# Samba ADDC and BIND9_DLZ - dns updates not working

## spindles7

Hi,

I have a test system with two DCs based on samba v 4.8.0 with BIND9_DLZ as the dns backend running on a fresh install of Gentoo. I can't get DNS Updates to work on both DCs. If I issue the command `samba_dnsupdate --verbose` after the 2nd DC has joined the domain I get the errors (just showing the last entry):

```
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samba4p8.example.com gentoo-dc2.samba4p8.example.com 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samba4p8.example.com gentoo-dc2.samba4p8.example.com 389 (add)
Successfully obtained Kerberos ticket to DNS/gentoo-dc1.samba4p8.example.com as GENTOO-DC2$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samba4p8.example.com. 900 IN SRV 0 100 389 gentoo-dc2.samba4p8.example.com.

dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 26 entries
```

I have followed the samba Wiki (https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable) for troubleshooting this error and all seems OK:

dns.keytabs:

```
gentoo-dc2 ~ # ktutil -k /var/lib/samba/private/dns.keytab list
/var/lib/samba/private/dns.keytab:

Vno  Type                     Principal                                                 Aliases
  2  des-cbc-crc              DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
  2  des-cbc-crc              dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
  2  des-cbc-md5              DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
  2  des-cbc-md5              dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
  2  arcfour-hmac-md5         DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
  2  arcfour-hmac-md5         dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
  2  aes128-cts-hmac-sha1-96  DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
  2  aes128-cts-hmac-sha1-96  dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM
```

dns user in AD:

```
gentoo-dc2 ~ # ldbsearch -H /var/lib/samba/private/sam.ldb 'cn=dns-gentoo-dc2' dn
# record 1
dn: CN=dns-GENTOO-DC2,CN=Users,DC=samba4p8,DC=example,DC=com

# Referral
ref: ldap://samba4p8.example.com/CN=Configuration,DC=samba4p8,DC=example,DC=com

# Referral
ref: ldap://samba4p8.example.com/DC=DomainDnsZones,DC=samba4p8,DC=example,DC=com

# Referral
ref: ldap://samba4p8.example.com/DC=ForestDnsZones,DC=samba4p8,DC=example,DC=com

# returned 4 records
# 1 entries
# 3 referrals
```

`named -V` produces the relevant build options: `--with-dlopen` and `--with-gssapi`.

I ran named with the debug option `-d 7` and it produced this log output:

```
15-Mar-2018 12:29:13.562 starting BIND 9.11.2-P1 <id:2c2bc60>
15-Mar-2018 12:29:13.563 running on Linux x86_64 4.9.76-gentoo-r1 #1 SMP Wed Mar 14 23:34:12 GMT 2018
15-Mar-2018 12:29:13.563 built with '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--libdir=/usr/lib64' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--enable-linux-caps' '--enable-filter-aaaa' '--disable-fixed-rrset' '--disable-ipv6' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--disable-seccomp' '--enable-threads' '--without-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem' '--with-dlz-stub' '--without-gost' '--with-gssapi' '--without-idn' '--without-libjson' '--without-dlz-ldap' '--without-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--with-python' '--with-ecdsa' '--with-openssl=/usr' '--with-libxml2' '--with-zlib' '--with-randomdev=/dev/urandom' '--with-geoip' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-march=native -O2 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
15-Mar-2018 12:29:13.563 running as: named -u named -f -g
15-Mar-2018 12:29:13.563 ----------------------------------------------------
15-Mar-2018 12:29:13.563 BIND 9 is maintained by Internet Systems Consortium,
15-Mar-2018 12:29:13.563 Inc. (ISC), a non-profit 501(c)(3) public-benefit 
15-Mar-2018 12:29:13.563 corporation.  Support and training for BIND 9 are 
15-Mar-2018 12:29:13.563 available at https://www.isc.org/support
15-Mar-2018 12:29:13.563 ----------------------------------------------------
15-Mar-2018 12:29:13.563 adjusted limit on open files from 4096 to 1048576
15-Mar-2018 12:29:13.563 found 1 CPU, using 1 worker thread
15-Mar-2018 12:29:13.563 using 1 UDP listener per interface
15-Mar-2018 12:29:13.563 using up to 4096 sockets
15-Mar-2018 12:29:13.565 ./config.c: option 'lmdb-mapsize' was not enabled at compile time (ignored)
15-Mar-2018 12:29:13.565 loading configuration from '/etc/bind/named.conf'
15-Mar-2018 12:29:13.566 reading built-in trusted keys from file '/etc/bind/bind.keys'
15-Mar-2018 12:29:13.566 GeoIP Country (IPv4) (type 1) DB not available
15-Mar-2018 12:29:13.566 GeoIP Country (IPv6) (type 12) DB not available
15-Mar-2018 12:29:13.566 GeoIP City (IPv4) (type 2) DB not available
15-Mar-2018 12:29:13.566 GeoIP City (IPv4) (type 6) DB not available
15-Mar-2018 12:29:13.566 GeoIP City (IPv6) (type 30) DB not available
15-Mar-2018 12:29:13.566 GeoIP City (IPv6) (type 31) DB not available
15-Mar-2018 12:29:13.566 GeoIP Region (type 3) DB not available
15-Mar-2018 12:29:13.566 GeoIP Region (type 7) DB not available
15-Mar-2018 12:29:13.566 GeoIP ISP (type 4) DB not available
15-Mar-2018 12:29:13.566 GeoIP Org (type 5) DB not available
15-Mar-2018 12:29:13.566 GeoIP AS (type 9) DB not available
15-Mar-2018 12:29:13.566 GeoIP Domain (type 11) DB not available
15-Mar-2018 12:29:13.566 GeoIP NetSpeed (type 10) DB not available
15-Mar-2018 12:29:13.566 using default UDP/IPv4 port range: [32768, 60999]
15-Mar-2018 12:29:13.566 using default UDP/IPv6 port range: [32768, 60999]
15-Mar-2018 12:29:13.566 listening on IPv4 interface lo, 127.0.0.1#53
15-Mar-2018 12:29:13.567 listening on IPv4 interface enp0s3, 192.168.2.16#53
15-Mar-2018 12:29:13.567 generating session key for dynamic DNS
15-Mar-2018 12:29:13.567 sizing zone task pool based on 3 zones
15-Mar-2018 12:29:13.568 zone 'localhost' allows unsigned updates from remote hosts, which is insecure
15-Mar-2018 12:29:13.568 zone '0.0.127.in-addr.arpa' allows unsigned updates from remote hosts, which is insecure
15-Mar-2018 12:29:13.568 Loading 'AD DNS Zone' using driver dlopen
15-Mar-2018 12:29:13.580 samba_dlz: INFO: Current debug levels:
15-Mar-2018 12:29:13.580 samba_dlz:   all: 7
15-Mar-2018 12:29:13.580 samba_dlz:   tdb: 7
15-Mar-2018 12:29:13.580 samba_dlz:   printdrivers: 7
15-Mar-2018 12:29:13.580 samba_dlz:   lanman: 7
15-Mar-2018 12:29:13.580 samba_dlz:   smb: 7
15-Mar-2018 12:29:13.580 samba_dlz:   rpc_parse: 7
15-Mar-2018 12:29:13.580 samba_dlz:   rpc_srv: 7
15-Mar-2018 12:29:13.580 samba_dlz:   rpc_cli: 7
15-Mar-2018 12:29:13.581 samba_dlz:   passdb: 7
15-Mar-2018 12:29:13.581 samba_dlz:   sam: 7
15-Mar-2018 12:29:13.581 samba_dlz:   auth: 7
15-Mar-2018 12:29:13.581 samba_dlz:   winbind: 7
15-Mar-2018 12:29:13.581 samba_dlz:   vfs: 7
15-Mar-2018 12:29:13.581 samba_dlz:   idmap: 7
15-Mar-2018 12:29:13.581 samba_dlz:   quota: 7
15-Mar-2018 12:29:13.581 samba_dlz:   acls: 7
15-Mar-2018 12:29:13.581 samba_dlz:   locking: 7
15-Mar-2018 12:29:13.581 samba_dlz:   msdfs: 7
15-Mar-2018 12:29:13.581 samba_dlz:   dmapi: 7
15-Mar-2018 12:29:13.581 samba_dlz:   registry: 7
15-Mar-2018 12:29:13.582 samba_dlz:   scavenger: 7
15-Mar-2018 12:29:13.582 samba_dlz:   dns: 7
15-Mar-2018 12:29:13.582 samba_dlz:   ldb: 7
15-Mar-2018 12:29:13.582 samba_dlz:   tevent: 7
15-Mar-2018 12:29:13.582 samba_dlz:   auth_audit: 7
15-Mar-2018 12:29:13.582 samba_dlz:   auth_json_audit: 7
15-Mar-2018 12:29:13.582 samba_dlz:   kerberos: 7
15-Mar-2018 12:29:13.582 samba_dlz:   drs_repl: 7
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'gssapi_spnego' registered
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'gssapi_krb5' registered
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'gssapi_krb5_sasl' registered
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'spnego' registered
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'schannel' registered
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'naclrpc_as_system' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'sasl-EXTERNAL' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'ntlmssp' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'ntlmssp_resume_ccache' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'http_basic' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'http_ntlm' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'http_negotiate' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'krb5' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'fake_gssapi_krb5' registered
15-Mar-2018 12:29:13.616 samba_dlz: ldb: No encrypted secrets key file. Secret attributes will not be encrypted or decrypted
15-Mar-2018 12:29:13.616 samba_dlz: 
15-Mar-2018 12:29:13.653 samba_dlz: schema_fsmo_init: we are master[no] updates allowed[no]
15-Mar-2018 12:29:13.669 samba_dlz: started for DN DC=samba4p8,DC=example,DC=com
15-Mar-2018 12:29:13.669 samba_dlz: starting configure
15-Mar-2018 12:29:13.671 samba_dlz: configured writeable zone 'samba4p8.example.com'
15-Mar-2018 12:29:13.671 samba_dlz: configured writeable zone '2.168.192.in-addr.arpa'
15-Mar-2018 12:29:13.672 samba_dlz: configured writeable zone '_msdcs.samba4p8.example.com'
15-Mar-2018 12:29:13.672 none:103: 'max-cache-size 90%' - setting to 893MB (out of 992MB)
15-Mar-2018 12:29:13.673 obtaining root key for view _default from '/etc/bind/bind.keys'
15-Mar-2018 12:29:13.673 set up managed keys zone for view _default, file 'managed-keys.bind'
15-Mar-2018 12:29:13.673 zone 'version.bind' allows unsigned updates from remote hosts, which is insecure
15-Mar-2018 12:29:13.673 zone 'hostname.bind' allows unsigned updates from remote hosts, which is insecure
15-Mar-2018 12:29:13.673 zone 'authors.bind' allows unsigned updates from remote hosts, which is insecure
15-Mar-2018 12:29:13.674 zone 'id.server' allows unsigned updates from remote hosts, which is insecure
15-Mar-2018 12:29:13.674 none:103: 'max-cache-size 90%' - setting to 893MB (out of 992MB)
15-Mar-2018 12:29:13.675 command channel listening on 127.0.0.1#953
15-Mar-2018 12:29:13.675 not using config file logging statement for logging due to -g option
15-Mar-2018 12:29:13.675 managed-keys-zone: loaded serial 3
15-Mar-2018 12:29:13.676 zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
15-Mar-2018 12:29:13.676 zone localhost/IN: loaded serial 2008122601
15-Mar-2018 12:29:13.676 all zones loaded
15-Mar-2018 12:29:13.676 running
```

Can anyone spot what I am missing or what I've done wrong? I have a similar system based on Debian Stretch which works fine. So I think it may be something to do with the USE flags in Gentoo. (I am new to Gentoo, so may have made simple errors!) Appreciate any help.

Many thanks,

Roy
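The post walks through two of the Samba wiki's checks for this error by hand: the DNS principal and its enctypes in `dns.keytab`, and the `--with-dlopen` / `--with-gssapi` build options of `named`. The helper below is an added example, not code from the post, Samba or BIND; it scripts those two checks so they can be repeated on each DC, and defaults the host and realm to the values in the post. The functions take the command output as a string so they can also be run against pasted output.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post or from Samba/BIND).
# It checks the two artefacts the post inspects by hand: a
# "ktutil -k <keytab> list" listing and the "named -V" build options.
# DC_FQDN and REALM default to the values in the post; override via env.
DC_FQDN="${DC_FQDN:-gentoo-dc2.samba4p8.example.com}"
REALM="${REALM:-SAMBA4P8.EXAMPLE.COM}"

# Returns 0 if the listing has DNS/<fqdn>@<REALM> with an AES enctype.
# Current Kerberos libraries refuse DES, so a keytab whose DNS principal
# only has des-cbc-* or arcfour keys cannot complete the GSS-TSIG TKEY
# exchange even though "the principal is there".
keytab_has_aes_dns_principal() {
    printf '%s\n' "$1" |
        grep -E "^ *[0-9]+ +aes(128|256)-cts-hmac-sha1-96 +DNS/$DC_FQDN@$REALM" \
        >/dev/null
}

# Returns 0 if "named -V" output shows both options the post looks for:
# --with-dlopen (needed to load the samba_dlz driver) and --with-gssapi
# (needed for GSS-TSIG signed updates).
named_has_dlz_gssapi() {
    printf '%s\n' "$1" | grep -q -- '--with-dlopen' &&
        printf '%s\n' "$1" | grep -q -- '--with-gssapi'
}

# Runs both checks against the live DC. Exit status = number of failures,
# so it can be used from a monitoring or post-join verification script.
dns_update_prereqs() {
    keytab="${1:-/var/lib/samba/private/dns.keytab}"
    fails=0
    if keytab_has_aes_dns_principal "$(ktutil -k "$keytab" list 2>/dev/null)"; then
        echo "ok   keytab: AES key for DNS/$DC_FQDN@$REALM in $keytab"
    else
        echo "FAIL keytab: no AES DNS/$DC_FQDN@$REALM entry in $keytab"
        fails=$((fails + 1))
    fi
    if named_has_dlz_gssapi "$(named -V 2>/dev/null)"; then
        echo "ok   named: built with --with-dlopen and --with-gssapi"
    else
        echo "FAIL named: missing --with-dlopen and/or --with-gssapi"
        fails=$((fails + 1))
    fi
    return "$fails"
}
```

Run `dns_update_prereqs` as root on the DC after the join; both checks pass on the output pasted in the post, which is consistent with the wiki steps looking OK while the update still fails.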
