Rommel Rodriguez Toirac
2020-Nov-18 19:13 UTC
[Samba] dnsupdate failed with TKEY is unaceptable
-------- Original message --------
>
> In my network I have a samba 4.11.4 as Active Directory Domain Controller installed in CentOS 7 (gtmad.gtm.onat.gob.cu - 192.168.41.17). I have recently installed samba 4.13.2 in CentOS 8 (gtmad1.gtm.onat.gob.cu - 192.168.41.18) and following the wiki.samba.org guide I have joined it as a domain controller to my network.
>
> But I have a "dnsupdate_nameupdate_done: Failed DNS update with exit code 26" due to "TKEY is unacceptable".
>
> Some of my steps in the process:
>
> Everything seems fine with directory replication:
>
> # samba-tool drs showrepl
> Default-First-Site-Name\GTMAD1
> DSA Options: 0x00000001
> DSA object GUID: 03d9f4b0-72a5-47cd-b572-a33ae30b73ce
> DSA invocationId: 1a022b20-9777-4366-b996-5b27a46aff42
>
> ==== INBOUND NEIGHBORS ====
>
> DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-Name\GTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
>                 0 consecutive failure(s).
>                 Last success @ Wed Nov 18 11:43:33 2020 CST
>
> DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-Name\GTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
>                 0 consecutive failure(s).
>                 Last success @ Wed Nov 18 11:43:33 2020 CST
>
> CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-Name\GTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
>                 0 consecutive failure(s).
>                 Last success @ Wed Nov 18 11:43:33 2020 CST
>
> DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-Name\GTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
>                 0 consecutive failure(s).
>                 Last success @ Wed Nov 18 11:43:33 2020 CST
>
> CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-Name\GTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ Wed Nov 18 11:43:33 2020 CST was successful
>                 0 consecutive failure(s).
>                 Last success @ Wed Nov 18 11:43:33 2020 CST
>
> ==== OUTBOUND NEIGHBORS ====
>
> DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-Name\GTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ NTTIME(0) was successful
>                 0 consecutive failure(s).
>                 Last success @ NTTIME(0)
>
> DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-Name\GTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ NTTIME(0) was successful
>                 0 consecutive failure(s).
>                 Last success @ NTTIME(0)
>
> CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-Name\GTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ NTTIME(0) was successful
>                 0 consecutive failure(s).
>                 Last success @ NTTIME(0)
>
> DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-Name\GTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ NTTIME(0) was successful
>                 0 consecutive failure(s).
>                 Last success @ NTTIME(0)
>
> CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>         Default-First-Site-Name\GTMAD via RPC
>                 DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
>                 Last attempt @ NTTIME(0) was successful
>                 0 consecutive failure(s).
>                 Last success @ NTTIME(0)
>
> ==== KCC CONNECTION OBJECTS ====
>
> Connection --
>         Connection name: 0c6a236f-edeb-486a-9791-d75de0564fc4
>         Enabled         : TRUE
>         Server DNS name : gtmad.gtm.onat.gob.cu
>         Server DN name  : CN=NTDS Settings,CN=GTMAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>                 TransportType: RPC
>                 options: 0x00000001
> Warning: No NC replicated for Connection!
>
> When I check the local DNS service I get the following:
>
> # host -t A gtm.onat.gob.cu localhost
> Using domain server:
> Name: localhost
> Address: 127.0.0.1#53
> Aliases:
>
> gtm.onat.gob.cu has address 192.168.41.17
>
> (It only resolves the IP of the samba 4.11.4 AD DC, not its own as well; I do not know if this is a problem.)
>
> When I check the status of the named.service service it seems that everything is fine:
>
> # systemctl status named.service -l
> ● named.service - Berkeley Internet Name Domain (DNS)
>    Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
>    Active: active (running) since Wed 2020-11-18 12:02:02 CST; 7s ago
>   Process: 18524 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
>   Process: 18539 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
>   Process: 18537 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
>  Main PID: 18541 (named)
>     Tasks: 35 (limit: 26213)
>    Memory: 102.6M
>    CGroup: /system.slice/named.service
>            └─18541 /usr/sbin/named -u named -c /etc/named.conf
>
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: configuring command channel from '/etc/rndc.key'
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: command channel listening on 127.0.0.1#953
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: configuring command channel from '/etc/rndc.key'
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: command channel listening on ::1#953
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: managed-keys-zone: loaded serial 0
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone localhost/IN: loaded serial 2013050101
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: all zones loaded
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: running
> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu systemd[1]: Started Berkeley Internet Name Domain (DNS).
>
> When I check the status of the samba service I have the following problem:
>
> # systemctl status samba-ad-dc.service
> ● samba-ad-dc.service - Samba Active Directory Domain Controller
>    Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; disabled; vendor preset: disabled)
>    Active: active (running) since Tue 2020-11-17 11:58:14 CST; 23h ago
>   Process: 197 ExecStart=/usr/sbin/samba -D (code=exited, status=0/SUCCESS)
>  Main PID: 198 (samba)
>     Tasks: 59 (limit: 26213)
>    Memory: 342.1M
>    CGroup: /system.slice/samba-ad-dc.service
>            ├─ 198 /usr/sbin/samba -D
>            ...
>            ├─ 208 /usr/sbin/samba -D
>            ├─ 209 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
>            ├─ 210 /usr/sbin/samba -D
>            ...
>            ├─ 230 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
>            ├─ 231 /usr/sbin/samba -D
>            ...
>            ├─ 249 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
>            ├─ 250 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
>            ├─ 251 /usr/sbin/samba -D
>            ...
>            ├─ 259 /sbin//smbd -D --option=server role check:inhibit=yes --foreground
>            ├─1138 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
>            ├─1139 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
>            └─1140 /sbin//winbindd -D --option=server role check:inhibit=yes --foreground
>
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.911574,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.928092,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:30.953861,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:30 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:31.006807,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]:   /sbin//samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]: [2020/11/18 11:28:31.028370,  0] ../../source4/dsdb/dns/dns_update.c:86(dnsupdate_nameupdate_done)
> nov 18 11:28:31 gtmad1.gtm.onat.gob.cu samba[231]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 26
>
> How can I fix this?

Does https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable help?

Regards,
--
Tom  me at tdiehl.org

Thanks for answering me; following the wiki.samba.org page related to the topic "TKEY is unacceptable":

Verifying the dns.keytab file content:

# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/gtmad1.gtm.onat.gob.cu@GTM.ONAT.GOB.CU
   1 dns-gtmad1@GTM.ONAT.GOB.CU
   1 DNS/gtmad1.gtm.onat.gob.cu@GTM.ONAT.GOB.CU
   1 dns-gtmad1@GTM.ONAT.GOB.CU
   1 DNS/gtmad1.gtm.onat.gob.cu@GTM.ONAT.GOB.CU
   1 dns-gtmad1@GTM.ONAT.GOB.CU

There is a Kerberos principal.

When I check for the BIND AD account, it exists:

# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-GTMAD' dn
# record 1
dn: CN=dns-gtmad,CN=Users,DC=gtm,DC=onat,DC=gob,DC=cu

# Referral
ref: ldap://gtm.onat.gob.cu/CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu

# Referral
ref: ldap://gtm.onat.gob.cu/DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu

# Referral
ref: ldap://gtm.onat.gob.cu/DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu

# returned 4 records
# 1 entries
# 3 referrals

Verifying the /etc/krb5.conf permissions:

# ls -l /usr/local/samba/private/dns.keytab
-rw-r----- 2 root named 517 nov 17 15:09 /usr/local/samba/private/dns.keytab

The content of my /etc/named.conf:

# cat /etc/named.conf
# Global Configuration Options
options {
    auth-nxdomain yes;
    version "Parametro no soportado";
    directory "/var/named";
    notify no;
    empty-zones-enable no;
    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;
    listen-on-v6 { none; };
    listen-on port 53 { 192.168.41.18; 127.0.0.1; };

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        127.0.0.1;
        192.168.41.0/24;
    };
    allow-query-cache {
        127.0.0.1;
        192.168.41.0/24;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        127.0.0.1;
        192.168.41.0/24;
    };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        10.10.8.2;
    };

    # Disable zone transfers
    allow-transfer {
        none;
    };

    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    minimal-responses yes;
};

# Root Servers
# (Required for recursive DNS queries)
#zone "." {
#    type hint;
#    file "named.root";
#};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

include "/usr/local/samba/bind-dns/named.conf";

Is there something wrong?

--
Rommel Rodríguez Toirac
rommelrt at nauta.cu
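The checks the post walks through by hand (principals in dns.keytab, the keytab path in named.conf's tkey-gssapi-keytab, and the keytab's group and mode) can be codified so a DC can be re-verified after every change. This is an added example, not code from the post or from Samba; the hostname, realm and the `named` group are taken from the post, and the inputs are constructed text modelled on its output.

```python
import re

# Constructed sample inputs modelled on the post (real klist prints "@"; the list archive shows " at ").
SAMPLE_KLIST = """Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- ------------------------------------------------------------
   1 DNS/gtmad1.gtm.onat.gob.cu@GTM.ONAT.GOB.CU
   1 dns-gtmad1@GTM.ONAT.GOB.CU
"""
SAMPLE_NAMED_CONF = 'options {\n    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";\n};\n'

def keytab_principals(klist_output):
    """Principals listed by `klist -k`, one per KVNO line."""
    return {m.group(1) for m in
            re.finditer(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_output, re.M)}

def keytab_path(klist_output):
    """Keytab file named on the first line of `klist -k` output."""
    m = re.search(r"^Keytab name:\s*FILE:(\S+)", klist_output, re.M)
    return m.group(1) if m else None

def tkey_keytab(named_conf):
    """Path given to BIND's tkey-gssapi-keytab option, or None."""
    m = re.search(r'tkey-gssapi-keytab\s+"([^"]+)"\s*;', named_conf)
    return m.group(1) if m else None

def check_tkey_prereqs(fqdn, realm, klist_output, named_conf,
                       keytab_mode, keytab_group, named_group="named"):
    """Return a list of findings (empty = all prerequisites met).
    keytab_mode (octal int) and keytab_group are what `ls -l` shows."""
    findings = []
    principals = keytab_principals(klist_output)
    host = fqdn.split(".")[0]
    # Samba provisions a DNS/<fqdn> service principal and a dns-<host> user principal.
    for want in (f"DNS/{fqdn}@{realm}", f"dns-{host}@{realm}"):
        if want not in principals:
            findings.append(f"missing principal {want} in keytab")
    conf_path = tkey_keytab(named_conf)
    if conf_path is None:
        findings.append("named.conf has no tkey-gssapi-keytab option")
    elif conf_path != keytab_path(klist_output):
        findings.append(f"named.conf uses {conf_path}, not the keytab inspected")
    # named runs as user 'named' (ExecStart uses -u named): it needs group read, nobody else needs access.
    if keytab_group != named_group:
        findings.append(f"keytab group is {keytab_group}, expected {named_group}")
    if not keytab_mode & 0o040:
        findings.append("keytab is not group-readable")
    if keytab_mode & 0o007:
        findings.append("keytab is world-accessible")
    return findings
```

Run against the values quoted in the post (mode 640, group named) it returns no findings, which is why the remaining suspect is the account the ldbsearch was run for rather than the keytab itself.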