dns_tkey_negotiategss: TKEY is unacceptable

From SambaWiki

Introduction

This page describes how to locate and fix "dns_tkey_negotiategss: TKEY is unacceptable" errors when samba_dnsupdate pushes DNS updates on a BIND9_DLZ Domain Controller. samba_dnsupdate hands each record to nsupdate, which authenticates the update with GSS-TSIG: before sending the update it negotiates a Kerberos-backed TSIG key with BIND through a TKEY query. The message means BIND rejected that negotiation. On a BIND9_DLZ DC this typically happens because BIND cannot use the key of its DNS/<hostname> service principal, which it reads from dns.keytab (the keys belong to the AD account dns-<hostname>), or because the keytab is missing, stale or unreadable. The checks below cover the keytab, the account and the file permissions, in that order:

# samba_dnsupdate --verbose
...
...
...
dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.samdom.example.com. 900 IN SRV 0 100 3268 dc1.samdom.example.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 20 entries

Check dns.keytab content

Make sure that dns.keytab is neither empty nor filled with entries for the wrong host or an old key version. An empty keytab lists only the header:

# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------

The correct output contains several entries, each carrying the hostname of the DC: one DNS/<fqdn> and one dns-<HOST> entry per encryption type, all with the same KVNO (with MIT Kerberos, klist -ke also prints the encryption type of each entry). A keytab that lists a different host, or whose KVNO no longer matches the account in AD, is just as unusable as an empty one:

# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM
   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM
   1 dns-DC1@SAMDOM.EXAMPLE.COM

If the keytab is empty or wrong, recreate it. The keys in dns.keytab are tied to the dns-<HOST> account, so remove both the file and the account:

# rm /usr/local/samba/private/dns.keytab
# samba-tool user delete dns-DC1            # The account is always named 'dns-yourHostname'

Then recreate the account and the keytab by following the steps described in "Check for existing DNS-hostname account" below.

Check for existing DNS-hostname account

Every DC provisioned with the BIND9_DLZ backend must have an account in AD named "dns-hostname" (e.g. dns-DC1, dns-MYSERVER, ...). BIND authenticates the GSS-TSIG negotiation with this account's keys, so if the account is missing, every update fails with the TKEY error.

  • Recreate the account by running the following command on the host whose account is missing:
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-DC1 account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
  • On earlier versions of Samba 4, running this command resets the BIND9_DLZ module in /usr/local/samba/private/named.conf to the one for BIND 9.8. If you are running BIND 9.9, comment the 9.8 line out again and enable the one for 9.9:
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/src/samba-4.2.0rc1/bin/modules/bind9/dlz_bind9.so"; 

    # For BIND 9.9.0
    database "dlopen /usr/src/samba-4.2.0rc1/bin/modules/bind9/dlz_bind9_9.so";
};
  • Restart BIND.

NOTE: Until Bug #10882 is fixed, you have to temporarily switch the backend to SAMBA_INTERNAL and then back to BIND9_DLZ as a workaround, instead of just setting it to BIND9_DLZ again; otherwise the account will not be created.

Change DNS backend

# samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-DC1 account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

Check file permissions

BIND (the user named runs as; the group is named or bind depending on your distribution) must be able to read the following files. Do not make dns.keytab world-readable: whoever can read it holds the Kerberos keys of the DNS service principal.

  • /usr/local/samba/private/dns.keytab
# chown root:named /usr/local/samba/private/dns.keytab
# chmod 640 /usr/local/samba/private/dns.keytab
  • /etc/krb5.conf
# chown root:root /etc/krb5.conf
# chmod 644 /etc/krb5.conf
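The three checks above (keytab contents, dns-<HOST> account, file permissions) gathered into one script, as an added example that is not part of the Samba project or of this page. It assumes the page's paths under /usr/local/samba, that named runs with group "named", that the host's NetBIOS name is the first DNS label in upper case (dc1.samdom.example.com becomes dns-DC1) and that the Kerberos realm is the upper-cased DNS domain; all of these can be overridden. The keytab parser works on the text of klist -k, so it can be exercised on captured output, while --live runs klist, samba-tool, kinit and finally samba_dnsupdate on the DC itself.

```shell
#!/bin/sh
# Added example, not Samba project code: pre-flight checks for the
# "dns_tkey_negotiategss: TKEY is unacceptable" failure on a BIND9_DLZ DC.
# Assumptions (not from the page): Samba lives under /usr/local/samba, named
# runs with group "named", the NetBIOS name is the first DNS label in upper
# case and the realm is the upper-cased DNS domain.  Override via environment.
KEYTAB=${KEYTAB:-/usr/local/samba/private/dns.keytab}
KRB5_CONF=${KRB5_CONF:-/etc/krb5.conf}
BIND_GROUP=${BIND_GROUP:-named}

# Print the two principals (without realm) that dns.keytab must hold for the
# DC whose FQDN is $1: the DNS/<fqdn> service principal BIND accepts the
# GSS-TSIG context under, and the dns-<HOST> account that owns its keys.
expected_principals() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    short=$(printf '%s' "${fqdn%%.*}" | tr 'a-z' 'A-Z')
    printf 'DNS/%s\n' "$fqdn"
    printf 'dns-%s\n' "$short"
}

# $1 = text of "klist -k <keytab>", $2 = DC FQDN.  Returns 0 when every
# expected principal appears at least once, 1 otherwise.  A listing that is
# only the header (the empty keytab shown on the page) therefore fails.
keytab_has_principals() {
    listing=$1
    host=$2
    rc=0
    for p in $(expected_principals "$host"); do
        # Entry lines look like "   1 DNS/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM":
        # field 1 is the KVNO, field 2 the principal.  Match the principal as an
        # exact prefix of field 2 (no regex, so dots are literal); ignore the realm.
        if ! printf '%s\n' "$listing" |
             awk -v p="$p@" 'NF == 2 && $1 ~ /^[0-9]+$/ && index($2, p) == 1 { f = 1 }
                             END { exit !f }'; then
            echo "dns.keytab: missing principal $p@<REALM>" >&2
            rc=1
        fi
    done
    return $rc
}

# $1 = file, $2 = group that must own it, $3 = exact octal mode wanted.
# Uses GNU stat (Linux); BSD/macOS need "stat -f %Lp" and "stat -f %Sg".
file_perms_ok() {
    f=$1; grp=$2; want=$3
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$f") && fgrp=$(stat -c '%G' "$f") || return 1
    rc=0
    [ "$mode" = "$want" ] || { echo "$f: mode $mode, want $want" >&2; rc=1; }
    [ "$fgrp" = "$grp" ]  || { echo "$f: group $fgrp, want $grp" >&2; rc=1; }
    return $rc
}

# Live checks on the DC itself (run as root; needs klist, kinit, samba-tool).
run_live_checks() {
    host=$(hostname -f)
    listing=$(klist -k "$KEYTAB" 2>&1) || { echo "klist: $listing" >&2; return 1; }
    keytab_has_principals "$listing" "$host" || return 1
    file_perms_ok "$KEYTAB" "$BIND_GROUP" 640 || return 1
    file_perms_ok "$KRB5_CONF" root 644 || return 1
    acct=$(expected_principals "$host" | sed -n 2p)          # dns-<HOST>
    realm=$(printf '%s' "${host#*.}" | tr 'a-z' 'A-Z')       # assumed realm
    samba-tool user list | grep -qx "$acct" ||
        { echo "AD account $acct is missing (see samba_upgradedns)" >&2; return 1; }
    # Prove the keytab key matches the KDC: obtain a TGT for the dns-<HOST>
    # account from it into a throw-away ccache.  A stale keytab (KVNO mismatch
    # after the account was recreated) fails here, before nsupdate does.
    KRB5CCNAME=$(mktemp) && export KRB5CCNAME
    if kinit -k -t "$KEYTAB" "$acct@$realm"; then
        echo "keytab key for $acct@$realm is valid"
        kdestroy 2>/dev/null; rm -f "$KRB5CCNAME"
    else
        echo "kinit from $KEYTAB failed for $acct@$realm" >&2
        rm -f "$KRB5CCNAME"; return 1
    fi
    # Finally let Samba attempt the GSS-TSIG updates themselves.
    samba_dnsupdate --verbose
}

if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Run it as `sh tkey-check.sh --live` on the DC; every failing check names the file or principal it tripped over, which maps directly onto the sections of this page. The pure functions take their input as arguments, so captured klist output from another DC can be checked on any machine.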

Testing

To test whether DNS updates are working, run the following command (output shortened for better readability). The "Failed to find matching DNS entry" lines are normal: they only mean a record is missing and will be added by the nsupdate call that follows:

# samba_dnsupdate --verbose
IPs: ['10.99.0.2']
...
...
...
Looking for DNS entry SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268 as _gc._tcp.samdom.example.com.
Checking 0 100 3268 dc1.samdom.example.com. against SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268
Failed to find matching DNS entry SRV _gc._tcp.samdom.example.com dc1.samdom.example.com 3268
Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268 as _gc._tcp.default-first-site-name._sites.samdom.example.com.
Checking 0 100 3268 dc1.samdom.example.com. against SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
Failed to find matching DNS entry SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
Calling nsupdate for A samdom.example.com 10.99.0.2
Outgoing update query:
...
...
...
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.samdom.example.com dc1.samdom.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.samdom.example.com. 900 IN SRV 0 100 3268 dc1.samdom.example.com.

If everything is working, the output ends like the example above, with no error after the last update query. Otherwise you will see "dns_tkey_negotiategss: TKEY is unacceptable" after the affected updates and a final "Failed update of n entries" line.