My OS is Ubuntu 20.04, with Samba version 4.15.13. BIND is 9.16.

I have an existing domain controller (compumaxdc01) and joined another (compumaxdc03) to act as a secondary/backup according to the instructions on the wiki here:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

Both are using bind-dns as the backend, so I've made sure not to use the dns.keytab in /var/lib/samba/private. Also, instead of /usr/local/samba, my filesystem has it in /var/lib/samba.

I have done everything on
/wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable/
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Troubleshooting
however, no matter what I do, running "samba_dnsupdate --verbose --all-names" on the secondary always gets me the tkey error:

dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 28 entries

Here are the contents of the files:

--------------------
/etc/resolvconf/resolv.conf.d/base

search thecompumax.com
nameserver 192.168.2.3 (secondary)
nameserver 192.168.2.1 (primary)
nameserver 192.168.1.1
nameserver 127.0.0.53

--------------------
/etc/samba/smb.conf

[global]
    netbios name = COMPUMAXDC03
    realm = THECOMPUMAX.COM
    server role = active directory domain controller
    workgroup = THECOMPUMAX
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
    log file = /var/log/samba/samba.log
    log level = 3
    max log size = 1000000

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/thecompumax.com/scripts
    read only = No

--------------------
/etc/hosts

127.0.0.1 localhost
192.168.2.3 compumaxdc03.thecompumax.com compumaxdc03

--------------------
/etc/apparmor.d/usr/sbin.named

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,

  # Database file used by allow-new-zones
  /var/cache/bind/_default.nzd-lock rwk,

  # gssapi
  /etc/krb5.keytab kr,
  /etc/bind/krb5.keytab kr,

  # gssapi
  /var/lib/sss/pubconf/krb5.include.d/** r,
  /var/lib/sss/pubconf/krb5.include.d/ r,
  /var/lib/sss/mc/initgroups r,
  /etc/gss/mech.d/ r,

  # ldap
  /etc/ldap/ldap.conf r,
  /{,var/}run/slapd-*.socket rw,

  # dynamic updates
  /var/tmp/DNS_* rw,

  # dyndb backends
  /usr/lib/bind/*.so rm,

  # Samba DLZ
  /{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
  /{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
  /{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
  /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
  /var/lib/samba/bind-dns/dns.keytab rk,
  /var/lib/samba/bind-dns/named.conf rw,
  /var/lib/samba/bind-dns/* rw,
  /var/lib/samba/bind-dns/dns/** rwk,
  /var/lib/samba/private/dns.keytab rk,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,
  /etc/samba/smb.conf r,
  /dev/urandom rwmk,
  owner /var/tmp/krb5_* rwk,

--------------------
/etc/bind/named.conf.options (root:bind -rw-r--r--)

options {
    directory "/var/cache/bind";
    dnssec-validation no;
    listen-on-v6 { none; };
    tkey-gssapi-keytab "var/lib/samba/bind-dns/dns.keytab";
    minimal-responses yes;
};

--------------------
/etc/bind/named.conf (root:bind -rw-r--r--)

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";

logging {
    channel query_logging {
        syslog daemon;
        severity dynamic;
        print-time yes;
    };
    category queries { query_logging; };
};

--------------------
yaml file in /etc/netplan

network:
  version: 2
  renderer: NetworkManager
  ethernets:
    eno1:
      dhcp4: no
      addresses:
        - 192.168.2.3/22
      gateway4: 192.168.1.1
      nameservers:
        search: [thecompumax.com ]
        addresses: [192.168.2.3, 192.168.2.1, 192.168.1.1]

--------------------
/etc/krb5.conf (root:named rw-r--r--)

[libdefaults]
    default_realm = THECOMPUMAX.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    THECOMPUMAX.COM = {
        default_domain = thecompumax.com
    }

[domain_realm]
    COMPUMAXDC03 = THECOMPUMAX.COM

--------------------
klist -k -K -t /var/lib/samba/bind-dns/dns.keytab

Keytab name: FILE:/var/lib/samba/bind-dns/dns.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 03/28/2023 03:54:37 DNS/compumaxdc03.thecompumax.com@THECOMPUMAX.COM (0x8a43b6881b1c7f5bde4fcd54b5a09f1c3652389d7cf0d8ef2f928f2588e72097)
   1 03/28/2023 03:54:37 dns-compumaxdc03@THECOMPUMAX.COM (0x8a43b6881b1c7f5bde4fcd54b5a09f1c3652389d7cf0d8ef2f928f2588e72097)
   1 03/28/2023 03:54:37 DNS/compumaxdc03.thecompumax.com@THECOMPUMAX.COM (0x770bb6f353f9b8b4a119578d6c7c8ae1)
   1 03/28/2023 03:54:37 dns-compumaxdc03@THECOMPUMAX.COM (0x770bb6f353f9b8b4a119578d6c7c8ae1)
   1 03/28/2023 03:54:37 DNS/compumaxdc03.thecompumax.com@THECOMPUMAX.COM (0x98fd5629817f11d06cc587745df0479a)
   1 03/28/2023 03:54:37 dns-compumaxdc03@THECOMPUMAX.COM (0x98fd5629817f11d06cc587745df0479a)

--------------------

Please let me know if I missed any other files.

ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb '(invocationid=*)' --cross-ncs objectguid

returns 2 records, both of which verify correctly.

I'm honestly at my wits' end, and any help to resolve this would be much appreciated.
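One detail worth checking in the posted named.conf.options: `tkey-gssapi-keytab` is given as "var/lib/samba/bind-dns/dns.keytab" with no leading slash. BIND resolves a non-absolute path in named.conf relative to its `directory` option, so named would try to open /var/cache/bind/var/lib/samba/bind-dns/dns.keytab, a path the posted AppArmor profile does not grant either. The shell script below is an added example and not part of the original post: it extracts `directory` and `tkey-gssapi-keytab` from an options file, reports the path named would actually open, and flags a relative value. The two option files it reads are constructed copies of the stanza in the post, one as posted and one with the slash added; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): report where BIND will look for
# the GSS-TSIG keytab named by tkey-gssapi-keytab. BIND resolves a relative
# path against its `directory` option, so a value without a leading slash is
# opened under /var/cache/bind rather than /var/lib/samba/bind-dns.

# Print the quoted value of a named.conf option ($1) found in file $2.
named_option() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2"
}

# Path named will actually open: absolute values as-is, relative values
# joined to the `directory` option (BIND's default working directory is
# treated as "." here when no directory option is present).
effective_keytab_path() {
    path=$(named_option tkey-gssapi-keytab "$1")
    dir=$(named_option directory "$1")
    case "$path" in
        "")  return 2 ;;
        /*)  printf '%s\n' "$path" ;;
        *)   printf '%s/%s\n' "${dir:-.}" "$path" ;;
    esac
}

# Return 0 if tkey-gssapi-keytab is absolute, 1 if relative, 2 if unset.
keytab_path_ok() {
    path=$(named_option tkey-gssapi-keytab "$1")
    case "$path" in
        "")  return 2 ;;
        /*)  return 0 ;;
        *)   return 1 ;;
    esac
}

# Human-readable verdict for one options file.
report() {
    rc=0
    keytab_path_ok "$1" || rc=$?
    case $rc in
        0) echo "OK: keytab path is absolute: $(effective_keytab_path "$1")" ;;
        1) echo "PROBLEM: keytab path is relative; named will open $(effective_keytab_path "$1")" ;;
        *) echo "PROBLEM: no tkey-gssapi-keytab set in $1" ;;
    esac
}

# Constructed sample inputs: the options stanza from the post (relative path)
# and the same stanza with the leading slash added.
WORK=$(mktemp -d)
BAD_CONF="$WORK/named.conf.options.bad"
GOOD_CONF="$WORK/named.conf.options.good"
EMPTY_CONF="$WORK/named.conf.options.empty"
cat > "$BAD_CONF" <<'EOF'
options {
    directory "/var/cache/bind";
    dnssec-validation no;
    listen-on-v6 { none; };
    tkey-gssapi-keytab "var/lib/samba/bind-dns/dns.keytab";
    minimal-responses yes;
};
EOF
sed 's#"var/lib/samba#"/var/lib/samba#' "$BAD_CONF" > "$GOOD_CONF"
: > "$EMPTY_CONF"

report "$BAD_CONF"
report "$GOOD_CONF"
```

Run it against the real /etc/bind/named.conf.options by calling `report /etc/bind/named.conf.options`; once the reported path matches the file that `klist -k` was run on, the remaining checks are that named (the bind user, under the AppArmor profile) can read that file and that the keytab holds the DNS/ principal for the host named in the update.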