Difference between revisions of "Dns tkey negotiategss: TKEY is unacceptable"


Revision as of 08:14, 23 October 2015

Introduction

This documentation describes how to locate and fix "dns_tkey_negotiategss: TKEY is unacceptable" problems with DNS updates on a Domain Controller using the BIND9_DLZ backend:

# samba_dnsupdate --verbose
...
...
...
dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.samdom.example.com. 900 IN SRV 0 100 3268 dc1.samdom.example.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 20 entries

Check dns.keytab content

Make sure that your dns.keytab isn't empty and doesn't contain wrong entries. An empty keytab looks like this:

# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------

The correct output contains several entries, each with the hostname of the DC:

# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM

To recreate the dns.keytab, remove the file and the corresponding account:

# rm /usr/local/samba/private/dns.keytab
# samba-tool user delete dns-DC1            # The account is always named 'dns-yourHostname'

Recreate the account and keytab by following the steps described in "Check for existing DNS-hostname account".

Check for existing DNS-hostname account

For every DC that was provisioned with the BIND9_DLZ backend, there must be an existing account inside the AD with the name "dns-hostname" (e.g. dns-DC1, dns-MYSERVER, ...).

  • Recreate the account by running the following command on the host whose account is missing:
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-DC1 account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
  • Whenever you run this command, the BIND9_DLZ module configured in /usr/local/samba/private/named.conf is reset to the one for version 9.8! If you're running BIND 9.9, you have to disable the 9.8 module and enable the one for 9.9 in /usr/local/samba/private/named.conf again:
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/src/samba-4.2.0rc1/bin/modules/bind9/dlz_bind9.so"; 

    # For BIND 9.9.0
    database "dlopen /usr/src/samba-4.2.0rc1/bin/modules/bind9/dlz_bind9_9.so";
};
  • Restart BIND.

Note: If you run a version where Bug #10882 isn't fixed, you have to temporarily switch the backend to SAMBA_INTERNAL and then back to BIND9_DLZ as a workaround, instead of just setting it to BIND9_DLZ again! Otherwise the account isn't created.

# samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-DC1 account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
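The two checks above (keytab content and the dns-hostname account) as an added script, not part of the Samba wiki page: it parses saved "klist -k" and "samba-tool user list" output and verifies that both principals samba_dnsupdate needs and the dns-HOST account are present. The sample listings are constructed inline from the page's dc1/SAMDOM names; the uppercase short host name (dns-DC1) is assumed from the page's example.

```sh
#!/bin/sh
# Added example, not from the Samba wiki page. The functions take command
# output as text, so they can be run against saved output without a DC.

# expected_principals FQDN REALM
# Prints the two principals that dns.keytab must contain for the DC.
expected_principals() {
    fqdn="$1"; realm="$2"
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    printf 'DNS/%s@%s\n' "$fqdn" "$realm"
    printf 'dns-%s@%s\n' "$short" "$realm"
}

# check_keytab_listing KLIST_OUTPUT FQDN REALM
# Returns 0 when both principals appear in "klist -k" output, 1 otherwise.
# An empty keytab (header and dashes only) therefore fails the check.
check_keytab_listing() {
    listing="$1"; fqdn="$2"; realm="$3"
    for p in $(expected_principals "$fqdn" "$realm"); do
        # second column of each klist line is the principal name
        printf '%s\n' "$listing" | awk '{print $2}' | grep -qxF "$p" || {
            echo "missing principal in dns.keytab: $p" >&2
            return 1
        }
    done
    return 0
}

# check_dns_account USERLIST FQDN
# Returns 0 when the dns-HOST account is in "samba-tool user list" output.
check_dns_account() {
    users="$1"; fqdn="$2"
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$users" | grep -qxF "dns-$short"
}

# Constructed sample output (shortened) for offline use.
GOOD_KLIST='Keytab name: FILE:dns.keytab
KVNO Principal
---- ----------------------------------------------
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM'
EMPTY_KLIST='Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- ----------------------------------------------'
SAMPLE_USERS='Administrator
krbtgt
dns-DC1'

# Live use on a DC (klist and samba-tool assumed on PATH):
# check_keytab_listing "$(klist -k /usr/local/samba/private/dns.keytab)" dc1.samdom.example.com SAMDOM.EXAMPLE.COM
# check_dns_account "$(samba-tool user list)" dc1.samdom.example.com
```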
Check file permissions

BIND must be able to read the following files:

  • /usr/local/samba/private/dns.keytab
# chown root:named /usr/local/samba/private/dns.keytab
# chmod 640 /usr/local/samba/private/dns.keytab
  • /etc/krb5.conf
# chown root:root /etc/krb5.conf
# chmod 644 /etc/krb5.conf
Testing

To test whether DNS updates are working, run the following command (output shortened for better readability):

# samba_dnsupdate --verbose
IPs: ['10.99.0.2']
...
...
...
Looking for DNS entry SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268 as _gc._tcp.samdom.example.com.
Checking 0 100 3268 dc1.samdom.example.com. against SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268
Failed to find matching DNS entry SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268
Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268 as _gc._tcp.default-first-site-name._sites.samdom.example.com.
Checking 0 100 3268 dc1.samdom.example.com. against SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
Failed to find matching DNS entry SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
Calling nsupdate for A samdom.example.com 10.99.0.2
Outgoing update query:
...
...
...
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.samdom.example.com. 900 IN SRV 0 100 3268 dc1.samdom.example.com.

If everything is working, the output ends like the example above. Otherwise you would see 'Failed update of n entries' errors.