Hi,
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Jared Heath via samba
> Sent: Wednesday 27 September 2017 5:50
> To: samba at lists.samba.org
> Subject: [Samba] Samba as AD travails
>
> Many (many) hours later, I'm finally throwing in the towel
> and seeking help.
Ok, here it is. At least let's give it a try. ;-)
>
> I have read everything I can find on the internet to no avail
> to get past my issues. I have to say, I'm very disappointed
> in the general quality and
> fragmentation of information on this topic. Samba isn't a turn-key
> solution as an AD by any stretch of the imagination. I've
> run the gamut so far with issues that internet digging has
> (mostly) resolved.
>
> I had this essentially all working with the internal
> DNS....until that corrupted with strange error messages about
> undotted things that essentially broke it.
>
> And so, on to bind. I've got plenty of experience with that,
> should be fairly easy, right? ha
>
> Another 5-6 hours later, I'm stuck at what seems to be the
> same brick wall
> many people end up with...TKEY is unacceptable.
This should help, if not, can you explain why not? What did you encounter?
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
And
https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
> Along with that, RSAT is
> essentially non-functional with the AD Users/Computers
> working sporadically and the DNS never having connected once
> to named (always denied).
Did you set up the SePrivileges?
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
> klist never works after a
> reboot....always requires another init, even though the
> keytab in /var/lib/samba/private is good
DHCP IP? Is resolvconf installed?
In /etc/resolv.conf, is the first nameserver pointing to its own DNS?
>
> I simply have no idea where to go from here. I've done
> everything on the Wiki 2-3 times. I've rebuilt from the
> start twice. Every time I end up in the exact same place.
>
> I'm looking for ideas. I've updated permissions on all the
> files mentioned
> anywhere on the internet in /var/lib/samba. Kerberos works
> fine except
> for the aforementioned post-boot absence of a ticket.
Last, can you also tell which OS is used?
And post the content of:
/etc/hosts
/etc/resolv.conf
>
> Here are some files to start with
>
> ========================================
> smb.conf:
> ========================================
> [global]
> workgroup = HEATHFAM
> realm = HEATHFAM.COM <http://heathfam.com/>
> netbios name = SAMBA-AD
> server role = active directory domain controller
> allow dns updates = nonsecure
> # dns forwarder = 8.8.8.8
> # dns forwarder = 10.0.2.10
> idmap_ldb:use rfc2307 = yes
> server services = rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, s3fs
> tls enabled = yes
> tls keyfile = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile = tls/ca.pem
>
> username map = /etc/samba/user.map
>
> [netlogon]
> path = /var/lib/samba/sysvol/heathfam.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
I also suggest removing the comment behind REALM.
Ok, now I see more here: remove these 2 zones from bind.
The heathfam.com zone is managed by samba+bind9_dlz.
If you provisioned with BIND9_FLATFILE, then I suggest reprovisioning with
BIND9_DLZ.
>
> ========================================
> named.conf.local
> ========================================
> zone "heathfam.com" {
> type master;
> file "/var/lib/bind/zones/db.heathfam.com"; # zone file path
> allow-update { 10.0.2.0/24; };
> };
>
> zone "2.0.10.in-addr.arpa" {
> type master;
> file "/var/lib/bind/zones/db.10.0.2"; # 10.128.2.0/16 subnet
> allow-update { 10.0.2.0/24; };
> };
^^^^^^^^^^^^^^^^^^^^^ those 2, remove them.
>
> ========================================
> named.conf.options
> ========================================
> acl "trusted" {
> 127.0.0.1;
> 10.0.2.0/24;
> };
>
> options {
> directory "/var/cache/bind";
>
> tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>
> //========================================================================
> // If BIND logs error messages about the root key being expired,
> // you will need to update your keys. See https://www.isc.org/bind-keys
> //========================================================================
> dnssec-validation no;
>
> auth-nxdomain no; # conform to RFC1035
> listen-on { 10.0.2.4; };
>
> notify no;
> empty-zones-enable no;
>
> # IP addresses and network ranges allowed to query the DNS server:
> allow-query {
> 127.0.0.1;
> 10.0.2.0/24;
> };
>
> # IP addresses and network ranges allowed to run recursive queries:
> # (Zones not served by this DNS server)
> allow-recursion { trusted; };
>
> # Forward queries that can not be answered from own zones
> # to these DNS servers:
> forwarders {
> 10.0.2.10;
> 8.8.8.8;
> };
>
> # Disable zone transfers
> allow-transfer {
> 127.0.0.1;
> 10.0.2.0/24;
> };
> };
>
> ========================================
> bottom of /etc/apparmor.d/usr.sbin.named
> ========================================
> # Samba4 DLZ and Active Directory Zones (default source installation)
> /var/lib/samba/lib/** rm,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/ rw,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
> /var/tmp/** rwmk,
> }
>
>
> ========================================
> output of samba_dnsupdate
> ========================================
> root at samba-ad:/etc/apparmor.d# samba_dnsupdate --verbose
> IPs: ['10.0.2.4']
> Looking for DNS entry A samba-ad.heathfam.com 10.0.2.4 as
> samba-ad.heathfam.com.
> Looking for DNS entry A heathfam.com 10.0.2.4 as heathfam.com.
> Failed to find DNS entry A heathfam.com 10.0.2.4 Looking for
> DNS entry SRV _ldap._tcp.heathfam.com samba-ad.heathfam.com
> 389 as _ldap._tcp.heathfam.com.
> Checking 0 0 389 samba-ad.heathfam.com. against SRV
> _ldap._tcp.heathfam.com samba-ad.heathfam.com 389 Looking for
> DNS entry SRV _ldap._tcp.dc._msdcs.heathfam.com
> samba-ad.heathfam.com 389 as _ldap._tcp.dc._msdcs.heathfam.com.
> Checking 0 0 389 samba-ad.heathfam.com. against SRV
> _ldap._tcp.dc._ msdcs.heathfam.com samba-ad.heathfam.com 389
> Looking for DNS entry SRV _ldap._tcp.1ebfe405-6e9f-49d4-
> 9165-b0073b4f4cfe.domains._msdcs.heathfam.com
> samba-ad.heathfam.com 389 as
> _ldap._tcp.1ebfe405-6e9f-49d4-9165-b0073b4f4cfe.domains._msdcs
> .heathfam.com.
> Failed to find DNS entry SRV _ldap._tcp.1ebfe405-6e9f-49d4-
> 9165-b0073b4f4cfe.domains._msdcs.heathfam.com
> samba-ad.heathfam.com 389 Looking for DNS entry SRV
> _kerberos._tcp.heathfam.com samba-ad.heathfam.com 88 as
> _kerberos._tcp.heathfam.com.
> Failed to find DNS entry SRV _kerberos._tcp.heathfam.com
> samba-ad.heathfam.com 88 Looking for DNS entry SRV
> _kerberos._udp.heathfam.com samba-ad.heathfam.com 88 as
> _kerberos._udp.heathfam.com.
> Checking 0 0 88 samba-ad.heathfam.com. against SRV
> _kerberos._ udp.heathfam.com samba-ad.heathfam.com 88 Looking
> for DNS entry SRV _kerberos._tcp.dc._msdcs.heathfam.com
> samba-ad.heathfam.com 88 as _kerberos._tcp.dc._msdcs.heathfam.com.
> Failed to find DNS entry SRV _kerberos._tcp.dc._msdcs.heathfam.com
> samba-ad.heathfam.com 88
> Looking for DNS entry SRV _kpasswd._tcp.heathfam.com
> samba-ad.heathfam.com 464 as _kpasswd._tcp.heathfam.com.
> Failed to find DNS entry SRV _kpasswd._tcp.heathfam.com
> samba-ad.heathfam.com 464 Looking for DNS entry SRV
> _kpasswd._udp.heathfam.com samba-ad.heathfam.com 464 as
> _kpasswd._udp.heathfam.com.
> Failed to find DNS entry SRV _kpasswd._udp.heathfam.com
> samba-ad.heathfam.com 464 Looking for DNS entry CNAME
> 5abed772-459b-4b4f-8fc0-83526ca15b42._
> msdcs.heathfam.com samba-ad.heathfam.com as
> 5abed772-459b-4b4f-8fc0- 83526ca15b42._msdcs.heathfam.com.
> Failed to find DNS entry CNAME 5abed772-459b-4b4f-8fc0-83526ca15b42._
> msdcs.heathfam.com samba-ad.heathfam.com Looking for DNS
> entry SRV _ldap._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 389 as
> _ldap._tcp.Default-First-Site-Name._sites.heathfam.com.
> Failed to find DNS entry SRV _ldap._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 389 Looking for DNS
> entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._
> msdcs.heathfam.com samba-ad.heathfam.com 389 as
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.heathfam.com.
> Failed to find DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.dc._
> msdcs.heathfam.com samba-ad.heathfam.com 389 Looking for DNS
> entry SRV _kerberos._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 88 as
> _kerberos._tcp.Default-First- Site-Name._sites.heathfam.com.
> Failed to find DNS entry SRV _kerberos._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 88 Looking for DNS
> entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._
> msdcs.heathfam.com samba-ad.heathfam.com 88 as
> _kerberos._tcp.Default-First- Site-Name._sites.dc._msdcs.heathfam.com.
> Failed to find DNS entry SRV _kerberos._tcp.Default-First-
> Site-Name._sites.dc._msdcs.heathfam.com samba-ad.heathfam.com
> 88 Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.heathfam.com
> samba-ad.heathfam.com 389 as _ldap._tcp.pdc._msdcs.heathfam.com.
> Failed to find DNS entry SRV _ldap._tcp.pdc._msdcs.heathfam.com
> samba-ad.heathfam.com 389
> Looking for DNS entry A gc._msdcs.heathfam.com 10.0.2.4 as
> gc._ msdcs.heathfam.com.
> Failed to find DNS entry A gc._msdcs.heathfam.com 10.0.2.4
> Looking for DNS entry SRV _gc._tcp.heathfam.com
> samba-ad.heathfam.com 3268 as _gc._tcp.heathfam.com.
> Failed to find DNS entry SRV _gc._tcp.heathfam.com
> samba-ad.heathfam.com
> 3268
> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.heathfam.com
> samba-ad.heathfam.com 3268 as _ldap._tcp.gc._msdcs.heathfam.com.
> Failed to find DNS entry SRV
> _ldap._tcp.gc._msdcs.heathfam.com samba-ad.heathfam.com 3268
> Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 3268 as
> _gc._tcp.Default-First-Site-Name._sites.heathfam.com.
> Failed to find DNS entry SRV _gc._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 3268 Looking for DNS
> entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._
> msdcs.heathfam.com samba-ad.heathfam.com 3268 as
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.heathfam.com.
> Failed to find DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.gc._
> msdcs.heathfam.com samba-ad.heathfam.com 3268 Looking for DNS
> entry A DomainDnsZones.heathfam.com
> <http://domaindnszones.heathfam.com/> 10.0.2.4 as
> DomainDnsZones.heathfam.com <http://domaindnszones.heathfam.com/>.
> Failed to find DNS entry A DomainDnsZones.heathfam.com
> <http://domaindnszones.heathfam.com/> 10.0.2.4 Looking for
> DNS entry SRV _ldap._tcp.DomainDnsZones.heathfam.com
> <http://tcp.domaindnszones.heathfam.com/>
> samba-ad.heathfam.com 389 as _ldap._tcp.DomainDnsZones.heathfam.com
> <http://tcp.domaindnszones.heathfam.com/>.
> Failed to find DNS entry SRV _ldap._tcp.DomainDnsZones.heathfam.com
> <http://tcp.domaindnszones.heathfam.com/>
> samba-ad.heathfam.com 389 Looking for DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._
> sites.DomainDnsZones.heathfam.com
> <http://sites.domaindnszones.heathfam.com/>
> samba-ad.heathfam.com 389 as
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.heathfam.com
> <http://sites.domaindnszones.heathfam.com/>.
> Failed to find DNS entry SRV _ldap._tcp.Default-First-Site-Name._
> sites.DomainDnsZones.heathfam.com
> <http://sites.domaindnszones.heathfam.com/>
> samba-ad.heathfam.com 389 Looking for DNS entry A
> ForestDnsZones.heathfam.com
> <http://forestdnszones.heathfam.com/> 10.0.2.4 as
> ForestDnsZones.heathfam.com <http://forestdnszones.heathfam.com/>.
> Failed to find DNS entry A ForestDnsZones.heathfam.com
> <http://forestdnszones.heathfam.com/> 10.0.2.4 Looking for
> DNS entry SRV _ldap._tcp.ForestDnsZones.heathfam.com
> <http://tcp.forestdnszones.heathfam.com/>
> samba-ad.heathfam.com 389 as _ldap._tcp.ForestDnsZones.heathfam.com
> <http://tcp.forestdnszones.heathfam.com/>.
> Failed to find DNS entry SRV _ldap._tcp.ForestDnsZones.heathfam.com
> <http://tcp.forestdnszones.heathfam.com/>
> samba-ad.heathfam.com 389 Looking for DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.heathfam.com
> <http://sites.forestdnszones.heathfam.com/>
> samba-ad.heathfam.com 389 as
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.heathfam.com
> <http://sites.forestdnszones.heathfam.com/>.
> Failed to find DNS entry SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.heathfam.com
> <http://sites.forestdnszones.heathfam.com/>
> samba-ad.heathfam.com 389 Calling nsupdate for A heathfam.com
> 10.0.2.4 (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> heathfam.com. 900 IN A 10.0.2.4
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV _ldap._tcp.1ebfe405-6e9f-49d4-
> 9165-b0073b4f4cfe.domains._msdcs.heathfam.com
> samba-ad.heathfam.com 389
> (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _ldap._tcp.1ebfe405-6e9f-49d4-9165-b0073b4f4cfe.domains._msdcs
> .heathfam.com.
> 900 IN SRV 0 100 389 samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV _kerberos._tcp.heathfam.com
> samba-ad.heathfam.com 88
> (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _kerberos._tcp.heathfam.com. 900 IN SRV 0 100 88
> samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.heathfam.com
> samba-ad.heathfam.com 88 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _kerberos._tcp.dc._msdcs.heathfam.com. 900 IN SRV 0 100 88
> samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV _kpasswd._tcp.heathfam.com
> samba-ad.heathfam.com 464
> (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _kpasswd._tcp.heathfam.com. 900 IN SRV 0 100 464
> samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV _kpasswd._udp.heathfam.com
> samba-ad.heathfam.com 464
> (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _kpasswd._udp.heathfam.com. 900 IN SRV 0 100 464
> samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for CNAME 5abed772-459b-4b4f-8fc0-83526ca15b42._
> msdcs.heathfam.com samba-ad.heathfam.com (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> 5abed772-459b-4b4f-8fc0-83526ca15b42._msdcs.heathfam.com. 900
> IN CNAME samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 389 (add) Outgoing
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.heathfam.com. 900
> IN SRV 0 100
> 389 samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.dc._
> msdcs.heathfam.com samba-ad.heathfam.com 389 (add) Outgoing
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.heathfam.c
> om. 900 IN SRV 0 100 389 samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 88 (add) Outgoing
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _kerberos._tcp.Default-First-Site-Name._sites.heathfam.com.
> 900 IN SRV 0 100 88 samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV
> _kerberos._tcp.Default-First-Site-Name._sites.dc._
> msdcs.heathfam.com samba-ad.heathfam.com 88 (add) Outgoing
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.heathf
> am.com. 900 IN SRV 0 100 88 samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.heathfam.com
> samba-ad.heathfam.com 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _ldap._tcp.pdc._msdcs.heathfam.com. 900 IN SRV 0 100 389
> samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for A gc._msdcs.heathfam.com 10.0.2.4
> (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> gc._msdcs.heathfam.com. 900 IN A 10.0.2.4
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV _gc._tcp.heathfam.com
> samba-ad.heathfam.com 3268
> (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _gc._tcp.heathfam.com. 900 IN SRV 0 100 3268
> samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV _ldap._tcp.gc._msdcs.heathfam.com
> samba-ad.heathfam.com 3268 (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _ldap._tcp.gc._msdcs.heathfam.com. 900 IN SRV 0 100 3268
> samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 3268 (add) Outgoing
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _gc._tcp.Default-First-Site-Name._sites.heathfam.com. 900 IN
> SRV 0 100 3268 samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.gc._
> msdcs.heathfam.com samba-ad.heathfam.com 3268 (add) Outgoing
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.heathfam.c
> om. 900 IN SRV 0 100 3268 samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for A DomainDnsZones.heathfam.com
> <http://domaindnszones.heathfam.com/> 10.0.2.4 (add) Outgoing
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> DomainDnsZones.heathfam.com
> <http://domaindnszones.heathfam.com/>. 900 IN
> A 10.0.2.4
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.heathfam.com
> <http://tcp.domaindnszones.heathfam.com/>
> samba-ad.heathfam.com 389 (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _ldap._tcp.DomainDnsZones.heathfam.com
> <http://tcp.domaindnszones.heathfam.com/>. 900 IN SRV 0 100
> 389 samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
> sites.DomainDnsZones.heathfam.com
> <http://sites.domaindnszones.heathfam.com/>
> samba-ad.heathfam.com 389 (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.heathfam.com
> <http://sites.domaindnszones.heathfam.com/>. 900 IN SRV 0 100
> 389 samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for A ForestDnsZones.heathfam.com
> <http://forestdnszones.heathfam.com/> 10.0.2.4 (add) Outgoing
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> ForestDnsZones.heathfam.com
> <http://forestdnszones.heathfam.com/>. 900 IN
> A 10.0.2.4
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.heathfam.com
> <http://tcp.forestdnszones.heathfam.com/>
> samba-ad.heathfam.com 389 (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _ldap._tcp.ForestDnsZones.heathfam.com
> <http://tcp.forestdnszones.heathfam.com/>. 900 IN SRV 0 100
> 389 samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.heathfam.com
> <http://sites.forestdnszones.heathfam.com/>
> samba-ad.heathfam.com 389 (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;;
> UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.heathfam.com
> <http://sites.forestdnszones.heathfam.com/>. 900 IN SRV 0 100
> 389 samba-ad.heathfam.com.
>
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate:
> 1 Failed update of 23 entries
So, a few hints; see how far you get.
Greetz,
Louis
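
The cross-checks suggested by the hints in this reply, written out as an added example (not part of the original message and not Samba or BIND code): it looks for static master zones that overlap the AD realm, for allow-update granted by address, and for a tkey-gssapi-keytab path that the quoted AppArmor rules do not let named read. Function names are hypothetical, the inputs are excerpts of the quoted configuration, and the AppArmor glob matching is a simplified approximation.

```python
import re

# Excerpts of the config quoted in the message above (quote markers removed).
SMB_CONF = "[global]\nrealm = HEATHFAM.COM\n"
NAMED_CONF_LOCAL = '''
zone "heathfam.com" {
type master;
allow-update { 10.0.2.0/24; };
};
zone "2.0.10.in-addr.arpa" {
type master;
allow-update { 10.0.2.0/24; };
};
'''
NAMED_CONF_OPTIONS = 'tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";\n'
APPARMOR_RULES = '''
/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/ rw,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/var/tmp/** rwmk,
'''

def ad_realm(smb_conf):
    m = re.search(r"^\s*realm\s*=\s*(\S+)", smb_conf, re.M | re.I)
    return m.group(1).lower() if m else None

def master_zones(named_conf):
    """Map each 'type master' zone to True if allow-update is address-based.
    Assumes the zone's closing '};' starts a line, as in the quoted file."""
    zones = {}
    for name, body in re.findall(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', named_conf, re.S):
        if re.search(r"\btype\s+master\b", body):
            by_addr = re.search(r"allow-update\s*\{\s*(?!key\b|none\b)[^;\s}]", body)
            zones[name.lower().rstrip(".")] = bool(by_addr)
    return zones

def apparmor_allows_read(rules, path):
    """True if an allow rule matches path and grants 'r'.
    Approximation: '*' stays within one path component, '**' crosses '/'."""
    for line in rules.splitlines():
        m = re.match(r"\s*(/\S*)\s+([a-zA-Z]+),", line)
        if not m or "r" not in m.group(2):
            continue
        pat = re.escape(m.group(1)).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
        if re.fullmatch(pat, path):
            return True
    return False

def audit(smb_conf, named_local, named_options, apparmor_rules):
    findings = []
    realm = ad_realm(smb_conf)
    for zone, by_addr in master_zones(named_local).items():
        if realm and (zone == realm or zone.endswith("." + realm)):
            findings.append(f"static zone {zone} overlaps AD realm {realm}")
        if by_addr:
            findings.append(f"zone {zone}: allow-update is granted by address, not by key")
    m = re.search(r'^\s*tkey-gssapi-keytab\s+"([^"]+)"', named_options, re.M)
    if m and not apparmor_allows_read(apparmor_rules, m.group(1)):
        findings.append(f"keytab {m.group(1)} is not readable under the AppArmor rules")
    return findings

if __name__ == "__main__":
    for finding in audit(SMB_CONF, NAMED_CONF_LOCAL, NAMED_CONF_OPTIONS, APPARMOR_RULES):
        print("-", finding)
```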