greg at theschaubs.com
2022-Mar-12 18:52 UTC
[Samba] samba_dnsupdate error - TKEY is unacceptable
I have built a new Samba DC server and am trying to join my existing Samba DC. The server source packages come from a new Ubuntu 20.04 install, fully patched (Samba version 4.13.17-Ubuntu). The samba_dnsupdate fails with the error:

    /usr/sbin/samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable

I have tried to troubleshoot based on available information on the internet. I have actually found and updated for some issues. Here is what I've done:

* Verified krb5.conf, smb.conf
* named.conf.options includes tkey-gssapi-keytab "/var/lib/samba/bind-dnd/dns.keytab"
* Performed the back-end DNS shuffle (to Samba DNS, then back to BIND)
* Validated kinit/klist
* Validated keys exist under dns.keytab
* Tried to verify that the BIND AD account exists, but it did not
* Tried samba_upgradedns --dns-backend=BIND9_DLZ - said that the account already exists
* Note that the account DID exist when doing "ldbsearch -H /var/lib/samba/private/sam.ldb 'cn=dns-SCHAUB-DC1' dn" (note this is private, not ./bind-dns/dns)
* samba_dnsupdate --verbose --all-names still shows the same error

Note that I am out of thoughts as to how to fix the issue and I suspect it has something to do with the ./private vs. the ./bind-dns pointers. I moved from BIND to native several times along the way, but no joy. Note that my other server is on an RPi.

I have tried to anticipate the log requests that you will have and have put the output below.
Regards,
Greg

Logged error

[2022/03/12 12:55:48.518677, 3] ../../source4/dsdb/dns/dns_update.c:111(dnsupdate_spnupdate_done)
/usr/sbin/samba_dnsupdate: ldb_wrap open of secrets.ldb
/usr/sbin/samba_dnsupdate: GENSEC backend 'gssapi_spnego' registered
/usr/sbin/samba_dnsupdate: GENSEC backend 'gssapi_krb5' registered
/usr/sbin/samba_dnsupdate: GENSEC backend 'gssapi_krb5_sasl' registered
/usr/sbin/samba_dnsupdate: GENSEC backend 'spnego' registered
/usr/sbin/samba_dnsupdate: GENSEC backend 'schannel' registered
/usr/sbin/samba_dnsupdate: GENSEC backend 'naclrpc_as_system' registered
/usr/sbin/samba_dnsupdate: GENSEC backend 'sasl-EXTERNAL' registered
/usr/sbin/samba_dnsupdate: GENSEC backend 'ntlmssp' registered
/usr/sbin/samba_dnsupdate: GENSEC backend 'ntlmssp_resume_ccache' registered
/usr/sbin/samba_dnsupdate: GENSEC backend 'http_basic' registered
/usr/sbin/samba_dnsupdate: GENSEC backend 'http_ntlm' registered
/usr/sbin/samba_dnsupdate: GENSEC backend 'http_negotiate' registered
/usr/sbin/samba_dnsupdate: GENSEC backend 'krb5' registered
/usr/sbin/samba_dnsupdate: GENSEC backend 'fake_gssapi_krb5' registered
/usr/sbin/samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
/usr/sbin/samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
/usr/sbin/samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
/usr/sbin/samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
/usr/sbin/samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is unacceptable
/usr/sbin/samba_dnsupdate: Failed update of 5 entries
samba_runcmd_io_handler: Child /usr/sbin/samba_dnsupdate exited 5
[2022/03/12 12:55:49.587916, 0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
dnsupdate_nameupdate_done: Failed DNS update with exit code 5

Samba Version

root@schaub-dc1:/etc/bind# samba-tool -V
samba-tool: no such subcommand: -V
4.13.17-Ubuntu

Klist output

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@HOME.THESCHAUBS.COM

Valid starting       Expires              Service principal
03/12/2022 13:07:35  03/12/2022 23:07:35  krbtgt/HOME.THESCHAUBS.COM@HOME.THESCHAUBS.COM
        renew until 03/13/2022 14:07:26

klist on keytab

Keytab name: FILE:/var/lib/samba/bind-dns/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/schaub-dc1.home.theschaubs.com@HOME.THESCHAUBS.COM
   1 dns-schaub-dc1@HOME.THESCHAUBS.COM
   1 DNS/schaub-dc1.home.theschaubs.com@HOME.THESCHAUBS.COM
   1 dns-schaub-dc1@HOME.THESCHAUBS.COM
   1 DNS/schaub-dc1.home.theschaubs.com@HOME.THESCHAUBS.COM
   1 dns-schaub-dc1@HOME.THESCHAUBS.COM

Output from ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb 'cn=dns-SCHAUB-DC1' dn

No encrypted secrets key file. Secret attributes will not be encrypted or decrypted
# Referral
ref: ldap://home.theschaubs.com/CN=Configuration,DC=home,DC=theschaubs,DC=com

# Referral
ref: ldap://home.theschaubs.com/DC=DomainDnsZones,DC=home,DC=theschaubs,DC=com

# Referral
ref: ldap://home.theschaubs.com/DC=ForestDnsZones,DC=home,DC=theschaubs,DC=com

# returned 3 records
# 0 entries
# 3 referrals

Output from ldbsearch -H /var/lib/samba/private/sam.ldb 'cn=dns-SCHAUB-DC1' dn

# record 1
dn: CN=dns-schaub-dc1,CN=Users,DC=home,DC=theschaubs,DC=com

# Referral
ref: ldap://home.theschaubs.com/CN=Configuration,DC=home,DC=theschaubs,DC=com

# Referral
ref: ldap://home.theschaubs.com/DC=DomainDnsZones,DC=home,DC=theschaubs,DC=com

# Referral
ref: ldap://home.theschaubs.com/DC=ForestDnsZones,DC=home,DC=theschaubs,DC=com

# returned 4 records
# 1 entries
# 3 referrals

Output from samba_upgradedns --dns-backend=BIND9_DLZ

lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Reading domain information
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/HOME.THESCHAUBS.COM.zone
/usr/sbin/samba_upgradedns:338: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
  logger.warn("DNS records will be automatically created")
DNS records will be automatically created
DNS partitions already exist
dns-schaub-dc1 account already exists
See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

smb.conf

# Global parameters
[global]
    netbios name = SCHAUB-DC1
    realm = HOME.THESCHAUBS.COM
    server role = active directory domain controller
    # server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    server services = -dns
    workgroup = HOME
    dns forwarder = 192.168.3.1 192.168.1.1 8.8.8.8
    ldap server require strong auth = no
    allow dns updates = nonsecure and secure
    require strong key = no
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    template homedir = /home/%U
    max log size = 10000
    smbd profiling level = on
    log level = 3
    # log level = 1 auth_audit:3 dsdb_audit:3
    # log level = 1 auth:10

[netlogon]
    path = /var/lib/samba/sysvol/home.theschaubs.com/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

krb5.conf
---------------------------------------
[libdefaults]
    default_realm = HOME.THESCHAUBS.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

ls from /var/lib/samba/bind-dns

drwxrwx--- 3 root bind 4096 Feb 27 20:13 dns
-rw-r----- 2 root bind  577 Feb 27 17:29 dns.keytab
-rw-r--r-- 1 root root 1087 Feb 27 20:13 named.conf
-rw-r--r-- 1 root root 2051 Feb 27 20:13 named.txt

named.conf

# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/bind-dns/named.conf";
#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";

    # For BIND 9.12.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_12.so";

    # For BIND 9.14.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_14.so";

    # For BIND 9.16.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so";
};

/etc/bind/named.conf.options

#acl internals { 127.0.0.0/8; 192.168.0.0/24; 192.168.1.0/24; 192.168.2.0/24; 192.168.3.0/24; 192.168.4.0/24; 192.168.10.0/24; };

include "/var/lib/samba/bind-dns/named.conf" in named.conf.options;

# Global Configuration Options
options {
    auth-nxdomain yes;
    directory "/var/cache/bind";
    notify no;
    empty-zones-enable no;
    tkey-gssapi-keytab "/var/lib/samba/bind-dnd/dns.keytab";
    minimal-responses yes;

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query { 127.0.0.1; 192.168.2.0/24; 192.168.3.0/24; 192.168.4.0/24; 192.168.10.0/24; };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion { 127.0.0.1; 192.168.2.0/24; 192.168.3.0/24; 192.168.4.0/24; 192.168.10.0/24; };
    # allow-recursion { "internals"; };

    # Forward queries that can not be answered from our own zones
    # to these DNS servers:
    forwarders { 8.8.8.8; 8.8.4.4; };

    # Disable zone transfers
    allow-transfer { none; };

    # dnssec-validation no;
    # dnssec-enable no;
    # dnssec-lookaside no;

    # If you only use IPv4.
    listen-on-v6 { none; };

    # Add any subnets or hosts you want to allow to use this DNS server:
    # allow-query { "internals"; };
    # allow-query-cache { "internals"; };

    # Add any subnets you want to allow to run recursive queries:
    # recursion yes;

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //======================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //======================================================================
    //dnssec-validation auto;

    //listen-on-v6 { any; };

    // Root Servers
    // (Required for recursive DNS queries)
    //zone "." {
    //    type hint;
    //    file "named.root";
    //};

    // localhost zone
    //zone "localhost" {
    //    type master;
    //    file "master/localhost.zone";
    //};

    // 127.0.0. zone.
    //zone "0.0.127.in-addr.arpa" {
    //    type master;
    //    file "master/0.0.127.zone";
    //};
};
On Sat, 2022-03-12 at 13:52 -0500, Greg Schaub via samba wrote:
> I have built a new Samba DC server and am trying to join my existing Samba
> DC. The server source packages come from a new Ubuntu 20.04 install, fully
> patched (Samba version 4.13.17-Ubuntu). The samba_dnsupdate fails with the
> error: /usr/sbin/samba_dnsupdate: dns_tkey_gssnegotiate: TKEY is
> unacceptable.
>
> I have tried to troubleshoot based on available information on the
> internet. I have actually found and updated for some issues. Here is what
> I've done:
>
> * Verified krb5.conf, smb.conf
> * named.conf.options includes tkey-gssapi-keytab
>   "/var/lib/samba/bind-dnd/dns.keytab"
> * Performed the back-end DNS shuffle (to Samba DNS, then back to BIND)
> * Validated kinit/klist
> * Validated keys exist under dns.keytab
> * Tried to verify that the BIND AD account exists, but it did not
> * Tried samba_upgradedns --dns-backend=BIND9_DLZ - said that the account
>   already exists
> * Note that the account DID exist when doing "ldbsearch -H
>   /var/lib/samba/private/sam.ldb 'cn=dns-SCHAUB-DC1' dn" (note this is
>   private, not ./bind-dns/dns)
> * samba_dnsupdate --verbose --all-names still shows the same error
>
> Note that I am out of thoughts as to how to fix the issue and I suspect it
> has something to do with the ./private vs. the ./bind-dns pointers. I moved
> from BIND to native several times along the way, but no joy. Note that my
> other server is on an RPi.
>
> I have tried to anticipate the log requests that you will have and have put
> the output below.

Just about the only info you didn't supply was the most interesting: what is the IP of your new DC, what is in your /etc/resolv.conf, and have you restarted Samba or rebooted the DC?

Your /etc/resolv.conf after the join should be changed to:

    search home.theschaubs.com
    nameserver THE_IP_OF_THIS_DC

If that doesn't work, add 'dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool' to the DC's smb.conf.

Rowland
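The two posts above walk through the BIND9_DLZ prerequisites by hand: the keytab BIND is told to use for GSS-TSIG (TKEY) negotiation, the resolver the DC uses after the join, and the `dns update command` fallback. The script below is an added example, not code from the thread or from the Samba project, that turns those checks into functions and runs them against constructed copies of the files. Worth noting from the pasted configuration itself: the `tkey-gssapi-keytab` directive names a `.../bind-dnd/...` directory while the directory listing in the same post is `/var/lib/samba/bind-dns`, so the existence check is the first one to run. Assumptions: the DC IP (192.168.3.10; the thread never states it), the temp-dir copies standing in for `/etc/bind/named.conf.options`, `/etc/resolv.conf` and `/etc/samba/smb.conf`, and an empty file standing in for the real keytab. The `allow dns updates` check at the end is an extra observation on the posted smb.conf, not part of the TKEY problem.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: offline checks for
# the BIND9_DLZ prerequisites the two posts above go through by hand.
# Everything is exercised against constructed copies under a temp dir; the
# real files are /etc/bind/named.conf.options, /etc/resolv.conf and
# /etc/samba/smb.conf. DC_IP is an assumption (the thread never states it).
set -u

DC_IP=192.168.3.10
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Path BIND is told to use for GSS-TSIG (TKEY) negotiation; exit 1 if absent.
tkey_keytab_path() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1" \
        | head -n 1 | grep .
}

# samba_dnsupdate can only complete the GSS-TKEY exchange if BIND can open the
# keytab holding the DNS/<host> key, so the configured path must really exist.
check_keytab() {
    path="$(tkey_keytab_path "$1")" || { echo "no tkey-gssapi-keytab in $1"; return 1; }
    [ -f "$path" ] || { echo "keytab $path does not exist"; return 1; }
    [ -r "$path" ] || { echo "keytab $path is not readable"; return 1; }
    echo "keytab ok: $path"
}

# Rowland's first question: does the resolver send updates to this DC itself?
# The IP is anchored so 192.168.3.1 does not match a 192.168.3.10 entry.
resolv_points_to() {
    ip_re="$(printf '%s' "$2" | sed 's/\./\\./g')"
    grep -Eq "^[[:space:]]*nameserver[[:space:]]+${ip_re}([[:space:]]|\$)" "$1"
}

# Value of an smb.conf parameter ($2) in file $1; exit 1 if it is not set.
smbconf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | grep .
}

# --- constructed inputs mirroring the thread ---------------------------------
mkdir -p "$WORK/var/lib/samba/bind-dns"
: > "$WORK/var/lib/samba/bind-dns/dns.keytab"   # stand-in for the real keytab

# As posted: the directive says .../bind-dnd/... while the listing is bind-dns.
printf 'options {\n  tkey-gssapi-keytab "%s";\n};\n' \
    "$WORK/var/lib/samba/bind-dnd/dns.keytab" > "$WORK/named.conf.options.posted"
printf 'options {\n  tkey-gssapi-keytab "%s";\n};\n' \
    "$WORK/var/lib/samba/bind-dns/dns.keytab" > "$WORK/named.conf.options.fixed"

printf 'nameserver 127.0.0.53\nsearch home.theschaubs.com\n' > "$WORK/resolv.conf.stub"
printf 'search home.theschaubs.com\nnameserver %s\n' "$DC_IP" > "$WORK/resolv.conf.dc"

cat > "$WORK/smb.conf.posted" <<'EOF'
[global]
    server role = active directory domain controller
    server services = -dns
    allow dns updates = nonsecure and secure
EOF
{ cat "$WORK/smb.conf.posted"
  echo '    dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool'
} > "$WORK/smb.conf.fixed"

# --- report ------------------------------------------------------------------
report() {
    for f in posted fixed; do
        echo "named.conf.options.$f:"; check_keytab "$WORK/named.conf.options.$f" || true
    done
    for f in stub dc; do
        if resolv_points_to "$WORK/resolv.conf.$f" "$DC_IP"; then
            echo "resolv.conf.$f: nameserver is this DC ($DC_IP)"
        else
            echo "resolv.conf.$f: does not name this DC; updates go elsewhere"
        fi
    done
    for f in posted fixed; do
        cmd="$(smbconf_get "$WORK/smb.conf.$f" 'dns update command' || echo '<default>')"
        echo "smb.conf.$f: dns update command = $cmd"
    done
    # Not part of the TKEY problem, but worth flagging while in smb.conf: the
    # Samba default is 'secure only'; 'nonsecure and secure' lets any host on
    # the network overwrite AD DNS records without authenticating.
    upd="$(smbconf_get "$WORK/smb.conf.posted" 'allow dns updates' || echo 'secure only')"
    echo "smb.conf.posted: allow dns updates = $upd"
}
report
```

On a real DC run the functions as root against the real files (`check_keytab /etc/bind/named.conf.options`, `resolv_points_to /etc/resolv.conf <this DC's IP>`); since named runs as the `bind` user, the readability test should also be repeated as that user, which the `root:bind` 0640 mode in the listing above would pass.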