[Samba] Dns tkey negotiategss: TKEY is unacceptable - potential fix included

Rowland Penny rpenny at samba.org
Wed Sep 28 10:50:34 UTC 2022



On 28/09/2022 10:06, Rainer Meier via samba wrote:
> Hello all
> 
> Yesterday I struggled getting my Samba BIND9_DLZ backend working on my 
> Windows-Domain Joined Samba DC. From the logs and when using 
> samba_dnsupdate the error was:
> 
> "Dns tkey negotiategss: TKEY is unacceptable"
> 
> Actually the error is known and remediation is described here: 
> <https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable> 
> 
> 
> Unfortunately all the procedures on the wiki page did not help in my 
> case and I found lots of online references that others suffer from the 
> same issue.
> 
> 
> After investigating deeper I found that my "samba_upgradedns 
> --dns-backend=BIND9_DLZ" did create a user called "dns-host.DOMAIN.tld" 
> instead of the expected "dns-host" user.
> 
> I found a potential bug in 
> "/usr/lib/python3.10/site-packages/samba/provision/__init__.py" line 2460:
> 
> names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain, "")

What version of Samba are you using ?

I ask this because I cannot find a version of the __init__.py you refer 
to that has that line in the position you say it is (line 2460), it is 
near the top.

> 
> Where this replace (actually stripping of the domain name) does not work 
> if lower/upper case is mixed and "names.dnsdomain" gets converted to 
> lowercase just a few lines above. So I changed the line to
> 
> names.hostname = str(res4[0]["dNSHostName"]).lower().replace("." + names.dnsdomain, "")

I cannot find that line at all.

> 
> 
> 
> Finally I found that the script seems not to add the user properly to 
> the DnsAdmins group which I fixed manually and added the "dns-host" user 
> to the DnsAdmins group after the script created it.
> 
> I also found a related bug report here: 
> <https://bugzilla.samba.org/show_bug.cgi?id=14632> but it looks like 
> nobody cared yet (since about 1.5 years).

Oh we have bugs much older than that ;-)

However it looks like you are correct, there is code to create the 
'dns-host' user, even if it may be incorrect, there is code to create 
the dnsadmins group, but there doesn't seem to be code to add the user 
to the group.

Rowland

> 
> 
> Is someone able to have a look? Indeed the fix seems to be fairly simple:
> - case-insensitive stripping of dns domain name
> - add proper group membership of DNS user
> 
> 
> This might save lots of people some headache in the future.
> 
> Thanks
> Rainer
> 

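The case-sensitivity problem Rainer describes, reproduced as an added example (this is not Samba's provisioning code and not part of the thread): the first function is the `str.replace()` pattern quoted above, the second is the `.lower()` change he proposes, and the third is a suffix-aware variant that only strips the domain when it really is the trailing labels, compared case-insensitively, and leaves an FQDN outside the domain untouched. The `dns-` prefix composition and the sample dNSHostName values are assumptions constructed for the example.

```python
"""Stripping a DNS domain suffix from an AD dNSHostName value.

Added example, not Samba's own code. It reproduces the behaviour described in
the thread: a case-sensitive str.replace() leaves the suffix in place when the
dNSHostName attribute and the already-lowercased names.dnsdomain differ in
case, so the derived account name becomes "dns-host.DOMAIN.tld" instead of
"dns-host". All sample values below are constructed.
"""


def strip_domain_replace(dns_hostname: str, dnsdomain: str) -> str:
    """The pattern quoted in the thread: case-sensitive replace of '.' + dnsdomain.

    dnsdomain is assumed to be lowercased already, as the thread says the
    surrounding provisioning code does a few lines earlier.
    """
    return dns_hostname.replace("." + dnsdomain, "")


def strip_domain_lower(dns_hostname: str, dnsdomain: str) -> str:
    """Rainer's proposed change: lowercase the hostname first, then replace."""
    return dns_hostname.lower().replace("." + dnsdomain, "")


def strip_domain_suffix(dns_hostname: str, dnsdomain: str) -> str:
    """Suffix-aware alternative (assumption, not from the thread).

    Removes dnsdomain only when it is the trailing label sequence, comparing
    case-insensitively, and keeps the short name's original case. A name that
    is not under the domain at all is returned unchanged rather than having an
    unrelated substring deleted from the middle.
    """
    suffix = "." + dnsdomain
    if dns_hostname.lower().endswith(suffix.lower()):
        return dns_hostname[: -len(suffix)]
    return dns_hostname


def account_name(short_hostname: str) -> str:
    """Assumed 'dns-' + short hostname composition, matching the names in the thread."""
    return "dns-" + short_hostname


# Constructed sample: mixed-case dNSHostName values as a Windows-joined host
# may record them, alongside the lowercased domain the code compares against.
SAMPLES = [
    ("host.DOMAIN.tld", "domain.tld"),
    ("HOST.Domain.Tld", "domain.tld"),
    ("host.domain.tld", "domain.tld"),
    ("host.otherdomain.tld", "domain.tld"),  # not under the domain at all
]

if __name__ == "__main__":
    for fqdn, dom in SAMPLES:
        print(
            f"{fqdn!r:24} replace -> {account_name(strip_domain_replace(fqdn, dom))!r:26}"
            f" lower -> {account_name(strip_domain_lower(fqdn, dom))!r:26}"
            f" suffix -> {account_name(strip_domain_suffix(fqdn, dom))!r}"
        )
```

Running the block prints one row per sample; the first row shows the `replace` variant producing the unexpected `dns-host.DOMAIN.tld` account name while the other two produce `dns-host`. The suffix-aware variant differs from the `.lower()` fix in that it preserves the host's original case and does not touch a name that merely contains the domain string somewhere other than at the end.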