Roy Eastwood
2018-Mar-15 12:57 UTC
[Samba] DNS Updates fail with dns_tkey_gssnegotiate: TKEY is unacceptable
Hi,

I have a test system with two DCs based on Samba v 4.8.0 with BIND9_DLZ as the DNS backend, running on a fresh install of Gentoo. I can't get DNS updates to work on both DCs. If I issue the command:

    samba_dnsupdate --verbose

after the 2nd DC has joined the domain I get the errors (just showing the last entry):

    update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samba4p8.example.com gentoo-dc2.samba4p8.example.com 389
    Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samba4p8.example.com gentoo-dc2.samba4p8.example.com 389 (add)
    Successfully obtained Kerberos ticket to DNS/gentoo-dc1.samba4p8.example.com as GENTOO-DC2$
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samba4p8.example.com. 900 IN SRV 0 100 389 gentoo-dc2.samba4p8.example.com.

    dns_tkey_gssnegotiate: TKEY is unacceptable
    Failed nsupdate: 1
    Failed update of 26 entries

I have followed the Wiki for troubleshooting this error and all seems OK:

    gentoo-dc2 ~ # ktutil -k /var/lib/samba/private/dns.keytab list
    /var/lib/samba/private/dns.keytab:

    Vno  Type                     Principal                                                  Aliases
      2  des-cbc-crc              DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
      2  des-cbc-crc              dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
      2  des-cbc-md5              DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
      2  des-cbc-md5              dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
      2  arcfour-hmac-md5         DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
      2  arcfour-hmac-md5         dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
      2  aes128-cts-hmac-sha1-96  DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
      2  aes128-cts-hmac-sha1-96  dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
      2  aes256-cts-hmac-sha1-96  DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
      2  aes256-cts-hmac-sha1-96  dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM

    gentoo-dc2 ~ # ldbsearch -H /var/lib/samba/private/sam.ldb 'cn=dns-gentoo-dc2' dn
    # record 1
    dn: CN=dns-GENTOO-DC2,CN=Users,DC=samba4p8,DC=example,DC=com

    # Referral
    ref: ldap://samba4p8.example.com/CN=Configuration,DC=samba4p8,DC=example,DC=com

    # Referral
    ref: ldap://samba4p8.example.com/DC=DomainDnsZones,DC=samba4p8,DC=example,DC=com

    # Referral
    ref: ldap://samba4p8.example.com/DC=ForestDnsZones,DC=samba4p8,DC=example,DC=com

    # returned 4 records
    # 1 entries
    # 3 referrals

named -V produces the relevant build options: '--with-dlopen' and '--with-gssapi'.

I ran named with the debug option "-d 7" and it produced this log output:

    15-Mar-2018 12:29:13.562 starting BIND 9.11.2-P1 <id:2c2bc60>
    15-Mar-2018 12:29:13.563 running on Linux x86_64 4.9.76-gentoo-r1 #1 SMP Wed Mar 14 23:34:12 GMT 2018
    15-Mar-2018 12:29:13.563 built with '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--libdir=/usr/lib64' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--enable-linux-caps' '--enable-filter-aaaa' '--disable-fixed-rrset' '--disable-ipv6' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--disable-seccomp' '--enable-threads' '--without-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem' '--with-dlz-stub' '--without-gost' '--with-gssapi' '--without-idn' '--without-libjson' '--without-dlz-ldap' '--without-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--with-python' '--with-ecdsa' '--with-openssl=/usr' '--with-libxml2' '--with-zlib' '--with-randomdev=/dev/urandom' '--with-geoip' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-march=native -O2 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
    15-Mar-2018 12:29:13.563 running as: named -u named -f -g
    15-Mar-2018 12:29:13.563 ----------------------------------------------------
    15-Mar-2018 12:29:13.563 BIND 9 is maintained by Internet Systems Consortium,
    15-Mar-2018 12:29:13.563 Inc. (ISC), a non-profit 501(c)(3) public-benefit
    15-Mar-2018 12:29:13.563 corporation. Support and training for BIND 9 are
    15-Mar-2018 12:29:13.563 available at https://www.isc.org/support
    15-Mar-2018 12:29:13.563 ----------------------------------------------------
    15-Mar-2018 12:29:13.563 adjusted limit on open files from 4096 to 1048576
    15-Mar-2018 12:29:13.563 found 1 CPU, using 1 worker thread
    15-Mar-2018 12:29:13.563 using 1 UDP listener per interface
    15-Mar-2018 12:29:13.563 using up to 4096 sockets
    15-Mar-2018 12:29:13.565 ./config.c: option 'lmdb-mapsize' was not enabled at compile time (ignored)
    15-Mar-2018 12:29:13.565 loading configuration from '/etc/bind/named.conf'
    15-Mar-2018 12:29:13.566 reading built-in trusted keys from file '/etc/bind/bind.keys'
    15-Mar-2018 12:29:13.566 GeoIP Country (IPv4) (type 1) DB not available
    15-Mar-2018 12:29:13.566 GeoIP Country (IPv6) (type 12) DB not available
    15-Mar-2018 12:29:13.566 GeoIP City (IPv4) (type 2) DB not available
    15-Mar-2018 12:29:13.566 GeoIP City (IPv4) (type 6) DB not available
    15-Mar-2018 12:29:13.566 GeoIP City (IPv6) (type 30) DB not available
    15-Mar-2018 12:29:13.566 GeoIP City (IPv6) (type 31) DB not available
    15-Mar-2018 12:29:13.566 GeoIP Region (type 3) DB not available
    15-Mar-2018 12:29:13.566 GeoIP Region (type 7) DB not available
    15-Mar-2018 12:29:13.566 GeoIP ISP (type 4) DB not available
    15-Mar-2018 12:29:13.566 GeoIP Org (type 5) DB not available
    15-Mar-2018 12:29:13.566 GeoIP AS (type 9) DB not available
    15-Mar-2018 12:29:13.566 GeoIP Domain (type 11) DB not available
    15-Mar-2018 12:29:13.566 GeoIP NetSpeed (type 10) DB not available
    15-Mar-2018 12:29:13.566 using default UDP/IPv4 port range: [32768, 60999]
    15-Mar-2018 12:29:13.566 using default UDP/IPv6 port range: [32768, 60999]
    15-Mar-2018 12:29:13.566 listening on IPv4 interface lo, 127.0.0.1#53
    15-Mar-2018 12:29:13.567 listening on IPv4 interface enp0s3, 192.168.2.16#53
    15-Mar-2018 12:29:13.567 generating session key for dynamic DNS
    15-Mar-2018 12:29:13.567 sizing zone task pool based on 3 zones
    15-Mar-2018 12:29:13.568 zone 'localhost' allows unsigned updates from remote hosts, which is insecure
    15-Mar-2018 12:29:13.568 zone '0.0.127.in-addr.arpa' allows unsigned updates from remote hosts, which is insecure
    15-Mar-2018 12:29:13.568 Loading 'AD DNS Zone' using driver dlopen
    15-Mar-2018 12:29:13.580 samba_dlz: INFO: Current debug levels:
    15-Mar-2018 12:29:13.580 samba_dlz:   all: 7
    15-Mar-2018 12:29:13.580 samba_dlz:   tdb: 7
    15-Mar-2018 12:29:13.580 samba_dlz:   printdrivers: 7
    15-Mar-2018 12:29:13.580 samba_dlz:   lanman: 7
    15-Mar-2018 12:29:13.580 samba_dlz:   smb: 7
    15-Mar-2018 12:29:13.580 samba_dlz:   rpc_parse: 7
    15-Mar-2018 12:29:13.580 samba_dlz:   rpc_srv: 7
    15-Mar-2018 12:29:13.580 samba_dlz:   rpc_cli: 7
    15-Mar-2018 12:29:13.581 samba_dlz:   passdb: 7
    15-Mar-2018 12:29:13.581 samba_dlz:   sam: 7
    15-Mar-2018 12:29:13.581 samba_dlz:   auth: 7
    15-Mar-2018 12:29:13.581 samba_dlz:   winbind: 7
    15-Mar-2018 12:29:13.581 samba_dlz:   vfs: 7
    15-Mar-2018 12:29:13.581 samba_dlz:   idmap: 7
    15-Mar-2018 12:29:13.581 samba_dlz:   quota: 7
    15-Mar-2018 12:29:13.581 samba_dlz:   acls: 7
    15-Mar-2018 12:29:13.581 samba_dlz:   locking: 7
    15-Mar-2018 12:29:13.581 samba_dlz:   msdfs: 7
    15-Mar-2018 12:29:13.581 samba_dlz:   dmapi: 7
    15-Mar-2018 12:29:13.581 samba_dlz:   registry: 7
    15-Mar-2018 12:29:13.582 samba_dlz:   scavenger: 7
    15-Mar-2018 12:29:13.582 samba_dlz:   dns: 7
    15-Mar-2018 12:29:13.582 samba_dlz:   ldb: 7
    15-Mar-2018 12:29:13.582 samba_dlz:   tevent: 7
    15-Mar-2018 12:29:13.582 samba_dlz:   auth_audit: 7
    15-Mar-2018 12:29:13.582 samba_dlz:   auth_json_audit: 7
    15-Mar-2018 12:29:13.582 samba_dlz:   kerberos: 7
    15-Mar-2018 12:29:13.582 samba_dlz:   drs_repl: 7
    15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'gssapi_spnego' registered
    15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'gssapi_krb5' registered
    15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'gssapi_krb5_sasl' registered
    15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'spnego' registered
    15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'schannel' registered
    15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'naclrpc_as_system' registered
    15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'sasl-EXTERNAL' registered
    15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'ntlmssp' registered
    15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'ntlmssp_resume_ccache' registered
    15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'http_basic' registered
    15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'http_ntlm' registered
    15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'http_negotiate' registered
    15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'krb5' registered
    15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'fake_gssapi_krb5' registered
    15-Mar-2018 12:29:13.616 samba_dlz: ldb: No encrypted secrets key file. Secret attributes will not be encrypted or decrypted
    15-Mar-2018 12:29:13.616 samba_dlz:
    15-Mar-2018 12:29:13.653 samba_dlz: schema_fsmo_init: we are master[no] updates allowed[no]
    15-Mar-2018 12:29:13.669 samba_dlz: started for DN DC=samba4p8,DC=example,DC=com
    15-Mar-2018 12:29:13.669 samba_dlz: starting configure
    15-Mar-2018 12:29:13.671 samba_dlz: configured writeable zone 'samba4p8.example.com'
    15-Mar-2018 12:29:13.671 samba_dlz: configured writeable zone '2.168.192.in-addr.arpa'
    15-Mar-2018 12:29:13.672 samba_dlz: configured writeable zone '_msdcs.samba4p8.example.com'
    15-Mar-2018 12:29:13.672 none:103: 'max-cache-size 90%' - setting to 893MB (out of 992MB)
    15-Mar-2018 12:29:13.673 obtaining root key for view _default from '/etc/bind/bind.keys'
    15-Mar-2018 12:29:13.673 set up managed keys zone for view _default, file 'managed-keys.bind'
    15-Mar-2018 12:29:13.673 zone 'version.bind' allows unsigned updates from remote hosts, which is insecure
    15-Mar-2018 12:29:13.673 zone 'hostname.bind' allows unsigned updates from remote hosts, which is insecure
    15-Mar-2018 12:29:13.673 zone 'authors.bind' allows unsigned updates from remote hosts, which is insecure
    15-Mar-2018 12:29:13.674 zone 'id.server' allows unsigned updates from remote hosts, which is insecure
    15-Mar-2018 12:29:13.674 none:103: 'max-cache-size 90%' - setting to 893MB (out of 992MB)
    15-Mar-2018 12:29:13.675 command channel listening on 127.0.0.1#953
    15-Mar-2018 12:29:13.675 not using config file logging statement for logging due to -g option
    15-Mar-2018 12:29:13.675 managed-keys-zone: loaded serial 3
    15-Mar-2018 12:29:13.676 zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
    15-Mar-2018 12:29:13.676 zone localhost/IN: loaded serial 2008122601
    15-Mar-2018 12:29:13.676 all zones loaded
    15-Mar-2018 12:29:13.676 running

Can anyone spot what I am missing or what I've done wrong? Appreciate any help.

Many thanks,
Roy
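The checks walked through in the post (dns.keytab contains both DNS principals, the dns-HOSTNAME account exists, named was built with '--with-dlopen' and '--with-gssapi', samba_dnsupdate reports TKEY failures) lend themselves to a small script. The one below is an added example written for this page; it is not Samba's code and not something Roy posted. Each parser works on captured command output, so it runs offline against constructed samples modelled on the outputs above, and main() additionally runs the live commands when they are installed. It assumes Heimdal-style `ktutil list` columns (Vno, Type, Principal), the dns.keytab path from the post, and that the Kerberos realm is the upper-cased DNS domain of the host; it also pulls out which DNS server the Kerberos ticket was obtained for, because the TKEY negotiation happens with that server's named, so its keytab and build are the ones to inspect.

```python
"""Offline-capable sanity checks for GSS-TSIG (TKEY) dynamic DNS updates against a
Samba AD DC using the BIND9_DLZ backend. Hypothetical helper script, not part of Samba."""
import re
import shutil
import socket
import subprocess

# Constructed samples modelled on the outputs quoted in the post (not real captures).
SAMPLE_NSUPDATE = """\
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samba4p8.example.com gentoo-dc2.samba4p8.example.com 389 (add)
Successfully obtained Kerberos ticket to DNS/gentoo-dc1.samba4p8.example.com as GENTOO-DC2$
dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 26 entries
"""

SAMPLE_KEYTAB = """\
/var/lib/samba/private/dns.keytab:

Vno  Type                     Principal                                                  Aliases
  2  des-cbc-crc              DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
  2  des-cbc-md5              dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
"""

SAMPLE_NAMED_BUILD = ("built with '--prefix=/usr' '--with-dlopen' '--with-dlz-filesystem' "
                      "'--with-gssapi' '--without-dlz-ldap' 'CFLAGS=-march=native -O2 -pipe'")

KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+@\S+)")


def parse_keytab_listing(text):
    """Return (vno, enctype, principal) tuples from Heimdal `ktutil list` output;
    header, path and blank lines do not start with a digit and are skipped."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in (KEYTAB_LINE.match(line) for line in text.splitlines()) if m]


def dns_principals_present(keytab_text, hostname, realm):
    """Samba needs both DNS/<fqdn>@REALM and dns-<NETBIOS>@REALM in dns.keytab.
    Returns {principal: present?} so the caller can see which one is missing."""
    principals = {p for _, _, p in parse_keytab_listing(keytab_text)}
    wanted = [f"DNS/{hostname}@{realm}", f"dns-{hostname.split('.')[0].upper()}@{realm}"]
    return {p: p in principals for p in wanted}


def weak_enctypes(keytab_text):
    """DES enctypes in a keytab are deprecated; list them so they can be reviewed."""
    return sorted({e for _, e, _ in parse_keytab_listing(keytab_text) if e.startswith("des-")})


def named_build_options(build_text):
    """Extract the quoted configure options from `named -V` or the startup log line."""
    return re.findall(r"'(--[^']+)'", build_text)


def named_supports_dlz_gssapi(build_text):
    """The DLZ dlopen driver and GSSAPI (for TKEY/GSS-TSIG) must be compiled in."""
    opts = set(named_build_options(build_text))
    return {o: o in opts for o in ("--with-dlopen", "--with-gssapi")}


def nsupdate_summary(verbose_text):
    """Summarise `samba_dnsupdate --verbose`: rejected TKEY negotiations, total failed
    records, and which DNS server the ticket was for (that is the named to inspect)."""
    target = re.search(r"Kerberos ticket to DNS/(\S+) as (\S+)", verbose_text)
    failed = re.search(r"Failed update of (\d+) entries", verbose_text)
    return {
        "tkey_unacceptable": verbose_text.count("dns_tkey_gssnegotiate: TKEY is unacceptable"),
        "failed_entries": int(failed.group(1)) if failed else 0,
        "update_target": target.group(1) if target else None,
        "client_account": target.group(2) if target else None,
    }


def run(cmd):
    """Return stdout of cmd, or '' when the tool is absent (keeps the script offline-safe)."""
    if shutil.which(cmd[0]) is None:
        return ""
    return subprocess.run(cmd, capture_output=True, text=True, check=False,
                          stdin=subprocess.DEVNULL, timeout=120).stdout


if __name__ == "__main__":
    host = socket.getfqdn()
    realm = host.split(".", 1)[1].upper() if "." in host else "EXAMPLE.COM"  # assumption
    keytab = run(["ktutil", "-k", "/var/lib/samba/private/dns.keytab", "list"]) or SAMPLE_KEYTAB
    build = run(["named", "-V"]) or SAMPLE_NAMED_BUILD
    update = run(["samba_dnsupdate", "--verbose"]) or SAMPLE_NSUPDATE
    print("dns.keytab principals:", dns_principals_present(keytab, host, realm))
    print("deprecated enctypes in keytab:", weak_enctypes(keytab))
    print("named build options:", named_supports_dlz_gssapi(build))
    print("samba_dnsupdate:", nsupdate_summary(update))
```

When the live tools are missing the script falls back to the constructed samples, which reproduce the post's situation: both principals present, '--with-dlopen' and '--with-gssapi' compiled in, DES entries still in the keytab, and 26 failed updates whose TKEY negotiation was attempted against gentoo-dc1 rather than the local DC.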