similar to: DC2: TKEY is unacceptable, Failed DNS update?

Hi Mathias, thanks for the hint. My interpretation so far was that complex involves managing any data in addition to what the AD is supposed to manage anyway. Anyway, I tried to follow your advice, but not to success so far. On Ubuntu 16.04, bind is running under the user bind instead of root, and app armor is active. I figured out how to change both and bind starts successfully and answers

Hi Mathias, Once more: Thanks for your support and guidance! Actually I reconfigured only the first DC initially, assuming that the second join asks me as does the initial one - wrong assumption. My take is the tools could be improved, e.g. : join of DC2 adds DNS record of DC2 to DC1 and verifies it is replicated before claiming success... looking in all the tools and logs for errors is tedious at

Hi, Are you using Samba's internal DNS or Bind? If you are using Bind9_DLZ as dns-backend it should be a right issue on files used by Bind itself (ie private/dns.keytab, private/named.conf, private/dns or private/dns/* and of course private itself). If you are running internal DNS as backend, you can change that parameter into smb.conf: from: allow dns updates = secure only (default, not

So you have 2 DC using BIND9_DLZ as dns backend, they both answer DNS from clients. Am I right? If yes, how are configured your client DNS resolvers? Resolver on clients should be aiming one of your DC (or the two of them in case of DC downtime). NOTE: "should" only because you could make clients using your company DNS servers as resolvers if these DNS servers knows how to forward

Hi Marc, I appreciate that you reply, but I got it resolved by following the advice of Mathias. I was aware of the links below, however the first is about using the BIND9_DLZ backend, and at the time I experienced the issue I was using the internal one. Marc & Mathias, The 2nd link that Marc references is about a DC should not use itself for DNS queries is exactly the opposite of your

Hello Samba-ers, I tried to continue my Samba setup after a long pause doing other stuff. To recall, I want to run two Samba DCs for one domain as virtual machines on two Windows systems (I switched from VirtualBox to Hyper V, which helps to run them automatically at system startup, but I don´t think that really matters). Both DCs shall use themselves as DNS server as the VPN in between is

I'm having trouble with nsupdates.  I'm getting TKEY is unacceptable. I'm using Fedora 29, with its packages: [root at dc2 kwhite]# rpm -qa | grep samba samba-4.9.4-1.fc29.x86_64 samba-dc-bind-dlz-4.9.4-1.fc29.x86_64 samba-common-4.9.4-1.fc29.noarch samba-libs-4.9.4-1.fc29.x86_64 samba-dc-libs-4.9.4-1.fc29.x86_64 samba-winbind-4.9.4-1.fc29.x86_64 samba-common-libs-4.9.4-1.fc29.x86_64

Hello, we have the following problem with a ADDC Sernet 4.7.6-11 on CentOS 7.4. We have two DCs, replication is working fine. We use bind9 as dns-backend. When we do a "samba_dnsupdate --all-names" we get the following messages: ------------------- [root at dc1 ~]# samba_dnsupdate --all-names dns_tkey_negotiategss: TKEY is unacceptable dns_tkey_negotiategss: TKEY is unacceptable

To regenerate dns.keytab I expect you only need to relaunch samba_upgradedns --dns-backend=BIND9_DLZ. If I'm wrong (it happens quiet often) you would have to first launch: samba_upgradedns --dns-backend=SAMBA_INTERNAL and then samba_upgradedns --dns-backend=BIND9_DLZ Here you should have a dns.keytab. Now, right issues: dns related files in samba/private must be accessible to the UNIX user

On 06/07/2020 16:05, Robert E. Wooden via samba wrote: > > Why has one installation not created a ".../bind-dns/dns.keytab" file > and yet the other has? > > I followed the same "steps" during installation on both. > I am coming to the conclusion that if you upgrade from one major Samba version to another, then upgrading in place isn't really a good

> -----Ursprüngliche Nachricht----- > Von: Rowland penny [mailto:rpenny at samba.org] > Gesendet: Sonntag, 5. Juni 2016 17:46 > An: Jo <j.o.l at live.com> > Cc: 'samba' <samba at lists.samba.org> > Betreff: Re: AW: [Samba] inconsistent DNS information, windows domain > member issues.. > > On 05/06/16 13:43, Jo wrote: > >> Your DCs really

Hi everyone, I'm testing with a Samba4 AD network, and I have some problems with DNS on the second DC, with which I could use a bit of your help. I have an AD with two DC's, both Samba 4.2.3. On the first DC, samba_dnsupdate works fine. With stock 4.2.3 I get the error "TSIG error with server: tsig verify failure" but the DNS updates succeed anyway, and after applying

L.P.H. van Belle writes: > check the rights on : > /var/lib/samba/private/dns.keytab 640 root:bind > /var/lib/samba/private/dns 750 root:bind > /var/lib/samba/private/sam.ldb.d 750 root:bind I'm using the internal DNS on both DC's, so I guess bind access rights aren't the issue. Thanks for your answer though :) Regards, Roel > >-----Oorspronkelijk

> -----Ursprüngliche Nachricht----- > Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von > Rowland penny > Gesendet: Sonntag, 5. Juni 2016 12:49 > An: samba at lists.samba.org > Betreff: Re: [Samba] inconsistent DNS information, windows domain > member issues.. > > On 05/06/16 10:05, Jo wrote: > > I joined a Windows 10 Pro system to my (still

L.P.H. van Belle writes: > is the time in sync on your servers ? Yes it is. I managed to make it work by specifying the primary DC as nameserver in /etc/resolv.conf of the secondary DC. As soon as I do that, samba_dnsupdate works on the secondary. When I change it back to use the local Samba as resolver, it no longer works. So it is a DNS issue (possibly related to replication

On 7/3/2020 9:50 AM, Rowland penny via samba wrote: > I thought I explained that, but lets try again ;-) > > Originally, Samba used /var/lib/samba/private for the dns.keytab and > other dns files. This was then found to be possibly insecure, so it > was decided to use /var/lib/samba/bind-dns instead. When you upgrade > the Samba packages, the old files are not removed, but the

I joined a Windows 10 Pro system to my (still experimental) domain. The windows system actually hosts DC2 as a VM, and another Windows (Server 2008 R2) at another location hosts DC1 also as a VM. The two locations are connected via a VPN, both systems run only when needed. The windows system does not directly use DC2 for DNS but instead talks to a DNS resolver that delegates the samba Domain to

I've installed Samba 4.09 on ubuntu with bind 9.8.1-P1, the former compiled from git source and the latter installed from apt-get. I'm migrating from an existing Windows 2008 SBS domain controller that I want to retire (and be Windows free on the server side), and have followed the instructions on the Samba wiki for setting up Bind and migrating. When I run a samba_dnsupate -verbose

Hello $LIST, i setup a new clean domain to examine the feature of updating/creating PTR records. When i call ipconfig /registerdns on the client i get this entry in the windows eventlog (sorry german) Fehler beim Registrieren der Hostressourceneinträge (A oder AAAA) für den Netzwerkadapter mit den folgenden Einstellungen: Adaptername: {2A467E48-624B-4CCF-9B7D-9BA5629D8117}

On Thu, 2016-05-26 at 17:32 +0200, Jo wrote: > Hi Marc, > I appreciate that you reply, but I got it resolved by following the > advice of Mathias. I was aware of the links below, however the first > is about using the BIND9_DLZ backend, and at the time I experienced > the issue I was using the internal one. > Marc & Mathias, > The 2nd link that Marc references is about a