On 18/11/2020 19:27, Rommel Rodriguez Toirac wrote:
> It is /etc/named.conf and /etc/samba/smb.conf
>
> # cat /etc/named.conf
>
>   tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>
> include "/usr/local/samba/bind-dns/named.conf";

OK, does the /usr/local/samba/bind-dns directory exist ?

If it does, is the 'named.conf' file in there set up to use your Bind9 version ?

Also the dns.keytab should also exist in the same directory (there is a bug report about this not happening on newly joined DCs), so if it doesn't exist, copy it from '/usr/local/samba/private' keeping the same permissions. Update the 'tkey-gssapi-keytab' path to reflect the change.

Rowland
Rommel Rodriguez Toirac
2020-Nov-18 20:49 UTC
[Samba] dnsupdate failed with TKEY is unaceptable
On 18 November 2020 15:16:09 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 18/11/2020 19:27, Rommel Rodriguez Toirac wrote:
>> It is /etc/named.conf and /etc/samba/smb.conf
>>
>> # cat /etc/named.conf
>>
>>   tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>>
>> include "/usr/local/samba/bind-dns/named.conf";
>
> OK, does the /usr/local/samba/bind-dns directory exist ?
>
> if it does, is the 'named.conf' file in there, set up to use your Bind9
> version ?
>
> Also the dns.keytab should also exist in the same directory (there is a
> bug report about this not happening on newly joined DCs), so if it
> doesn't exist, copy it from '/usr/local/samba/private' keeping the same
> permissions. Update the 'tkey-gssapi-keytab' path to reflect the
> change.
>
> Rowland

Yes, the directory asked about exists and is pointing to my named version:

[root at gtmad1 ]# ls /usr/local/samba/bind-dns/
dns  dns.keytab  named.conf  named.txt

[root at gtmad1 ]# cat /usr/local/samba/bind-dns/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/usr/local/samba/bind-dns/named.conf";
#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
    # For BIND 9.9.x
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
    # For BIND 9.10.x
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";
    # For BIND 9.11.x
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
    # For BIND 9.12.x
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_12.so";
    # For BIND 9.14.x
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_14.so";
    # For BIND 9.16.x
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_16.so";
};

[root at gtmad1 ] named -V
BIND 9.11.13-RedHat-9.11.13-6.el8_2.1 (Extended Support Version) <id:ad4df16>
running on Linux x86_64 5.4.34-1-pve #1 SMP PVE 5.4.34-2 (Thu, 07 May 2020 10:02:02 +0200)
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/libexec/platform-python' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--enable-openssl-hash' '--with-geoip2' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=no' '--with-cmocka' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 8.3.1 20191121 (Red Hat 8.3.1-5)
compiled with OpenSSL version: OpenSSL 1.1.1c FIPS  28 May 2019
linked to OpenSSL version: OpenSSL 1.1.1c FIPS  28 May 2019
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
  named configuration:  /etc/named.conf
  rndc configuration:   /etc/rndc.conf
  DNSSEC root key:      /etc/bind.keys
  nsupdate session key: /var/run/named/session.key
  named PID file:       /var/run/named/named.pid
  named lock file:      /var/run/named/named.lock
  geoip-directory:      /usr/share/GeoIP

-- 
Rommel Rodriguez Toirac
rommelrt at nauta.cu
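A scripted version of the cross-check Rowland asked for (does the uncommented DLZ module match the running named, and does the keytab that tkey-gssapi-keytab points at exist with sane permissions), added here as an example and not part of the thread or of Samba itself. The SAMPLE_* strings are constructed inputs modelled on the output above; on a real DC you would feed it the live files and the output of named -V.

```shell
# Added example, not from the thread: a scripted version of the check Rowland
# asked for. The SAMPLE_* strings are constructed inputs modelled on the output
# above; on a real DC feed it the live files and the output of 'named -V'.
SAMPLE_NAMED_V='BIND 9.11.13-RedHat-9.11.13-6.el8_2.1 (Extended Support Version) <id:ad4df16>'
SAMPLE_DLZ_CONF='dlz "AD DNS Zone" {
    # For BIND 9.11.x
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
    # For BIND 9.12.x
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_12.so";
};'
SAMPLE_NAMED_CONF='options {
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/bind-dns/named.conf";'

# Major.minor of the running named, from the first line of 'named -V'.
named_version() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9]*\.[0-9]*\)[^0-9].*/\1/p'
}

# BIND version the single uncommented database line targets:
# dlz_bind9_NN.so means 9.NN, plain dlz_bind9.so means 9.8.
active_dlz_version() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        sed -n 's/.*dlz_bind9_\([0-9]*\)\.so.*/9.\1/p; s/.*dlz_bind9\.so.*/9.8/p'
}

# Keytab path named will use for GSS-TSIG (the tkey-gssapi-keytab option).
tkey_keytab_path() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p'
}

# 0 when the DLZ module version equals the running named version.
dlz_matches_named() {
    [ "$(named_version "$1")" = "$(active_dlz_version "$2")" ]
}

# 0 when the keytab exists and is not world-readable (the thread's file is
# root:named 0640). Parses ls because POSIX test(1) has no such check.
keytab_ok() {
    [ -f "$1" ] && [ "$(ls -l "$1" | cut -c8-10)" = "---" ]
}

# One verdict line per check; always exits 0 so it is safe under monitoring.
report() {
    v=$(named_version "$1"); d=$(active_dlz_version "$2"); kt=$(tkey_keytab_path "$3")
    if [ -n "$v" ] && [ "$v" = "$d" ]; then echo "ok: DLZ module matches named $v"; else echo "MISMATCH: named $v, DLZ module for $d"; fi
    if keytab_ok "$kt"; then echo "ok: keytab $kt"; else echo "CHECK keytab: $kt"; fi
}
report "$SAMPLE_NAMED_V" "$SAMPLE_DLZ_CONF" "$SAMPLE_NAMED_CONF"
```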
Rommel Rodriguez Toirac
2020-Nov-19 19:14 UTC
[Samba] dnsupdate failed with TKEY is unaceptable
Hello all; any other ideas or tests to do to determine what is the cause of why dnsupdate does not work on the newly installed domain controller samba 4.13.2?

Rommel Rodriguez Toirac

On 18 November 2020 15:16:09 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 18/11/2020 19:27, Rommel Rodriguez Toirac wrote:
>> It is /etc/named.conf and /etc/samba/smb.conf
>>
>> # cat /etc/named.conf
>>
>>   tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>>
>> include "/usr/local/samba/bind-dns/named.conf";
>
> OK, does the /usr/local/samba/bind-dns directory exist ?
>
> if it does, is the 'named.conf' file in there, set up to use your Bind9
> version ?
>
> Also the dns.keytab should also exist in the same directory (there is a
> bug report about this not happening on newly joined DCs), so if it
> doesn't exist, copy it from '/usr/local/samba/private' keeping the same
> permissions. Update the 'tkey-gssapi-keytab' path to reflect the
> change.
>
> Rowland

-- 
Rommel Rodriguez Toirac
rommelrt at nauta.cu
Rommel Rodriguez Toirac
2020-Nov-20 13:35 UTC
[Samba] dnsupdate failed with TKEY is unaceptable
On 20 November 2020 2:22:45 GMT-05:00, "L.P.H. van Belle" <belle at bazuin.nl> wrote:
> I suggest you read :
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>

Hello; I read the URL suggested. There exists a Kerberos principal, there exists the bind AD account, and the file permissions on /usr/local/samba/private/dns.keytab are correct. These are the results of the commands suggested to run:

[root at gtmad1 samba]# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/gtmad1.gtm.onat.gob.cu at GTM.ONAT.GOB.CU
   1 dns-gtmad1 at GTM.ONAT.GOB.CU
   1 DNS/gtmad1.gtm.onat.gob.cu at GTM.ONAT.GOB.CU
   1 dns-gtmad1 at GTM.ONAT.GOB.CU
   1 DNS/gtmad1.gtm.onat.gob.cu at GTM.ONAT.GOB.CU
   1 dns-gtmad1 at GTM.ONAT.GOB.CU

[root at gtmad1 samba]# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-GTMAD1' dn
# record 1
dn: CN=dns-gtmad1,CN=Users,DC=gtm,DC=onat,DC=gob,DC=cu

# Referral
ref: ldap://gtm.onat.gob.cu/CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu

# Referral
ref: ldap://gtm.onat.gob.cu/DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu

# Referral
ref: ldap://gtm.onat.gob.cu/DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu

# returned 4 records
# 1 entries
# 3 referrals

[root at gtmad1 samba]# ls -l /usr/local/samba/private/dns.keytab
-rw-r----- 2 root named 517 nov 17 15:09 /usr/local/samba/private/dns.keytab

[root at gtmad1 samba]# cat /etc/named.conf
named.conf        named.conf_back

[root at gtmad1 samba]# cat /etc/named.conf
# Global Configuration Options
options {
    auth-nxdomain yes;
    version "Parametro no soportado";
    directory "/var/named";
    notify no;
    empty-zones-enable no;
    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;
    listen-on-v6 { none; };
    listen-on port 53 { 192.168.41.18; 127.0.0.1; };

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        127.0.0.1;
        192.168.41.0/24;
    };
    allow-query-cache {
        127.0.0.1;
        192.168.41.0/24;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        127.0.0.1;
        192.168.41.0/24;
    };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        10.10.8.2;
    };

    # Disable zone transfers
    allow-transfer {
        none;
    };

    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    minimal-responses yes;
};

# Root Servers
# (Required for recursive DNS queries)
#zone "." {
#    type hint;
#    file "named.root";
#};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

include "/usr/local/samba/bind-dns/named.conf";

-- 
Rommel Rodriguez Toirac
rommelrt at nauta.cu