Stefan Kania
2018-May-02 11:54 UTC
[Samba] samba_dnsupdate --all-names -> dns_tkey_negotiategss: TKEY is unacceptable
Hello,

we have the following problem with an AD DC, Sernet 4.7.6-11 on CentOS 7.4. We have two DCs, replication is working fine. We use bind9 as dns-backend. When we do a "samba_dnsupdate --all-names" we get the following messages:
-------------------
[root@dc1 ~]# samba_dnsupdate --all-names
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
dns_tkey_negotiategss: TKEY is unacceptable
Failed update of 29 entries
-------------------

We checked all the filesystem permissions for the user "named". He can read the dns.keytab and can write to all DNS-files. We checked for the dns-dc1 and dns-dc2 user. We removed the dns.keyfile and the users and recreated both new with "samba_upgradedns --dns-backend=BIND9_DLZ". We even did the change to the internal DNS and back to bind9. We checked the entry for the dns.keytab in /etc/named.conf. We checked the dns.keytab-file and all needed entries are there.

Here is our smb.conf file:
------------------
# Global parameters
[global]
	netbios name = DC1
	realm = TRIVIUM.S1.EXAMPLE.NET
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = TRIVIUM
	idmap_ldb:use rfc2307 = yes

[netlogon]
	path = /var/lib/samba/sysvol/trivium.s1.example.net/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No
------------------

Here is the result from samba_dnsupdate --all-names -d 9
------------------
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
  auth_audit: 9
  auth_json_audit: 9
  kerberos: 9
  drs_repl: 9
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
added interface ens160 ip=192.168.226.101 bcast=192.168.226.255 netmask=255.255.255.0
lpcfg_servicenumber: couldn't find ldb
schema_fsmo_init: we are master[yes] updates allowed[no]
schema_fsmo_init: we are master[yes] updates allowed[no]
ldb_wrap open of secrets.ldb
Received smb_krb5 packet of length 313
Received smb_krb5 packet of length 177
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism gssapi_krb5_sasl
Ticket in credentials cache for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 36000 secs
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 36000 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35998 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35998 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35998 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35998 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35998 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35998 secs
dns_tkey_negotiategss: TKEY is unacceptable
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35998 secs
dns_tkey_negotiategss: TKEY is unacceptable
------------------

It's also not possible to join a samba-fs to the domain and do the dns-update. The join works, the machine is a domain-member, but no dns-update is running and we get the error message "ERROR_DNS_UPDATE_FAILED".

Can it be that the problem comes from the long REALM TRIVIUM.S1.EXAMPLE.NET? Is it maybe one level too long? We tried everything from the wiki but nothing works for us. So maybe one of you has a solution.

Thanks

Stefan
Rowland Penny
2018-May-02 12:27 UTC
[Samba] samba_dnsupdate --all-names -> dns_tkey_negotiategss: TKEY is unacceptable
On Wed, 2 May 2018 13:54:01 +0200
Stefan Kania via samba <samba@lists.samba.org> wrote:

> Hello,
> we have the following problem with an AD DC, Sernet 4.7.6-11 on CentOS
> 7.4. We have two DCs, replication is working fine. We use bind9 as
> dns-backend. When we do a "samba_dnsupdate --all-names" we get the
> following messages:
> -------------------
> [root@dc1 ~]# samba_dnsupdate --all-names
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> dns_tkey_negotiategss: TKEY is unacceptable
> Failed update of 29 entries
> -------------------
>
> We checked all the filesystem permissions for the user "named". He can
> read the dns.keytab and can write to all DNS-files.
> We checked for the dns-dc1 and dns-dc2 user. We removed the
> dns.keyfile and the users and recreated both new with
> "samba_upgradedns --dns-backend=BIND9_DLZ"
> We even did the change to the internal DNS and back to bind9. We
> checked the entry for the dns.keytab in /etc/named.conf. We checked
> the dns.keytab-file and all needed entries are there.
>
> Here is our smb.conf file:
> ------------------
> # Global parameters
> [global]
> 	netbios name = DC1
> 	realm = TRIVIUM.S1.EXAMPLE.NET
> 	server role = active directory domain controller
> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> 	drepl, winbindd, ntp_signd, kcc, dnsupdate
> 	workgroup = TRIVIUM
> 	idmap_ldb:use rfc2307 = yes
> [netlogon]
> 	path = /var/lib/samba/sysvol/trivium.s1.example.net/scripts
> 	read only = No
>
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No

Try adding 'dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool' to smb.conf

and run 'samba_dnsupdate --all-names --use-samba-tool'

Rowland
Stefan Kania
2018-May-02 12:39 UTC
[Samba] samba_dnsupdate --all-names -> dns_tkey_negotiategss: TKEY is unacceptable
Hi Rowland,

On 02.05.2018 at 14:27, Rowland Penny via samba wrote:
> Try adding 'dns update command = /usr/sbin/samba_dnsupdate
> --use-samba-tool' to smb.conf
>
> and run 'samba_dnsupdate --all-names --use-samba-tool'

We did this and we are now getting the following error message:
-----------
.
.
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed update of 29 entries
------------

We get the message for all entries. It looks to me like there was no update, because all entries are already there. Or is it still a problem?

Stefan
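The two outputs quoted in this thread (the plain `-d 9` run and the `--use-samba-tool` run) can be triaged mechanically. The following is an added example, not code from the thread or from Samba; it parses the message shapes seen above and separates "client held a valid ticket but the DNS server refused the TKEY" from "client had no usable credentials" and from "every record already exists". The sample logs are constructed excerpts modelled on the quoted output.

```python
import re
from collections import Counter

# Constructed excerpts modelled on the two outputs quoted in the thread
# (plain -d 9 run, and the --use-samba-tool run); not the posters' full logs.
LOG_GSS = """\
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 36000 secs
dns_tkey_negotiategss: TKEY is unacceptable
GSSAPI credentials for DC1$@TRIVIUM.S1.EXAMPLE.NET will expire in 35999 secs
dns_tkey_negotiategss: TKEY is unacceptable
Failed update of 2 entries
"""
LOG_TOOL = """\
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
Failed update of 1 entries
"""

CRED_RE = re.compile(r"GSSAPI credentials for (\S+) will expire in (\d+) secs")
TKEY_RE = re.compile(r"dns_tkey_negotiategss: (.+)")
WERR_RE = re.compile(r"uncaught exception - \((\d+), '(\w+)'\)")
FAILED_RE = re.compile(r"Failed update of (\d+) entries")

def triage(log: str) -> dict:
    """Summarise one samba_dnsupdate run: principal, ticket validity, TKEY and WERR failures."""
    principals, tkey, werr = Counter(), Counter(), Counter()
    min_ttl, failed = None, 0
    for line in log.splitlines():
        if m := CRED_RE.search(line):
            principals[m.group(1)] += 1
            ttl = int(m.group(2))
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        elif m := TKEY_RE.search(line):
            tkey[m.group(1).strip()] += 1
        elif m := WERR_RE.search(line):
            werr[m.group(2)] += 1
        elif m := FAILED_RE.search(line):
            failed = int(m.group(1))
    if tkey and principals and (min_ttl or 0) > 0:
        # Client obtained a valid ticket, yet the GSS-TSIG TKEY was refused: the
        # rejection came from the DNS server side, not from the client's credentials.
        verdict = "server rejected TKEY"
    elif tkey:
        verdict = "client credentials missing or expired"
    elif werr and set(werr) == {"WERR_DNS_ERROR_RECORD_ALREADY_EXISTS"}:
        # Every failure says the record exists: the data is present, nothing needed updating.
        verdict = "records already present"
    else:
        verdict = "no recognised failure"
    return {"principals": dict(principals), "min_ttl": min_ttl, "tkey": dict(tkey),
            "werr": dict(werr), "failed": failed, "verdict": verdict}
```

Feed it the full `samba_dnsupdate --all-names -d 9` output (redirected to a file) to get the same three-way split on a real run.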