Dns tkey negotiategss: TKEY is unacceptable: Difference between revisions
Mmuehlfeld (talk | contribs): Initial version of the 'Dns tkey negotiategss: TKEY is unacceptable' documentation; later minor edit (→Introduction)
Revision as of 14:31, 28 November 2014
Introduction
This documentation describes how to locate and fix "dns_tkey_negotiategss: TKEY is unacceptable" errors during DNS updates on a BIND9_DLZ Domain Controller:

# samba_dnsupdate --verbose
...
...
...
dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.samdom.example.com. 900 IN SRV 0 100 3268 dc1.samdom.example.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 20 entries
Check dns.keytab content
Make sure that your dns.keytab is neither empty nor contains wrong entries. An empty keytab looks like this:

# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------

The correct output contains several entries, each carrying the hostname of the DC this file belongs to:

# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
To recreate the dns.keytab, remove the file and the corresponding account:
# rm /usr/local/samba/private/dns.keytab
# samba-tool user delete dns-DC1    # The account is always named 'dns-yourHostname'

Recreate the account and keytab by following the steps described in "Check for existing DNS-hostname account".
Check for existing DNS-hostname account
For every DC that was provisioned with the BIND9_DLZ backend, there must be an existing account inside the AD with the name "dns-hostname" (e.g. dns-DC1, dns-MYSERVER, ...).
- Recreate the account by running the following command on the host whose account is missing:

# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-DC1 account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

- Whenever you run this command, the BIND9_DLZ module in use is reset to the one for BIND version 9.8! If you are running BIND 9.9, you have to disable the 9.8 module and enable the one for 9.9 in /usr/local/samba/private/named.conf again:

dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/src/samba-4.2.0rc1/bin/modules/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    database "dlopen /usr/src/samba-4.2.0rc1/bin/modules/bind9/dlz_bind9_9.so";
};
- Restart BIND.
Note: If you run a version where Bug #10882 isn't fixed, you have to temporarily switch the backend to SAMBA_INTERNAL and then back to BIND9_DLZ as a workaround, instead of just setting it to BIND9_DLZ again! Otherwise the account isn't created.

# samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS

# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-DC1 account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
Check file permissions
BIND must be able to read the following files:
- /usr/local/samba/private/dns.keytab
# chown root:named /usr/local/samba/private/dns.keytab
# chmod 640 /usr/local/samba/private/dns.keytab
- /etc/krb5.conf
# chown root:root /etc/krb5.conf
# chmod 644 /etc/krb5.conf
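The three checks above (keytab principals, active DLZ module in named.conf, file permissions) can be scripted. The following is an added example, not part of the Samba wiki page; it works on constructed klist and named.conf text so it runs offline, and it assumes BIND runs as group 'named' as in the chown commands above.

```shell
#!/bin/sh
# Added example (not from the Samba wiki). Host, realm and paths are the
# page's sample values; the klist/named.conf text below is constructed.

# Returns 0 if klist -k output (on stdin) lists both principals BIND needs
# for GSS-TSIG updates: DNS/<fqdn>@REALM and dns-<HOST>@REALM.
keytab_has_dns_principals() {
    fqdn="$1"; host="$2"; realm="$3"
    out=$(cat)
    printf '%s\n' "$out" | grep -q "DNS/$fqdn@$realm" &&
    printf '%s\n' "$out" | grep -q "dns-$host@$realm"
}

# Prints the dlz module path that is actually enabled (not commented out)
# in a named.conf fragment read from stdin; prints nothing if none is.
active_dlz_module() {
    grep -v '^[[:space:]]*#' | sed -n 's/.*"dlopen \([^"]*\)".*/\1/p'
}

# Returns 0 if a file with octal mode $1 and group $2 is readable by the
# group BIND runs as ($3), i.e. what 'root:named 640' on dns.keytab gives.
group_can_read() {
    mode="$1"; owner_group="$2"; bind_group="$3"
    [ "$owner_group" = "$bind_group" ] || return 1
    g=$(printf '%s' "$mode" | sed 's/^.*\(.\).$/\1/')   # group digit
    [ $(( g & 4 )) -eq 4 ]
}

# Constructed sample inputs (shape taken from the outputs shown above).
KLIST_OK='Keytab name: FILE:dns.keytab
KVNO Principal
---- ----
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM'
KLIST_EMPTY='Keytab name: FILE:dns.keytab
KVNO Principal
---- ----'
NAMED_CONF='dlz "AD DNS Zone" {
    # database "dlopen /usr/src/samba-4.2.0rc1/bin/modules/bind9/dlz_bind9.so";
    database "dlopen /usr/src/samba-4.2.0rc1/bin/modules/bind9/dlz_bind9_9.so";
};'

if printf '%s\n' "$KLIST_OK" | keytab_has_dns_principals dc1.samdom.example.com DC1 SAMDOM.EXAMPLE.COM; then
    echo "dns.keytab: both DNS principals present"
else
    echo "dns.keytab: principals missing, recreate keytab and dns-DC1 account"
fi
echo "active dlz module: $(printf '%s\n' "$NAMED_CONF" | active_dlz_module)"
group_can_read 640 named named && echo "dns.keytab permissions: ok for group named"
```

On a live DC, feed the functions with `klist -k /usr/local/samba/private/dns.keytab`, the real named.conf and `stat -c '%a %G'` output instead of the constructed text.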
Testing
To test whether DNS updates are working, run the following command (output shortened for better readability):

# samba_dnsupdate --verbose
IPs: ['10.99.0.2']
...
...
...
Looking for DNS entry SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268 as _gc._tcp.samdom.example.com.
Checking 0 100 3268 dc1.samdom.example.com. against SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268
Failed to find matching DNS entry SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268
Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268 as _gc._tcp.default-first-site-name._sites.samdom.example.com.
Checking 0 100 3268 dc1.samdom.example.com. against SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
Failed to find matching DNS entry SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
Calling nsupdate for A samdom.example.com 10.99.0.2
Outgoing update query:
...
...
...
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.samdom.example.com. 900 IN SRV 0 100 3268 dc1.samdom.example.com.

If everything is working, the output ends like the example above. Otherwise you would see 'Failed update of n entries' errors.