Re: [Samba] Samba as AD travails




Hi,

> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Jared Heath via samba
> Sent: Wednesday 27 September 2017 5:50
> To: samba@xxxxxxxxxxxxxxx
> Subject: [Samba] Samba as AD travails
> 
> Many (many) hours later, I'm finally throwing in the towel 
> and seeking help.

Ok, here it is. At least let's give it a try.  ;-)

> 
> I have read everything I can find on the internet to no avail 
> to get past my issues.  I have to say, I'm very disappointed 
> in the general quality and
> fragmentation of information on this topic.   Samba isn't a turn-key
> solution as an AD by any stretch of the imagination.  I've 
> run the gamut so far with issues that internet digging has 
> (mostly) resolved.
> 
> I had this essentially all working with the internal 
> DNS....until that corrupted with strange error messages about 
> undotted things that essentially broke it.
> 
> And so, on to bind.  I've got plenty of experience with that, 
> should be fairly easy, right?  ha
> 
> Another 5-6 hours later, I'm stuck at what seems to be the 
> same brick wall
> many people end up with...TKEY is unacceptable.   
This should help, if not, can you explain why not? What did you encounter? 
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable 
And 
https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration 


> Along with that, RSAT is
> essentially non-functional with the AD Users/Computers 
> working sporadically and the DNS never having connected once 
> to named  (always denied).  
Did you set up the SePrivileges?
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege 


> klist never works after a 
> reboot....always requires another init, even though the 
> keytab in /var/lib/samba/private is good

DHCP IP?  Is resolvconf installed?
In /etc/resolv.conf, is the first nameserver pointing to its own DNS?

> 
> I simply have no idea where to go from here.  I've done 
> everything on the Wiki 2-3 times.  I've rebuilt from the 
> start twice.  Every time I end up in the exact same place.
> 
> I'm looking for ideas.  I've updated permissions on all the 
> files mentioned
> anywhere on the internet in /var/lib/samba.    Kerberos works 
> fine except
> for the aforementioned post-boot absence of a ticket.

Last, can you also tell which OS is used?
And post the content of:
/etc/hosts
/etc/resolv.conf 

> 
> Here are some files to start with
> 
> =========================================
> smb.conf:
> =========================================
> [global]
>         workgroup = HEATHFAM
>         realm = HEATHFAM.COM <http://heathfam.com/>
>         netbios name = SAMBA-AD
>         server role = active directory domain controller
>         allow dns updates = nonsecure
> #       dns forwarder = 8.8.8.8
> #       dns forwarder = 10.0.2.10
>         idmap_ldb:use rfc2307 = yes
>         server services = rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, s3fs
>         tls enabled  = yes
>         tls keyfile  = tls/key.pem
>         tls certfile = tls/cert.pem
>         tls cafile   = tls/ca.pem
> 
>         username map = /etc/samba/user.map
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/heathfam.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No

I also suggest removing the comment behind REALM.

Ok, now I see more here: remove these 2 zones from bind.
The heathfam.com zone is managed by samba+bind9_dlz.
If you provisioned with BIND9_FLATFILE, then I suggest reprovisioning with BIND9_DLZ.

> 
> =========================================
> named.conf.local
> =========================================
> zone "heathfam.com" {
>     type master;
>     file "/var/lib/bind/zones/db.heathfam.com"; # zone file path
>     allow-update { 10.0.2.0/24; };
> };
> 
> zone "2.0.10.in-addr.arpa" {
>     type master;
>     file "/var/lib/bind/zones/db.10.0.2";  # 10.128.2.0/16 subnet
>     allow-update { 10.0.2.0/24; };
> };

^^^^^^^^^^^^^^^^^^^^^ those 2, remove them.


> 
> =========================================
> named.conf.options
> =========================================
> acl "trusted" {
>         127.0.0.1;
>         10.0.2.0/24;
> };
> 
> options {
>         directory "/var/cache/bind";
> 
>         tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> 
>         //========================================================================
>         // If BIND logs error messages about the root key being expired,
>         // you will need to update your keys.  See https://www.isc.org/bind-keys
>         //========================================================================
>         dnssec-validation no;
> 
>         auth-nxdomain no;    # conform to RFC1035
>         listen-on { 10.0.2.4; };
> 
>     notify no;
>     empty-zones-enable no;
> 
>     # IP addresses and network ranges allowed to query the DNS server:
>     allow-query {
>         127.0.0.1;
>         10.0.2.0/24;
>     };
> 
>     # IP addresses and network ranges allowed to run recursive queries:
>     # (Zones not served by this DNS server)
>     allow-recursion { trusted; };
> 
>     # Forward queries that can not be answered from own zones
>     # to these DNS servers:
>     forwarders {
>         10.0.2.10;
>         8.8.8.8;
>     };
> 
>     # Disable zone transfers
>     allow-transfer {
>         127.0.0.1;
>         10.0.2.0/24;
>     };
>  };
> 
> =========================================
> bottom of /etc/apparmor.d/usr.sbin.named 
> =========================================
> # Samba4 DLZ and Active Directory Zones (default source installation)
> /var/lib/samba/lib/** rm,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/ rw,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
> /var/tmp/** rwmk,
> }
> 
> 
> =========================================
> output of samba_dnsupdate
> =========================================
> 
> root@samba-ad:/etc/apparmor.d# samba_dnsupdate --verbose
> IPs: ['10.0.2.4']
> Looking for DNS entry A samba-ad.heathfam.com 10.0.2.4 as 
> samba-ad.heathfam.com.
> Looking for DNS entry A heathfam.com 10.0.2.4 as heathfam.com.
> Failed to find DNS entry A heathfam.com 10.0.2.4 Looking for 
> DNS entry SRV _ldap._tcp.heathfam.com samba-ad.heathfam.com 
> 389 as _ldap._tcp.heathfam.com.
> Checking 0 0 389 samba-ad.heathfam.com. against SRV 
> _ldap._tcp.heathfam.com samba-ad.heathfam.com 389 Looking for 
> DNS entry SRV _ldap._tcp.dc._msdcs.heathfam.com 
> samba-ad.heathfam.com 389 as _ldap._tcp.dc._msdcs.heathfam.com.
> Checking 0 0 389 samba-ad.heathfam.com. against SRV 
> _ldap._tcp.dc._ msdcs.heathfam.com samba-ad.heathfam.com 389 
> Looking for DNS entry SRV _ldap._tcp.1ebfe405-6e9f-49d4- 
> 9165-b0073b4f4cfe.domains._msdcs.heathfam.com 
> samba-ad.heathfam.com 389 as 
> _ldap._tcp.1ebfe405-6e9f-49d4-9165-b0073b4f4cfe.domains._msdcs
> .heathfam.com.
> Failed to find DNS entry SRV _ldap._tcp.1ebfe405-6e9f-49d4- 
> 9165-b0073b4f4cfe.domains._msdcs.heathfam.com 
> samba-ad.heathfam.com 389 Looking for DNS entry SRV 
> _kerberos._tcp.heathfam.com samba-ad.heathfam.com 88 as 
> _kerberos._tcp.heathfam.com.
> Failed to find DNS entry SRV _kerberos._tcp.heathfam.com 
> samba-ad.heathfam.com 88 Looking for DNS entry SRV 
> _kerberos._udp.heathfam.com samba-ad.heathfam.com 88 as 
> _kerberos._udp.heathfam.com.
> Checking 0 0 88 samba-ad.heathfam.com. against SRV 
> _kerberos._ udp.heathfam.com samba-ad.heathfam.com 88 Looking 
> for DNS entry SRV _kerberos._tcp.dc._msdcs.heathfam.com
> samba-ad.heathfam.com 88 as _kerberos._tcp.dc._msdcs.heathfam.com.
> Failed to find DNS entry SRV _kerberos._tcp.dc._msdcs.heathfam.com
> samba-ad.heathfam.com 88
> Looking for DNS entry SRV _kpasswd._tcp.heathfam.com 
> samba-ad.heathfam.com 464 as _kpasswd._tcp.heathfam.com.
> Failed to find DNS entry SRV _kpasswd._tcp.heathfam.com 
> samba-ad.heathfam.com 464 Looking for DNS entry SRV 
> _kpasswd._udp.heathfam.com samba-ad.heathfam.com 464 as 
> _kpasswd._udp.heathfam.com.
> Failed to find DNS entry SRV _kpasswd._udp.heathfam.com 
> samba-ad.heathfam.com 464 Looking for DNS entry CNAME 
> 5abed772-459b-4b4f-8fc0-83526ca15b42._
> msdcs.heathfam.com samba-ad.heathfam.com as 
> 5abed772-459b-4b4f-8fc0- 83526ca15b42._msdcs.heathfam.com.
> Failed to find DNS entry CNAME 5abed772-459b-4b4f-8fc0-83526ca15b42._
> msdcs.heathfam.com samba-ad.heathfam.com Looking for DNS 
> entry SRV _ldap._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 389 as 
> _ldap._tcp.Default-First-Site-Name._sites.heathfam.com.
> Failed to find DNS entry SRV _ldap._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 389 Looking for DNS 
> entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._
> msdcs.heathfam.com samba-ad.heathfam.com 389 as 
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.heathfam.com.
> Failed to find DNS entry SRV 
> _ldap._tcp.Default-First-Site-Name._sites.dc._
> msdcs.heathfam.com samba-ad.heathfam.com 389 Looking for DNS 
> entry SRV _kerberos._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 88 as 
> _kerberos._tcp.Default-First- Site-Name._sites.heathfam.com.
> Failed to find DNS entry SRV _kerberos._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 88 Looking for DNS 
> entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._
> msdcs.heathfam.com samba-ad.heathfam.com 88 as 
> _kerberos._tcp.Default-First- Site-Name._sites.dc._msdcs.heathfam.com.
> Failed to find DNS entry SRV _kerberos._tcp.Default-First- 
> Site-Name._sites.dc._msdcs.heathfam.com samba-ad.heathfam.com 
> 88 Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.heathfam.com
> samba-ad.heathfam.com 389 as _ldap._tcp.pdc._msdcs.heathfam.com.
> Failed to find DNS entry SRV _ldap._tcp.pdc._msdcs.heathfam.com
> samba-ad.heathfam.com 389
> Looking for DNS entry A gc._msdcs.heathfam.com 10.0.2.4 as 
> gc._ msdcs.heathfam.com.
> Failed to find DNS entry A gc._msdcs.heathfam.com 10.0.2.4 
> Looking for DNS entry SRV _gc._tcp.heathfam.com 
> samba-ad.heathfam.com 3268 as _gc._tcp.heathfam.com.
> Failed to find DNS entry SRV _gc._tcp.heathfam.com 
> samba-ad.heathfam.com
>  3268
> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.heathfam.com 
> samba-ad.heathfam.com 3268 as _ldap._tcp.gc._msdcs.heathfam.com.
> Failed to find DNS entry SRV 
> _ldap._tcp.gc._msdcs.heathfam.com samba-ad.heathfam.com 3268 
> Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 3268 as 
> _gc._tcp.Default-First-Site-Name._sites.heathfam.com.
> Failed to find DNS entry SRV _gc._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 3268 Looking for DNS 
> entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._
> msdcs.heathfam.com samba-ad.heathfam.com 3268 as 
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.heathfam.com.
> Failed to find DNS entry SRV 
> _ldap._tcp.Default-First-Site-Name._sites.gc._
> msdcs.heathfam.com samba-ad.heathfam.com 3268 Looking for DNS 
> entry A DomainDnsZones.heathfam.com 
> <http://domaindnszones.heathfam.com/> 10.0.2.4 as 
> DomainDnsZones.heathfam.com <http://domaindnszones.heathfam.com/>.
> Failed to find DNS entry A DomainDnsZones.heathfam.com 
> <http://domaindnszones.heathfam.com/> 10.0.2.4 Looking for 
> DNS entry SRV _ldap._tcp.DomainDnsZones.heathfam.com
> <http://tcp.domaindnszones.heathfam.com/> 
> samba-ad.heathfam.com 389 as _ldap._tcp.DomainDnsZones.heathfam.com
> <http://tcp.domaindnszones.heathfam.com/>.
> Failed to find DNS entry SRV _ldap._tcp.DomainDnsZones.heathfam.com
> <http://tcp.domaindnszones.heathfam.com/> 
> samba-ad.heathfam.com 389 Looking for DNS entry SRV 
> _ldap._tcp.Default-First-Site-Name._
> sites.DomainDnsZones.heathfam.com
> <http://sites.domaindnszones.heathfam.com/> 
> samba-ad.heathfam.com 389 as 
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.heathfam.com
> <http://sites.domaindnszones.heathfam.com/>.
> Failed to find DNS entry SRV _ldap._tcp.Default-First-Site-Name._
> sites.DomainDnsZones.heathfam.com
> <http://sites.domaindnszones.heathfam.com/> 
> samba-ad.heathfam.com 389 Looking for DNS entry A 
> ForestDnsZones.heathfam.com 
> <http://forestdnszones.heathfam.com/> 10.0.2.4 as 
> ForestDnsZones.heathfam.com <http://forestdnszones.heathfam.com/>.
> Failed to find DNS entry A ForestDnsZones.heathfam.com 
> <http://forestdnszones.heathfam.com/> 10.0.2.4 Looking for 
> DNS entry SRV _ldap._tcp.ForestDnsZones.heathfam.com
> <http://tcp.forestdnszones.heathfam.com/> 
> samba-ad.heathfam.com 389 as _ldap._tcp.ForestDnsZones.heathfam.com
> <http://tcp.forestdnszones.heathfam.com/>.
> Failed to find DNS entry SRV _ldap._tcp.ForestDnsZones.heathfam.com
> <http://tcp.forestdnszones.heathfam.com/> 
> samba-ad.heathfam.com 389 Looking for DNS entry SRV 
> _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.heathfam.com
> <http://sites.forestdnszones.heathfam.com/> 
> samba-ad.heathfam.com 389 as 
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.heathfam.com
> <http://sites.forestdnszones.heathfam.com/>.
> Failed to find DNS entry SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.heathfam.com
> <http://sites.forestdnszones.heathfam.com/> 
> samba-ad.heathfam.com 389 Calling nsupdate for A heathfam.com 
> 10.0.2.4 (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> heathfam.com.           900     IN      A       10.0.2.4
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV _ldap._tcp.1ebfe405-6e9f-49d4- 
> 9165-b0073b4f4cfe.domains._msdcs.heathfam.com 
> samba-ad.heathfam.com 389
> (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _ldap._tcp.1ebfe405-6e9f-49d4-9165-b0073b4f4cfe.domains._msdcs
> .heathfam.com.
> 900 IN SRV 0 100 389 samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV _kerberos._tcp.heathfam.com 
> samba-ad.heathfam.com 88
> (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _kerberos._tcp.heathfam.com. 900 IN     SRV     0 100 88
> samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.heathfam.com
> samba-ad.heathfam.com 88 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _kerberos._tcp.dc._msdcs.heathfam.com. 900 IN SRV 0 100 88 
> samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV _kpasswd._tcp.heathfam.com 
> samba-ad.heathfam.com 464
> (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _kpasswd._tcp.heathfam.com. 900 IN      SRV     0 100 464
> samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV _kpasswd._udp.heathfam.com 
> samba-ad.heathfam.com 464
> (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _kpasswd._udp.heathfam.com. 900 IN      SRV     0 100 464
> samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for CNAME 5abed772-459b-4b4f-8fc0-83526ca15b42._
> msdcs.heathfam.com samba-ad.heathfam.com (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> 5abed772-459b-4b4f-8fc0-83526ca15b42._msdcs.heathfam.com. 900 
> IN CNAME samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 389 (add) Outgoing 
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.heathfam.com. 900 
> IN SRV 0 100
> 389 samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV 
> _ldap._tcp.Default-First-Site-Name._sites.dc._
> msdcs.heathfam.com samba-ad.heathfam.com 389 (add) Outgoing 
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.heathfam.c
> om. 900 IN SRV 0 100 389 samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 88 (add) Outgoing 
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _kerberos._tcp.Default-First-Site-Name._sites.heathfam.com. 
> 900 IN SRV 0 100 88 samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV 
> _kerberos._tcp.Default-First-Site-Name._sites.dc._
> msdcs.heathfam.com samba-ad.heathfam.com 88 (add) Outgoing 
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.heathf
> am.com. 900 IN SRV 0 100 88 samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.heathfam.com
> samba-ad.heathfam.com 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _ldap._tcp.pdc._msdcs.heathfam.com. 900 IN SRV  0 100 389 
> samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for A gc._msdcs.heathfam.com 10.0.2.4 
> (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> gc._msdcs.heathfam.com. 900     IN      A       10.0.2.4
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV _gc._tcp.heathfam.com 
> samba-ad.heathfam.com 3268
> (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _gc._tcp.heathfam.com.  900     IN      SRV     0 100 3268
> samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV _ldap._tcp.gc._msdcs.heathfam.com 
> samba-ad.heathfam.com 3268 (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _ldap._tcp.gc._msdcs.heathfam.com. 900 IN SRV   0 100 3268
> samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._
> sites.heathfam.com samba-ad.heathfam.com 3268 (add) Outgoing 
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _gc._tcp.Default-First-Site-Name._sites.heathfam.com. 900 IN 
> SRV 0 100 3268 samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV 
> _ldap._tcp.Default-First-Site-Name._sites.gc._
> msdcs.heathfam.com samba-ad.heathfam.com 3268 (add) Outgoing 
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.heathfam.c
> om. 900 IN SRV 0 100 3268 samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for A DomainDnsZones.heathfam.com 
> <http://domaindnszones.heathfam.com/> 10.0.2.4 (add) Outgoing 
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> DomainDnsZones.heathfam.com 
> <http://domaindnszones.heathfam.com/>. 900 IN
>   A       10.0.2.4
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.heathfam.com
> <http://tcp.domaindnszones.heathfam.com/> 
> samba-ad.heathfam.com 389 (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _ldap._tcp.DomainDnsZones.heathfam.com
> <http://tcp.domaindnszones.heathfam.com/>. 900 IN SRV 0 100 
> 389 samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
> sites.DomainDnsZones.heathfam.com
> <http://sites.domaindnszones.heathfam.com/> 
> samba-ad.heathfam.com 389 (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.heathfam.com
> <http://sites.domaindnszones.heathfam.com/>. 900 IN SRV 0 100 
> 389 samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for A ForestDnsZones.heathfam.com 
> <http://forestdnszones.heathfam.com/> 10.0.2.4 (add) Outgoing 
> update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> ForestDnsZones.heathfam.com 
> <http://forestdnszones.heathfam.com/>. 900 IN
>   A       10.0.2.4
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.heathfam.com
> <http://tcp.forestdnszones.heathfam.com/> 
> samba-ad.heathfam.com 389 (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _ldap._tcp.ForestDnsZones.heathfam.com
> <http://tcp.forestdnszones.heathfam.com/>. 900 IN SRV 0 100 
> 389 samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.heathfam.com
> <http://sites.forestdnszones.heathfam.com/> 
> samba-ad.heathfam.com 389 (add) Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; 
> UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.heathfam.com
> <http://sites.forestdnszones.heathfam.com/>. 900 IN SRV 0 100 
> 389 samba-ad.heathfam.com.
> 
> dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 
> 1 Failed update of 23 entries
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 

So, a few hints; see how far you're getting.

Greetz, 

Louis
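
A consistency check over the files quoted in this thread, added here as an example and not part of the original messages or of Samba itself. It flags static BIND zones that overlap the AD realm (the zones the reply asks to remove), `allow-update` lists that authorise by source address, and a `tkey-gssapi-keytab` path that no AppArmor read rule covers. All function names are hypothetical, and the embedded inputs are constructed, trimmed copies of the quoted configuration.

```python
import re

# Constructed inputs: trimmed copies of the files quoted in the thread.
SMB_CONF = """[global]
        workgroup = HEATHFAM
        realm = HEATHFAM.COM
        server role = active directory domain controller
"""
NAMED_CONF_LOCAL = """zone "heathfam.com" {
    type master;
    file "/var/lib/bind/zones/db.heathfam.com";
    allow-update { 10.0.2.0/24; };
};
zone "2.0.10.in-addr.arpa" {
    type master;
    file "/var/lib/bind/zones/db.10.0.2";
    allow-update { 10.0.2.0/24; };
};
"""
NAMED_CONF_OPTIONS = """options {
        directory "/var/cache/bind";
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
"""
APPARMOR_PROFILE = """/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/ rw,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/var/tmp/** rwmk,
"""

def samba_realm(smb_conf):
    """Lower-cased realm from smb.conf, or None if it is not set."""
    m = re.search(r"^\s*realm\s*=\s*(\S+)", smb_conf, re.M | re.I)
    return m.group(1).lower() if m else None

def static_zones(named_conf):
    """(name, body) for each 'type master' zone; expects '};' on its own line."""
    found = re.findall(r'zone\s+"([^"]+)"\s*\{(.*?)\n\s*\};', named_conf, re.S)
    return [(n.lower().rstrip("."), b) for n, b in found
            if re.search(r"type\s+master\s*;", b)]

def keytab_path(named_options):
    """Path given to tkey-gssapi-keytab, or None."""
    m = re.search(r'tkey-gssapi-keytab\s+"([^"]+)"\s*;', named_options)
    return m.group(1) if m else None

def apparmor_allows_read(profile, path):
    """True if a file rule with 'r' matches path ('**' crosses '/', '*' does not)."""
    for rule, perms in re.findall(r"^\s*(/\S*)\s+([a-z]+),", profile, re.M):
        pattern = re.escape(rule).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
        if "r" in perms and re.fullmatch(pattern, path):
            return True
    return False

def audit(smb_conf, named_local, named_options, profile):
    """Return a list of findings, one string per inconsistency."""
    findings = []
    realm = samba_realm(smb_conf)
    for name, body in static_zones(named_local):
        if realm and (name == realm or name.endswith("." + realm)):
            findings.append(f"zone {name}: static zone overlaps the AD realm")
        # An address in allow-update authorises by source IP, not by GSS-TSIG key.
        if re.search(r"allow-update\s*\{[^}]*\d+\.\d+\.\d+\.\d+", body):
            findings.append(f"zone {name}: allow-update by source address")
    keytab = keytab_path(named_options)
    if keytab and not apparmor_allows_read(profile, keytab):
        findings.append(f"keytab {keytab}: no AppArmor read rule covers it")
    return findings

if __name__ == "__main__":
    for finding in audit(SMB_CONF, NAMED_CONF_LOCAL,
                         NAMED_CONF_OPTIONS, APPARMOR_PROFILE):
        print(finding)
```
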


