rme at bluemail.ch
2022-Sep-28 09:06 UTC
[Samba] Dns tkey negotiategss: TKEY is unacceptable - potential fix included
Hello all

Yesterday I struggled getting my Samba BIND9_DLZ backend working on my Windows-Domain Joined Samba DC. From the logs and when using samba_dnsupdate the error was:

"Dns tkey negotiategss: TKEY is unacceptable"

Actually the error is known and remediation is described here: <https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable>

Unfortunately all the procedures on the wiki page did not help in my case and I found lots of online references that others suffer from the same issue.

After investigating deeper I found that my "samba_upgradedns --dns-backend=BIND9_DLZ" did create a user called "dns-host.DOMAIN.tld" instead of the expected "dns-host" user.

I found a potential bug in "/usr/lib/python3.10/site-packages/samba/provision/__init__.py" line 2460:

    names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain, "")

Where this replace (actually stripping of the domain name) does not work if lower/upper case is mixed and "names.dnsdomain" gets converted to lowercase just a few lines above. So I changed the line to

    names.hostname = str(res4[0]["dNSHostName"]).lower().replace("." + names.dnsdomain, "")

Finally I found that the script seems not to add the user properly to the DnsAdmins group, which I fixed manually and added the "dns-host" user to the DnsAdmins group after the script created it.

I also found a related bug report here: <https://bugzilla.samba.org/show_bug.cgi?id=14632> but it looks like nobody cared yet (since about 1.5 years).

Is someone able to have a look? Indeed the fix seems to be fairly simple:
- case-insensitive stripping of dns domain name
- add proper group membership of DNS user

This might save lots of people some headache in the future.

Thanks
Rainer
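The hostname derivation described in the post above, as an added example that is not Samba's own code: the verbatim case-sensitive strip beside a case-insensitive, suffix-only version, and the "dns-" account name that each one yields. Function names and the sample dNSHostName/domain values are constructed for this example; that the DNS account is named "dns-" followed by the hostname is taken from the post.

```python
def hostname_case_sensitive(dns_host_name: str, dnsdomain: str) -> str:
    """Mirror of the original provisioning line: strip "." + dnsdomain
    with a plain str.replace(). dnsdomain has already been lower-cased by
    the caller, so a mixed-case dNSHostName never matches and the full
    FQDN survives as the hostname."""
    return dns_host_name.replace("." + dnsdomain, "")


def hostname_case_insensitive(dns_host_name: str, dnsdomain: str) -> str:
    """Case-insensitive variant. Unlike .lower().replace(), it only strips
    the domain when it is a real suffix, so a domain that happens to occur
    elsewhere in the name cannot be cut out of the middle."""
    host = dns_host_name.lower()
    suffix = "." + dnsdomain.lower()
    if host.endswith(suffix):
        return host[: -len(suffix)]
    return host


def dns_account_name(hostname: str) -> str:
    """Account name the post reports as created by samba_upgradedns
    ("dns-" + hostname); assumed here, not copied from Samba."""
    return "dns-" + hostname


def demo(dns_host_name: str, dnsdomain: str) -> tuple[str, str]:
    """Return (buggy account name, fixed account name) for one LDAP result.
    The input values are constructed; a real deployment reads dNSHostName
    from the DC's computer object."""
    buggy = dns_account_name(hostname_case_sensitive(dns_host_name, dnsdomain))
    fixed = dns_account_name(hostname_case_insensitive(dns_host_name, dnsdomain))
    return buggy, fixed


if __name__ == "__main__":
    # Mixed-case dNSHostName with the already lower-cased names.dnsdomain:
    # the original line yields "dns-DC1.EXAMPLE.TLD", the fix yields "dns-dc1".
    print(demo("DC1.EXAMPLE.TLD", "example.tld"))
```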
Rowland Penny
2022-Sep-28 10:50 UTC
[Samba] Dns tkey negotiategss: TKEY is unacceptable - potential fix included
On 28/09/2022 10:06, Rainer Meier via samba wrote:
> Hello all
>
> Yesterday I struggled getting my Samba BIND9_DLZ backend working on my
> Windows-Domain Joined Samba DC. From the logs and when using
> samba_dnsupdate the error was:
>
> "Dns tkey negotiategss: TKEY is unacceptable"
>
> Actually the error is known and remediation is described here:
> <https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable>
>
> Unfortunately all the procedures on the wiki page did not help in my
> case and I found lots of online references that others suffer from the
> same issue.
>
> After investigating deeper I found that my "samba_upgradedns
> --dns-backend=BIND9_DLZ" did create a user called "dns-host.DOMAIN.tld"
> instead of the expected "dns-host" user.
>
> I found a potential bug in
> "/usr/lib/python3.10/site-packages/samba/provision/__init__.py" line 2460:
>
> names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain, "")

What version of Samba are you using? I ask this because I cannot find a version of the __init__.py you refer to that has that line in the position you say it is (line 2460); it is near the top.

> Where this replace (actually stripping of the domain name) does not work
> if lower/upper case is mixed and "names.dnsdomain" gets converted to
> lowercase just a few lines above. So I changed the line to
>
> names.hostname = str(res4[0]["dNSHostName"]).lower().replace("." + names.dnsdomain, "")

I cannot find that line at all.

> Finally I found that the script seems not to add the user properly to
> the DnsAdmins group, which I fixed manually and added the "dns-host" user
> to the DnsAdmins group after the script created it.
>
> I also found a related bug report here:
> <https://bugzilla.samba.org/show_bug.cgi?id=14632> but it looks like
> nobody cared yet (since about 1.5 years).

Oh, we have bugs much older than that ;-) However, it looks like you are correct: there is code to create the 'dns-host' user, even if it may be incorrect, and there is code to create the dnsadmins group, but there doesn't seem to be code to add the user to the group.

Rowland

> Is someone able to have a look? Indeed the fix seems to be fairly simple:
> - case-insensitive stripping of dns domain name
> - add proper group membership of DNS user
>
> This might save lots of people some headache in the future.
>
> Thanks
> Rainer