Tomáš Havlín
2018-Feb-21 12:42 UTC
[Samba] win2003 AD migration to SAMBA 4.6 - dnsupdate problem
I want to migrate an old 2003 domain to Samba: join SAMBA 4.6 (DC2) to the Win 2003 domain as a DC, move sysvol, FSMO, demote the old server (DC1), etc., etc. - https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

My problem is DNS updates. I have Kerberos working (added enctypes = rc4-hmac for compatibility), SAMBA joins without errors, I have created the DNS records, I can move FSMO. But DNS is working only on DC1, not on DC2; I have found in the logs troubles with dnsupdates. DC1 thinks it is the only DC in the domain.

_ldap._tcp.Default-First-Site._sites.gc._msdcs.test.local. 900 IN SRV 0 100 3268 dc2.test.local.
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = KDC has no support for encryption type.
Failed nsupdate: 1
Failed update of 20 entries

bB
Denis Cardon
2018-Feb-21 13:44 UTC
[Samba] win2003 AD migration to SAMBA 4.6 - dnsupdate problem
Hi Tomas,

> I want to migrate old 2003 domain to Samba - join SAMBA 4.6(DC2) to win
> 2003 domain like DC, move sysvol, FSMO, demote old server(DC1), etc.,
> etc. -
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> My problem are DNS Updates, I have kerberos working (added enctypes
> rc4-hmac for compatibility),

May I ask where you added that? Where did you read that you had to do that? Could you try to just remove it?

> SAMBA join without errors, I have created
> DNS records,

How did you create the records? Could you try the following on your two DCs to force the update without going through the authenticated DNS process:

samba_dnsupdate --use-samba-tool

By the way, is your /etc/resolv.conf pointing to yourself? Is your /etc/krb5.conf identical to /var/lib/samba/private/krb5.conf?

Denis

> can move FSMO. But DNS if working only on DC1, not on DC2,
> I have found in logs troubles with dnsupdates. DC1 thinks it is only one
> DC in domain.
>
> _ldap._tcp.Default-First-Site._sites.gc._msdcs.test.local. 900 IN SRV 0
> 100 3268 dc2.test.local.
> tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor
> code may provide more information, Minor = KDC has no support for
> encryption type.
> Failed nsupdate: 1
> Failed update of 20 entries
>
> bB

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
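The three checks Denis asks for (identical krb5.conf copies, no stray enctype overrides, resolv.conf pointing at the DC itself), collected into a small POSIX sh pre-flight script. This is an added example, not code from the thread or from Samba; it assumes the usual Samba paths are passed as arguments and that the caller supplies the DC's own addresses for the resolv.conf check.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks before running samba_dnsupdate on a DC.
# Usage: sh dc_dns_preflight.sh SYS_KRB5 PRIVATE_KRB5 RESOLV_CONF [own-ip ...]
# Typical: sh dc_dns_preflight.sh /etc/krb5.conf /var/lib/samba/private/krb5.conf /etc/resolv.conf 192.0.2.10

# Check 1: the system krb5.conf and Samba's private copy must be identical,
# otherwise kinit and samba_dnsupdate negotiate with different settings.
krb5_confs_identical() {
    cmp -s "$1" "$2"
}

# Check 2: list explicit enctype overrides (the "rc4-hmac" style lines Denis
# asked about). Prints the matching lines and returns 1 if any are present.
krb5_enctype_overrides() {
    grep -E '^[[:space:]]*(default_(tgs|tkt)_enctypes|permitted_enctypes|allow_weak_crypto)[[:space:]]*=' "$1" \
        && return 1
    return 0
}

# Check 3: the first nameserver must be the DC itself (127.0.0.1 or one of the
# addresses passed in $2 as a space-separated list).
resolv_points_to_self() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ -n "$first" ] || return 1
    for ip in 127.0.0.1 $2; do
        [ "$first" = "$ip" ] && return 0
    done
    return 1
}

main() {
    sys=$1; priv=$2; resolv=$3; shift 3
    rc=0
    if krb5_confs_identical "$sys" "$priv"; then echo "OK   $sys and $priv are identical"
    else echo "FAIL $sys and $priv differ; make them identical before retrying"; rc=1; fi
    if krb5_enctype_overrides "$priv"; then echo "OK   no enctype overrides in $priv"
    else echo "WARN enctype overrides listed above found in $priv"; fi
    if resolv_points_to_self "$resolv" "$*"; then echo "OK   first nameserver in $resolv is this DC"
    else echo "FAIL first nameserver in $resolv is not this DC"; rc=1; fi
    [ "$rc" -eq 0 ] && echo "Checks passed; now run: samba_dnsupdate --use-samba-tool"
    return "$rc"
}

# Run only when invoked with the three file arguments (so sourcing it is harmless).
if [ "$#" -ge 3 ]; then main "$@"; fi
```

The script exits non-zero on the two hard failures and only warns about enctype lines, since whether they are needed against a 2003 KDC is exactly what the thread is trying to establish.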
Tomáš Havlín
2018-Feb-21 14:16 UTC
[Samba] win2003 AD migration to SAMBA 4.6 - dnsupdate problem
Hello Denis,

1. KRB - I tried kinit from a local terminal and got an answer about troubles with encryption, so I found out the Win 2003 ciphers and put them into krb5.conf.

2. From the wiki, "Verifying the DNS Entries": if you join a Samba DC that runs Samba 4.7 and later, samba-tool created all required DNS entries automatically. To manually create the records on an earlier version, see Verifying and Creating a DC DNS Record - https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

3. Yes, resolv.conf is pointing to 127.0.0.1.

4. You are right, the krb5.conf files were not identical; I forgot to move it to /var/lib/samba/private.

Now the situation is: with identical krb5.conf files not containing rc4-hmac and weak cipher enabled, I get the error like before, which means troubles with ciphers. If I put the lines into both files I get a new error:

dns_tkey_negotiategss: TKEY is unacceptable

I have tried to push the DNS updates as you wrote - samba_dnsupdate --use-samba-tool - 18 records synchronized, 2 failed with error:

ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')

samba_dnsupdate ends with:

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 2 entries

I hope I wrote everything important.

regards
bB