Rowland Penny
2022-Aug-08 16:02 UTC
[Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision
On Mon, 2022-08-08 at 08:40 -0700, Matthew Schumacher via samba wrote:
> On 8/8/22 5:00 AM, L. van Belle via samba wrote:
> > Can you run this script..
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> > and post the content.
> > Thanks,
> >
> > Greetz,
> >
> > Louis
> >
>
> Hi Louis,
>
> I can't post the output of that script due to it showing a lot of
> internal information, but I can say :

Did you miss this:

Please check this and if required, sanitise it.

> --------------------------------------------------------------------
> Hostname, dns, realm, etc is all fine.
>
> There are only two interfaces lo0, eth0 and are configured correctly.
>
> /etc/hosts has loopback and the IP address followed by short name and
> FQDN for this host
>
> */etc/resolv.conf is 127.0.0.1 and then the other DNS servers* *(*I
> think this is the problem*)*

You should be using the DC's ipaddress as the nameserver.

> Kerberos SRV _kerberos._tcp.ad.domain.net record(s) verified ok
>
> 'kinit Administrator' checked successfully.
>
> Samba is running as an AD DC
>
> /etc/krb5.conf is a COPY of /var/lib/samba/private/krb5.conf and
> looks fine
>
> /etc/nsswitch.conf shows "files ldap" since I use nss-pam-ldap on this
> host to resolve UID and GID in AD
>
> /etc/samba/smb.conf shows
>
> [global]
>         netbios name = dc-2
>         realm = AD.DOMAIN.NET
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>             winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = AD
>         idmap_ldb:use rfc2307 = yes
>         tls enabled = yes
>         tls keyfile = /etc/ssl/certs/dc-2.pem
>         tls certfile = /etc/ssl/certs/dc-2.pem
>         tls cafile = /etc/ssl/certs/dc-2.pem
>         ntlm auth = mschapv2-and-ntlmv2-only
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ad.domain.net/scripts
>         read only = No
>
> This DC is not being used as a fileserver
>
> Detected bind DLZ enabled..
>
> Time verified ok, within the allowed 300sec margin.
> Time offset is currently : -1 seconds
>
> Packages are missing because I don't have dpkg. Distro is slackware, I
> compiled samba myself.

You could use winbind instead of ldap, but you would probably need to
create the required links.

> --------------------------------------------------------------------
>
> Given the above, let me include my /etc/named.conf
>
> --------------------------------------------------------------------
> options {
>         directory "/var/named";
>         /*
>          * If there is a firewall between you and nameservers you want
>          * to talk to, you might need to uncomment the query-source
>          * directive below. Previous versions of BIND always asked
>          * questions using port 53, but BIND 8.1 uses an unprivileged
>          * port by default.
>          */
>         // query-source address * port 53;
>
>         tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>         minimal-responses yes;
>
>         // forwarders {
>         //         x.x.x.x;
>         // };

You need to set the 'forwarders'

> };
>
> //
> // a caching only nameserver config
> //
> zone "." IN {
>         type hint;
>         file "caching-example/named.root";
> };
>
> zone "localhost" IN {
>         type master;
>         file "caching-example/localhost.zone";
>         allow-update { none; };
> };
>
> zone "0.0.127.in-addr.arpa" IN {
>         type master;
>         file "caching-example/named.local";
>         allow-update { none; };
> };
>
> include "/var/lib/samba/bind-dns/named.conf";
> --------------------------------------------------------------------
>
>
> Looking at the DNS servers in /etc/resolv.conf it occurred to me that
> using the loopback address wouldn't work, so I removed that, and it
> updated the dns against another domain controller without issue.
>
> So, my question. Is there any reason the local bind server with the DLZ
> plugin can't take kerberos authenticated updates? Any thoughts on how
> to debug this?

Are you sure it isn't working now that you have fixed /etc/resolv.conf ?

> Also, samba_dnsupdate --use-samba-tool works just fine, so, can I
> configure samba to use that internally when calling samba-dnsupdate
> with?
>
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>
> Any disadvantages of doing it that way?

None whatsoever.

Rowland
Matthew Schumacher
2022-Aug-08 17:18 UTC
[Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision
On 8/8/22 9:02 AM, Rowland Penny via samba wrote:
>
>> I can't post the output of that script due to it showing a lot of
>> internal information, but I can say :
> Did you miss this:
>
> Please check this and if required, sanitise it.

Apologies, I did miss that.

>> */etc/resolv.conf is 127.0.0.1 and then the other DNS servers* *(*I
>> think this is the problem*)*
> You should be using the DC's ipaddress as the nameserver.
>

Roger.

> You could use winbind instead of ldap, but you would probably need to
> create the required links.

I may look at that, but have a lot of history with ldap with a number of
other things like radius and web apps using ldap as well. I don't think
this is related.

>> --------------------------------------------------------------------
>>
>> Given the above, let me include my /etc/named.conf
>>
>> --------------------------------------------------------------------
>> options {
>>         directory "/var/named";
>>         /*
>>          * If there is a firewall between you and nameservers you want
>>          * to talk to, you might need to uncomment the query-source
>>          * directive below. Previous versions of BIND always asked
>>          * questions using port 53, but BIND 8.1 uses an unprivileged
>>          * port by default.
>>          */
>>         // query-source address * port 53;
>>
>>         tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>>         minimal-responses yes;
>>
>>         // forwarders {
>>         //         x.x.x.x;
>>         // };
> You need to set the 'forwarders'

What would I set this to, the public DNS server? I looked at the wiki
(https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End) and it talks
about putting a DNS server in front of BIND9_DLZ to handle everything but
domain related queries, but if this is on the DC itself, then does
forwarding queries to the public name server accomplish the same goals?

>> Looking at the DNS servers in /etc/resolv.conf it occurred to me that
>> using the loopback address wouldn't work, so I removed that, and it
>> updated the dns against another domain controller without issue.
>>
>> So, my question. Is there any reason the local bind server with the DLZ
>> plugin can't take kerberos authenticated updates? Any thoughts on how
>> to debug this?
> Are you sure it isn't working now that you have fixed /etc/resolv.conf
> ?

Yes, I'm sure. If I delete this host from
_ldap._tcp.Default-First-Site-Name._sites.ad.domain.net, then with the IP
of this host listed first in /etc/resolv.conf call samba_dnsupdate
--verbose I get:

1 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc-2.ad.domain.net as DC-2$
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ad.domain.net dc-2.ad.domain.net 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ad.domain.net dc-2.ad.domain.net 389 (add)
Successfully obtained Kerberos ticket to DNS/dc-2.ad.domain.net as DC-2$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ad.domain.net. 900 IN SRV 0 100 389 dc-2.ad.domain.net.

dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 1 entries

If I remove the local samba host from the first nameserver record in
/etc/resolv.conf and allow the first record to be an actual windows DC I
get:

1 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/ktchdc.ad.domain.net as DC-2$
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ad.domain.net dc-2.ad.domain.net 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ad.domain.net dec-2.ad.domain.net 389 (add)
Successfully obtained Kerberos ticket to DNS/ktchdc.ad.domain.net as DC-2$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ad.domain.net. 900 IN SRV 0 100 389 dc-2.admin.aptalaska.net.

I started looking into enabling debug on the bind side and added this to
my named.conf

logging {
        channel default_file {
                file "/var/log/named.log" size 10m;
                severity debug;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        category default { default_file; };
};

But still don't see anything in the log related to kerberos auth.

Looking at my packet sniffer I see:

Transmission Control Protocol, Src Port: 53, Dst Port: 58987, Seq: 1, Ack: 1651, Len: 107
Domain Name System (response)
    Length: 105
    Transaction ID: 0x43ce
    Flags: 0x8080 Standard query response, No error
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Queries
        1951668233.sig-dc-2.ad.domain.net: type TKEY, class ANY
            Name: 1951668233.dc-2.ad.domain.net
            [Name Length: 49]
            [Label Count: 5]
            Type: TKEY (Transaction Key) (249)
            Class: ANY (0x00ff)
    Answers
        1951668233.sig-dc-2.ad.domain.net: type TKEY, class ANY
            Name: 1951668233.dc-2.ad.domain.net
            Type: TKEY (Transaction Key) (249)
            Class: ANY (0x00ff)
            Time to live: 0 (0 seconds)
            Data length: 26
            Algorithm name: gss-tsig
            Signature Inception: (0)Dec 31, 1969 16:00:00.000000000 PST
            Signature Expiration: (0)Dec 31, 1969 16:00:00.000000000 PST
            Mode: GSSAPI (3)
            Error: Key not recognized (17)
            Key Size: 0
            Other Size: 0
    [Request In: 189]
    [Time: 0.000930000 seconds]

Looking at /var/lib/samba/bind-dns/dns.keytab I see that the timestamp
hasn't changed for 3 days. Is that right? Does this file stay fairly
static?

>> Also, samba_dnsupdate --use-samba-tool works just fine, so, can I
>> configure samba to use that internally when calling samba-dnsupdate
>> with?
>>
>> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>>
>> Any disadvantages of doing it that way?
> None whatsoever.
>
> Rowland
>
>

Don't the workstations use kerberos against the name server to update
their IP addresses? If so, wouldn't that break if I just reverted to
using --use-samba-tool?

Thanks for the help!

Matt
L. van Belle
2022-Aug-09 07:01 UTC
[Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision
Good Morning,

Remove these flat file zone configs, these are in the AD-DC DNS setup also.

> zone "." IN {
> zone "localhost" IN {
> zone "0.0.127.in-addr.arpa" IN {

Enabling forwarders is not obligatory; if not set up, the root servers in
the AD-DC DNS will be used.

But back to your problem..

stop samba winbind on this DC.
use samba tool to remove the DC
use samba tool remove dead server to clean more *( on DC1).
Use any DNS manager/command to remove any A or PTR record of DC2 in the DNS on DC1
Remove leftovers in the "Sites in AD" *( on DC1).
Clean up all folders of samba.
check it again, now only when you're 100% sure it's gone.
rejoin. *(with IP DC1 first in resolv.conf)
reboot *( with IP DC1 first in resolv.conf)
check everything...
now, fix resolv, *( IP DC2 first in resolv.conf, then DC1 ip.)
Reboot *( or.. use..
samba_upgradedns --dns-backend=BIND9_DLZ && samba_upgradedns --dns-backend=SAMBA_INTERNAL && samba_upgradedns --dns-backend=BIND9_DLZ

That's what I would do, but it's key that everything of the old server is
gone from the DNS on DC1.
Seen this before and in general it took me more time to fix it than a
re-join.

Hope that it helps,

greetz,

Louis

> -----Original message-----
> From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny via samba
> Sent: Monday 8 August 2022 18:03
> To: samba at lists.samba.org
> CC: Rowland Penny <rpenny at samba.org>
> Subject: Re: [Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision
>
> On Mon, 2022-08-08 at 08:40 -0700, Matthew Schumacher via samba wrote:
> > On 8/8/22 5:00 AM, L. van Belle via samba wrote:
> > > Can you run this script..
> > > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> > > and post the content.
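As an added example, not part of any message in this thread: a POSIX shell script that checks offline the two configuration points raised above (Rowland's: the first nameserver in /etc/resolv.conf should be a DC's IP, not 127.0.0.1; Louis's: the flat-file ".", "localhost" and "0.0.127.in-addr.arpa" zones should not sit beside the DLZ include) and that the tkey-gssapi-keytab path named in named.conf exists and is readable. Function names and the WARN wording are my own; the files are passed in as arguments so it can be run against copies of the real files or constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the resolv.conf and
# named.conf points raised above. Paths are arguments, so it can be run against
# copies of the real files or against constructed samples.

# 0 when the first "nameserver" entry is not a loopback address. On a BIND9_DLZ
# DC the first entry should be a DC's IP, not 127.0.0.1 (the failing setup above).
first_nameserver_ok() {
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    case "$ns" in
        ""|127.*|::1) return 1 ;;
        *)            return 0 ;;
    esac
}

# Print the flat-file zones in a named.conf that duplicate zones the AD DC
# already serves (the three Louis asked to be removed); empty output is good.
conflicting_zones() {
    grep -oE 'zone[[:space:]]+"(\.|localhost|0\.0\.127\.in-addr\.arpa)"' "$1" \
        | sed -E 's/^zone[[:space:]]+//'
}

# 0 when named.conf sets tkey-gssapi-keytab and the keytab it names exists and
# is readable by the invoking user (run as the BIND user to see what named sees).
keytab_configured() {
    kt=$(sed -nE 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]+"([^"]+)".*/\1/p' "$1" | head -n 1)
    [ -n "$kt" ] && [ -r "$kt" ]
}

# Print one line per finding; exit status is the number of problems found.
report() {
    problems=0
    if ! first_nameserver_ok "$1"; then
        echo "WARN: first nameserver in $1 is loopback or missing; use a DC IP"
        problems=$((problems + 1))
    fi
    zones=$(conflicting_zones "$2")
    if [ -n "$zones" ]; then
        echo "WARN: $2 declares flat-file zones the DC already serves:" $zones
        problems=$((problems + 1))
    fi
    if ! keytab_configured "$2"; then
        echo "WARN: tkey-gssapi-keytab missing from $2 or keytab unreadable"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage: report /etc/resolv.conf /etc/named.conf
```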