[Samba] Dns tkey negotiategss: TKEY is unacceptable - potential fix included
rpenny at samba.org
Wed Sep 28 10:50:34 UTC 2022
On 28/09/2022 10:06, Rainer Meier via samba wrote:
> Hello all
> Yesterday I struggled getting my Samba BIND9_DLZ backend working on my
> Windows-Domain Joined Samba DC. From the logs and when using
> samba_dnsupdate the error was:
> "Dns tkey negotiategss: TKEY is unacceptable"
> Actually the error is known and remediation is described here:
> Unfortunately all the procedures on the wiki page did not help in my
> case and I found lots of online references that others suffer from the
> same issue.
> After investigating deeper I found that my "samba_upgradedns
> --dns-backend=BIND9_DLZ" did create a user called "dns-host.DOMAIN.tld"
> instead of the expected "dns-host" user.
> I found a potential bug in
> "/usr/lib/python3.10/site-packages/samba/provision/__init__.py" line 2460:
> names.hostname = str(res4["dNSHostName"]).replace("." +
> names.dnsdomain, "")
What version of Samba are you using ?
I ask this because i cannot find a version of the __init.py__ you refer
to that has that line in the position you say it is (line 2460), it is
near the top.
> Where this replace (actually stripping of the domain name) does not work
> if lower/upper case is mixed and "names.dnsdomain" get converted to
> lowercase just a few lines above. So I changed the line to
> names.hostname = str(res4["dNSHostName"]).lower().replace("." +
> names.dnsdomain, "")
I cannot find that line at all.
> Finally I found that the script seems not to add the user properly to
> the DnsAdmins group which I fixed manually and added the "dns-host" user
> to the DnsAdmins group after the script created it.
> I also found a related bug report here:
> <https://bugzilla.samba.org/show_bug.cgi?id=14632> but it looks like
> nobody cared yet (since about 1.5 years).
Oh we have bugs much older than that ;-)
However it looks like you are correct, there is code to create the
'dns-host' user, even if it may be incorrect, there is code to create
the dnsadmins group, but there doesn't seem to be code to add the user
to the group.
> Is someone able to have a look. Indeed the fix seems to be fairly simple:
> - case-insensitive stripping of dns domain name
> - add proper grolup membership of DNS user
> This might save lots of people some headache in the future.
More information about the samba