James Atwell
2021-Sep-13 15:47 UTC
[Samba] bind9 permissions and dns_tkey_gssnegotiate: TKEY is unacceptable problems
Hi Carlos,

I have not read that link. However I disabled apparmor entirely. I was able to get the internal DNS to work correctly by removing netplan. I plan to switch back to bind and see if it's fixed as well with the removal of netplan.

On 9/11/2021 7:21 PM, Carlos Jesus wrote:
> Having had this problem recently myself, have you read
> wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>
> However, in my case, apparmor was in the way. The solution was this
> wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
>
> Best regards
> Carlos
>
> James Atwell via samba <samba at lists.samba.org> wrote on Wednesday, 8/09/2021 at 20:51:
>
> > Hello,
> >
> > Unable to resolve bind9 permissions and dns_tkey_gssnegotiate: TKEY is unacceptable problem. This is a new DC joined to existing domain. First, the important information out of the way.
> >
> > OS = Ubuntu 20.04.3 LTS
> >
> > Samba Version = 4.14.7 (self compiled ./configure, make, make install)
> >
> > smb.conf
> >
> > # Global parameters
> > [global]
> >         netbios name = PFDC4
> >         realm = DOMAIN.LOCAL // I Know
> >         server role = active directory domain controller
> >         workgroup = DOMAIN
> >         dns forwarder = 8.8.8.8 208.67.222.222
> >         server services = -dns
> >         log file = /usr/local/samba/var/log.samba
> >         log level = 1 auth_audit:3 auth_json_audit:3
> >         debug timestamp = Yes
> >         debug uid = Yes
> >         debug pid = Yes
> >
> > [sysvol]
> >         path = /usr/local/samba/var/locks/sysvol
> >         read only = No
> >
> > [netlogon]
> >         path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
> >         read only = No
> >
> >
> > -rw-r--r-- 1 root root 1123 Sep  7 13:51 /etc/named.conf
> >
> > -rw-r--r-- 1 root named 92 Sep  3 15:42 /etc/krb5.conf
> >
> > ls -la /usr/local/samba/bind-dns/
> >
> > drwxrwx---  3 root bind   4096 Sep  8 15:16 .
> > drwxr-xr-x 12 root root   4096 Sep  3 15:40 ..
> > drwxrwx---  3 root bind   4096 Sep  8 14:36 dns
> > -rw-r-----  2 root named   466 Sep  8 14:36 dns.keytab
> > -rw-r--r--  1 root root   1012 Sep  8 14:36 named.conf
> > -rw-r--r--  1 root root   2055 Sep  8 14:36 named.txt
> >
> >
> > cat /etc/named.conf
> >
> > include "/usr/local/samba/bind-dns/named.conf";
> >
> > # Global Configuration Options
> > options {
> >
> >     auth-nxdomain yes;
> >     directory "/var/named";
> >     notify no;
> >     empty-zones-enable no;
> >     tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
> >     minimal-responses yes;
> >
> >     # IP addresses and network ranges allowed to query the DNS server:
> >     allow-query {
> >         127.0.0.1;
> >         172.16.0.0/16;
> >     };
> >
> >     # IP addresses and network ranges allowed to run recursive queries:
> >     # (Zones not served by this DNS server)
> >     allow-recursion {
> >         127.0.0.1;
> >         172.16.0.0./16;
> >     };
> >
> >     # Forward queries that can not be answered from own zones
> >     # to these DNS servers:
> >     forwarders {
> >         8.8.8.8;
> >         8.8.4.4;
> >     };
> >
> >     # Disable zone transfers
> >     allow-transfer {
> >         none;
> >     };
> > };
> >
> > # Root Servers
> > # (Required for recursive DNS queries)
> > zone "." {
> >     type hint;
> >     file "named.root";
> > };
> >
> > # localhost zone
> > zone "localhost" {
> >     type master;
> >     file "master/localhost.zone";
> > };
> >
> > # 127.0.0. zone.
> > zone "0.0.127.in-addr.arpa" {
> >     type master;
> >     file "master/0.0.127.zone";
> > };
> >
> >
> > cat /usr/local/samba/bind-dns/named.conf
> >
> > dlz "AD DNS Zone" {
> >
> >     # For BIND 9.16.x
> >     database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_16.so";
> > };
> >
> > cat /etc/bind/named.conf.options
> >
> > options {
> >         directory "/var/cache/bind";
> >         version "0.0.7";
> >         notify no;
> >         empty-zones-enable no;
> >         allow-query { 127.0.0.1; 172.16.0.0/16; };
> >         allow-recursion { 172.16.0.0/16; 127.0.0.1/32; };
> >         forwarders { 8.8.8.8; 8.8.4.4; };
> >         allow-transfer { none; };
> >         dnssec-validation no;
> >         listen-on port 53 { 172.16.232.18; 127.0.0.1; };
> >         tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
> >         minimal-responses yes;
> >         listen-on-v6 { any; };
> > };
> >
> >
> > If I missed anything let me know. I used the wiki for guidance. Bind9 initially would not start. Would give me permission issues when starting. I solved this by disabling apparmor. After updating all the config files and changing ownership to user named (where mentioned in the wiki), bind9 failed to start. Again permission problems. Bind was unable to read config files in /usr/local/samba/bind-dns. I changed ownership from root:named back to root:bind and bind9 would start.
> >
> > I ran "samba_dnsupdate --all-names --verbose" and several dns updates got created. Ran the command again and received dns_tkey_gssnegotiate: TKEY is unacceptable issue. Tried the wiki to troubleshoot and yet I still have the issue. When running samba-tool drs showrepl, the newly created DC has no outbound neighbors. I'm sure it's due to my DNS issues. If I have learned anything with Samba, it's get DNS working correctly or I will have problems. What am I missing? Why won't bind9 start with the user named? I assume I need to resolve this first before attempting to resolve the TKEY issue. The internal DNS btw will not work either. I get BADSIG[NOTAUTH] issue. Thanks for your time.
> >
> >
> > -James
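Added example, not code from the thread or from the Samba or BIND projects: a POSIX sh checker for the two things the quoted post trips over. It pulls the keytab path and the DLZ module path out of named.conf (following include lines, matching the quoted layout where /etc/named.conf includes /usr/local/samba/bind-dns/named.conf), then checks that the group BIND runs under can read both files and that the keytab is not readable by everyone else. The group argument is an assumption you supply: bind on Ubuntu, named on RHEL-style systems. In the quoted listing the directory is root:bind but dns.keytab is root:named, which is exactly the mismatch this flags. Run named-checkconf on the file first; a syntax slip such as the stray "." in the quoted allow-recursion entry 172.16.0.0./16 is caught there, not by a permission check.

```shell
#!/bin/sh
# check_bind_dlz.sh -- added example, not from the thread or from Samba/BIND.
# Assumes only a POSIX sh with sed, ls, cut and awk.
# Run `named-checkconf /etc/named.conf` first, then:
#   sh check_bind_dlz.sh /etc/named.conf bind

# expand_includes CONF : print CONF followed by every file named by an
# include "..." line in it (one level, which is what the Samba wiki layout uses)
expand_includes() {
    cat "$1"
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | while read -r inc; do
        [ -r "$inc" ] && cat "$inc"
    done
}

# keytab_path CONF : print the path from  tkey-gssapi-keytab "...";
keytab_path() {
    expand_includes "$1" | sed -n 's/.*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# dlz_module_path CONF : print the .so from  database "dlopen /path/module.so";
dlz_module_path() {
    expand_includes "$1" | sed -n 's/.*database[[:space:]]*"dlopen[[:space:]]*\([^"]*\)".*/\1/p' | head -n 1
}

# file_readable_by FILE GROUP : 0 if a member of GROUP can read FILE, i.e. the
# file is world-readable, or group-readable and group-owned by GROUP.
# Reads ls output rather than stat so GNU/BSD stat flag differences do not matter.
file_readable_by() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    grp=$(ls -ld "$1" | awk '{print $4}')
    case "$mode" in
        ???????r??) return 0 ;;                      # o+r
        ????r?????) [ "$grp" = "$2" ] && return 0 ;; # g+r and the right group
    esac
    return 1
}

# world_readable FILE : 0 if 'other' can read FILE (never acceptable for a keytab)
world_readable() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" in
        ???????r??) return 0 ;;
    esac
    return 1
}

# check_bind_dlz CONF GROUP : 0 ok, 1 keytab missing or unreadable by GROUP,
# 2 keytab world-readable, 3 DLZ module missing or unreadable by GROUP
check_bind_dlz() {
    conf=$1; group=$2
    kt=$(keytab_path "$conf")
    so=$(dlz_module_path "$conf")
    if ! file_readable_by "$kt" "$group"; then
        echo "keytab '$kt' is not readable by group '$group' (want root:$group mode 0640)" >&2
        return 1
    fi
    if world_readable "$kt"; then
        echo "keytab '$kt' is world-readable; chmod 640 it" >&2
        return 2
    fi
    if ! file_readable_by "$so" "$group"; then
        echo "DLZ module '$so' is not readable by group '$group'" >&2
        return 3
    fi
    echo "ok: $kt and $so readable by group $group, keytab not world-readable"
    return 0
}

# Only act as a command when given both arguments; sourcing the file defines
# the functions without running anything.
if [ "$#" -eq 2 ]; then
    check_bind_dlz "$1" "$2"
fi
```

The exit code tells you which of the three conditions failed, so it can sit in a post-provisioning check; a keytab that is world-readable (code 2) is worth treating as a hard failure, since anyone on the host could then forge TSIG-GSS updates against the AD zone.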