I've installed Samba 4.09 on ubuntu with bind 9.8.1-P1, the former compiled 
from git source and the latter installed from apt-get. I'm migrating from an 
existing Windows 2008 SBS domain controller that I want to retire (and be 
Windows free on the server side), and have followed the instructions on the 
Samba wiki for setting up Bind and migrating.

When I run samba_dnsupdate --verbose --all-names as per the wiki, all updates 
result in a "dns_tkey_negotiategss: TKEY is unacceptable". Syslog produces the 
following:

Sep  6 12:21:32 newdc samba[7735]: [2013/09/06 12:21:32.189272,  0] 
../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
Sep  6 12:21:32 newdc samba[7735]:   ../source4/dsdb/dns/dns_update.c:294: 
Failed DNS update - NT_STATUS_IO_TIMEOUT
Sep  6 12:23:29 newdc named[7690]: samba b9_putrr: unhandled record type 0

The same TKEY error occurs when I attempt a manual nsupdate. What's odd is 
that the updates actually appear in the Windows DNS manager when I use nsupdate 
or samba-tool to add entries. This works for both the new Samba DC and the 
existing Windows DC. I was going to chalk this up to gremlins and move on with 
life, but when I attempt to transfer or seize the naming role, from either 
Samba or the existing Windows DC, I get:

sudo /usr/local/samba/bin/samba-tool fsmo transfer --role=naming -Uadministrator
ERROR(ldb): uncaught exception - Failed FSMO transfer: WERR_GENERAL_FAILURE
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", 
line 268, in run
    transfer_role(self.outf, role, samdb)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", 
line 53, in transfer_role
    samdb.modify(m)

I believe these are related, but I cannot get the TKEY error resolved and have 
attempted every trick I've been able to find on this mailing list. I've tried 
the following based on days of googling:


1. Verified that apparmor isn't causing problems by setting the following in 
its config:

  # Samba 4 support
  /usr/local/samba/private/** rkw,
  /usr/local/samba/private/dns.keytab rk,
  /usr/local/samba/private/dns/** rkw,
  /etc/krb5.conf r,
  /usr/local/samba/etc/smb.conf r,

  #Samba 4 BIND libraries
  /usr/local/samba/lib/bind9/dlz_bind9.so rm,
  /usr/local/samba/lib/** rm,
  /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,

  # with libdlz_bind9, named needs to access /var/tmp/DNS-${HOSTNAME}_xxx ticke$
  /var/tmp/** krw,
  /tmp/** krw,

2. Regenerated the dns.keytab
3. Ensured that the new DC is listed as the SOA record in the DNS for 
mydomain.local
4. Added the requested config to my named.conf:

  tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
  # tried with and without the line below, no difference
  tkey-domain "MYDOMAIN.LOCAL";
5. Attempted to transfer and seize roles from both Windows and Samba

I've run out of ideas here, and would appreciate any help or additional things 
to attempt. If I cannot seize the naming role, shutting down the windows box 
results in syslog being flooded with "Can't contact OLDDC.mydomain.local"-type 
errors. I want to rid the domain of all memories of SBS so I'm worried that not 
migrating the naming role will keep some dependency in place.

Thanks for any help!

Kind Regards,

Pat
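As an added diagnostic helper (not from the post above or the Samba project), the script below checks the pieces a GSS-TSIG (TKEY) update against BIND with dlz_bind9 depends on: the tkey-gssapi-keytab line in named.conf, that the keytab it names exists and is readable, that the keytab holds a DNS/ principal, and how many "Failed DNS update" lines a syslog extract contains. The default paths are the ones quoted in the post; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic helper; not part of the original post or of Samba.
# Checks the configuration pieces that GSS-TSIG (TKEY) dynamic updates
# against BIND with Samba's dlz_bind9 module depend on, and counts
# failed updates in a syslog extract. Paths default to those in the post.

# 0 if the named.conf fragment sets tkey-gssapi-keytab, 1 otherwise.
named_conf_has_tkey_keytab() {
    grep -Eq '^[[:space:]]*tkey-gssapi-keytab[[:space:]]+"[^"]+"[[:space:]]*;' "$1"
}

# Prints the keytab path named in the fragment (first match, empty if none).
named_conf_keytab_path() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# 0 if the keytab exists and is readable by the invoking user, 1 otherwise.
# Run it as the user named runs as (e.g. sudo -u bind) to see BIND's view.
keytab_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# 0 if the keytab carries a DNS/ service principal, 1 if it does not,
# 2 if klist is not installed so the check could not run.
keytab_has_dns_principal() {
    command -v klist >/dev/null 2>&1 || return 2
    klist -k "$1" 2>/dev/null | grep -q 'DNS/'
}

# Prints the number of "Failed DNS update" lines in a syslog file; this is
# the Samba-side symptom worth alerting on once the DC is in service.
count_failed_dns_updates() {
    grep -c 'Failed DNS update' "$1" || true
}

# Set TKEY_CHECK=1 to run the checks against the real files (paths from the post).
if [ "${TKEY_CHECK:-0}" = 1 ]; then
    conf="${NAMED_CONF:-/etc/bind/named.conf}"      # assumed location
    log="${SYSLOG:-/var/log/syslog}"                # assumed location
    named_conf_has_tkey_keytab "$conf" && echo "tkey-gssapi-keytab: set" || echo "tkey-gssapi-keytab: MISSING"
    kt="$(named_conf_keytab_path "$conf")"; kt="${kt:-/usr/local/samba/private/dns.keytab}"
    keytab_readable "$kt" && echo "keytab $kt: readable" || echo "keytab $kt: NOT readable"
    keytab_has_dns_principal "$kt"; case $? in 0) echo "DNS/ principal: present";; 1) echo "DNS/ principal: MISSING";; *) echo "DNS/ principal: klist unavailable";; esac
    echo "failed DNS updates in $log: $(count_failed_dns_updates "$log")"
fi
```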