I'm going to post something I had put in a different thread.
I've gone through many Zentyal version upgrades on this server and am having the DNS issue.
My initial error message was
2017/06/13 12:10:25 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: dns
2017/06/13 12:10:27 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/13 12:10:32 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
2017/06/13 12:10:32 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
dns-vdc01@INTERNAL.DOMAIN.COM's Password:
Command output: .
Exit value: 1
2017/06/13 12:10:32 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
2017/06/13 12:10:32 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
dns-vdc01@INTERNAL.DOMAIN.COM's Password:
Command output: .
What I found was that the user account (dns-[servername]) in AD Users and Computers didn't show as being locked or anything. HOWEVER, by going into the Attribute Editor (make sure everything is selected in Filter) I found two attributes.
msDS-User-Account-Control-Computed
msDS-UserPasswordExpiryTimeComputed
These two attributes had values set that sure made it seem like the password HAD expired. This user account (which is automatically generated during install) also doesn't have "Password never expires" set under Account -> Account options. So to test out a theory I checked the "Password never expires" and "Unlock account" options. I knew from experience that this enables the account using the original password, so it didn't need to be changed.
This seemed to remove the "Error output: Password has expired" error, but now it started to show the problem that other members here are having.
2017/06/14 00:15:38 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: dns
2017/06/14 00:15:39 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/14 00:15:41 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
2017/06/14 00:15:41 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
Error output: update failed: REFUSED
Command output: .
Exit value: 2
2017/06/14 00:15:41 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
2017/06/14 00:15:41 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
Error output: update failed: REFUSED
Command output: .
Exit value: 2
I've tried multiple ways to resolve this error using recommendations here and the Samba wiki, but nothing has really worked and I STILL end up with the REFUSED error or the other error mentioned.
2017/06/14 01:55:23 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: dns
2017/06/14 01:55:24 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/14 01:55:25 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable
Command output: .
Exit value: 1 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable
Command output: .
Exit value: 1 at /usr/share/perl5/EBox/Sudo.pm line 240
EBox::Sudo::_rootError('/usr/bin/sudo -p sudo: /var/lib/zentyal/tmp/Ym0eh3Z4y8.cmd 2> /var/lib/zentyal/tmp/stderr', 'nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8', 256, 'ARRAY(0x8ae78a0)', 'ARRAY(0x435f558)') called at /usr/share/perl5/EBox/Sudo.pm line 210
EBox::Sudo::_root(1, 'nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8') called at /usr/share/perl5/EBox/Sudo.pm line 153
EBox::Sudo::root('nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8') called at /usr/share/perl5/EBox/DNS.pm line 923
EBox::DNS::_postServiceHook('EBox::DNS=HASH(0x8997970)', 1) called at /usr/share/perl5/EBox/Module/Service.pm line 941
EBox::Module::Service::_regenConfig('EBox::DNS=HASH(0x8997970)', 'restart', 1, 'restartModules', 1) called at /usr/share/perl5/EBox/Module/Service.pm line 960
eval {...} at /usr/share/perl5/EBox/Module/Service.pm line 959
EBox::Module::Service::restartService('EBox::DNS=HASH(0x8997970)', 'restartModules', 1) called at /usr/share/perl5/EBox/Util/Init.pm line 121
eval {...} at /usr/share/perl5/EBox/Util/Init.pm line 119
EBox::Util::Init::moduleAction('dns', 'restartService', 'start') called at /usr/share/perl5/EBox/Util/Init.pm line 87
EBox::Util::Init::start at /usr/bin/zs line 35
main::main at /usr/bin/zs line 82
2017/06/14 01:55:25 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable
Command output: .
Exit value: 1
2017/06/14 01:55:25 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable
Command output: .
Exit value: 1 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable
I even followed THESE INSTRUCTIONS on the Samba Wiki, where you completely delete the dns.keytab file, delete the dns-[servername] user, switch the DNS backend to Samba and then back to Bind (due to a glitch in Samba not recreating the dns-[servername] user), and finally run samba_upgradedns --dns-backend=BIND9_DLZ to reprovision the user account and dns.keytab file from scratch. It still failed.
This results in the DNS module not being able to reload itself and the local machine (127.0.0.1) failing DNS updates (or at least it seems that way when the DNS module reload occurs and nsupdate fails to run). The logs seem to show that all my Windows PCs are still able to securely update DNS records, though.
I will say that a fresh install of Zentyal isn't giving me this issue NOW, but who knows if it will after a certain amount of time. I'd also say that removing and reinstalling the DNS module also appeared to solve the issue for me. However, that is REALLY NOT IDEAL. If you have to remove the DNS module, you also have to remove the Domain Controller and File Sharing modules. That means you'd remove all your domain-joined computers, users, GPOs, and so on. So the only other option I can think of right now would be a transfer of FSMO roles to a new Samba4 server.
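The two attributes the post points at are easy to misread in the Attribute Editor: msDS-UserPasswordExpiryTimeComputed is a raw Windows FILETIME (100 ns ticks since 1601-01-01 UTC, with 0x7FFFFFFFFFFFFFFF meaning "never"), and msDS-User-Account-Control-Computed is a bit field whose UF_PASSWORD_EXPIRED and UF_LOCKOUT bits are what actually make a kinit against the dns-[servername] keytab fail. The following is an added example, not code from the post or from Zentyal/Samba, that decodes both attributes and reproduces how the DC derives the computed expiry from pwdLastSet, maxPwdAge and userAccountControl. The sample "before" and "after" entries, the 42-day maxPwdAge and the "now" timestamp (taken from the first kinit failure in the log above) are constructed; the flag values and FILETIME epoch are the documented AD ones.

```python
"""Decode msDS-User-Account-Control-Computed and msDS-UserPasswordExpiryTimeComputed.

Added example (not from the forum post or from Zentyal/Samba). Sample LDAP
entries and the reference time are constructed; flag bits and the FILETIME
epoch are the documented Active Directory values.
"""
from datetime import datetime, timedelta, timezone

# Bits of userAccountControl / msDS-User-Account-Control-Computed (ADS_USER_FLAG_ENUM).
UF_LOCKOUT = 0x0000010
UF_NORMAL_ACCOUNT = 0x0000200
UF_DONT_EXPIRE_PASSWD = 0x0010000
UF_PASSWORD_EXPIRED = 0x0800000
UAC_FLAG_NAMES = {
    UF_LOCKOUT: "UF_LOCKOUT",
    UF_DONT_EXPIRE_PASSWD: "UF_DONT_EXPIRE_PASSWD",
    UF_PASSWORD_EXPIRED: "UF_PASSWORD_EXPIRED",
}

# AD "Large Integer" timestamps are FILETIMEs: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10
TICKS_PER_SECOND = 10**7
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF      # reported when the password never expires
MAX_PWD_AGE_NEVER = -0x8000000000000000  # maxPwdAge value that disables domain expiry


def filetime_to_datetime(ticks):
    """Convert a FILETIME to an aware UTC datetime; None for 0 or 'never'."""
    if ticks <= 0 or ticks >= NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime for an aware datetime."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * TICKS_PER_MICROSECOND


def decode_uac_flags(value):
    """Name the bits set in a userAccountControl-style integer (lowest bit first)."""
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if value & bit]


def compute_password_expiry(pwd_last_set, max_pwd_age, user_account_control):
    """Derive msDS-UserPasswordExpiryTimeComputed the way the DC does.

    maxPwdAge is stored as a negative 100 ns interval, so subtracting it adds
    the age to pwdLastSet. pwdLastSet == 0 means 'must change at next logon'.
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return NEVER_EXPIRES
    if max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return NEVER_EXPIRES
    if pwd_last_set == 0:
        return 0
    return pwd_last_set - max_pwd_age


def diagnose(entry, now):
    """Summarise an entry (keys named as in the Attribute Editor) at time `now`."""
    flags = decode_uac_flags(entry["msDS-User-Account-Control-Computed"])
    expiry_ticks = entry["msDS-UserPasswordExpiryTimeComputed"]
    expires_at = filetime_to_datetime(expiry_ticks)
    never = expiry_ticks >= NEVER_EXPIRES
    expired_by_time = (not never) and (expiry_ticks == 0 or expires_at <= now)
    return {
        "flags": flags,
        "locked": "UF_LOCKOUT" in flags,
        "never_expires": never,
        "expires_at": expires_at,
        "password_expired": expired_by_time or "UF_PASSWORD_EXPIRED" in flags,
    }


# Constructed sample: the dns-<server> account before and after ticking
# "Password never expires", in a domain with the default 42-day maxPwdAge.
UTC = timezone.utc
MAX_PWD_AGE_42_DAYS = -42 * 24 * 3600 * TICKS_PER_SECOND
PWD_LAST_SET = datetime_to_filetime(datetime(2017, 1, 1, tzinfo=UTC))
BEFORE = {
    "userAccountControl": UF_NORMAL_ACCOUNT,
    "msDS-User-Account-Control-Computed": UF_PASSWORD_EXPIRED,
    "msDS-UserPasswordExpiryTimeComputed": compute_password_expiry(
        PWD_LAST_SET, MAX_PWD_AGE_42_DAYS, UF_NORMAL_ACCOUNT),
}
AFTER = {
    "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
    "msDS-User-Account-Control-Computed": 0,
    "msDS-UserPasswordExpiryTimeComputed": compute_password_expiry(
        PWD_LAST_SET, MAX_PWD_AGE_42_DAYS, UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
}
# Reference time: the first kinit failure in the log above (assumed UTC).
NOW = datetime(2017, 6, 13, 12, 10, 32, tzinfo=UTC)

if __name__ == "__main__":
    for label, entry in (("before", BEFORE), ("after", AFTER)):
        print(label, diagnose(entry, NOW))
```

Running it shows the "before" entry expiring on 2017-02-12, well before the log's failure date, and the "after" entry reporting never_expires; if the computed flags still include UF_LOCKOUT after the change, the "Unlock account" step the post mentions is the one that matters rather than the expiry.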