Rommel Rodriguez Toirac
2020-Nov-18 19:34 UTC
[Samba] dnsupdate failed with TKEY is unacceptable
> On 18/11/2020 17:34, Rommel Rodriguez Toirac via samba wrote:
>> In my network I have a samba 4.11.4 as Active Directory Domain Controller installed in CentOS 7 (gtmad.gtm.onat.gob.cu - 192.168.41.17). I have recently installed samba 4.13.2 in CentOS 8 (gtmad1.gtm.onat.gob.cu - 192.168.41.18) and following the wiki.samba.org guide I have joined it as a domain controller to my network.
>
> Have you compiled Samba yourself?
>
>> When I check the local DNS service I get the following:
>>
>> # host -t A gtm.onat.gob.cu localhost
>> Using domain server:
>> Name: localhost
>> Address: 127.0.0.1#53
>> Aliases:
>>
>> gtm.onat.gob.cu has address 192.168.41.17
>>
>> (It only resolves the IP of the samba 4.11.4 AD DC, not its own as well; I do not know if this is a problem)
>>
>> When I check the status of the named.service service it seems that everything is fine:
>>
>> # systemctl status named.service -l
>>             18541 /usr/sbin/named -u named -c /etc/named.conf
>> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: configuring command channel from '/etc/rndc.key'
>> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: command channel listening on 127.0.0.1#953
>> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: configuring command channel from '/etc/rndc.key'
>> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: command channel listening on ::1#953
>> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: managed-keys-zone: loaded serial 0
>> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
>> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone localhost/IN: loaded serial 2013050101
>> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: all zones loaded
>> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: running
>> nov 18 12:02:02 gtmad1.gtm.onat.gob.cu systemd[1]: Started Berkeley Internet Name Domain (DNS).
>
> It doesn't look like bind can find the DNS zones in AD, so can you post your named.conf and smb.conf
>
> Rowland

Hello;
thanks for writing back;
It is /etc/named.conf and /etc/samba/smb.conf

# cat /etc/named.conf

# Global Configuration Options
options {
    auth-nxdomain yes;
    version "Parametro no soportado";
    directory "/var/named";
    notify no;
    empty-zones-enable no;
    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;
    listen-on-v6 { none; };
    listen-on port 53 { 192.168.41.18; 127.0.0.1; };

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        127.0.0.1;
        192.168.41.0/24;
    };
    allow-query-cache {
        127.0.0.1;
        192.168.41.0/24;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        127.0.0.1;
        192.168.41.0/24;
    };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        10.10.8.2;
    };

    # Disable zone transfers
    allow-transfer {
        none;
    };

    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    minimal-responses yes;
};

# Root Servers
# (Required for recursive DNS queries)
#zone "." {
#    type hint;
#    file "named.root";
#};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

include "/usr/local/samba/bind-dns/named.conf";

# cat /etc/samba/smb.conf

# Global parameters
[global]
        netbios name = GTMAD1
        realm = GTM.ONAT.GOB.CU
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = ATGTM00
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/gtm.onat.gob.cu/scripts
        read only = No

--
Rommel Rodriguez Toirac
rommelrt at nauta.cu
Rowland penny
2020-Nov-18 19:41 UTC
[Samba] dnsupdate failed with TKEY is unacceptable
On 18/11/2020 19:34, Rommel Rodriguez Toirac via samba wrote:
> Hello;
> thanks for writing back;
> It is /etc/named.conf and /etc/samba/smb.conf
>
> # cat /etc/named.conf
> [...]
>
> # cat /etc/samba/smb.conf
> [...]

No, sorry but I refuse to try and decipher the mess above, can you please post again, but this time in plain text and readable format.

Rowland
Rommel Rodriguez Toirac
2020-Nov-18 20:10 UTC
[Samba] dnsupdate failed with TKEY is unacceptable
On 18 November 2020 14:41:57 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 18/11/2020 19:34, Rommel Rodriguez Toirac via samba wrote:
>> [...]
>
> No, sorry but I refuse to try and decipher the mess above, can you
> please post again, but this time in plain text and readable format.
>
> Rowland

Sorry, I changed the email client; I hope it is clear now.

Hello;
thanks for writing back;
It is /etc/named.conf and /etc/samba/smb.conf

# cat /etc/named.conf

# Global Configuration Options
options {
    auth-nxdomain yes;
    version "Parametro no soportado";
    directory "/var/named";
    notify no;
    empty-zones-enable no;
    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;
    listen-on-v6 { none; };
    listen-on port 53 { 192.168.41.18; 127.0.0.1; };

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        127.0.0.1;
        192.168.41.0/24;
    };
    allow-query-cache {
        127.0.0.1;
        192.168.41.0/24;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        127.0.0.1;
        192.168.41.0/24;
    };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        10.10.8.2;
    };

    # Disable zone transfers
    allow-transfer {
        none;
    };

    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    minimal-responses yes;
};

# Root Servers
# (Required for recursive DNS queries)
#zone "." {
#    type hint;
#    file "named.root";
#};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

include "/usr/local/samba/bind-dns/named.conf";

# cat /etc/samba/smb.conf

# Global parameters
[global]
        netbios name = GTMAD1
        realm = GTM.ONAT.GOB.CU
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = ATGTM00
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/gtm.onat.gob.cu/scripts
        read only = No

--
Rommel Rodriguez Toirac
rommelrt at nauta.cu
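Added example, not part of the thread and not Samba project code: a POSIX sh checklist for the two things Rowland's reply points at, whether BIND actually attached Samba's DLZ module to AD (the status output above shows only the two localhost zones loading) and which keytab named.conf hands to BIND for the GSS-TSIG TKEY negotiation that samba_dnsupdate fails on. The log marker strings are the ones Samba's dlz_bind9 module emits ("samba_dlz: started for DN ..." and "samba_dlz: configured writeable zone '...'"); the sample log excerpts and the three-line named.conf are constructed so the parsing functions run offline, and the paths (/usr/local/samba, /etc/named.conf) follow the self-compiled layout in the thread and are assumptions for any other install. Which directory holds Samba's own dns.keytab is version-dependent, so the live checks print BINDDNS_DIR and PRIVATE_DIR from `samba -b` next to the path named.conf uses rather than hard-coding either.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: checks for a Samba
# AD DC using the BIND9_DLZ backend when samba_dnsupdate fails with
# "TKEY is unacceptable". Assumed layout: Samba self-compiled under
# /usr/local/samba (as in the thread) and /etc/named.conf including
# /usr/local/samba/bind-dns/named.conf; adjust paths for distro packages.

# Print the keytab that named.conf hands to BIND for GSS-TSIG. BIND validates
# the updating client's Kerberos ticket against this file, so it must exist,
# be the one Samba provisioned, and be readable by the named user.
# Usage: keytab_from_conf /etc/named.conf
keytab_from_conf() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Samba's dlz_bind9 module logs "samba_dlz: started for DN <base DN>" when it
# opens the AD database and "samba_dlz: configured writeable zone '<zone>'"
# once per AD-hosted zone. The status output in the thread shows neither
# marker, i.e. BIND served only its two local zones and never attached to AD.
# Usage: dlz_loaded <file of named log lines>; exits 0 when both markers appear.
dlz_loaded() {
    grep -q 'samba_dlz: started for DN' "$1" &&
        grep -q "samba_dlz: configured writeable zone" "$1"
}

# Number of AD zones the module reported (0 when it never started).
dlz_zone_count() {
    grep -c "samba_dlz: configured writeable zone" "$1" || true
}

# Live checks, run as root on the DC: sh dlz_check.sh --live
live_checks() {
    conf=/etc/named.conf
    kt=$(keytab_from_conf "$conf")
    echo "named.conf keytab: ${kt:-<not set>}"
    # Compare with the directories Samba was built with (BINDDNS_DIR holds the
    # bind-dns/named.conf included above). Mode, owner and, on CentOS, the
    # SELinux label all have to let the named user read the keytab.
    samba -b | grep -E 'BINDDNS_DIR|PRIVATE_DIR'
    [ -n "$kt" ] && ls -laZ "$kt"
    # Effective configuration after includes: which dlz module and keytab BIND sees.
    named-checkconf -p "$conf" | grep -E 'dlz|dlopen|tkey-gssapi-keytab'
    log=$(mktemp)
    journalctl -u named --no-pager > "$log"
    if dlz_loaded "$log"; then
        echo "DLZ attached to AD, $(dlz_zone_count "$log") zone(s) configured"
    else
        echo "DLZ did not attach to AD; fix the include/dlopen path before looking at TKEY"
    fi
    rm -f "$log"
    # Reproduce the failing update with full output once the AD zones load.
    samba_dnsupdate --verbose
}

# Constructed sample input so the parsing runs offline: the first excerpt
# mirrors the thread's systemd output (no samba_dlz lines at all), the second
# is what a healthy start looks like, the third is the tkey line from the
# posted named.conf.
tmp=$(mktemp -d)
cat > "$tmp/broken.log" <<'EOF'
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: zone localhost/IN: loaded serial 2013050101
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: all zones loaded
EOF
cat > "$tmp/healthy.log" <<'EOF'
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: samba_dlz: started for DN DC=gtm,DC=onat,DC=gob,DC=cu
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: samba_dlz: configured writeable zone 'gtm.onat.gob.cu'
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: samba_dlz: configured writeable zone '_msdcs.gtm.onat.gob.cu'
nov 18 12:02:02 gtmad1.gtm.onat.gob.cu named[18541]: all zones loaded
EOF
cat > "$tmp/named.conf" <<'EOF'
options {
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/bind-dns/named.conf";
EOF

if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

Run it with `--live` on the new DC as root; the order matters, because a GSS-TSIG failure cannot be diagnosed while the AD zones are not being served by BIND at all, and the `host -t A gtm.onat.gob.cu localhost` lookup in the thread will only start returning the new DC's address once the DLZ zones are loaded and the update has succeeded.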