[Samba] samba_dnsupdate error - TKEY is unacceptable
Rowland Penny
rpenny at samba.org
Sat Mar 12 19:22:36 UTC 2022
On Sat, 2022-03-12 at 13:52 -0500, Greg Schaub via samba wrote:
> I have built a new Samba DC server and am trying to join my existing Samba DC. The server source packages come from a new Ubuntu 20.04 install, fully patched (Samba version 4.13.17-Ubuntu). The samba_dns update fails with the error: /usr/sbin/samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable.
>
> I have tried to troubleshoot based on available information on the internet. I have actually found and updated for some issues. Here is what I've done:
>
> * Verified krb5.conf, smb.conf
> * Named.conf.options includes tkey-gssapi-keytab "/var/lib/samba/bind-dnd/dns.keytab
> * Performed the back-end dns shuffle (to samba dns, then back to bind)
> * Validated kinit/klist
> * Validated keys exist under dns.keytab
> * Tried to verify that the Bind AD account exists, but it did not
>
> * Tried samba_upgradedns --dns-backend=BIND9_DLZ - Said that the account already exists
> * Note that the account DID exist when doing "ldbsearch -H /var/lib/samba/private/sam.ldb 'cn=dns-SCHAUB-DC1' dn" (Note this is Private, not "./bin-dns/dns"
>
> * samba_dnsupdate --verbose --all-names still shows the same error
>
> Note that I am out of thoughts as to how to fix the issue and I suspect it has something to do with the ./private vs. the ./bind-dns pointers. I moved from bind to native several times along the way, but no joy. Note that my other server is on a RPI.
>
> I have tried to anticipate the log requests that you will have and have put the output below.

Just about the only info you didn't supply was the most interesting: what is the IP of your new DC, what is in your /etc/resolv.conf, and have you restarted Samba or rebooted the DC?

Your /etc/resolv.conf after the join should be changed to:

search home.theschaubs.com
nameserver THE_IP_OF_THIS_DC

If that doesn't work, add 'dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool' to the DC's smb.conf.

Rowland