Problem: samba_dnsupdate is not able to update dns entries

Problem:

samba_dnsupdate --verbose shows the following messages:

need update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.schein.ig MASTER.schein.ig 389
[...]
Failed nsupdate: 1
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.schein.ig MASTER.schein.ig 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.schein.ig MASTER.schein.ig 389 (add)
Successfully obtained Kerberos ticket to DNS/master.schein.ig as MASTER$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.schein.ig. 900 IN SRV 0 100 389 MASTER.schein.ig.

dns_tkey_negotiategss: TKEY is unacceptable

You may have found this article:
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable

Investigation:

Check the contents of the DNS keytab:
ktutil -k /var/lib/samba/private/dns.keytab list

/var/lib/samba/private/dns.keytab:

Vno  Type                     Principal                       Aliases
  1  des-cbc-crc              DNS/master.schein.pt@SCHEIN.PT  
  1  des-cbc-crc              dns-master@SCHEIN.PT            
  1  des-cbc-md5              DNS/master.schein.pt@SCHEIN.PT  
  1  des-cbc-md5              dns-master@SCHEIN.PT            
  1  arcfour-hmac-md5         DNS/master.schein.pt@SCHEIN.PT  
  1  arcfour-hmac-md5         dns-master@SCHEIN.PT            
  1  aes128-cts-hmac-sha1-96  DNS/master.schein.pt@SCHEIN.PT  
  1  aes128-cts-hmac-sha1-96  dns-master@SCHEIN.PT            
  1  aes256-cts-hmac-sha1-96  DNS/master.schein.pt@SCHEIN.PT  
  1  aes256-cts-hmac-sha1-96  dns-master@SCHEIN.PT

and check that the DNS user account (here dns-master) exists:

ldbsearch -H /var/lib/samba/private/sam.ldb cn=dns-master dn
# record 1
dn: CN=dns-master,CN=Users,DC=schein,DC=pt

# Referral
ref: ldap://schein.pt/CN=Configuration,DC=schein,DC=pt

# Referral
ref: ldap://schein.pt/DC=DomainDnsZones,DC=schein,DC=pt

# Referral
ref: ldap://schein.pt/DC=ForestDnsZones,DC=schein,DC=pt

# returned 4 records
# 1 entries
# 3 referrals

Solution:

If the user is missing, or the keytab is corrupt or incomplete, run
univention-run-join-scripts --force --run-scripts 98univention-samba4-dns.inst
The join script creates the user (or sets its password if the user already exists) and then updates the service principal in Samba.
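The two investigation steps above can be scripted so that the decision to re-run the join script rests on the captured output rather than on reading the listings by eye. The following is an added example and not part of the original article or of Univention's tooling; it works on constructed samples modelled on the ktutil and ldbsearch output shown above, and the rule that each of the two principals needs at least one AES key is an assumption of this example (the article only shows what a healthy listing looks like).

```shell
#!/bin/sh
# Added example, not from the original article: check the dns.keytab listing
# and the ldbsearch result before deciding to re-run 98univention-samba4-dns.inst.
# Assumption of this example: each DNS principal needs at least one AES key.

# Constructed sample modelled on the ktutil listing above. On a real DC use:
#   KEYTAB_LISTING=$(ktutil -k /var/lib/samba/private/dns.keytab list)
KEYTAB_LISTING='Vno  Type                     Principal                       Aliases
  1  des-cbc-crc              DNS/master.schein.pt@SCHEIN.PT
  1  des-cbc-crc              dns-master@SCHEIN.PT
  1  arcfour-hmac-md5         DNS/master.schein.pt@SCHEIN.PT
  1  arcfour-hmac-md5         dns-master@SCHEIN.PT
  1  aes256-cts-hmac-sha1-96  DNS/master.schein.pt@SCHEIN.PT
  1  aes256-cts-hmac-sha1-96  dns-master@SCHEIN.PT'

# Constructed listing of an incomplete keytab: the dns-master key is missing.
KEYTAB_INCOMPLETE='Vno  Type                     Principal                       Aliases
  1  aes256-cts-hmac-sha1-96  DNS/master.schein.pt@SCHEIN.PT'

# Constructed sample modelled on the ldbsearch output above. On a real DC use:
#   LDB_OUTPUT=$(ldbsearch -H /var/lib/samba/private/sam.ldb cn=dns-master dn)
LDB_OUTPUT='# record 1
dn: CN=dns-master,CN=Users,DC=schein,DC=pt

# Referral
ref: ldap://schein.pt/CN=Configuration,DC=schein,DC=pt

# returned 2 records
# 1 entries
# 1 referrals'

# Constructed ldbsearch output for the case where the account does not exist.
LDB_MISSING='# Referral
ref: ldap://schein.pt/CN=Configuration,DC=schein,DC=pt

# returned 1 records
# 0 entries
# 1 referrals'

# keytab_has_aes_key LISTING PRINCIPAL: succeed if the listing has an
# aes128/aes256 entry whose principal column equals PRINCIPAL exactly.
keytab_has_aes_key() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$2 ~ /^aes(128|256)-cts-hmac-sha1-96$/ && $3 == p { found = 1 }
         END { exit found ? 0 : 1 }'
}

# ldb_entries OUTPUT: print the "# N entries" count (0 if the line is absent).
ldb_entries() {
    printf '%s\n' "$1" | awk '/^# [0-9]+ entries$/ { n = $2 } END { print n + 0 }'
}

# diagnose HOST REALM KEYTAB_LISTING LDB_OUTPUT: print "ok", or a
# space-separated list of findings ("keytab:<principal>" / "user-missing").
# Any finding means the join script should be re-run as described above.
diagnose() {
    host=$1; realm=$2; listing=$3; ldb=$4
    short=${host%%.*}
    findings=""
    for principal in "DNS/$host@$realm" "dns-$short@$realm"; do
        keytab_has_aes_key "$listing" "$principal" || findings="$findings keytab:$principal"
    done
    [ "$(ldb_entries "$ldb")" -ge 1 ] || findings="$findings user-missing"
    if [ -z "$findings" ]; then echo ok; else echo "${findings# }"; fi
}

# Stand-alone run over the constructed samples.
diagnose master.schein.pt SCHEIN.PT "$KEYTAB_LISTING" "$LDB_OUTPUT"
diagnose master.schein.pt SCHEIN.PT "$KEYTAB_INCOMPLETE" "$LDB_MISSING"
```

On a real domain controller, replace the constructed variables with the output of the two commands given in the comments and call diagnose with the DC's FQDN and Kerberos realm; the principal column is compared exactly, so a keytab issued for a different host name or realm shows up as a finding rather than being matched by accident.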
