Problem: samba_dnsupdate is not able to update dns entries




samba_dnsupdate --verbose shows the following messages:

need update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.schein.ig MASTER.schein.ig 389
Failed nsupdate: 1
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.schein.ig MASTER.schein.ig 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.schein.ig MASTER.schein.ig 389 (add)
Successfully obtained Kerberos ticket to DNS/master.schein.ig as MASTER$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.schein.ig. 900 IN SRV 0 100 389 MASTER.schein.ig.

dns_tkey_negotiategss: TKEY is unacceptable

You may have found this article:


Check the keytab:
ktutil -k /var/lib/samba/private/dns.keytab list


Vno  Type                     Principal                       Aliases
  1  des-cbc-crc              DNS/  
  1  des-cbc-crc              dns-master@SCHEIN.PT            
  1  des-cbc-md5              DNS/  
  1  des-cbc-md5              dns-master@SCHEIN.PT            
  1  arcfour-hmac-md5         DNS/  
  1  arcfour-hmac-md5         dns-master@SCHEIN.PT            
  1  aes128-cts-hmac-sha1-96  DNS/  
  1  aes128-cts-hmac-sha1-96  dns-master@SCHEIN.PT            
  1  aes256-cts-hmac-sha1-96  DNS/  
  1  aes256-cts-hmac-sha1-96  dns-master@SCHEIN.PT

and check the dns-user:

ldbsearch -H /var/lib/samba/private/sam.ldb cn=dns-master dn
# record 1
dn: CN=dns-master,CN=Users,DC=schein,DC=pt

# Referral
ref: ldap://,DC=schein,DC=pt

# Referral
ref: ldap://,DC=schein,DC=pt

# Referral
ref: ldap://,DC=schein,DC=pt

# returned 4 records
# 1 entries
# 3 referrals


If the user is missing or the keytab is corrupt or incomplete run
univention-run-join-scripts --force --run-scripts 98univention-samba4-dns.inst
It creates the user/or sets the password if the user already exists and then updates the ServicePrincipal in samba

closed #2

unlisted #3

listed #4