Latest revision as of 11:31, 28 December 2020

Introduction

On a Samba Active Directory (AD) domain controller (DC) using the BIND9_DLZ DNS back end, dynamic DNS updates can with the dns_tkey_negotiategss: TKEY is unacceptable error. For example:

# samba_dnsupdate --verbose
...
dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.samdom.example.com. 900 IN SRV 0 100 3268 dc1.samdom.example.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 20 entries

This documentation describes how to debug and fix fix the problem.

Verifying the dns.keytab File Content

The binddns dir was changed at Samba 4.8.0 from /usr/local/samba/private/dns to /usr/local/samba/bind-dns/dns. Ensure you use the correct path in the following commands.

List the keys in the /usr/local/samba/private/dns.keytab file. The keytab file must list multiple Kerberos principals for the host. For example:

# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
   ...

If no Kerberos principals are listed:

Remove the keytab file:

# rm /usr/local/samba/private/dns.keytab

Remove the account, BIND uses on this domain controller (DC), to connect to the Active Directory (AD). For example, to delete the account for the DC1 domain controller, enter:

# samba-tool user delete dns-DC1

Recreate the keytab file file and the AD account for the DC. For details, see Verifying That the BIND AD Account Exists for the DC.

Verifying That the BIND AD Account Exists for the DC

For each Samba domain controller (DC) using the BIND9_DLZ DNS back end, a dedicated account must exist, to enable BIND to access the AD.

For example, to verify if the account exists in AD for the DC1 domain controller, enter:

# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-DC1' dn
# record 1
dn: CN=dns-DC1,CN=Users,DC=samdom,DC=example,DC=com

If the account is not found:

Reset the DNS settings:

# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created	
DNS partitions already exist
Adding dns-DC1 account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

If the account creation failed, change temporarily the DNS back end. For details, see Temporarily Changing the DNS Back End.
Bug #10882

Verify that the correct BIND9_DLZ module for your BIND version is enabled. For details, see Configuring the BIND9_DLZ Module.

Restart BIND.

Temporarily Changing the DNS Back End

If recreating the BIND Active Directory (AD) account for the domain controller (DC) failed, temporarily change the DNS back end:

Change the DNS back end to SAMBA_INTERNAL:

# samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS

Change the DNS back end back to BIND9_DLZ:

# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-DC1 account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

Restart BIND.

Verifying File Permissions

Verify that BIND is able to read the Kerberos keytab and /etc/krb5.conf file. For details, see Setting up Dynamic DNS Updates Using Kerberos.

BIND must be able to write to the temporary directory. For details, which temporary folder your BIND installation uses, see the BIND and your operating system's documentation

Testing Dynamic DNS Updates

For details, see Testing Dynamic DNS Updates.

Anonymous

Search

Navigation

Navigation

Wiki tools

Wiki tools

Difference between revisions of "Dns tkey negotiategss: TKEY is unacceptable"

Namespaces

Page actions

Latest revision as of 11:31, 28 December 2020

Contents

Introduction

Verifying the dns.keytab File Content

Verifying That the BIND AD Account Exists for the DC

Temporarily Changing the DNS Back End

Verifying File Permissions

Testing Dynamic DNS Updates

@@ Line 1: / Line 1: @@
 = Introduction =
-This documentation describes how to locate and fix „dns_tkey_negotiategss: TKEY is unacceptable“ problems of DNS updates on a BIND9_DLZ Domain Controller:
+On a Samba Active Directory (AD) domain controller (DC) using the <code>BIND9_DLZ</code> DNS back end, dynamic DNS updates can with the <code>dns_tkey_negotiategss: TKEY is unacceptable</code> error. For example:
   # samba_dnsupdate --verbose
   ...
-  ...
+  '''dns_tkey_negotiategss: TKEY is unacceptable'''
- ...
- dns_tkey_negotiategss: TKEY is unacceptable
   Failed nsupdate: 1
   Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
@@ Line 20: / Line 18: @@
   Failed update of 20 entries
-= Check dns.keytab content =
+This documentation describes how to debug and fix fix the problem.
-Make sure that your dns.keytab isn't empty or contains wrong entries.
+= Verifying the dns.keytab File Content =
+{{Imbox
+| type = note
+| text = The binddns dir was changed at Samba 4.8.0 from <code>/usr/local/samba/private/dns</code> to <code>/usr/local/samba/bind-dns/dns</code>. Ensure you use the correct path in the following commands.
+}}
- # klist -k /usr/local/samba/private/dns.keytab
- Keytab name: FILE:/usr/local/samba/private/dns.keytab
- KVNO Principal
- ---- --------------------------------------------------------------------------
-The correct output contains several entries - each with the hostname of the DC:
+List the keys in the <code>/usr/local/samba/private/dns.keytab</code> file. The keytab file must list multiple Kerberos principals for the host. For example:
   # klist -k /usr/local/samba/private/dns.keytab
@@ Line 37: / Line 40: @@
 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
 dns-DC1@SAMDOM.EXAMPLE.COM
-DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
+     ...
-dns-DC1@SAMDOM.EXAMPLE.COM
-DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
+If no Kerberos principals are listed:
-dns-DC1@SAMDOM.EXAMPLE.COM
-DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
-dns-DC1@SAMDOM.EXAMPLE.COM
-DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
-dns-DC1@SAMDOM.EXAMPLE.COM
-To recreate the dns.keytab, remove the file and the corresponding account:
+* Remove the keytab file:
   # rm /usr/local/samba/private/dns.keytab
- # samba-tool user delete dns-DC1            # The account is always named 'dns-yourHostname'
-Recreate the account and keytab by following the steps described in [[#Check_for_existing_DNS-hostname_account|Check for existing DNS-hostname account]]
+* Remove the account, BIND uses on this domain controller (DC), to connect to the Active Directory (AD). For example, to delete the account for the <code>DC1</code> domain controller, enter:
+ # samba-tool user delete dns-DC1
+* Recreate the keytab file file and the AD account for the DC. For details, see [[#Verifying_That_the_BIND_AD_Account_Exists_for_the_DC|Verifying That the BIND AD Account Exists for the DC]].
-= Check for existing DNS-hostname account =
-Every DC provisioned with the BIND9_DLZ backend must have an account existing inside the AD, with the name "dns-hostname" (e. g. dns-DC1, dns-MYSERVER, ...).
+= Verifying That the BIND AD Account Exists for the DC =
-* Recreate the account by running the following command on the host, whose account is missing:
+For each Samba domain controller (DC) using the <code>BIND9_DLZ</code> DNS back end, a dedicated account must exist, to enable BIND to access the AD.
+For example, to verify if the account exists in AD for the <code>DC1</code> domain controller, enter:
+ # ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-DC1' dn
+ # record 1
+ dn: CN=dns-DC1,CN=Users,DC=samdom,DC=example,DC=com
+If the account is not found:
+* Reset the DNS settings:
   # samba_upgradedns --dns-backend=BIND9_DLZ
   Reading domain information
   DNS accounts already exist
   No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
   DNS records will be automatically created
   DNS partitions already exist
   '''Adding dns-DC1 account'''
@@ Line 70: / Line 82: @@
   Finished upgrading DNS
-* On earlier versions of Samba 4, When you run this command the BIND9_DLZ module is reset to version 9.8! If you're running BIND 9.9, you may have to disable the 9.8 module and enable the one for 9.9 in /usr/local/samba/private/named.conf again.
+{{Imbox
+| type = note
+| text = If the account creation failed, change temporarily the DNS back end. For details, see [[#Temporarily_Changing_the_DNS_Back_End|Temporarily Changing the DNS Back End]].<br />
+  [https://bugzilla.samba.org/show_bug.cgi?id=10882 Bug #10882]
+}}
- dlz "AD DNS Zone" {
+* Verify that the correct <code>BIND9_DLZ</code> module for your BIND version is enabled. For details, see [[BIND9_DLZ_DNS_Back_End#Configuring_the_BIND9_DLZ_Module|Configuring the BIND9_DLZ Module]].
-     # For BIND 9.8.0
-     # database "dlopen /usr/src/samba-4.2.0rc1/bin/modules/bind9/dlz_bind9.so";
-     # For BIND 9.9.0
-     database "dlopen /usr/src/samba-4.2.0rc1/bin/modules/bind9/dlz_bind9_9.so";
- };
 * Restart BIND.
-'''NOTE:''' Until [https://bugzilla.samba.org/show_bug.cgi?id=10882 Bug #10882] is fixed, you will have to temporary switch the backend to SAMBA_INTERNAL and then back to BIND9_DLZ as a workaround instead of just setting just it to BIND9_DLZ again! Otherwise the account will not be created.
-'''= Change DNS backend ='''
+= Temporarily Changing the DNS Back End =
+If recreating the BIND Active Directory (AD) account for the domain controller (DC) failed, temporarily change the DNS back end:
+* Change the DNS back end to <code>SAMBA_INTERNAL</code>:
   # samba_upgradedns --dns-backend=SAMBA_INTERNAL
@@ Line 93: / Line 109: @@
   DNS partitions already exist
   Finished upgrading DNS
+* Change the DNS back end back to <code>BIND9_DLZ</code>:
   # samba_upgradedns --dns-backend=BIND9_DLZ
@@ Line 105: / Line 123: @@
   Finished upgrading DNS
-= Check file permissions =
+* Restart BIND.
-BIND must be able to read the following files:
-* /usr/local/samba/private/dns.keytab
- # chown root:named /usr/local/samba/private/dns.keytab
- # chmod 640 /usr/local/samba/private/dns.keytab
-* /etc/krb5.conf
- # chown root:root /etc/krb5.conf
+= Verifying File Permissions =
- # chmod 644 /etc/krb5.conf
-BIND must be able to write to /var/tmp
+* Verify that BIND is able to read the Kerberos keytab and <code>/etc/krb5.conf</code> file. For details, see [[BIND9_DLZ_DNS_Back_End#Setting_up_Dynamic_DNS_Updates_Using_Kerberos|Setting up Dynamic DNS Updates Using Kerberos]].
+* BIND must be able to write to the temporary directory. For details, which temporary folder your BIND installation uses, see the BIND and your operating system's documentation
+= Testing Dynamic DNS Updates =
+For details, see [[Testing_Dynamic_DNS_Updates|Testing Dynamic DNS Updates]].
- # chmod 1777 /var/tmp
-= Testing =
-To test, if DNS updates are working, run the following command (output shortened for a better readability):
- # samba_dnsupdate --verbose
- IPs: ['10.99.0.2']
- ...
- ...
- ...
- Looking for DNS entry SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268 as _gc._tcp.samdom.example.com.
- Checking 0 100 3268 dc1.samdom.example.com. against SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268
- Failed to find matching DNS entry SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268
- Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268 as _gc._tcp.default-first-site-name._sites.samdom.example.com.
- Checking 0 100 3268 dc1.samdom.example.com. against SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
- Failed to find matching DNS entry SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
- Calling nsupdate for A samdom.example.com 10.99.0.2
- Outgoing update query:
- ...
- ...
- ...
- Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
- Outgoing update query:
- ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
- ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
- ;; UPDATE SECTION:
- _gc._tcp.default-first-site-name._sites.samdom.example.com. 900 IN SRV 0 100 3268 dc1.samdom.example.com.
-The output ends like the example above, if everything was working. Otherwise you would see 'Failed update of n entries' errors.
+----
+[[Category:Active Directory]]
+[[Category:DNS]]

Anonymous

Search

Navigation

Wiki tools

Page tools

Categories

Difference between revisions of "Dns tkey negotiategss: TKEY is unacceptable"

Latest revision as of 11:31, 28 December 2020

Contents

Introduction

Verifying the dns.keytab File Content

Verifying That the BIND AD Account Exists for the DC

Temporarily Changing the DNS Back End

Verifying File Permissions

Testing Dynamic DNS Updates