Web lists-archives.com

Re: [Samba] BIND9_DLZ: TKEY is unacceptable - depending on the name server




On Sat, 30 Jun 2018 16:01:10 +0200 (CEST)
Peter Serbe via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Dear Samba experts, 
> 
> Since a couple of days I am trying to fix my domain. 
> I have each two ADDCs on raspis on two sites. One is running on
> Raspian and works fine. The other three are on Gentoo and something
> is broken there. When I point the name resolution in resolv.conf to
> the Raspian machine the dynamic updates are just working fine:
> 
> 
> # horus /srv/samba/demoshare # samba_dnsupdate --verbose
> --all-names # IPs:
> ['192.168.41.25'] # force update: A horus.samdom.com
> 192.168.41.25 # force update: NS samdom.com
> horus.samdom.com # force update: NS _msdcs.samdom.com
> horus.samdom.com # force update: A samdom.com
> 192.168.41.25 # .....
> # 29 DNS updates and 0 DNS deletes
> needed # Successfully obtained Kerberos ticket to
> DNS/charon.samdom.com as HORUS$ # update(nsupdate): A
> horus.samdom.com 192.168.41.25 # Calling nsupdate for A
> horus.samdom.com 192.168.41.25 (add) # Successfully obtained Kerberos
> ticket to DNS/charon.samdom.com as HORUS$ # Outgoing update
> query: # ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
> 0 # ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL:
> 0 # ;; UPDATE
> SECTION: # horus.samdom.com.    900     IN      A
> 192.168.41.25
> # # update(nsupdate): NS samdom.com
> horus.samdom.com # .....
> 
> 
> Now I edit resolv.conf to point to the ADDC charon at 192.168.11.205, 
> and the Kerberos ticket is now obtained by DNS/horus.samdom.com,
> which is actually on of the Gentoo machines, and even though it
> states the Ticket was granted successfully, the update fails.
> 
> 
> # horus ~ # samba_dnsupdate --verbose --all-names
> # IPs: ['192.168.41.25']
> # force update: A horus.samdom.com 192.168.41.25
> # .....
> # 29 DNS updates and 0 DNS deletes needed
> # Successfully obtained Kerberos ticket to DNS/horus.samdom.com as
> HORUS$ # update(nsupdate): A horus.samdom.com 192.168.41.25
> # Calling nsupdate for A horus.samdom.com 192.168.41.25 (add)
> # Successfully obtained Kerberos ticket to DNS/horus.samdom.com as
> HORUS$ # Outgoing update query:
> # ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> # ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> # ;; UPDATE SECTION:
> # horus.samdom.com.    900     IN      A       192.168.41.25
> # 
> # dns_tkey_gssnegotiate: TKEY is unacceptable
> # Failed nsupdate: 1
> # update(nsupdate): NS samdom.com horus.samdom.com
> # .....
> 
> 
> Needless to say, that tried to generate new keytabs. I demoted
> machines and re-joined them, but the issue persists. Actually there
> is samba-4.8.3 on all machines, and the ldb/tdb/tevent/talloc in the
> same version as bundled with samba-4.8.3. Raspbian has a pretty old
> Bind  9.10.3-P4. On Gentoo I tried 9.11.3 and 9.11.2_p1. 
> 
> What I need first is a tip for an efficient setting for debugging it. 
> Is there a way to have a look on the granted tickets? There must be 
> some difference. 
> 

I think you have run into the 'whoever creates the dns records owns
them' problem. Only the owner of a dns record can update that record
and if you look carefully, you are trying to update the same records
from both machines. Try pointing the /etc/resolv.conf nameserver on
each DC to itself. If all else fails, you could also try adding
'--use-samba-tool' to the command.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba