I've installed Samba 4.09 on ubuntu with bind 9.8.1-P1, the former compiled
from git source and the latter installed from apt-get. I'm migrating from an
existing Windows 2008 SBS domain controller that I want to retire (and be
Windows free on the server side), and have followed the instructions on the
Samba wiki for setting up Bind and migrating.
When I run a samba_dnsupdate --verbose --all-names as per the wiki, all updates
result in a "dns_tkey_negotiategss: TKEY is unacceptable". Syslog produces the
following:
Sep 6 12:21:32 newdc samba[7735]: [2013/09/06 12:21:32.189272, 0]
../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
Sep 6 12:21:32 newdc samba[7735]: ../source4/dsdb/dns/dns_update.c:294:
Failed DNS update - NT_STATUS_IO_TIMEOUT
Sep 6 12:23:29 newdc named[7690]: samba b9_putrr: unhandled record type 0
The same TKEY error occurs when I attempt a manual nsupdate. What's odd is
that the updates actually appear in the Windows DNS manager when I use nsupdate
or samba-tool to add entries. This works for both the new samba DC and the
existing windows DC. I was going to chalk this up to gremlins and move on with
life, but when I attempt to transfer or seize the naming role, from either
samba or the existing Windows DC, I get:
sudo /usr/local/samba/bin/samba-tool fsmo transfer --role=naming -Uadministrator
ERROR(ldb): uncaught exception - Failed FSMO transfer: WERR_GENERAL_FAILURE
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 268, in run
transfer_role(self.outf, role, samdb)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 53, in transfer_role
samdb.modify(m)
I believe these are related, but I cannot get the TKEY error resolved and have
attempted every trick I've been able to find on this mailing list. I've tried
the following based on days of googling:
1. Verified that apparmor isn't causing problems by setting the following in
its config:
# Samba 4 support
/usr/local/samba/private/** rkw,
/usr/local/samba/private/dns.keytab rk,
/usr/local/samba/private/dns/** rkw,
/etc/krb5.conf r,
/usr/local/samba/etc/smb.conf r,
#Samba 4 BIND libraries
/usr/local/samba/lib/bind9/dlz_bind9.so rm,
/usr/local/samba/lib/** rm,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
# with libdlz_bind9, named needs to access /var/tmp/DNS-${HOSTNAME}_xxx ticke$
/var/tmp/** krw,
/tmp/** krw,
2. Regenerated the dns.keytab
3. Ensured that the new DC is listed as the SOA record in the DNS for
mydomain.local
4. Added the requested config to my named.conf:
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
#tried with and without the line below, no difference
tkey-domain "MYDOMAIN.LOCAL";
5. Attempted to transfer and seize roles from both Windows and Samba
I've run out of ideas here, and would appreciate any help or additional things
to attempt. If I cannot seize the naming role, shutting down the windows box
results in syslog being flooded with "Can't contact OLDDC.mydomain.local"-type
errors. I want to rid the domain of all memories of SBS so I'm worried that not
migrating the naming role will keep some dependency in place.
Thanks for any help!
Kind Regards,
Pat
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
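One thing a reader of this thread may want before chasing TKEY errors further is an offline check that the pieces the post lists actually line up: that named.conf names a keytab with tkey-gssapi-keytab, and that the AppArmor profile for named grants read access on exactly that path. The script below is an added example, not code from the Samba project or from the original poster. The named.conf fragment and the AppArmor profile body are constructed from the paths in the post (the `/usr/sbin/named {` wrapper is assumed); the AppArmor glob handling is deliberately simplified to `*` (within one path component) and `**` (across components) and ignores `?`, `{a,b}` alternation and include files, so treat a negative result as a prompt to inspect the real profile, not as proof.

```python
"""Offline sanity check for the BIND9 + Samba DLZ GSS-TSIG setup described in
the post above. Added example, not Samba or poster code. It extracts the
tkey-gssapi-keytab path from a named.conf and asks whether named's AppArmor
profile grants 'r' on that path. Sample inputs are constructed from the post."""

import re

# Constructed named.conf fragment; paths as given in the post.
NAMED_CONF = '''
options {
    directory "/var/cache/bind";
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    # tkey-domain "MYDOMAIN.LOCAL";
};
include "/usr/local/samba/private/named.conf";
'''

# Constructed AppArmor profile body; the rules are the ones the poster listed,
# the "/usr/sbin/named {" wrapper is an assumption.
APPARMOR_PROFILE = '''
/usr/sbin/named {
  /usr/local/samba/private/** rkw,
  /usr/local/samba/private/dns.keytab rk,
  /usr/local/samba/private/dns/** rkw,
  /etc/krb5.conf r,
  /usr/local/samba/etc/smb.conf r,
  /usr/local/samba/lib/bind9/dlz_bind9.so rm,
  /usr/local/samba/lib/** rm,
  /var/tmp/** krw,
}
'''


def gss_keytab_path(named_conf):
    """Return the path from the first tkey-gssapi-keytab statement, or None."""
    m = re.search(r'^\s*tkey-gssapi-keytab\s+"([^"]+)"\s*;', named_conf, re.M)
    return m.group(1) if m else None


def apparmor_glob_to_regex(glob):
    """Translate a (simplified) AppArmor path glob to an anchored regex.
    '**' may span '/' separators, a single '*' may not."""
    out = []
    i = 0
    while i < len(glob):
        if glob.startswith('**', i):
            out.append('.*')
            i += 2
        elif glob[i] == '*':
            out.append('[^/]*')
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return '^' + ''.join(out) + '$'


def apparmor_rules(profile):
    """Yield (glob, set_of_permission_letters) for each file rule in a profile."""
    for line in profile.splitlines():
        line = line.split('#', 1)[0].strip()       # drop comments
        m = re.match(r'^(/\S+)\s+([a-zA-Z]+)\s*,$', line)
        if m:
            yield m.group(1), set(m.group(2))


def permissions_for(profile, path):
    """Union of permission letters that all matching rules grant on `path`."""
    perms = set()
    for glob, mode in apparmor_rules(profile):
        if re.match(apparmor_glob_to_regex(glob), path):
            perms |= mode
    return perms


def check_gss_keytab(named_conf, profile):
    """Report whether named, under `profile`, can read the keytab named_conf points at."""
    keytab = gss_keytab_path(named_conf)
    if keytab is None:
        return {'keytab': None, 'ok': False,
                'reason': 'no tkey-gssapi-keytab statement in named.conf'}
    perms = permissions_for(profile, keytab)
    if 'r' not in perms:
        return {'keytab': keytab, 'ok': False,
                'reason': 'no AppArmor rule grants read access on the keytab'}
    return {'keytab': keytab, 'ok': True,
            'reason': 'readable, granted perms=' + ''.join(sorted(perms))}


if __name__ == '__main__':
    print(check_gss_keytab(NAMED_CONF, APPARMOR_PROFILE))
```

With the poster's rules the report comes back ok, which is consistent with their statement that AppArmor is not the cause; the same function run with a profile lacking the `/usr/local/samba/private/**` and `dns.keytab` rules returns a failure naming the keytab, which is the case a fresh install with a stock named profile tends to hit.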