Note: the added account here is dns-ad01.SAMDOM.EXAMPLE.COM, not dns-ad01

    root@ad01:/var/lib/samba/bind-dns# samba_upgradedns --dns-backend=BIND9_DLZ
    Reading domain information
    DNS accounts already exist
    No zone file /var/lib/samba/bind-dns/dns/SAMDOM.EXAMPLE.COM.zone
    /usr/sbin/samba_upgradedns:338: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
      logger.warn("DNS records will be automatically created")
    DNS records will be automatically created
    DNS partitions already exist
    Adding dns-ad01.SAMDOM.EXAMPLE.COM account
    BIND version unknown, please modify /var/lib/samba/bind-dns/named.conf manually.
    See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
    and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
    Finished upgrading DNS

Then update bind config to add dlz.. and restart bind9, test with samba_dnsupdate:

    root@ad01:/var/lib/samba/bind-dns# samba_dnsupdate --all-names
    dns_tkey_gssnegotiate: TKEY is unacceptable
    dns_tkey_gssnegotiate: TKEY is unacceptable
    ...

So, I think that the user with a fqdn instead of just hostname is wrong, so I edit sam.ldb:

    root@ad01:~# ldbrename CN=dns-ad01.SAMDOM.EXAMPLE.COM,CN=Users,DC=SAMDOM,DC=EXAMPLE,DC=COM CN=dns-ad01,CN=Users,DC=SAMDOM,DC=EXAMPLE,DC=COM

then edit the resulting record:

    ldbedit CN=dns-ad01,CN=Users,DC=SAMDOM,DC=EXAMPLE,DC=COM

and make the following changes:

    -description: DNS Service Account for ad01.SAMDOM.EXAMPLE.COM
    -sAMAccountName: dns-ad01.SAMDOM.EXAMPLE.COM
    -servicePrincipalName: DNS/ad01.SAMDOM.EXAMPLE.COM.samdom.example.com
    +description: DNS Service Account for ad01
    +sAMAccountName: dns-ad01
    +servicePrincipalName: DNS/ad01.samdom.example.com

and now samba_dnsupdate works....

    root@ad01:~# samba_dnsupdate --all-names
    root@ad01:~#

Why is samba_upgradedns using a fully qualified domain name instead of just the hostname when it creates the DNS account?
The workaround above is not permanent of course because I think some changes are required in secrets.ldb so that things can get renewed.... hostname appears to return the correct values on the server...

    root@ad01:~# hostname
    ad01
    root@ad01:~# hostname -s
    ad01
    root@ad01:~# hostname -f
    ad01.samdom.example.com
I lost some hours on the same issue. My BIND9_DLZ backend was unable to update DNS records with "Dns tkey negotiategss: TKEY is unacceptable" errors on "samba_dnsupdate" and update requests from clients. I did follow the instructions in <https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable> and re-created both the complete BIND9_DLZ configuration as well as removing the dns-user before re-enabling the BIND9_DLZ backend. I was sure there was something wrong with the keytab for BIND9 to access AD. However the keytab was properly created each time I ran "samba_upgradedns --dns-backend=BIND9_DLZ". After a while I noticed the user created was called "dns-host.DOMAIN.tld" instead of "dns-host" as it should be. Well, I did not expect this to matter if the user used by BIND9_DLZ would be the "dns-host.DOMAIN.tld" user too. Turned out BIND9_DLZ still uses "dns-host" and therefore fails to authenticate.

I also found a workaround for the issue. I updated the samba provision python module. On my system I had to edit "/usr/lib/python3.10/site-packages/samba/provision/__init__.py". Line 2460 reads as follows:

    names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain, "")

However the replace will not work as dNSHostName contains the hostname with uppercase letters (host.DOMAIN.tld) while names.dnsdomain has been converted to lowercase just a few lines above. I decided to update the line to be case-insensitive (converting all to lowercase) as follows:

    names.hostname = str(res4[0]["dNSHostName"]).lower().replace("." + names.dnsdomain, "")

After this I ran another "samba_upgradedns --dns-backend=BIND9_DLZ" and it created the "dns-host" user. However I still need to find the bug why this user is not properly added to the DnsAdmins group, so I fixed this manually. After this my BIND9_DLZ was working fine.
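The case-sensitivity problem described in the comment above, as an added stand-alone example (not Samba's own code): it mirrors the original suffix-strip line, the lowercase fix from the report, and an alternative of my own that only strips a genuine trailing domain suffix, then shows how each short hostname turns into the sAMAccountName and SPN seen in the ldbedit output, together with a consistency check a defender can run before trusting the account. The sample dNSHostName and dnsdomain values are constructed to match the report.

```python
# Added example, not code from the Samba project. The hostname and domain
# below are constructed values matching the bug report (AD keeps the
# uppercase domain part in dNSHostName; names.dnsdomain was lowercased).

def short_hostname_buggy(dns_hostname: str, dnsdomain: str) -> str:
    """Mirrors the original provision line: a case-sensitive suffix strip,
    so an uppercase domain suffix survives and the FQDN leaks through."""
    return str(dns_hostname).replace("." + dnsdomain, "")


def short_hostname_fixed(dns_hostname: str, dnsdomain: str) -> str:
    """The fix proposed in the report: lowercase before stripping."""
    return str(dns_hostname).lower().replace("." + dnsdomain, "")


def short_hostname_strict(dns_hostname: str, dnsdomain: str) -> str:
    """My own variant (hypothetical): strip only a real trailing suffix,
    so a matching substring elsewhere in the name is never removed."""
    host = str(dns_hostname).lower()
    suffix = "." + dnsdomain.lower()
    return host[:-len(suffix)] if host.endswith(suffix) else host


def dns_account(hostname: str, dnsdomain: str) -> dict:
    """Attributes the DNS account gets from HOSTNAME and the domain, in the
    shape shown in the ldbedit diff above."""
    return {
        "sAMAccountName": "dns-" + hostname,
        "servicePrincipalName": "DNS/%s.%s" % (hostname, dnsdomain),
        "description": "DNS Service Account for " + hostname,
    }


def check_consistent(account: dict, dnsdomain: str) -> bool:
    """Sanity check: the SPN host part must carry the domain exactly once and
    the sAMAccountName must be a short name. A doubled domain in the SPN is
    the symptom behind the 'TKEY is unacceptable' failures above."""
    spn_host = account["servicePrincipalName"].split("/", 1)[1].lower()
    return (spn_host.count("." + dnsdomain.lower()) == 1
            and "." not in account["sAMAccountName"])


if __name__ == "__main__":
    dns_host_name, dnsdomain = "ad01.SAMDOM.EXAMPLE.COM", "samdom.example.com"
    for fn in (short_hostname_buggy, short_hostname_fixed, short_hostname_strict):
        acct = dns_account(fn(dns_host_name, dnsdomain), dnsdomain)
        print(fn.__name__, acct["sAMAccountName"], check_consistent(acct, dnsdomain))
```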
In fact I could not find any code which is adding the user to the DnsAdmins group. The samba_upgradedns tool is creating the group (DnsAdmins as well as DnsUpdateProxy) if it does not exist and it creates the user in line 589:

    setup_add_ldif(ldbs.sam, setup_path("provision_dns_add_samba.ldif"), {
        "DNSDOMAIN": dnsdomain,
        "DOMAINDN": domaindn,
        "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')).decode('utf8'),
        "HOSTNAME": hostname,
        "DNSNAME": dnsname
    })

But I can't see how it adds it to the appropriate group. So currently I am left with re-adding the "dns-host" user to the DnsAdmins group manually after creation.
Correction, the line index in my report was wrong. The offending line is at line 258. The code to add the user to the "DnsAdmins" group seems to be missing, as confirmed: <https://lists.samba.org/archive/samba/2022-September/242005.html>