
[Samba] Samba as AD travails




Many (many) hours later, I'm finally throwing in the towel and seeking help.

I have read everything I can find on the internet to no avail to get past
my issues.  I have to say, I'm very disappointed in the general quality and
fragmentation of information on this topic.   Samba isn't a turn-key
solution as an AD by any stretch of the imagination.  I've run the gamut so
far with issues that internet digging has (mostly) resolved.

I had this essentially all working with the internal DNS....until that
corrupted with strange error messages about undotted things that
essentially broke it.

And so, on to bind.  I've got plenty of experience with that, should be
fairly easy, right?  ha

Another 5-6 hours later, I'm stuck at what seems to be the same brick wall
many people end up with...TKEY is unacceptable.   Along with that, RSAT is
essentially non-functional with the AD Users/Computers working sporadically
and the DNS never having connected once to named  (always denied).  klist
never works after a reboot....always requires another init, even though the
keytab in /var/lib/samba/private is good

I simply have no idea where to go from here.  I've done everything on the
Wiki 2-3 times.  I've rebuilt from the start twice.  Every time I end up in
the exact same place.

I'm looking for ideas.  I've updated permissions on all the files mentioned
anywhere on the internet in /var/lib/samba.    Kerberos works fine except
for the aforementioned post-boot absence of a ticket.

Here are some files to start with

=========================================
smb.conf:
=========================================
[global]
        workgroup = HEATHFAM
        realm = HEATHFAM.COM
        netbios name = SAMBA-AD
        server role = active directory domain controller
        allow dns updates = nonsecure
#       dns forwarder = 8.8.8.8
#       dns forwarder = 10.0.2.10
        idmap_ldb:use rfc2307 = yes
        server services = rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, s3fs
        tls enabled  = yes
        tls keyfile  = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile   = tls/ca.pem

        username map = /etc/samba/user.map

[netlogon]
        path = /var/lib/samba/sysvol/heathfam.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

=========================================
named.conf.local
=========================================
zone "heathfam.com" {
    type master;
    file "/var/lib/bind/zones/db.heathfam.com"; # zone file path
    allow-update { 10.0.2.0/24; };
};

zone "2.0.10.in-addr.arpa" {
    type master;
    file "/var/lib/bind/zones/db.10.0.2";  # 10.128.2.0/16 subnet
    allow-update { 10.0.2.0/24; };
};

=========================================
named.conf.options
=========================================
acl "trusted" {
        127.0.0.1;
        10.0.2.0/24;
};

options {
        directory "/var/cache/bind";

        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation no;

        auth-nxdomain no;    # conform to RFC1035
        listen-on { 10.0.2.4; };

    notify no;
    empty-zones-enable no;

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        127.0.0.1;
        10.0.2.0/24;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion { trusted; };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        10.0.2.10;
        8.8.8.8;
    };

    # Disable zone transfers
    allow-transfer {
        127.0.0.1;
        10.0.2.0/24;
    };
 };

=========================================
bottom of /etc/apparmor.d/usr.sbin.named
=========================================
# Samba4 DLZ and Active Directory Zones (default source installation)
/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/ rw,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/var/tmp/** rwmk,
}


=========================================
output of samba_dnsupdate
=========================================

root@samba-ad:/etc/apparmor.d# samba_dnsupdate --verbose
IPs: ['10.0.2.4']
Looking for DNS entry A samba-ad.heathfam.com 10.0.2.4 as
samba-ad.heathfam.com.
Looking for DNS entry A heathfam.com 10.0.2.4 as heathfam.com.
Failed to find DNS entry A heathfam.com 10.0.2.4
Looking for DNS entry SRV _ldap._tcp.heathfam.com samba-ad.heathfam.com 389
as _ldap._tcp.heathfam.com.
Checking 0 0 389 samba-ad.heathfam.com. against SRV _ldap._tcp.heathfam.com
samba-ad.heathfam.com 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.heathfam.com
samba-ad.heathfam.com 389 as _ldap._tcp.dc._msdcs.heathfam.com.
Checking 0 0 389 samba-ad.heathfam.com. against SRV _ldap._tcp.dc._
msdcs.heathfam.com samba-ad.heathfam.com 389
Looking for DNS entry SRV _ldap._tcp.1ebfe405-6e9f-49d4-
9165-b0073b4f4cfe.domains._msdcs.heathfam.com samba-ad.heathfam.com 389 as
_ldap._tcp.1ebfe405-6e9f-49d4-9165-b0073b4f4cfe.domains._msdcs.heathfam.com.
Failed to find DNS entry SRV _ldap._tcp.1ebfe405-6e9f-49d4-
9165-b0073b4f4cfe.domains._msdcs.heathfam.com samba-ad.heathfam.com 389
Looking for DNS entry SRV _kerberos._tcp.heathfam.com samba-ad.heathfam.com 88
as _kerberos._tcp.heathfam.com.
Failed to find DNS entry SRV _kerberos._tcp.heathfam.com
samba-ad.heathfam.com 88
Looking for DNS entry SRV _kerberos._udp.heathfam.com samba-ad.heathfam.com 88
as _kerberos._udp.heathfam.com.
Checking 0 0 88 samba-ad.heathfam.com. against SRV _kerberos._
udp.heathfam.com samba-ad.heathfam.com 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.heathfam.com
samba-ad.heathfam.com 88 as _kerberos._tcp.dc._msdcs.heathfam.com.
Failed to find DNS entry SRV _kerberos._tcp.dc._msdcs.heathfam.com
samba-ad.heathfam.com 88
Looking for DNS entry SRV _kpasswd._tcp.heathfam.com samba-ad.heathfam.com 464
as _kpasswd._tcp.heathfam.com.
Failed to find DNS entry SRV _kpasswd._tcp.heathfam.com
samba-ad.heathfam.com 464
Looking for DNS entry SRV _kpasswd._udp.heathfam.com samba-ad.heathfam.com 464
as _kpasswd._udp.heathfam.com.
Failed to find DNS entry SRV _kpasswd._udp.heathfam.com
samba-ad.heathfam.com 464
Looking for DNS entry CNAME 5abed772-459b-4b4f-8fc0-83526ca15b42._
msdcs.heathfam.com samba-ad.heathfam.com as 5abed772-459b-4b4f-8fc0-
83526ca15b42._msdcs.heathfam.com.
Failed to find DNS entry CNAME 5abed772-459b-4b4f-8fc0-83526ca15b42._
msdcs.heathfam.com samba-ad.heathfam.com
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._
sites.heathfam.com samba-ad.heathfam.com 389 as
_ldap._tcp.Default-First-Site-Name._sites.heathfam.com.
Failed to find DNS entry SRV _ldap._tcp.Default-First-Site-Name._
sites.heathfam.com samba-ad.heathfam.com 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._
msdcs.heathfam.com samba-ad.heathfam.com 389 as
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.heathfam.com.
Failed to find DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._
msdcs.heathfam.com samba-ad.heathfam.com 389
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._
sites.heathfam.com samba-ad.heathfam.com 88 as _kerberos._tcp.Default-First-
Site-Name._sites.heathfam.com.
Failed to find DNS entry SRV _kerberos._tcp.Default-First-Site-Name._
sites.heathfam.com samba-ad.heathfam.com 88
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._
msdcs.heathfam.com samba-ad.heathfam.com 88 as _kerberos._tcp.Default-First-
Site-Name._sites.dc._msdcs.heathfam.com.
Failed to find DNS entry SRV _kerberos._tcp.Default-First-
Site-Name._sites.dc._msdcs.heathfam.com samba-ad.heathfam.com 88
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.heathfam.com
samba-ad.heathfam.com 389 as _ldap._tcp.pdc._msdcs.heathfam.com.
Failed to find DNS entry SRV _ldap._tcp.pdc._msdcs.heathfam.com
samba-ad.heathfam.com 389
Looking for DNS entry A gc._msdcs.heathfam.com 10.0.2.4 as gc._
msdcs.heathfam.com.
Failed to find DNS entry A gc._msdcs.heathfam.com 10.0.2.4
Looking for DNS entry SRV _gc._tcp.heathfam.com samba-ad.heathfam.com 3268
as _gc._tcp.heathfam.com.
Failed to find DNS entry SRV _gc._tcp.heathfam.com samba-ad.heathfam.com
 3268
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.heathfam.com
samba-ad.heathfam.com 3268 as _ldap._tcp.gc._msdcs.heathfam.com.
Failed to find DNS entry SRV _ldap._tcp.gc._msdcs.heathfam.com
samba-ad.heathfam.com 3268
Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._
sites.heathfam.com samba-ad.heathfam.com 3268 as
_gc._tcp.Default-First-Site-Name._sites.heathfam.com.
Failed to find DNS entry SRV _gc._tcp.Default-First-Site-Name._
sites.heathfam.com samba-ad.heathfam.com 3268
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._
msdcs.heathfam.com samba-ad.heathfam.com 3268 as
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.heathfam.com.
Failed to find DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._
msdcs.heathfam.com samba-ad.heathfam.com 3268
Looking for DNS entry A DomainDnsZones.heathfam.com 10.0.2.4 as
DomainDnsZones.heathfam.com.
Failed to find DNS entry A DomainDnsZones.heathfam.com 10.0.2.4
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.heathfam.com
samba-ad.heathfam.com 389 as _ldap._tcp.DomainDnsZones.heathfam.com.
Failed to find DNS entry SRV _ldap._tcp.DomainDnsZones.heathfam.com
samba-ad.heathfam.com 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.heathfam.com
samba-ad.heathfam.com 389 as
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.heathfam.com.
Failed to find DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.heathfam.com
samba-ad.heathfam.com 389
Looking for DNS entry A ForestDnsZones.heathfam.com 10.0.2.4 as
ForestDnsZones.heathfam.com.
Failed to find DNS entry A ForestDnsZones.heathfam.com 10.0.2.4
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.heathfam.com
samba-ad.heathfam.com 389 as _ldap._tcp.ForestDnsZones.heathfam.com.
Failed to find DNS entry SRV _ldap._tcp.ForestDnsZones.heathfam.com
samba-ad.heathfam.com 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.heathfam.com
samba-ad.heathfam.com 389 as
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.heathfam.com.
Failed to find DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.heathfam.com
samba-ad.heathfam.com 389
Calling nsupdate for A heathfam.com 10.0.2.4 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
heathfam.com.           900     IN      A       10.0.2.4

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.1ebfe405-6e9f-49d4-
9165-b0073b4f4cfe.domains._msdcs.heathfam.com samba-ad.heathfam.com 389
(add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.1ebfe405-6e9f-49d4-9165-b0073b4f4cfe.domains._msdcs.heathfam.com.
900 IN SRV 0 100 389 samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.heathfam.com samba-ad.heathfam.com 88
(add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.heathfam.com. 900 IN     SRV     0 100 88
samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.heathfam.com
samba-ad.heathfam.com 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.heathfam.com. 900 IN SRV 0 100 88
samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _kpasswd._tcp.heathfam.com samba-ad.heathfam.com 464
(add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.heathfam.com. 900 IN      SRV     0 100 464
samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _kpasswd._udp.heathfam.com samba-ad.heathfam.com 464
(add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.heathfam.com. 900 IN      SRV     0 100 464
samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for CNAME 5abed772-459b-4b4f-8fc0-83526ca15b42._
msdcs.heathfam.com samba-ad.heathfam.com (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
5abed772-459b-4b4f-8fc0-83526ca15b42._msdcs.heathfam.com. 900 IN CNAME
samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
sites.heathfam.com samba-ad.heathfam.com 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.heathfam.com. 900 IN SRV 0 100
389 samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.dc._
msdcs.heathfam.com samba-ad.heathfam.com 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.heathfam.com. 900 IN
SRV 0 100 389 samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._
sites.heathfam.com samba-ad.heathfam.com 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.heathfam.com. 900 IN SRV 0
100 88 samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._
msdcs.heathfam.com samba-ad.heathfam.com 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.heathfam.com. 900
IN SRV 0 100 88 samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.heathfam.com
samba-ad.heathfam.com 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.pdc._msdcs.heathfam.com. 900 IN SRV  0 100 389
samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for A gc._msdcs.heathfam.com 10.0.2.4 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.heathfam.com. 900     IN      A       10.0.2.4

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _gc._tcp.heathfam.com samba-ad.heathfam.com 3268
(add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.heathfam.com.  900     IN      SRV     0 100 3268
samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.heathfam.com
samba-ad.heathfam.com 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.heathfam.com. 900 IN SRV   0 100 3268
samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._
sites.heathfam.com samba-ad.heathfam.com 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.Default-First-Site-Name._sites.heathfam.com. 900 IN SRV 0 100 3268
samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.gc._
msdcs.heathfam.com samba-ad.heathfam.com 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.heathfam.com. 900 IN
SRV 0 100 3268 samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for A DomainDnsZones.heathfam.com 10.0.2.4 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
DomainDnsZones.heathfam.com. 900 IN A 10.0.2.4

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.heathfam.com
samba-ad.heathfam.com 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.DomainDnsZones.heathfam.com. 900 IN SRV 0 100 389
samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.heathfam.com
samba-ad.heathfam.com 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.heathfam.com. 900 IN SRV 0 100 389
samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for A ForestDnsZones.heathfam.com 10.0.2.4 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.heathfam.com. 900 IN A 10.0.2.4

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.heathfam.com
samba-ad.heathfam.com 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.heathfam.com. 900 IN SRV 0 100 389
samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.heathfam.com
samba-ad.heathfam.com 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.heathfam.com. 900 IN SRV 0 100 389
samba-ad.heathfam.com.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 23 entries
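
An added example, not part of the original post or of Samba/BIND: a small Python consistency check over constructed excerpts of the files posted above. It compares the keytab path that named is given in tkey-gssapi-keytab with the paths the AppArmor profile excerpt allows named to read, and lists zones whose dynamic updates are authorised by source address alone. The function names are illustrative, and only the rules shown in the post are considered.

```python
import re

# Constructed excerpts that mirror the files posted above.
NAMED_OPTIONS = 'tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";\n'
NAMED_LOCAL = '''\
zone "heathfam.com" {
    type master;
    allow-update { 10.0.2.0/24; };
};
zone "2.0.10.in-addr.arpa" {
    type master;
    allow-update { 10.0.2.0/24; };
};
'''
APPARMOR = '''\
# Samba4 DLZ and Active Directory Zones (default source installation)
/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/ rw,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/var/tmp/** rwmk,
}
'''

def keytab_path(named_conf):
    """Return the path named is told to use for GSS-TSIG, or None."""
    m = re.search(r'tkey-gssapi-keytab\s+"([^"]+)"', named_conf)
    return m.group(1) if m else None

def apparmor_rules(profile):
    """Parse 'PATH PERMS,' lines into (glob, perms) pairs; skip comments."""
    rules = []
    for line in profile.splitlines():
        line = line.split('#', 1)[0].strip().rstrip(',')
        m = re.match(r'(/\S*)\s+([a-zA-Z]+)$', line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules

def glob_to_regex(glob):
    """AppArmor globbing: '**' crosses '/', a single '*' does not."""
    parts = re.split(r'(\*\*|\*)', glob)
    table = {'**': '.*', '*': '[^/]*'}
    return re.compile(''.join(table.get(p, re.escape(p)) for p in parts) + r'\Z')

def apparmor_allows_read(profile, path):
    return any('r' in perms and glob_to_regex(g).match(path)
               for g, perms in apparmor_rules(profile))

def ip_only_update_zones(named_conf):
    """Zones that accept updates by address ACL and have no update-policy."""
    zones = re.findall(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', named_conf, re.S)
    return [name for name, body in zones
            if 'allow-update' in body and 'update-policy' not in body]

def audit(options, local, profile):
    findings = []
    kt = keytab_path(options)
    if kt is None:
        findings.append('no tkey-gssapi-keytab configured')
    elif not apparmor_allows_read(profile, kt):
        findings.append(f'AppArmor excerpt grants named no read on {kt}')
    for zone in ip_only_update_zones(local):
        findings.append(f'zone {zone}: updates authorised by source address only')
    return findings

if __name__ == '__main__':
    for finding in audit(NAMED_OPTIONS, NAMED_LOCAL, APPARMOR):
        print(finding)
```
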