Author Topic: Recovering from TKEY unacceptable and DNS-Samba problems (inc nsupdate errors)  (Read 1842 times)

nickpiggott

  • Zen Apprentice
  • *
  • Posts: 23
  • Karma: +8/-0
    • View Profile
After a very difficult upgrade from 6.2 to 7.0, I was facing a problem where Bind and Samba were not properly connected, so DNS updates between them failed (and ultimated disrupted replication between DCs because they DNS zones became incorrectly populated). Restarting the dns module and/or the samba module failed with errors.

I noted several things I need to check and fix, so I'll list them here to help anyone who comes down with the same problems.

A lot of the problems are because the user "bind" cannot access the "dns.keytab", but this is silently failing. You just see "TKEY is unacceptable" errors or "Update: REFUSED" errors.

Check the reference to the dns.key tab shown in /etc/bind/named.conf.options. It should be pointing to /var/lib/samba/private/dns.keytab
Check the access rights to the /var/lib/samba/private folder. It must be readable by "bind" (or "named") - you may have to
Code: [Select]
chmod o=rx /var/lib/samba/privateCheck that the /var/lib/samba/private/dns.keytab file is set to group "bind" (or "named") and with permissions r-x. Permissions for other users should be --- (not allowed access)

If that doesn't fix your problem, you can recreate the DNS update user, but you must follow all these steps

If there is a /var/lib/samba/private/dns.keytab file, delete it
use samba-tool to to delete any existing DNS update user -
Code: [Select]
sudo samba-tool user delete dns-{domain controller name}follow this guide to recreate the user and keytab - https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable#Temporarily_Changing_the_DNS_Back_End
add the newly created user to the DnsAdmins group -
Code: [Select]
sudo samba-tool group addmembers "DnsAdmins" dns-{domain controller name}as above, check that dns.keytab is readable by the bind user

Finally, if you're seeing errors relating to "nsupdate -l -t10 {filename}" check that you
  • Have disabled IPv6 on the machine OR
  • Have enabled bind to respond on IPv6. You'll need to copy /usr/share/zentyal/stubs/dns/bind9.mas to /etc/zentyal/stubs/bind9.mas and then edit that file to remove the "-4" from the OPTIONS line
(this last issue is because nsupdate -l tries to contact locahost, which if IPv6 is enabled, tries :::53, not 127.0.0.1:53)

Then you can check that things are working with
Code: [Select]
sudo samba_dnsupdate --verboseand
Code: [Select]
sudo nsupdate -lthen type "help" and "quit" to make sure it's connected

I hope this saves someone a day or so trying to work out why the DNS module is throwing errors in Zentyal.