Dns tkey negotiategss: TKEY is unacceptable: Difference between revisions
Mmuehlfeld (talk | contribs) (Initial version of the 'Dns tkey negotiategss: TKEY is unacceptable' documentation)
Rayk sland (talk | contribs) m (Removed a comma, so that sentence made sense.)
(7 intermediate revisions by 3 users not shown)
= Introduction =

On a Samba Active Directory (AD) domain controller (DC) using the <code>BIND9_DLZ</code> DNS back end, dynamic DNS updates can fail with the <code>dns_tkey_negotiategss: TKEY is unacceptable</code> error. For example:

This documentation describes how to locate and fix „dns_tkey_negotiategss: TKEY is unacceptable“ problems of DNS updates on a BIND9_DLZ Domain Controller:

 # samba_dnsupdate --verbose
 ...
 dns_tkey_negotiategss: TKEY is unacceptable
 ...
 Failed nsupdate: 1
 Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
 Failed update of 20 entries

This documentation describes how to debug and fix the problem.

= Check dns.keytab content =

= Verifying the dns.keytab File Content =

{{Imbox
| type = note
| text = The binddns dir was changed at Samba 4.8.0 from <code>/usr/local/samba/private/dns</code> to <code>/usr/local/samba/bind-dns/dns</code>. Ensure you use the correct path in the following commands.
}}

 # klist -k /usr/local/samba/private/dns.keytab
 Keytab name: FILE:/usr/local/samba/private/dns.keytab
 KVNO Principal
 ---- --------------------------------------------------------------------------

List the keys in the <code>/usr/local/samba/private/dns.keytab</code> file. The keytab file must list multiple Kerberos principals for the host. For example:

The correct output contains several entries, each containing the hostname of the DC this file belongs to:

 # klist -k /usr/local/samba/private/dns.keytab
 1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
 1 dns-DC1@SAMDOM.EXAMPLE.COM
 ...
 1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
 1 dns-DC1@SAMDOM.EXAMPLE.COM
 1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
 1 dns-DC1@SAMDOM.EXAMPLE.COM
 1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
 1 dns-DC1@SAMDOM.EXAMPLE.COM
 1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
 1 dns-DC1@SAMDOM.EXAMPLE.COM

If no Kerberos principals are listed:

* Remove the keytab file:

 # rm /usr/local/samba/private/dns.keytab

* Remove the account BIND uses on this domain controller (DC) to connect to the Active Directory (AD). For example, to delete the account for the <code>DC1</code> domain controller, enter:

 # samba-tool user delete dns-DC1 # The account is always named 'dns-yourHostname'

Recreate the account and keytab by following the steps described in [[#Check_for_existing_DNS-hostname_account|Check for existing DNS-hostname account]]

* Recreate the keytab file and the AD account for the DC. For details, see [[#Verifying_That_the_BIND_AD_Account_Exists_for_the_DC|Verifying That the BIND AD Account Exists for the DC]].
= Check for existing DNS-hostname account =

For every DC that was provisioned with the BIND9_DLZ back end, there must be an existing account inside the AD with the name "dns-hostname" (e.g. dns-DC1, dns-MYSERVER, ...).

= Verifying That the BIND AD Account Exists for the DC =

For each Samba domain controller (DC) using the <code>BIND9_DLZ</code> DNS back end, a dedicated account must exist to enable BIND to access the AD.

For example, to verify if the account exists in AD for the <code>DC1</code> domain controller, enter:

 # ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-DC1' dn
 # record 1
 dn: CN=dns-DC1,CN=Users,DC=samdom,DC=example,DC=com

If the account is not found:

* Recreate the account by running the following command on the host whose account is missing:

* Reset the DNS settings:

 # samba_upgradedns --dns-backend=BIND9_DLZ
 Reading domain information
 DNS accounts already exist
 No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
 DNS records will be automatically created
 DNS partitions already exist
 '''Adding dns-DC1 account'''
 Finished upgrading DNS

{{Imbox
| type = note
| text = If the account creation failed, temporarily change the DNS back end. For details, see [[#Temporarily_Changing_the_DNS_Back_End|Temporarily Changing the DNS Back End]].<br />
[https://bugzilla.samba.org/show_bug.cgi?id=10882 Bug #10882]
}}

* Whenever you run this command, the BIND9_DLZ module in use is reset to the one for version 9.8! If you're running BIND 9.9, you have to disable the 9.8 module and enable the one for 9.9 in /usr/local/samba/private/named.conf again.

* Verify that the correct <code>BIND9_DLZ</code> module for your BIND version is enabled. For details, see [[BIND9_DLZ_DNS_Back_End#Configuring_the_BIND9_DLZ_Module|Configuring the BIND9_DLZ Module]].

 dlz "AD DNS Zone" {
     # For BIND 9.8.0
     # database "dlopen /usr/src/samba-4.2.0rc1/bin/modules/bind9/dlz_bind9.so";
     # For BIND 9.9.0
     database "dlopen /usr/src/samba-4.2.0rc1/bin/modules/bind9/dlz_bind9_9.so";
 };

* Restart BIND.

'''Note:''' If you run a version where [https://bugzilla.samba.org/show_bug.cgi?id=10882 Bug #10882] isn't fixed, you have to temporarily switch the back end to SAMBA_INTERNAL and then back to BIND9_DLZ as a workaround, instead of just setting it to BIND9_DLZ again. Otherwise the account isn't created.

= Temporarily Changing the DNS Back End =

If recreating the BIND Active Directory (AD) account for the domain controller (DC) failed, temporarily change the DNS back end:

* Change the DNS back end to <code>SAMBA_INTERNAL</code>:

 # samba_upgradedns --dns-backend=SAMBA_INTERNAL
 DNS partitions already exist
 Finished upgrading DNS

* Change the DNS back end back to <code>BIND9_DLZ</code>:

 # samba_upgradedns --dns-backend=BIND9_DLZ
 Finished upgrading DNS

* Restart BIND.
= Check file permissions =

= Verifying File Permissions =

BIND must be able to read the following files:

* /usr/local/samba/private/dns.keytab

 # chown root:named /usr/local/samba/private/dns.keytab
 # chmod 640 /usr/local/samba/private/dns.keytab

* /etc/krb5.conf

 # chown root:root /etc/krb5.conf
 # chmod 644 /etc/krb5.conf

* Verify that BIND is able to read the Kerberos keytab and <code>/etc/krb5.conf</code> file. For details, see [[BIND9_DLZ_DNS_Back_End#Setting_up_Dynamic_DNS_Updates_Using_Kerberos|Setting up Dynamic DNS Updates Using Kerberos]].

* BIND must be able to write to the temporary directory. For details on which temporary directory your BIND installation uses, see the BIND and your operating system's documentation.
= Testing Dynamic DNS Updates =

For details, see [[Testing_Dynamic_DNS_Updates|Testing Dynamic DNS Updates]].

= Testing =

To test if DNS updates are working, run the following command (output shortened for better readability):

 # samba_dnsupdate --verbose
 IPs: ['10.99.0.2']
 ...
 Looking for DNS entry SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268 as _gc._tcp.samdom.example.com.
 Checking 0 100 3268 dc1.samdom.example.com. against SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268
 Failed to find matching DNS entry SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268
 Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268 as _gc._tcp.default-first-site-name._sites.samdom.example.com.
 Checking 0 100 3268 dc1.samdom.example.com. against SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
 Failed to find matching DNS entry SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
 Calling nsupdate for A samdom.example.com 10.99.0.2
 Outgoing update query:
 ...
 Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
 Outgoing update query:
 ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 ;; UPDATE SECTION:
 _gc._tcp.default-first-site-name._sites.samdom.example.com. 900 IN SRV 0 100 3268 dc1.samdom.example.com.

----

The output ends like the example above if everything is working. Otherwise you would see 'Failed update of n entries' errors.

[[Category:Active Directory]]
[[Category:DNS]]
Latest revision as of 20:07, 1 November 2023
Introduction
On a Samba Active Directory (AD) domain controller (DC) using the BIND9_DLZ DNS back end, dynamic DNS updates can fail with the dns_tkey_negotiategss: TKEY is unacceptable error. For example:
# samba_dnsupdate --verbose
...
dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.samdom.example.com. 900 IN SRV 0 100 3268 dc1.samdom.example.com.
dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 20 entries
This documentation describes how to debug and fix the problem.
Verifying the dns.keytab File Content
The binddns dir was changed at Samba 4.8.0 from /usr/local/samba/private/dns to /usr/local/samba/bind-dns/dns. Ensure you use the correct path in the following commands.
List the keys in the /usr/local/samba/private/dns.keytab file. The keytab file must list multiple Kerberos principals for the host. For example:
# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
1 dns-DC1@SAMDOM.EXAMPLE.COM
...
If no Kerberos principals are listed:
- Remove the keytab file:
# rm /usr/local/samba/private/dns.keytab
- Remove the account BIND uses on this domain controller (DC) to connect to the Active Directory (AD). For example, to delete the account for the DC1 domain controller, enter:
# samba-tool user delete dns-DC1
- Recreate the keytab file and the AD account for the DC. For details, see Verifying That the BIND AD Account Exists for the DC.
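The keytab check above, as an added example that is not part of the Samba wiki page: a POSIX shell function that reads klist -k output and reports whether the two principals this DC needs (DNS/<fqdn>@REALM and dns-<HOST>@REALM) are present. It separates the header-only listing the page describes from a keytab that does list principals but for a different host, which the page does not cover. The function names, the sample listings and the assumption that the short account name is the upper-cased first label of the FQDN (as in the page's dns-DC1) are mine, not Samba's.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): validate a `klist -k` listing of
# dns.keytab for the principals BIND needs for GSS-TSIG (TKEY) updates.
# Real usage, with the keytab path for your Samba version:
#   klist -k /usr/local/samba/private/dns.keytab \
#       | check_dns_keytab dc1.samdom.example.com SAMDOM.EXAMPLE.COM

# check_dns_keytab FQDN REALM
# Reads klist output on stdin and prints one line per problem found.
# Returns 0 if both DNS/<FQDN>@REALM and dns-<HOST>@REALM are listed,
# 1 otherwise. Assumption (matches the page's dns-DC1 example): the short
# account name is the first label of the FQDN in upper case.
check_dns_keytab() {
    fqdn=$1
    realm=$2
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    listing=$(cat)
    rc=0

    # Entry lines start with a KVNO; the header lines do not. A listing
    # without any entry line is the empty-keytab case the page describes.
    if ! printf '%s\n' "$listing" | grep -Eq '^[[:space:]]*[0-9]+[[:space:]]'; then
        echo "keytab lists no principals at all"
        return 1
    fi

    for princ in "DNS/$fqdn@$realm" "dns-$short@$realm"; do
        if ! printf '%s\n' "$listing" | grep -Fq "$princ"; then
            echo "missing principal: $princ"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample listings, modelled on the output shown on the page.
SAMPLE_OK='Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM'

# Header only: what the page calls "no Kerberos principals are listed".
SAMPLE_EMPTY='Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------'

# Constructed: principals present, but for a different DC (dc2).
SAMPLE_WRONG_HOST='Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc2.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC2@SAMDOM.EXAMPLE.COM'

# check_sample LISTING: run the check for dc1 over an in-memory listing.
check_sample() {
    printf '%s\n' "$1" | check_dns_keytab dc1.samdom.example.com SAMDOM.EXAMPLE.COM
}

if check_sample "$SAMPLE_OK"; then echo "OK: keytab has the expected principals"; fi
check_sample "$SAMPLE_EMPTY" || echo "-> remove dns.keytab and recreate the dns-DC1 account"
check_sample "$SAMPLE_WRONG_HOST" || echo "-> keytab lists another host; recreate it on this DC"
```

The check only looks at principal names; a keytab whose principals are correct but whose KVNO no longer matches the account in AD also breaks TKEY negotiation, and that is what the page's "remove the keytab and account, then recreate both" procedure resets.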
Verifying That the BIND AD Account Exists for the DC
For each Samba domain controller (DC) using the BIND9_DLZ DNS back end, a dedicated account must exist to enable BIND to access the AD.
For example, to verify if the account exists in AD for the DC1 domain controller, enter:
# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-DC1' dn
# record 1
dn: CN=dns-DC1,CN=Users,DC=samdom,DC=example,DC=com
If the account is not found:
- Reset the DNS settings:
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-DC1 account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
If the account creation failed, temporarily change the DNS back end. For details, see Temporarily Changing the DNS Back End. Bug #10882
- Verify that the correct BIND9_DLZ module for your BIND version is enabled. For details, see Configuring the BIND9_DLZ Module.
- Restart BIND.
Temporarily Changing the DNS Back End
If recreating the BIND Active Directory (AD) account for the domain controller (DC) failed, temporarily change the DNS back end:
- Change the DNS back end to SAMBA_INTERNAL:
# samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS
- Change the DNS back end back to BIND9_DLZ:
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-DC1 account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
- Restart BIND.
Verifying File Permissions
- Verify that BIND is able to read the Kerberos keytab and /etc/krb5.conf file. For details, see Setting up Dynamic DNS Updates Using Kerberos.
- BIND must be able to write to the temporary directory. For details on which temporary directory your BIND installation uses, see the BIND and your operating system's documentation.
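A way to check the three permission requirements above without switching to the BIND user, as an added example that is not part of the Samba wiki page: a POSIX shell function that judges read or write access for a service user and group from the classic mode bits and owner/group shown by ls -ld. The function names, the named user and group (the page's own chown example uses the named group), the temp-file demo and the /tmp default are assumptions; the check ignores ACLs, SELinux/AppArmor and supplementary groups, so a pass is necessary but not sufficient.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): check whether the account BIND runs
# as can read (or write) a file, judged from the classic mode bits and the
# owner/group shown by `ls -ld`. ACLs, SELinux/AppArmor and supplementary
# groups are not consulted, so treat a pass as necessary, not sufficient.
# Real usage (user, group and paths depend on distribution and Samba version):
#   access_by_service /usr/local/samba/private/dns.keytab named named r
#   access_by_service /etc/krb5.conf named named r
#   access_by_service /var/tmp named named w

# access_by_service FILE USER GROUP [r|w]
# Returns 0 if FILE grants the bit to USER as owner, to GROUP as owning
# group, or to everyone; prints the reason and returns 1 otherwise.
access_by_service() {
    file=$1 user=$2 group=$3 bit=${4:-r}
    [ -e "$file" ] || { echo "$file: does not exist"; return 1; }
    set -- $(ls -ld "$file")        # $1 = mode string, $3 = owner, $4 = group
    mode=$1 owner=$3 fgroup=$4
    # Mode string layout: type char, then rwx for owner, group, other.
    case $bit in
        r) pu='?r';  pg='????r';  po='???????r' ;;
        w) pu='??w'; pg='?????w'; po='????????w' ;;
        *) echo "unknown access bit: $bit"; return 2 ;;
    esac
    if [ "$owner" = "$user" ]; then case $mode in $pu*) return 0 ;; esac; fi
    if [ "$fgroup" = "$group" ]; then case $mode in $pg*) return 0 ;; esac; fi
    case $mode in $po*) return 0 ;; esac
    echo "$file: mode $mode ($owner:$fgroup) gives $user/$group no '$bit' access"
    return 1
}

# check_bind_files USER GROUP KEYTAB [TMPDIR]
# The page's three requirements in one call: keytab readable, krb5.conf
# readable, temporary directory writable. Returns 0 only if all pass.
check_bind_files() {
    svc_user=$1 svc_group=$2 keytab=$3 tmpdir=${4:-/tmp}
    bad=0
    access_by_service "$keytab" "$svc_user" "$svc_group" r || bad=1
    access_by_service /etc/krb5.conf "$svc_user" "$svc_group" r || bad=1
    access_by_service "$tmpdir" "$svc_user" "$svc_group" w || bad=1
    return $bad
}

# Demo on a constructed file; no Samba or BIND installation is needed.
demo_dir=$(mktemp -d)
: > "$demo_dir/dns.keytab"
chmod 640 "$demo_dir/dns.keytab"        # 640 with group named is the page's recommendation
demo_group=$(ls -ld "$demo_dir/dns.keytab" | awk '{print $4}')
access_by_service "$demo_dir/dns.keytab" named "$demo_group" r && echo "readable via group $demo_group: OK"
access_by_service "$demo_dir/dns.keytab" named no-such-group r || echo "-> fix with chgrp named / chmod 640"
rm -rf "$demo_dir"
```

Run check_bind_files named named /usr/local/samba/private/dns.keytab on a DC (adjusting user, group and keytab path to the installation) and act on each line it prints; a keytab that is world-readable passes the read check but exposes the DNS account's keys to every local user, so the page's 640 with the BIND group is the setting to aim for, not 644.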
Testing Dynamic DNS Updates
For details, see Testing Dynamic DNS Updates.