[Samba] samba_dnsupdate error - TKEY is unacceptable

greg at theschaubs.com
Sat Mar 12 20:27:03 UTC 2022

Hi Rowland,

Not sure if it's the most interesting because that is the one I forgot, and
therefore forgot to check when configuring the DC.  Whatever the case, you
sniffed it out:  I had my nameserver order reversed.  I probably copied it
from the other DC and forgot to reverse them.

All working fine now.  Thanks so much for your help.  


-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via
Sent: Saturday, March 12, 2022 2:23 PM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] samba_dnsupdate error - TKEY is unacceptable

On Sat, 2022-03-12 at 13:52 -0500, Greg Schaub via samba wrote:
> I have built a new Samba DC server and am trying to join my existing 
> Samba DC.  The server source packages come from a new Ubuntu 20.04 
> install, fully patched (Samba version 4.13.17-Ubuntu). The samba_dns 
> update fails with the
> error:  /usr/sbin/samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is 
> unacceptable.
> I have tried to troubleshoot based on available information on the 
> internet.
> I have actually found and updated for some issues.  Here is what I've
> done:
> *	Verified krb5.conf, smb.conf
> *	Named.conf.options includes tkey-gssapi-keytab
> "/var/lib/samba/bind-dnd/dns.keytab"
> *	Performed the back-end dns shuffle (to samba dns, then back to
> bind)
> *	Validated kinit/klist
> *	Validated keys exist under dns.keytab
> *	Tried to verify that the Bind AD account exists, but it did not
> *	Tried samba_upgradedns --dns-backend=BIND9_DLZ - Said that the
> account already exists
> *	Note that the account DID exist when doing "ldbsearch -H
> /var/lib/samba/private/sam.ldb 'cn=dns-SCHAUB-DC1' dn" (Note this is 
> Private, not "./bin-dns/dns")
> *	samba_dnsupdate --verbose --all-names still shows the same
> error
> Note that I am out of thoughts as to how to fix the issue and I 
> suspect it has something to do with the ./private vs. the ./bind-dns 
> pointers.  I moved from bind to native several times along the way, 
> but no joy.  Note that my other server is on a RPI..
> I have tried to anticipate the log requests that you will have and 
> have put the output below.

Just about the only info you didn't supply was the most interesting: what is
the IP of your new DC, what is in your /etc/resolv.conf, and have you
restarted Samba or rebooted the DC?

Your /etc/resolv.conf after the join should be changed to:

search home.theschaubs.com
nameserver THE_IP_OF_THIS_DC

If that doesn't work, add 'dns update command = /usr/sbin/samba_dnsupdate
--use-samba-tool' to the DC's smb.conf
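A small check, added here as an example (it is not part of the thread or of Samba itself), for the resolv.conf condition Rowland describes and Greg confirms: on a DC the first nameserver must be the DC's own IP, and the search domain should be the AD DNS domain. The file path, DC IP and domain are parameters; the sample files and the 192.0.2.x addresses are constructed.

```shell
#!/bin/sh
# Added example: diagnose a DC's /etc/resolv.conf for the reversed
# nameserver order that broke samba_dnsupdate in this thread.
# Assumption: the DC's own IP and AD domain are passed in by the caller.

# Print the nameserver entries of a resolv.conf file, in file order.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print the first search/domain entry (empty if none).
resolv_search() {
    awk '$1 == "search" || $1 == "domain" { print $2; exit }' "$1"
}

# Usage: check_resolv_conf FILE DC_IP AD_DOMAIN
# Returns 0 when the first nameserver is DC_IP and the search domain
# matches AD_DOMAIN; otherwise prints the reason and returns 1.
check_resolv_conf() {
    file=$1; dc_ip=$2; domain=$3
    first=$(resolv_nameservers "$file" | head -n 1)
    search=$(resolv_search "$file")
    if [ -z "$first" ]; then
        echo "no nameserver entries in $file"; return 1
    fi
    if [ "$first" != "$dc_ip" ]; then
        echo "first nameserver is $first, expected this DC ($dc_ip)"
        echo "nameserver order: $(resolv_nameservers "$file" | tr '\n' ' ')"
        return 1
    fi
    if [ "$search" != "$domain" ]; then
        echo "search domain is '$search', expected $domain"; return 1
    fi
    echo "resolv.conf OK: $file points at this DC first"; return 0
}

# Constructed samples (made-up IPs): 192.0.2.20 plays the new DC.
# "bad" has the order reversed, as in the thread; "good" is the fixed file.
bad=$(mktemp); good=$(mktemp)
printf 'search home.theschaubs.com\nnameserver 192.0.2.10\nnameserver 192.0.2.20\n' > "$bad"
printf 'search home.theschaubs.com\nnameserver 192.0.2.20\nnameserver 192.0.2.10\n' > "$good"
check_resolv_conf "$bad" 192.0.2.20 home.theschaubs.com || echo "-> fix: put 192.0.2.20 first"
check_resolv_conf "$good" 192.0.2.20 home.theschaubs.com
rm -f "$bad" "$good"
```

Run it on the real file with the DC's address (for example `check_resolv_conf /etc/resolv.conf <dc-ip> <ad-domain>`) before re-running samba_dnsupdate.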

