[Samba] Dns tkey negotiategss: TKEY is unacceptable - potential fix included

rme at bluemail.ch rme at bluemail.ch
Wed Sep 28 09:06:49 UTC 2022

Hello all

Yesterday I struggled getting my Samba BIND9_DLZ backend working on my 
Windows-Domain Joined Samba DC. From the logs and when using 
samba_dnsupdate the error was:

"Dns tkey negotiategss: TKEY is unacceptable"

Actually the error is known and remediation is described here: 

Unfortunately all the procedures on the wiki page did not help in my 
case and I found lots of online references that others suffer from the 
same issue.

After investigating deeper I found that my "samba_upgradedns 
--dns-backend=BIND9_DLZ" did create a user called "dns-host.DOMAIN.tld" 
instead of the expected "dns-host" user.

I found a potential bug in 
"/usr/lib/python3.10/site-packages/samba/provision/__init__.py" line 2460:

names.hostname = str(res4[0]["dNSHostName"]).replace("." + 
names.dnsdomain, "")

Where this replace (actually stripping of the domain name) does not work 
if lower/upper case is mixed and "names.dnsdomain" get converted to 
lowercase just a few lines above. So I changed the line to

names.hostname = str(res4[0]["dNSHostName"]).lower().replace("." + 
names.dnsdomain, "")

Finally I found that the script seems not to add the user properly to 
the DnsAdmins group which I fixed manually and added the "dns-host" user 
to the DnsAdmins group after the script created it.

I also found a related bug report here: 
<https://bugzilla.samba.org/show_bug.cgi?id=14632> but it looks like 
nobody cared yet (since about 1.5 years).

Is someone able to have a look. Indeed the fix seems to be fairly simple:
- case-insensitive stripping of dns domain name
- add proper grolup membership of DNS user

This might save lots of people some headache in the future.


More information about the samba mailing list