James Atwell
2021-Sep-08 19:50 UTC
[Samba] bind9 permissions and dns_tkey_gssnegotiate: TKEY is unacceptable problems
Hello,

Unable to resolve bind9 permissions and dns_tkey_gssnegotiate: TKEY is unacceptable problem. This is a new DC joined to an existing domain. First, the important information out of the way.

OS = Ubuntu 20.04.3 LTS
Samba Version = 4.14.7 (self compiled ./configure, make, make install)

smb.conf

# Global parameters
[global]
        netbios name = PFDC4
        realm = DOMAIN.LOCAL // I Know
        server role = active directory domain controller
        workgroup = DOMAIN
        dns forwarder = 8.8.8.8 208.67.222.222
        server services = -dns
        log file = /usr/local/samba/var/log.samba
        log level = 1 auth_audit:3 auth_json_audit:3
        debug timestamp = Yes
        debug uid = Yes
        debug pid = Yes

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
        read only = No

-rw-r--r-- 1 root root  1123 Sep  7 13:51 /etc/named.conf
-rw-r--r-- 1 root named   92 Sep  3 15:42 /etc/krb5.conf

ls -la /usr/local/samba/bind-dns/
drwxrwx---  3 root bind  4096 Sep  8 15:16 .
drwxr-xr-x 12 root root  4096 Sep  3 15:40 ..
drwxrwx---  3 root bind  4096 Sep  8 14:36 dns
-rw-r-----  2 root named  466 Sep  8 14:36 dns.keytab
-rw-r--r--  1 root root  1012 Sep  8 14:36 named.conf
-rw-r--r--  1 root root  2055 Sep  8 14:36 named.txt

cat /etc/named.conf

include "/usr/local/samba/bind-dns/named.conf";

# Global Configuration Options
options {
    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;
    tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
    minimal-responses yes;

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        127.0.0.1;
        172.16.0.0/16;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        127.0.0.1;
        172.16.0.0/16;
    };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    # Disable zone transfers
    allow-transfer {
        none;
    };
};

# Root Servers
# (Required for recursive DNS queries)
zone "." {
    type hint;
    file "named.root";
};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

cat /usr/local/samba/bind-dns/named.conf

dlz "AD DNS Zone" {
    # For BIND 9.16.x
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_16.so";
};

cat /etc/bind/named.conf.options

options {
        directory "/var/cache/bind";
        version "0.0.7";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 172.16.0.0/16; };
        allow-recursion { 172.16.0.0/16; 127.0.0.1/32; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        allow-transfer { none; };
        dnssec-validation no;
        listen-on port 53 { 172.16.232.18; 127.0.0.1; };
        tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
        minimal-responses yes;
        listen-on-v6 { any; };
};

If I missed anything let me know. I used the wiki for guidance.

Bind9 initially would not start. It would give me permission issues when starting. I solved this by disabling apparmor. After updating all the config files and changing ownership to user named (where mentioned in the wiki), bind9 failed to start. Again permission problems. Bind was unable to read config files in /usr/local/samba/bind-dns. I changed ownership from root:named back to root:bind and bind9 would start.

I ran "samba_dnsupdate --all-names --verbose" and several dns updates got created. Ran the command again and received the dns_tkey_gssnegotiate: TKEY is unacceptable issue. Tried the wiki to troubleshoot and yet I still have the issue.

When running samba-tool drs showrepl, the newly created DC has no outbound neighbors. I'm sure it's due to my DNS issues. If I have learned anything with Samba, it's get DNS working correctly or I will have problems.

What am I missing? Why won't bind9 start with the user named? I assume I need to resolve this first before attempting to resolve the TKEY issue. The internal DNS btw will not work either. I get a BADSIG[NOTAUTH] issue.

Thanks for your time.
-James
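As an added check for the permission half of the problem above (this script is not part of the post or the Samba wiki): it answers "can this service account actually reach this file?" by walking every parent directory for the search (x) bit and the file for the read (r) bit, using the owner-else-group-else-other rule the kernel applies. The account name (bind on Ubuntu's package, named in the wiki) and the keytab path are taken from the post; everything else is assumed.

```sh
#!/bin/sh
# Added diagnostic, not from the post or the Samba wiki. It only reads mode
# bits, so it shows what a NON-root daemon account would get (root bypasses
# these bits) and it ignores POSIX ACLs and AppArmor, which the post also mentions.

# in_group UID GID: is UID a member of group GID?
in_group() {
    case " $(id -G "$1" 2>/dev/null) " in *" $2 "*) return 0 ;; esac
    return 1
}

# has_bit USER PATH r|x: does the owner/group/other column that applies to USER
# carry the requested bit? Returns 2 if USER or PATH cannot be looked up.
has_bit() {
    user=$1; path=$2; bit=$3
    uid=$(id -u "$user" 2>/dev/null) || return 2
    perm=$(stat -L -c %A "$path" 2>/dev/null) || return 2
    fuid=$(stat -L -c %u "$path"); fgid=$(stat -L -c %g "$path")
    case $bit in r) o=2; g=5; a=8 ;; x) o=4; g=7; a=10 ;; *) return 2 ;; esac
    if [ "$uid" = "$fuid" ]; then col=$o     # owner bits win, even if group is wider
    elif in_group "$uid" "$fgid"; then col=$g
    else col=$a; fi
    c=$(printf %s "$perm" | cut -c "$col")
    case $bit$c in rr|xx|xs|xt) return 0 ;; esac   # s/t: setgid/sticky with x set
    return 1
}

# can_access USER PATH: check search (x) on every directory from / down, then
# read (r) on the file. Prints the first component that blocks access, e.g. a
# 770 root:bind directory when the daemon runs as "named".
can_access() {
    user=$1; target=$2
    case $target in /*) ;; *) target=$PWD/$target ;; esac
    dir=$(dirname "$target")
    while :; do
        has_bit "$user" "$dir" x || { echo "blocked: $user lacks search (x) on $dir"; return 1; }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    has_bit "$user" "$target" r || { echo "blocked: $user lacks read (r) on $target"; return 1; }
    echo "ok: $user can read $target"
}

# Usage with the post's paths: ./check.sh bind /usr/local/samba/bind-dns/dns.keytab
if [ $# -ge 2 ]; then can_access "$1" "$2"; fi
```

Run it once for each account you have tried (bind, named) against dns.keytab, named.conf and the dlz_bind9_16.so module; the first "blocked" line names the directory or file whose ownership or mode to fix.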