L. van Belle
2022-Aug-08 12:00 UTC
[Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision
Can you run this script.. https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh and post the content.

Thanks,

Greetz,

Louis

> -----Original message-----
> From: samba <samba-bounces at lists.samba.org> On behalf of Matthew Schumacher via samba
> Sent: Friday, 5 August 2022 21:52
> To: samba at lists.samba.org
> Subject: [Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision
>
> Hello all,
>
> When trying to run samba_dnsupdate I get "dns_tkey_gssnegotiate: TKEY is unacceptable". I see the webpage about this at
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
> and when verifying my keytab file I get a number of accounts:
>
> klist -k /var/lib/samba/bind-dns/dns.keytab
> Keytab name: FILE:/var/lib/samba/bind-dns/dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
>    1 dns-dc-2-wsll@AD.DOMAIN.NET
>    1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
>    1 dns-dc-2-wsll@AD.DOMAIN.NET
>    1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
>    1 dns-dc-2-wsll@AD.DOMAIN.NET
>
> I decided I would clean up and try again, so I:
>
> rm /usr/local/samba/private/dns.keytab
> then
> samba-tool user delete dns-dc-2-wsll
>
> Which seems to work, as I get
>
> Deleted user dns-dc-2-wsll
>
> But then when I reset the dns settings with:
>
> samba_upgradedns --dns-backend=BIND9_DLZ
>
> I see:
>
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/bind-dns/dns/AD.DOMAIN.NET.zone (normal)
> DNS partitions already exist
> Adding dns-dc-2-wsll account
> check_spn_alias_collision: trying to add SPN 'DNS/dc-2-wsll.ad.domain.net' on 'CN=dns-dc-2-wsll,CN=Users,DC=ad,DC=domain,DC=net' when 'host/dc-2-wsll.ad.domain.net' is on 'CN=dc-2-wsll,OU=Domain Controllers,DC=ad,DC=domain,DC=net'
> See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
> Finished upgrading DNS
>
> I'm trying to figure out how to clean this up and reset DNS so I can get it to work. Any ideas?
>
> Matt
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Matthew Schumacher
2022-Aug-08 15:40 UTC
[Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision
On 8/8/22 5:00 AM, L. van Belle via samba wrote:
> Can you run this script..
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> and post the content.
> Thanks,
>
> Greetz,
>
> Louis
>

Hi Louis,

I can't post the output of that script due to it showing a lot of internal information, but I can say:

--------------------------------------------------------------------
Hostname, dns, realm, etc. is all fine.
There are only two interfaces, lo0 and eth0, and they are configured correctly.
/etc/hosts has loopback and the IP address followed by short name and FQDN for this host
/etc/resolv.conf is 127.0.0.1 and then the other DNS servers (I think this is the problem)
Kerberos SRV _kerberos._tcp.ad.domain.net record(s) verified ok
'kinit Administrator' checked successfully.
Samba is running as an AD DC
/etc/krb5.conf is a COPY of /var/lib/samba/private/krb5.conf and looks fine
/etc/nsswitch.conf shows "files ldap" since I use nss-pam-ldap on this host to resolve UID and GID in AD
/etc/samba/smb.conf shows

[global]
    netbios name = dc-2
    realm = AD.DOMAIN.NET
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = AD
    idmap_ldb:use rfc2307 = yes
    tls enabled = yes
    tls keyfile = /etc/ssl/certs/dc-2.pem
    tls certfile = /etc/ssl/certs/dc-2.pem
    tls cafile = /etc/ssl/certs/dc-2.pem
    ntlm auth = mschapv2-and-ntlmv2-only

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/ad.domain.net/scripts
    read only = No

This DC is not being used as a fileserver
Detected bind DLZ enabled..
Time verified ok, within the allowed 300sec margin.
Time offset is currently : -1 seconds
Packages are missing because I don't have dpkg. Distro is Slackware, I compiled samba myself.
--------------------------------------------------------------------

Given the above, let me include my /etc/named.conf

--------------------------------------------------------------------
options {
    directory "/var/named";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below.  Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    minimal-responses yes;
//  forwarders {
//      x.x.x.x;
//  };
};

//
// a caching only nameserver config
//
zone "." IN {
    type hint;
    file "caching-example/named.root";
};

zone "localhost" IN {
    type master;
    file "caching-example/localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "caching-example/named.local";
    allow-update { none; };
};

include "/var/lib/samba/bind-dns/named.conf";
--------------------------------------------------------------------

Looking at the DNS servers in /etc/resolv.conf it occurred to me that using the loopback address wouldn't work, so I removed that, and it updated the dns against another domain controller without issue.

So, my question. Is there any reason the local bind server with the DLZ plugin can't take kerberos authenticated updates? Any thoughts on how to debug this?

Also, samba_dnsupdate --use-samba-tool works just fine, so, can I configure samba to use that internally when calling samba-dnsupdate with

dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

Any disadvantages of doing it that way?

Thanks for the help!

Matt
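An added example, not from either message in the thread: a small POSIX shell check over `klist -k` output that reports duplicated keytab entries and confirms the two principals (DNS/<fqdn>@REALM and dns-<host>@REALM) that samba_upgradedns creates for a BIND9_DLZ DC are present. The sample listing is constructed from the one Matt posted, with "@" restored where the list archive printed " at "; the function names are ours, and the host name and realm are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the principals in a
# BIND9_DLZ dns.keytab listing, i.e. the output of
#   klist -k /var/lib/samba/bind-dns/dns.keytab
# Function names are ours; host/realm are the ones used in the thread.

# Constructed sample: the listing Matt posted, with "@" restored where the
# list archive printed " at ".
SAMPLE_KLIST='Keytab name: FILE:/var/lib/samba/bind-dns/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
   1 dns-dc-2-wsll@AD.DOMAIN.NET
   1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
   1 dns-dc-2-wsll@AD.DOMAIN.NET
   1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
   1 dns-dc-2-wsll@AD.DOMAIN.NET'

# Print every "KVNO principal" pair that appears more than once in the
# klist -k output read from stdin (repeated identical entries, as above,
# usually mean the keytab was written to more than once).
keytab_duplicates() {
    awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $1, $2 }' | sort | uniq -d
}

# Print the two principals a DC with short host name $1 in realm $2 holds
# after samba_upgradedns: DNS/<fqdn>@REALM and dns-<host>@REALM.
expected_dns_principals() {
    lower=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf 'DNS/%s.%s@%s\n' "$1" "$lower" "$2"
    printf 'dns-%s@%s\n' "$1" "$2"
}

# Return 0 if both expected principals are present in the klist -k output
# read from stdin, 1 otherwise.
keytab_has_expected() {
    listing=$(cat)
    for p in $(expected_dns_principals "$1" "$2"); do
        printf '%s\n' "$listing" |
            awk -v p="$p" '$2 == p { f = 1 } END { if (f) exit 0; exit 1 }' || return 1
    done
    return 0
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_KLIST" | keytab_duplicates
printf '%s\n' "$SAMPLE_KLIST" | keytab_has_expected dc-2-wsll AD.DOMAIN.NET &&
    echo "expected DNS principals present"
```

On a real DC, replace the sample with `klist -k /var/lib/samba/bind-dns/dns.keytab | keytab_duplicates` and compare the reported principals with the SPNs on the dns-<host> account.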