous versions of BIND always asked
>       * questions using port 53, but BIND 8.1 uses an unprivileged
>       * port by default.
>       */
>      // query-source address * port 53;
> 
>      tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>      minimal-responses yes;
> 
> //      forwarders {
> //              x.x.x.x;
> //      };

You need to set the 'forwarders'

> 
> };
> 
> //
> // a caching only nameserver config
> //
> zone "." IN {
>      type hint;
>      file "caching-example/named.root";
> };
> 
> zone "localhost" IN {
>      type master;
>      file "caching-example/localhost.zone";
>      allow-update { none; };
> };
> 
> zone "0.0.127.in-addr.arpa" IN {
>      type master;
>      file "caching-example/named.local";
>      allow-update { none; };
> };
> 
> include "/var/lib/samba/bind-dns/named.conf";
> --------------------------------------------------------------------
> 
> 
> Looking at the DNS servers in /etc/resolve.conf it occurred to me
> that using the loopback address wouldn't work, so I removed that, and
> it updated the dns against another domain controller without issue.
> 
> So, my question.  Is there any reason the local bind server with the
> DLZ plugin can't take kerberos authenticated updates?  Any thoughts on
> how to debug this?

Are you sure it isn't working now that you have fixed /etc/resolv.conf?

> 
> Also, samba_dnsupdate --use-samba-tool works just fine, so, can I
> configure samba to use that internally when calling samba-dnsupdate
> with?
> 
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
> 
> Any disadvantages of doing it that way?

None whatsoever.

Rowland
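As an added example (not from this thread and not Samba's own tooling), a small POSIX sh checklist for the three points raised above: the first nameserver in resolv.conf should be the DC's own address rather than loopback, named.conf needs an uncommented forwarders block and a tkey-gssapi-keytab, and smb.conf may carry the 'dns update command' override. The file paths are passed in by the caller and are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: POSIX sh checks for the
# DC DNS points discussed above. File paths are supplied by the caller (assumed).

# First 'nameserver' entry in a resolv.conf-style file (empty if none).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Succeeds only when the first nameserver is a real address, not loopback:
# the DC should query its own IP, which is what broke the update in the thread.
check_resolv() {
    ns=$(first_nameserver "$1")
    case "$ns" in
        ""|127.*|::1) return 1 ;;
        *) return 0 ;;
    esac
}

# Drop BIND '//' line comments so commented-out blocks are not counted.
strip_line_comments() {
    sed 's://.*$::' "$1"
}

# Succeeds when named.conf has an active (uncommented) forwarders block.
check_forwarders() {
    strip_line_comments "$1" | grep -q 'forwarders[[:space:]]*{'
}

# Prints the keytab named by tkey-gssapi-keytab (used for GSS-TSIG updates).
tkey_keytab() {
    strip_line_comments "$1" |
        sed -n 's/.*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Prints the 'dns update command' override from smb.conf, if any.
dns_update_command() {
    sed -n 's/^[[:space:]]*dns update command[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Summarise the checks for RESOLV_CONF NAMED_CONF; returns the number of problems.
dc_dns_report() {
    problems=0
    check_resolv "$1" || { echo "resolv.conf: first nameserver is loopback or missing"; problems=$((problems+1)); }
    check_forwarders "$2" || { echo "named.conf: no active forwarders block"; problems=$((problems+1)); }
    [ -n "$(tkey_keytab "$2")" ] || { echo "named.conf: tkey-gssapi-keytab not set"; problems=$((problems+1)); }
    return "$problems"
}
```

Run it as `dc_dns_report /etc/resolv.conf /etc/named.conf` on the DC; a non-zero exit count means at least one of the issues from this thread is still present.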