Stefan Schäfer
2013-Sep-11 18:35 UTC
[Samba] Samba4 AD with bind DNS / TKEY is unacceptable
Hi,

I am trying to migrate an existing W2k3 AD to Samba4 with bind. Everything works fine, but dnsupdate fails with the error: "dns_tkey_negotiategss: TKEY is unacceptable". I found a lot of discussions around this topic, but no solution.

Environment:
OS: SLES11 SP3 with bind 9.9.3P2
Samba packages from Sernet: sernet-samba-4.0.9-5.suse111

I checked the following points: After joining the domain, bind starts and replication from the w2k3 PDC works. Then I changed the DNS NS RRs to make the Samba server the primary DNS and transferred all FSMO roles to the Samba server.

In named.conf I made the following entries:

options {
    ...
    # Samba AD
    auth-nxdomain yes;
    empty-zones-enable no;
    tkey-gssapi-keytab "/var/lib/named/samba/private/dns.keytab";
}
...
include "/var/lib/named/samba/private/named.conf";

Both files are readable for the bind system user:

ls -l /var/lib/samba/private/
total 11696
drwxrwx--- 3 root named 4096 11. Sep 18:13 dns
-rw-r----- 1 root named  987 11. Sep 18:12 dns.keytab
-rw-r--r-- 1 root root  2270 11. Sep 13:41 dns_update_list
-rw-r--r-- 1 root root   544 11. Sep 18:17 named.conf
-r--r--r-- 1 root root   312 11. Sep 19:18 named.conf.update

Changing DNS RRs manually with samba-tool dns add|delete and so on works fine.
klist -k for the keytab file gives the following output:

Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL

What's wrong? Any ideas?

Stefan
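A pre-flight script for the BIND side of this setup, added here as an example; it is not part of the original post nor of Samba or BIND. It checks that dns.keytab is readable by nobody beyond its owner and the named group, that klist -k lists the DNS/<fqdn>@REALM service principal named needs under tkey-gssapi-keytab to accept a GSS-TSIG negotiation, and builds an nsupdate -g probe that reproduces the TKEY exchange with whatever Kerberos ticket the caller holds. KEYTAB, FQDN, REALM and ZONE are taken from the post above and are assumptions for any other site; SAMPLE_KLIST is constructed sample data in the shape of the post's klist output.

```shell
#!/bin/sh
# Added example: pre-flight checks for GSS-TSIG (TKEY) updates against a
# BIND9_DLZ Samba DC. Values below are assumptions; override in the environment.
KEYTAB=${KEYTAB:-/var/lib/samba/private/dns.keytab}
FQDN=${FQDN:-samba4ad.fsproductions.local}
REALM=${REALM:-FSPRODUCTIONS.LOCAL}
ZONE=${ZONE:-fsproductions.local}

# The keytab is a credential: group (named) may read it, but it must not be
# group-writable or readable/writable by "other". Accepts 0640, 0600, 0440 ...
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
    perm=$(( 0$mode & 0777 ))                # drop setuid/setgid/sticky bits
    [ $(( perm & 7 )) -eq 0 ] && [ $(( (perm >> 3) & 2 )) -eq 0 ]
}

# Reads klist -k output on stdin. named can only accept a TKEY negotiation if
# it holds a key for the service principal DNS/<fqdn>@REALM; the dns-<host>
# account principal Samba exports alongside it is checked too.
keytab_principals_ok() {
    fqdn=$1; realm=$2
    input=$(cat)
    esc=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    resc=$(printf '%s' "$realm" | sed 's/\./\\./g')
    printf '%s\n' "$input" | grep -q "[[:space:]]DNS/$esc@$resc\$" || {
        echo "keytab lacks DNS/$fqdn@$realm" >&2; return 1; }
    printf '%s\n' "$input" | grep -q "[[:space:]]dns-[^@]*@$resc\$" || {
        echo "keytab lacks dns-<host>@$realm" >&2; return 1; }
}

# nsupdate script for a GSS-TSIG probe: add and then remove a TXT record under
# a name that cannot collide with anything real.
tkey_probe_script() {
    server=$1; zone=$2
    printf 'server %s\nzone %s\nupdate add _tkeyprobe.%s 60 TXT "probe"\nsend\nupdate delete _tkeyprobe.%s TXT\nsend\n' \
        "$server" "$zone" "$zone" "$zone"
}

# Run the probe with the caller's ticket (kinit first). nsupdate prints
# "dns_tkey_negotiategss: TKEY is unacceptable" when named refuses the
# GSS-TSIG negotiation, which is the message from the post.
tkey_probe() {
    tkey_probe_script "$FQDN" "$ZONE" | nsupdate -g
}

# Constructed sample of klist -k output (same shape as in the post).
SAMPLE_KLIST='Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL'

# On the DC: kinit administrator; then call main.
main() {
    if keytab_mode_ok "$KEYTAB"; then echo "mode ok: $KEYTAB"
    else echo "mode/permission problem: $KEYTAB"; fi
    klist -k "$KEYTAB" | keytab_principals_ok "$FQDN" "$REALM" && echo "principals ok"
    tkey_probe
}
```

klist -k prints one line per key entry, so the same principal repeated with the same KVNO (one entry per encryption type) is normal, not a sign of a broken keytab. The "TKEY is unacceptable" text is produced on the client side (nsupdate, which samba_dnsupdate drives with -g for the BIND9_DLZ backend) when named rejects the negotiation, so the useful evidence is in named's own log and in whether the keytab path in named.conf resolves from named's point of view; on SLES, named may run chrooted under /var/lib/named, which is consistent with the /var/lib/named/samba/... path in the post's named.conf.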
Stefan Schäfer
2013-Sep-12 06:00 UTC
[Samba] Samba4 AD with bind DNS / TKEY is unacceptable
Sorry, my English isn't as good as it should be. ;-)

On 12.09.2013 00:01, Patrick Gray wrote:
> Is your existing server SBS by any
> chance?

What's the meaning of this sentence?

Stefan
Stefan Schäfer
2013-Sep-16 09:21 UTC
[Samba] Samba4 AD with bind DNS / TKEY is unacceptable
Hello,

after resolving my problem (more or less), I am trying to migrate a W2k3 SBS. Here I found new but similar problems. It seems that the LDAP structure for the DNS zones of an SBS is different from W2k3 Standard or Enterprise. It seems that the BIND9_DLZ driver, samba-tool and samba_dnsupdate have problems with this structure. We switched the DNS to Samba internal. After this, resolving names is possible:

s4ad:~ # dig @localhost s4ad.xxxx.local

; <<>> DiG 9.9.3-P2 <<>> @localhost s4ad.xxxx.local
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61943
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;s4ad.xxxx.local.               IN      A

;; ANSWER SECTION:
s4ad.xxxx.local.        900     IN      A       192.168.1.10

...but using samba-tool didn't work:

samba-tool dns zonelist s4ad.xxxx.local
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:s4ad.xxxx.local[,sign]
Ticket in credentials cache for administrator@XXXX.LOCAL expired, will refresh
Password for [administrator@XXXX.LOCAL]:
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 812, in run
    request_filter)

The Samba logfile shows:

[2013/09/16 11:12:30.197554,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2013/09/16 11:12:30.197757,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2013/09/16 11:12:39.875479,  3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2013/09/16 11:12:39.903960,  2] ../source4/rpc_server/dnsserver/dnsdb.c:140(dnsserver_db_enumerate_zones)
  dnsserver: Found DNS zone .
[2013/09/16 11:12:39.908238,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2013/09/16 11:12:39.908471,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]

It seems that samba-tool and samba_dnsupdate don't know where to find the DNS zones in the LDAP DIT of the SBS LDAP structure. Does anybody know this behavior or any workarounds?

Stefan
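To compare what the zone enumeration above reports with what the directory actually holds, here is an added example (not part of the original post, and not Samba's own tooling) that queries the three places Active Directory can keep a dnsZone object: the Windows 2000-style CN=MicrosoftDNS,CN=System container in the domain partition, and the DomainDnsZones and ForestDnsZones application partitions introduced with Windows Server 2003. SAMDB and DOMAIN_DN are assumptions; SAMPLE_LDIF is constructed to show the parser handling a DN that LDIF wrapped onto a continuation line.

```shell
#!/bin/sh
# Added example: list AD-integrated DNS zones by container, straight from
# sam.ldb, so a failing "samba-tool dns zonelist" can be compared with the
# directory contents. SAMDB and DOMAIN_DN are assumptions; adjust per site.
SAMDB=${SAMDB:-/var/lib/samba/private/sam.ldb}
DOMAIN_DN=${DOMAIN_DN:-DC=xxxx,DC=local}

# The base DNs a zone object can live under for the given domain DN.
dns_zone_containers() {
    dom=$1
    printf '%s\n' "CN=MicrosoftDNS,CN=System,$dom" \
                  "CN=MicrosoftDNS,DC=DomainDnsZones,$dom" \
                  "CN=MicrosoftDNS,DC=ForestDnsZones,$dom"
}

# Join LDIF continuation lines (leading space) back onto the previous line.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# From ldbsearch output restricted to objectClass=dnsZone, print one
# "zone<TAB>container" line per zone (the zone name is the DC= RDN).
list_zones_from_ldif() {
    unfold_ldif | awk 'sub(/^dn: DC=/, "") {
        i = index($0, ",")
        print substr($0, 1, i - 1) "\t" substr($0, i + 1)
    }'
}

# Query sam.ldb on the DC (needs the Samba tools; not exercised offline).
enumerate_zones() {
    dns_zone_containers "$DOMAIN_DN" | while read -r base; do
        ldbsearch -H "$SAMDB" -b "$base" -s sub '(objectClass=dnsZone)' dn 2>/dev/null
    done | list_zones_from_ldif
}

# Constructed sample of ldbsearch output: two zones, the second with a DN
# that LDIF wrapped onto a second line.
SAMPLE_LDIF='# record 1
dn: DC=xxxx.local,CN=MicrosoftDNS,CN=System,DC=xxxx,DC=local

# record 2
dn: DC=_msdcs.xxxx.local,CN=MicrosoftDNS,DC=ForestDnsZones,
 DC=xxxx,DC=local

# returned 2 records'

# Offline demonstration on the constructed sample; on the DC run
# enumerate_zones instead.
printf '%s\n' "$SAMPLE_LDIF" | list_zones_from_ldif
```

A zone that appears only under CN=System, with nothing in the two application partitions, was stored the Windows 2000 way; seeing where the SBS zones actually sit is the first thing to establish before deciding whether the enumeration or the data is at fault.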