Bug 13995 - Dynamic DNS with BIND9_DLZ error : TLEY is unacceptable
Summary: Dynamic DNS with BIND9_DLZ error : TLEY is unacceptable
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.10.4
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-15 21:07 UTC by FabioSilvero (dead mail address)
Modified: 2021-01-11 15:19 UTC

See Also:


Attachments

Description FabioSilvero (dead mail address) 2019-06-15 21:07:37 UTC
OS : Raspbian Stretch
Samba version : 4.10.4
BIND9 version :9.11.5-P4-5~bpo9+1-Debian (Extended Support Version)

Hi team,

I am unable to perform DNS Updates with the dhcp-dyndns.sh script.

I have the DNS AD account and its keytab with the right content (I recreated them just in case; still happening).

I read that nsupdate only supports HMAC-MD5 encryption, so I modified my krb5.conf file and regenerated a dns.keytab using samba_upgradedns, specifying BIND_DLZ. Still no luck.

I verified permissions, but all seems alright to me.

Any ideas?

Thanks!

#### File Outputs

# tail /var/log/syslog

Jun 15 22:44:20 garuda dhcpd[2133]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jun 15 22:44:20 garuda dhcpd[2133]: execute_statement argv[1] = add
Jun 15 22:44:20 garuda dhcpd[2133]: execute_statement argv[2] = 10.10.10.10
Jun 15 22:44:20 garuda dhcpd[2133]: execute_statement argv[3] = aa:bb:cc:dd:ee:ff
Jun 15 22:44:20 garuda dhcpd[2133]: execute_statement argv[4] = hostname
Jun 15 22:44:20 garuda root: DHCP-DNS Update failed: 11
Jun 15 22:44:20 garuda dhcpd[2133]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Jun 15 22:44:20 garuda dhcpd[2133]: reuse_lease: lease age 412 (secs) under 25% threshold, reply with unaltered, existing lease for 10.10.10.10
Jun 15 22:44:20 garuda dhcpd[2133]: DHCPREQUEST for 10.10.10.10 from aa:bb:cc:dd:ee:ff (hostname) via eth0
Jun 15 22:44:20 garuda dhcpd[2133]: DHCPACK on 10.10.10.10 to aa:bb:cc:dd:ee:ff (hostname) via eth0

# samba_dnsupdate --verbose --all-names

IPs: ['10.10.10.1']
force update: A dc1.example.com 10.10.10.1
force update: NS example.com dc1.example.com
force update: NS _msdcs.example.com dc1.example.com
force update: A example.com 10.10.10.1
force update: SRV _ldap._tcp.example.com dc1.example.com 389
force update: SRV _ldap._tcp.dc._msdcs.example.com dc1.example.com 389
force update: SRV _ldap._tcp.d4e80749-ea98-46e6-9f89-8a14439c2960.domains._msdcs.example.com dc1.example.com 389
force update: SRV _kerberos._tcp.example.com dc1.example.com 88
force update: SRV _kerberos._udp.example.com dc1.example.com 88
force update: SRV _kerberos._tcp.dc._msdcs.example.com dc1.example.com 88
force update: SRV _kpasswd._tcp.example.com dc1.example.com 464
force update: SRV _kpasswd._udp.example.com dc1.example.com 464
force update: CNAME cc6e40c6-3abb-4aa2-976c-f5ac1beee921._msdcs.example.com dc1.example.com
force update: SRV _ldap._tcp.HomeSweetHome._sites.example.com dc1.example.com 389
force update: SRV _ldap._tcp.HomeSweetHome._sites.dc._msdcs.example.com dc1.example.com 389
force update: SRV _kerberos._tcp.HomeSweetHome._sites.example.com dc1.example.com 88
force update: SRV _kerberos._tcp.HomeSweetHome._sites.dc._msdcs.example.com dc1.example.com 88
force update: SRV _ldap._tcp.pdc._msdcs.example.com dc1.example.com 389
force update: A gc._msdcs.example.com 10.10.10.1
force update: SRV _gc._tcp.example.com dc1.example.com 3268
force update: SRV _ldap._tcp.gc._msdcs.example.com dc1.example.com 3268
force update: SRV _gc._tcp.HomeSweetHome._sites.example.com dc1.example.com 3268
force update: SRV _ldap._tcp.HomeSweetHome._sites.gc._msdcs.example.com dc1.example.com 3268
force update: A DomainDnsZones.example.com 10.10.10.1
force update: SRV _ldap._tcp.DomainDnsZones.example.com dc1.example.com 389
force update: SRV _ldap._tcp.HomeSweetHome._sites.DomainDnsZones.example.com dc1.example.com 389
force update: A ForestDnsZones.example.com 10.10.10.1
force update: SRV _ldap._tcp.ForestDnsZones.example.com dc1.example.com 389
force update: SRV _ldap._tcp.HomeSweetHome._sites.ForestDnsZones.example.com dc1.example.com 389
29 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc1.example.com as dc1$
update(nsupdate): A dc1.example.com 10.10.10.1
Calling nsupdate for A dc1.example.com 10.10.10.1 (add)
Successfully obtained Kerberos ticket to DNS/dc1.example.com as dc1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc1.example.com.      900     IN      A       10.10.10.1

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 29 entries

# klist -kte /usr/local/samba/private/dns.keytab

Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (des-cbc-crc)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (des-cbc-crc)
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (des-cbc-md5)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (des-cbc-md5)
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (arcfour-hmac)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (arcfour-hmac)
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 15/06/2019 22:25:25 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 15/06/2019 22:25:25 dns-dc1@EXAMPLE.COM (aes256-cts-hmac-sha1-96)

The LDAP request for the account dns-dc1:

# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-dc1' dn
# record 1
dn: CN=dns-dc1,CN=Users,DC=example,DC=com

# Referral
ref: ldap://example.com/CN=Configuration,DC=example,DC=com

# Referral
ref: ldap://example.com/DC=DomainDnsZones,DC=example,DC=com

# Referral
ref: ldap://example.com/DC=ForestDnsZones,DC=example,DC=com

# returned 4 records
# 1 entries
# 3 referrals


#### Permissions

Permissions for the samba root folder and its subfolders:

# ls -lat /usr/local/samba/
total 48
drwxr-x---   3 bind bind  4096 Jun 15 22:51 bind-dns
drwxr-xr-x+  8 root bind  4096 Jun 15 22:29 private
drwxrwsr-x  12 root staff 4096 Jun 15 22:28 ..
drwxr-sr-x   3 root staff 4096 Jun 15 21:04 etc
drwxr-sr-x   2 root staff 4096 Jun 15 20:54 bin
drwxr-sr-x   2 root staff 4096 Jun 15 20:54 sbin
drwxr-sr-x  18 root staff 4096 Jun 15 20:54 lib
drwxr-sr-x   7 root staff 4096 Jun 15 20:39 include
drwxr-sr-x   8 root staff 4096 Jul 21  2018 var
drwxr-sr-x   5 root staff 4096 Jul 21  2018 share
drwxr-xr-x+ 12 root staff 4096 Jul 21  2018 .
drwxr-sr-x   3 root staff 4096 Jul 21  2018 libexec

And private folder perms:
# ls -lat /usr/local/samba/private/
total 11244
drwx--S---   2 root root     4096 Jun 15 22:52 msg.sock
-rw-------   1 root root    12288 Jun 15 22:34 schannel_store.tdb
drwxr-xr-x+  8 root bind     4096 Jun 15 22:29 .
srwxrwxrwx   1 root root        0 Jun 15 22:29 ldapi
drwxr-s---   2 root root     4096 Jun 15 22:29 ldap_priv
-rw-------   1 root root     4792 Jun 15 22:29 netlogon_creds_cli.tdb
drwxr-x---+  2 root bind     4096 Jun 15 22:25 sam.ldb.d
-rw-------   1 root root  1286144 Jun 15 22:25 secrets.ldb
-rw-r-----   2 root bind      732 Jun 15 22:25 dns.keytab
drwxr-x---+  2 root bind     4096 Jun 15 19:36 dns
-rw-------   1 root root  1609728 Jun 15 16:24 idmap.ldb
drwxr-sr-x   2 root root     4096 Jul 21  2018 tls
-rw-------   1 root root     1717 Jul 21  2018 dns_update_cache
drwxr-sr-x   2 root root     4096 Jul 21  2018 smbd.tmp
-rw-------   1 root root   430080 Jul 21  2018 secrets.tdb
-rw-------   1 root root     1067 Jul 21  2018 secrets.keytab
-rw-r--r--   1 root root     3663 Jul 21  2018 dns_update_list
-rw-r--r--   1 root root      955 Jul 21  2018 spn_update_list
-rw-r--r--   1 root root       91 Jul 21  2018 krb5.conf
-rw-rw----   1 root bind  4247552 Jul 21  2018 sam.ldb
-rw-------   1 root root  1286144 Jul 21  2018 privilege.ldb
-rw-------   1 root root  1286144 Jul 21  2018 hklm.ldb
-rw-------   1 root root  1286144 Jul 21  2018 share.ldb
-rw-------   1 root root       16 Jul 21  2018 encrypted_secrets.key
drwxr-xr-x+ 12 root staff    4096 Jul 21  2018 ..

bind-dns folder permissions:

# ls -lat /usr/local/samba/bind-dns/
total 28
drwxr-x---   3 bind bind  4096 Jun 15 23:00 .
-rw-r--r--   1 root root   830 Jun 15 22:25 named.conf
-rw-r--r--   1 root root  2096 Jun 15 22:25 named.txt
drwxrwx---   3 root bind  4096 Jun 15 22:25 dns
-rw-r-----   2 root bind   732 Jun 15 22:25 dns.keytab
-r--r--r--   1 root root   219 Jun 15 21:05 named.conf.update
-rw-------   1 root root     0 Jun 15 21:02 dns.keytabox1mq7g3XXXXXX
-rw-------   1 root root     0 Jun 15 21:02 dns.keytabq9z2m444XXXXXX
drwxr-xr-x+ 12 root staff 4096 Jul 21  2018 .

krb5.conf permissions:

# ls -l /etc/krb5.conf
-rw-r--r-- 1 root bind 132 Jun 15 22:22 /etc/krb5.conf

##### CONFIGURATION FILES

# cat /etc/krb5.conf

[libdefaults]
        default_realm = HYRULE.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true
        default_tgs_enctypes = arcfour-hmac-md5

# cat /etc/bind/named.conf.options
options {
    tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
}
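The script below is an added example for this report; it is not Samba's code, BIND's, or the dhcp-dyndns.sh script. Given text in the shape of the klist -kte, ls -l and krb5.conf output posted above (the samples embedded in it are constructed to copy those values, with absolute paths in place of the relative names that ls -lat prints), it reports the conditions a GSS-TSIG update (nsupdate -g) against a BIND9_DLZ server depends on: the DNS/<fqdn> principal present in the keytab that tkey-gssapi-keytab points at, the keytab and its directory readable by the user named runs as, a default_realm that matches the realm the keys were issued for, and enctype settings that neither exclude every key in the keytab nor pin tickets to DES or RC4. It evaluates classic mode bits only; the '+' on several directories above means POSIX ACLs are in play, which need getfacl. The function names and the ERROR/WARN labels are the example's own.

```python
"""Pre-flight checks for GSS-TSIG updates against Samba's BIND9_DLZ back end.

Added example for this report, not Samba, BIND or dhcp-dyndns.sh code.
Inputs are text in the shape of MIT `klist -kte`, `ls -l` and krb5.conf;
the samples below are constructed from the values in the report.
"""
import re

KEYTAB = "/usr/local/samba/bind-dns/dns.keytab"   # tkey-gssapi-keytab from named.conf.options
FQDN = "dc1.example.com"                           # host whose DNS/<fqdn> ticket nsupdate -g requests

KLIST_OUTPUT = """\
Keytab name: FILE:/usr/local/samba/bind-dns/dns.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (des-cbc-crc)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (des-cbc-crc)
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (arcfour-hmac)
   1 15/06/2019 22:25:25 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""
LS_OUTPUT = """\
drwxr-x---   3 bind bind  4096 Jun 15 23:00 /usr/local/samba/bind-dns
-rw-r-----   2 root bind   732 Jun 15 22:25 /usr/local/samba/bind-dns/dns.keytab
"""
KRB5_CONF = """\
[libdefaults]
        default_realm = HYRULE.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true
        default_tgs_enctypes = arcfour-hmac-md5
"""

KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((\S+)\)\s*$")
LS_RE = re.compile(r"^(\S{10})\+?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)$")
WEAK = ("des-", "arcfour-")                        # DES (RFC 6649) and RC4 (RFC 8429) are deprecated
ALIASES = {"arcfour-hmac-md5": "arcfour-hmac",     # krb5.conf spellings -> klist spellings
           "rc4-hmac": "arcfour-hmac", "rc4-hmac-md5": "arcfour-hmac"}


def parse_klist(text):
    """{principal: set(enctypes)} from MIT `klist -kte` output."""
    keys = {}
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            keys.setdefault(m.group(4), set()).add(m.group(5))
    return keys


def parse_ls(text):
    """{path: (mode, owner, group)} from `ls -l` lines whose last field is a path."""
    files = {}
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:
            files[m.group(4)] = (m.group(1), m.group(2), m.group(3))
    return files


def parse_krb5_libdefaults(text):
    """key -> value for the [libdefaults] section of a krb5.conf."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            values[key] = value
    return values


def has_bit(mode, owner, group, user, user_groups, want):
    """Classic rwx check only; the '+' ls prints for POSIX ACLs is not evaluated."""
    if user == "root":
        return True
    cls = 0 if user == owner else 1 if group in user_groups else 2
    ch = mode[{"r": 1, "w": 2, "x": 3}[want] + 3 * cls]
    return ch == want or (want == "x" and ch in "st")


def check_setup(klist_text, ls_text, krb5_text, keytab_path=KEYTAB, fqdn=FQDN,
                bind_user="bind", bind_groups=("bind",)):
    """Return [(severity, message)] in a fixed order; an empty list means nothing flagged."""
    findings = []
    keys, files = parse_klist(klist_text), parse_ls(ls_text)
    libdefaults = parse_krb5_libdefaults(krb5_text)

    # 1. the service principal the TKEY negotiation authenticates to
    dns_princs = [p for p in keys if p.lower().startswith(f"dns/{fqdn.lower()}@")]
    if not dns_princs:
        findings.append(("ERROR", f"no DNS/{fqdn} principal in keytab"))
    enctypes = set().union(*(keys[p] for p in dns_princs)) if dns_princs else set()
    realm = dns_princs[0].split("@", 1)[1] if dns_princs else None

    # 2. enctypes: only DES, weak keys, or a client restriction that excludes the keytab
    if enctypes and all(e.startswith("des-") for e in enctypes):
        findings.append(("ERROR", "keytab holds only DES keys for the DNS principal"))
    for e in sorted(enctypes):
        if e.startswith(WEAK):
            findings.append(("WARN", f"weak enctype in keytab: {e}"))
    restricted = libdefaults.get("default_tgs_enctypes")
    if restricted:
        asked = {ALIASES.get(e, e) for e in restricted.split()}
        if enctypes and not (asked & enctypes):
            findings.append(("ERROR", f"default_tgs_enctypes ({restricted}) shares no enctype with the keytab"))
        if all(e.startswith(WEAK) for e in asked):
            findings.append(("WARN", f"default_tgs_enctypes pins tickets to weak ciphers: {restricted}"))

    # 3. the realm the client defaults to must be the realm the keys were issued for
    default_realm = libdefaults.get("default_realm")
    if realm and default_realm and default_realm.upper() != realm.upper():
        findings.append(("ERROR", f"default_realm {default_realm} != keytab realm {realm}"))

    # 4. named must reach the keytab: search bit on the directory, read bit on the file
    parent = keytab_path.rsplit("/", 1)[0]
    if parent in files and not has_bit(*files[parent], bind_user, bind_groups, "x"):
        findings.append(("ERROR", f"{parent} is not searchable by {bind_user}"))
    if keytab_path not in files:
        findings.append(("WARN", f"no ls entry for {keytab_path}"))
    else:
        mode, owner, group = files[keytab_path]
        if not has_bit(mode, owner, group, bind_user, bind_groups, "r"):
            findings.append(("ERROR", f"{keytab_path} is not readable by {bind_user} ({mode} {owner}:{group})"))
        if mode[7] == "r":
            findings.append(("WARN", f"{keytab_path} is world-readable"))
    return findings


if __name__ == "__main__":
    for severity, message in check_setup(KLIST_OUTPUT, LS_OUTPUT, KRB5_CONF):
        print(f"{severity}: {message}")
```

Run against the constructed copy of the posted values it flags the DES and RC4 keys, the default_tgs_enctypes line that pins tickets to RC4, and the realm mismatch between default_realm and the keytab; the keytab's 0640 root:bind bits pass for a named that runs as bind. To use it on a live host, feed it the real `klist -kte`, `ls -l` and krb5.conf text, set bind_user to whatever `ps -o user= -C named` reports, and check ACLs separately with getfacl.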
Comment 1 Rowland Penny 2021-01-11 15:19:45 UTC
Sorry but I have just become aware of this. I am closing this bug because this is the wrong place for problems with my script. The correct place is the samba mailing list. If you are still having problems, please post to the mailing list.