[Samba] Dns tkey negotiategss: TKEY is unacceptable - potential fix included
rme at bluemail.ch
Wed Sep 28 09:06:49 UTC 2022
Hello all
Yesterday I struggled getting my Samba BIND9_DLZ backend working on my
Windows-Domain Joined Samba DC. From the logs and when using
samba_dnsupdate the error was:
"Dns tkey negotiategss: TKEY is unacceptable"
Actually the error is known and remediation is described here:
<https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable>
Unfortunately all the procedures on the wiki page did not help in my
case and I found lots of online references that others suffer from the
same issue.
After investigating deeper I found that my "samba_upgradedns
--dns-backend=BIND9_DLZ" did create a user called "dns-host.DOMAIN.tld"
instead of the expected "dns-host" user.
I found a potential bug in
"/usr/lib/python3.10/site-packages/samba/provision/__init__.py" line 2460:
names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain, "")
Where this replace (actually stripping of the domain name) does not work
if lower/upper case is mixed and "names.dnsdomain" gets converted to
lowercase just a few lines above. So I changed the line to
names.hostname = str(res4[0]["dNSHostName"]).lower().replace("." + names.dnsdomain, "")
Finally I found that the script seems not to add the user properly to
the DnsAdmins group which I fixed manually and added the "dns-host" user
to the DnsAdmins group after the script created it.
I also found a related bug report here:
<https://bugzilla.samba.org/show_bug.cgi?id=14632> but it looks like
nobody cared yet (since about 1.5 years).
Is someone able to have a look? Indeed the fix seems to be fairly simple:
- case-insensitive stripping of dns domain name
- add proper group membership of DNS user
This might save lots of people some headache in the future.
Thanks
Rainer
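The hostname-derivation bug the post describes, as an added example that is neither Samba's provision code nor the poster's patch: the original case-sensitive substring replace beside a case-insensitive variant that, going one step further than the one-line fix above, only strips a trailing ".<domain>" suffix. Function names and the sample host/domain values are assumed and constructed.

```python
# Constructed stand-in for what provisioning reads from the DC's computer
# object: dNSHostName as stored (mixed case) and the lowercased dnsdomain.
SAMPLE_DNS_HOSTNAME = "dc1.SAMDOM.Example.COM"
SAMPLE_DNSDOMAIN = "samdom.example.com"


def strip_domain_original(dns_hostname: str, dnsdomain: str) -> str:
    """Mirrors the logic the post quotes: dnsdomain was lowercased a few
    lines earlier, but dNSHostName is used as stored, so a mixed-case value
    never matches and the domain part survives."""
    return dns_hostname.replace("." + dnsdomain.lower(), "")


def strip_domain_fixed(dns_hostname: str, dnsdomain: str) -> str:
    """Case-insensitive strip that removes only a trailing '.<domain>' suffix,
    so a hostname that merely contains the domain string is left intact."""
    host = dns_hostname.lower()
    suffix = "." + dnsdomain.lower()
    if host.endswith(suffix):
        host = host[: -len(suffix)]
    return host


def dns_account_name(dns_hostname: str, dnsdomain: str, fixed: bool = True) -> str:
    """Derive the 'dns-<host>' account name; with fixed=False it reproduces
    the unexpected 'dns-host.DOMAIN.tld' name seen in the post."""
    strip = strip_domain_fixed if fixed else strip_domain_original
    return "dns-" + strip(dns_hostname, dnsdomain)


if __name__ == "__main__":
    print("original:", dns_account_name(SAMPLE_DNS_HOSTNAME, SAMPLE_DNSDOMAIN, fixed=False))
    print("fixed:   ", dns_account_name(SAMPLE_DNS_HOSTNAME, SAMPLE_DNSDOMAIN))
```

Comparing the derived name against the sAMAccountName of the account provisioning actually created is a quick way to confirm whether this is the failure in a given environment.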