Robert E. Wooden
2020-Jul-03 15:01 UTC
[Samba] dns_tkey_gssnegotiate: TKEY is unacceptable
On 7/3/2020 9:50 AM, Rowland penny via samba wrote:> I thought I explained that, but lets try again ;-) > > Originally, Samba used /var/lib/samba/private for the dns.keytab and > other dns files. This was then found to be possibly insecure, so it > was decided to use /var/lib/samba/bind-dns instead. When you upgrade > the Samba packages, the old files are not removed, but the new ones > are created. You just need to make Bind9 etc use them. > > Rowland >Thanks for your help. (Time to make another donation to Samba!) -- Bob Wooden
Robert E. Wooden
2020-Jul-06 15:05 UTC
[Samba] dns_tkey_gssnegotiate: TKEY is unacceptable
On 7/3/2020 10:01 AM, Robert E. Wooden via samba wrote:> On 7/3/2020 9:50 AM, Rowland penny via samba wrote: >> Originally, Samba used /var/lib/samba/private for the dns.keytab and >> other dns files. This was then found to be possibly insecure, so it >> was decided to use /var/lib/samba/bind-dns instead. When you upgrade >> the Samba packages, the old files are not removed, but the new ones >> are created. You just need to make Bind9 etc use them. >> >> Rowland >>This problem continues. For clarity, the hostnames are DC01, DC1 and DC2. DC01 (/soon to be retired hardware/) root at DC01:~# cat /etc/bind/named.conf.options tkey-gssapi-keytab "/var/lib/samba/*bind-dns*/dns.keytab"; root at DC01:~# ls /var/lib/samba/bind-dns/ dns *dns.keytab* named.conf named.txt root at DC01:~# ls /var/lib/samba/private *dns.keytab* dns_update_list idmap.ldb . . . . more files root at DC01:~# cat /etc/krb5.conf [libdefaults] ??? default_realm = SUBDOM.EXAMPLE.COM ??? dns_lookup_kdc = true ??? dns_lookup_realm = false>>>>>>>>>>>>>>>> snipped for brevity <<<<<<<<<<<<<<<<; for Windows 2008 with AES ??? default_tgs_enctypes =? aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 ??? default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 ??? permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 root at DC01:~# cat /etc/resolv.conf nameserver 192.168.0.41 ##nameserver 192.168.0.42 nameserver 192.168.0.50 search SUBDOM.EXAMPLE.COM root at DC01:~# samba_dnsupdate --verbose ?all-names/**//*<<< updates fail*/ dns_tkey_gssnegotiate: TKEY is unacceptable Failed nsupdate: 1 update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM DC01.SUBDOM.EXAMPLE.COM 389 Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM DC01.SUBDOM.EXAMPLE.COM 389 (add) Successfully obtained Kerberos ticket to DNS/DC1.SUBDOM.EXAMPLE.COM as DC01$ DC1 (newer hardware) /domain joined with DC01/ root at DC1:~# cat /etc/bind/named.conf.options tkey-gssapi-keytab "/var/lib/samba/*bind-dns*/dns.keytab"; root at DC1:~# ls /var/lib/samba/bind-dns/ dns named.conf named.txt/*<<<<<<<<<<<<<<< notice dns.keytab is MISSING*/ root at DC1:~# ls /var/lib/samba/private/ *dns.keytab* hklm.ldb ldap_priv . . . . more files root at DC1:~# cat /etc/krb5.conf [libdefaults] default_realm = SUBDOM.EXAMPLE.COM>>>>>>>>>>>>>>>> snipped for brevity <<<<<<<<<<<<<<<<[realms] SUBDOM.EXAMPLE.COM = { kdc = DC01 kdc = DC1 kdc = DC2 admin_server = DC1 root at DC1:~# cat /etc/krb5.conf?? <<<<<<<<<<< this /etc/krb5.conf file is generated by the installation [libdefaults] default_realm = SUBDOM.EXAMPLE.COM>>>>>>>>>>>>>>>> snipped for brevity <<<<<<<<<<<<<<<<[realms] SUBDOM.EXAMPLE.COM = { kdc = DC1 kdc = DC2 admin_server = DC1 root at DC1:~# cat /etc/resolv.conf search SUBDOM.EXAMPLE.COM nameserver 192.168.0.50 ###nameserver 192.168.0.42 nameserver 192.168.0.41 root at DC01:~# samba_dnsupdate --verbose ?all-names/**//*<<< updates correctly*/ update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM DC1.SUBDOM.EXAMPLE.COM 389 Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM DC1.SUBDOM.EXAMPLE.COM 389 (add) Successfully obtained Kerberos ticket to DNS/DC01.SUBDOM.EXAMPLE.COM as DC1$ DC2 (newer hardware) /*soon to be*//domain joined with DC01 & DC1/ root at DC2:~# cat /etc/bind/named.conf.options tkey-gssapi-keytab "/var/lib/samba/*bind-dns*/dns.keytab"; root at DC2:~# ls /var/lib/samba/bind-dns/ dns *dns.keytab* named.conf named.txt root at DC2:~# ls /var/lib/samba/private/ *dns.keytab* hklm.ldb ldap_priv . . . . more files root at DC2:~# cat /etc/krb5.conf [libdefaults] default_realm = SUBDOM.EXAMPLE.COM>>>>>>>>>>>>>>>> snipped for brevity <<<<<<<<<<<<<<<<[realms] SUBDOM.EXAMPLE.COM = { kdc = DC01 kdc = DC1 kdc = DC2 admin_server = DC1 root at DC2:~# cat /etc/resolv.conf search SUBDOM.EXAMPLE.COM ##nameserver 192.168.0.41 nameserver 192.168.0.42 root at DC01:~# cat /etc/krb5.conf [libdefaults] default_realm = SUBDOM.EXAMPLE.COM>>>>>>>>>>>>>>>> snipped for brevity <<<<<<<<<<<<<<<<[realms] SUBDOM.EXAMPLE.COM = { kdc = DC01 kdc = DC1 kdc = DC2 admin_server = DC1 root at DC2:~# samba_dnsupdate --verbose ?all-names/**//*<<< updates correctly*/ update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM DC2.SUBDOM.EXAMPLE.COM 389 Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.SUBDOM.EXAMPLE.COM DC2.SUBDOM.EXAMPLE.COM 389 (add) Successfully obtained Kerberos ticket to DNS/DC2.SUBDOM.EXAMPLE.COM as DC2$ A reminder, DC2 is NOT joined with the subdomain, yet. And now the weird part, if I change DC01 /etc/bind/named.conf.options to .../private/dns.ketab (for testing purposes), DC1 (joined with DC01) samba_dnsupdate --verbose ?all-names _will fail_ with "dns_tkey_gssnegotiate: TKEY is unacceptable" and the "Successfully obtained Kerberos ticket to DNS/DC1.SUBDOM.EXAMPLE.COM as _DC1$_." (Notice that DC1 is "acquiring password" password from itself.) When I change the DC01 ".../private/dns-keytab" _back to_ "....bind-dns/dns.keytab" DC1 will then "samba_dnsupdate --verbose ?all-names" correctly BUT, "Successfully obtained Kerberos ticket to DNS/DC1.SUBDOM.EXAMPLE.COM as _DC01$_." <<<<< goes back to acquiring password from DC01(zero one). At no time does DC01 complete samba_dnsupdate correctly. The confusion of two (2)? dns.keytab files is causing (I could be wrong but,) issues with my subdomain. It appears to me (and I could be wrong) that the two files are causing problems and I am not quite clear just how but, the two files are at issue? Why would a change on one DC cause the other to behave differently? And then change the "change" back, correct the issue with the other DC? Why has one installation not created a ".../bind-dns/dns.keytab" file and yet the other has? I followed the same "steps" during installation on both. -- Bob Wooden
On 06/07/2020 16:05, Robert E. Wooden via samba wrote:> > Why has one installation not created a ".../bind-dns/dns.keytab" file > and yet the other has? > > I followed the same "steps" during installation on both. >I am coming to the conclusion that if you upgrade from one major Samba version to another, then upgrading in place isn't really a good idea. I would demote the original DC and either reinstall the OS or at the very least totally remove Samba. Then install the new major Samba release and rejoin as a DC. Each DC should use its own ipaddress for its first nameserver and each DC should use this /etc/krb5.conf file: [libdefaults] ??? default_realm = SUBDOM.EXAMPLE.COM ??? dns_lookup_kdc = true ??? dns_lookup_realm = false You do not require anything else! Rowland