Difference between revisions of "Dns tkey negotiategss: TKEY is unacceptable"

m (Check file permissions: Bind must be able to write files to /var/tmp in order to update dns (this is the normal setting, but an install we did had incorrect permissions on /var/tmp which cost quite a bit of time troubleshooting.)
(Rewrote page. Removed duplicated content, better explanations, rephrased text, clearer instructions)
Previous revision (before this edit):

= Introduction =

This documentation describes how to locate and fix "dns_tkey_negotiategss: TKEY is unacceptable" problems of DNS updates on a BIND9_DLZ Domain Controller:

 # samba_dnsupdate --verbose
 ...
 '''dns_tkey_negotiategss: TKEY is unacceptable'''
 Failed nsupdate: 1
 Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
 ...
 Failed update of 20 entries

= Check dns.keytab content =

Make sure that your dns.keytab isn't empty or contains wrong entries.

 # klist -k /usr/local/samba/private/dns.keytab
 Keytab name: FILE:/usr/local/samba/private/dns.keytab
 KVNO Principal
 ---- --------------------------------------------------------------------------

The correct output contains several entries - each with the hostname of the DC:

 # klist -k /usr/local/samba/private/dns.keytab
 ...
    1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
    1 dns-DC1@SAMDOM.EXAMPLE.COM
    1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
    1 dns-DC1@SAMDOM.EXAMPLE.COM
    1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
    1 dns-DC1@SAMDOM.EXAMPLE.COM
    1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
    1 dns-DC1@SAMDOM.EXAMPLE.COM
    1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
    1 dns-DC1@SAMDOM.EXAMPLE.COM

To recreate the dns.keytab, remove the file and the corresponding account:

 # rm /usr/local/samba/private/dns.keytab
 # samba-tool user delete dns-DC1            # The account is always named 'dns-yourHostname'

Recreate the account and keytab by following the steps described in [[#Check_for_existing_DNS-hostname_account|Check for existing DNS-hostname account]].

= Check for existing DNS-hostname account =

Every DC provisioned with the BIND9_DLZ backend must have an account existing inside the AD, with the name "dns-hostname" (e.g. dns-DC1, dns-MYSERVER, ...).

* Recreate the account by running the following command on the host whose account is missing:

 # samba_upgradedns --dns-backend=BIND9_DLZ
 Reading domain information
 DNS accounts already exist
 No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
 DNS records will be automatically created
 DNS partitions already exist
 '''Adding dns-DC1 account'''
 ...
 Finished upgrading DNS

* On earlier versions of Samba 4, when you run this command the BIND9_DLZ module is reset to version 9.8! If you're running BIND 9.9, you may have to disable the 9.8 module and enable the one for 9.9 in /usr/local/samba/private/named.conf again.

 dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/src/samba-4.2.0rc1/bin/modules/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    database "dlopen /usr/src/samba-4.2.0rc1/bin/modules/bind9/dlz_bind9_9.so";
 };

* Restart BIND.

'''NOTE:''' Until [https://bugzilla.samba.org/show_bug.cgi?id=10882 Bug #10882] is fixed, you will have to temporarily switch the backend to SAMBA_INTERNAL and then back to BIND9_DLZ as a workaround, instead of just setting it to BIND9_DLZ again! Otherwise the account will not be created.

= Change DNS backend =

 # samba_upgradedns --dns-backend=SAMBA_INTERNAL
 ...
 DNS partitions already exist
 Finished upgrading DNS

 # samba_upgradedns --dns-backend=BIND9_DLZ
 ...
 Finished upgrading DNS

= Check file permissions =

BIND must be able to read the following files:

* /usr/local/samba/private/dns.keytab

 # chown root:named /usr/local/samba/private/dns.keytab
 # chmod 640 /usr/local/samba/private/dns.keytab

* /etc/krb5.conf

 # chown root:root /etc/krb5.conf
 # chmod 644 /etc/krb5.conf

BIND must be able to write to /var/tmp:

 # chmod 1777 /var/tmp

= Testing =

To test if DNS updates are working, run the following command (output shortened for better readability):

 # samba_dnsupdate --verbose
 IPs: ['10.99.0.2']
 ...
 Looking for DNS entry SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268 as _gc._tcp.samdom.example.com.
 Checking 0 100 3268 dc1.samdom.example.com. against SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268
 Failed to find matching DNS entry SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268
 Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268 as _gc._tcp.default-first-site-name._sites.samdom.example.com.
 Checking 0 100 3268 dc1.samdom.example.com. against SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
 Failed to find matching DNS entry SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
 Calling nsupdate for A samdom.example.com 10.99.0.2
 Outgoing update query:
 ...
 Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
 Outgoing update query:
 ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 ;; UPDATE SECTION:
 _gc._tcp.default-first-site-name._sites.samdom.example.com. 900 IN SRV 0 100 3268 dc1.samdom.example.com.

The output ends like the example above if everything is working. Otherwise you will see 'Failed update of n entries' errors.

Revision as of 18:51, 18 November 2016

Introduction

On a Samba Active Directory (AD) domain controller (DC) using the BIND9_DLZ DNS back end, dynamic DNS updates can fail with the dns_tkey_negotiategss: TKEY is unacceptable error. For example:

# samba_dnsupdate --verbose
...
dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.samdom.example.com. 900 IN SRV 0 100 3268 dc1.samdom.example.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 20 entries

This documentation describes how to debug and fix the problem.



Verifying the dns.keytab File Content

List the keys in the /usr/local/samba/private/dns.keytab file. The keytab file must list multiple Kerberos principals for the host. For example:

# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
   ...

If no Kerberos principals are listed:

  • Remove the keytab file:
# rm /usr/local/samba/private/dns.keytab
  • Remove the account that BIND uses on this domain controller (DC) to connect to the Active Directory (AD). For example, to delete the account for the DC1 domain controller, enter:
# samba-tool user delete dns-DC1
  • Recreate the keytab file and the AD account for the DC. For details, see Verifying That the BIND AD Account Exists for the DC.
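As an added example that is not part of the Samba wiki page, the following POSIX shell script performs the two checks discussed so far offline: it extracts the failure count and the TKEY error from saved samba_dnsupdate --verbose output, and it verifies that a klist -k listing contains the two Kerberos principals a BIND9_DLZ DC needs (the DNS/<fqdn> service principal used in the GSS-TSIG TKEY exchange and the dns-<host> account principal). The host name, FQDN and realm are parameters; the sample outputs embedded in the script are constructed from the excerpts above.

```shell
#!/bin/sh
# Added example (not from the Samba wiki page): offline checks for a failing
# "samba_dnsupdate --verbose" run and for a dns.keytab that lacks the
# principals BIND needs. Host name, FQDN and realm are passed in as arguments.

# Count the entries samba_dnsupdate reported as failed. Reads the command
# output from stdin; prints 0 when no "Failed update of N entries" line exists.
dnsupdate_failed_entries() {
    n=$(sed -n 's/^[[:space:]]*Failed update of \([0-9][0-9]*\) entries.*/\1/p' | tail -n 1)
    echo "${n:-0}"
}

# Return 0 when the output contains the TKEY negotiation error, which points
# at a Kerberos problem (keytab or dns-<host> account) rather than a DNS one.
dnsupdate_has_tkey_error() {
    grep -qF 'dns_tkey_negotiategss: TKEY is unacceptable'
}

# Return 0 if a "klist -k" listing (read from stdin) contains both principals
# a BIND9_DLZ DC needs, 1 otherwise. Principals are compared case-sensitively,
# as Kerberos does.
check_dns_keytab_listing() {
    host=$1; fqdn=$2; realm=$3
    listing=$(cat)
    # Service principal that nsupdate's TKEY (GSS-TSIG) negotiation targets.
    printf '%s\n' "$listing" | grep -qF "DNS/${fqdn}@${realm}" || return 1
    # Account principal of the dns-<host> AD user BIND authenticates as.
    printf '%s\n' "$listing" | grep -qF "dns-${host}@${realm}" || return 1
}

# Live use on the DC (root, since the keytab is not world-readable):
#   klist -k /usr/local/samba/private/dns.keytab \
#       | check_dns_keytab_listing DC1 dc1.samdom.example.com SAMDOM.EXAMPLE.COM
#   samba_dnsupdate --verbose 2>&1 | tee /tmp/dnsupdate.log | dnsupdate_has_tkey_error

# Constructed sample outputs (shortened) for an offline demonstration.
FAILING_RUN='Calling nsupdate for A samdom.example.com 10.99.0.2
dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 20 entries'

CLEAN_RUN='Calling nsupdate for A samdom.example.com 10.99.0.2
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0'

GOOD_LISTING='Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- ----
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM'

EMPTY_LISTING='Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- ----'

if printf '%s\n' "$FAILING_RUN" | dnsupdate_has_tkey_error; then
    failed=$(printf '%s\n' "$FAILING_RUN" | dnsupdate_failed_entries)
    echo "TKEY negotiation failed, $failed entries not updated: check dns.keytab and the dns-<host> account"
fi
if printf '%s\n' "$GOOD_LISTING" | check_dns_keytab_listing DC1 dc1.samdom.example.com SAMDOM.EXAMPLE.COM; then
    echo "dns.keytab listing OK"
else
    echo "dns.keytab is missing principals: recreate the keytab and the account"
fi
```

The checks read their input from stdin, so the same functions work on a saved log file and on a live pipeline from the DC; an empty listing, or a listing for another host name, is reported as a failure.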



Verifying That the BIND AD Account Exists for the DC

For each Samba domain controller (DC) using the BIND9_DLZ DNS back end, a dedicated account must exist to enable BIND to access the AD.

For example, to verify that the account exists in AD for the DC1 domain controller, enter:

# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-DC1' dn
# record 1
dn: CN=dns-DC1,CN=Users,DC=samdom,DC=example,DC=com

If the account is not found:

  • Reset the DNS settings:
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-DC1 account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
Note: If the account creation failed, temporarily change the DNS back end. For details, see Temporarily Changing the DNS Back End and Bug #10882 (https://bugzilla.samba.org/show_bug.cgi?id=10882).
  • Verify that the correct BIND9_DLZ module for your BIND version is enabled. For details, see Configuring the BIND9_DLZ Module.
  • Restart BIND.



Temporarily Changing the DNS Back End

If recreating the BIND Active Directory (AD) account for the domain controller (DC) failed, temporarily change the DNS back end:

  • Change the DNS back end to SAMBA_INTERNAL:
# samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS
  • Change the DNS back end back to BIND9_DLZ:
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-DC1 account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
  • Restart BIND.



Verifying File Permissions

  • Verify that BIND is able to read the Kerberos keytab and the /etc/krb5.conf file. For details, see Setting up Dynamic DNS Updates Using Kerberos.
  • BIND must be able to write to the temporary directory. For details on which temporary directory your BIND installation uses, see the BIND and your operating system's documentation.
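As an added example that is not part of the Samba wiki page, the following POSIX shell script checks the three permission requirements from this section, using the modes the previous revision of this page gave (dns.keytab mode 640 owned by root:named, /etc/krb5.conf mode 644, /var/tmp mode 1777). The group name named, the paths and the report wrapper are assumptions; adjust them to your installation (the BIND group is bind on some distributions).

```shell
#!/bin/sh
# Added example, not from the Samba wiki page: permission checks for the
# files BIND needs on a BIND9_DLZ DC. The group "named" and the paths are
# assumptions; adjust them for your installation.

# Print "<symbolic mode> <owner> <group>" for a path, e.g. "-rw-r----- root named".
# ls -ld is used instead of stat because its output layout is the same on GNU,
# BSD and busybox userlands; the mode is cut to 10 characters so an ACL or
# SELinux marker ("+" or ".") in the 11th column is ignored.
ls_mode_owner_group() {
    ls -ld -- "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# Keytab: the BIND group must be able to read it, nobody else may (it holds
# Kerberos keys), and it must belong to the group BIND runs as.
check_keytab_perms() {
    path=$1; want_group=$2
    [ -f "$path" ] || return 1
    set -- $(ls_mode_owner_group "$path")
    mode=$1; group=$3
    [ "$group" = "$want_group" ] || return 1
    case "$mode" in
        ????r??---) return 0 ;;   # group-readable, no access for others
        *)          return 1 ;;
    esac
}

# krb5.conf: BIND runs as an unprivileged user, so the "others" read bit
# must be set (mode 644 in the previous revision of this page).
check_krb5_conf_perms() {
    [ -f "$1" ] || return 1
    set -- $(ls_mode_owner_group "$1")
    case "$1" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Temporary directory (/var/tmp by default): writable by everyone and with
# the sticky bit set, i.e. mode 1777, so named can create files there
# without being able to remove other users' files.
check_tmpdir_perms() {
    [ -d "$1" ] || return 1
    set -- $(ls_mode_owner_group "$1")
    case "$1" in
        drwxrwxrwt) return 0 ;;
        *)          return 1 ;;
    esac
}

# Run one check and print a one-line verdict.
report() {
    label=$1; shift
    if "$@"; then echo "OK   $label"; else echo "FAIL $label"; fi
}

report "dns.keytab readable by the BIND group only" \
    check_keytab_perms /usr/local/samba/private/dns.keytab named
report "/etc/krb5.conf readable by BIND" \
    check_krb5_conf_perms /etc/krb5.conf
report "/var/tmp writable with sticky bit" \
    check_tmpdir_perms /var/tmp
```

A keytab that is world-readable (for example after a careless chmod 644) is reported as FAIL even though BIND could read it, because the mode check is also a confidentiality check on the Kerberos keys; a missing file or directory is reported as FAIL as well.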



Testing Dynamic DNS Updates

For details, see Testing Dynamic DNS Updates.