Igor Sousa
2019-Aug-07 22:17 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
Hello everybody,

I've had a samba environment with the following "brief" description:

- There are 2 DCs (*samba4* and *samba4bkp*) running samba version 4.1.6 on my domain (*SMB*). The DNS back end is Samba Internal DNS;
- I've added a new DC (*king*) running samba version 4.10.2 as a DC to the *SMB* domain with the BIND9 DNS back end;
- *king* has updated DNS zones and I've checked it;
- *king* can resolve *SMB* domain names;
- *samba4bkp* has broken and I've lost its disks. Then I've followed the steps described on https://blogs.technet.microsoft.com/canitpro/2016/02/17/step-by-step-removing-a-domain-controller-server-manually/ to remove *samba4bkp* manually.

After removing *samba4bkp*, I've checked the *samba4* DNS zones and they are OK, but *king* has still kept the *samba4bkp* registers. Then I've tried to update the DNS entries by running *samba_dnsupdate --verbose --all-names* and it has returned that all 28 entries failed to update, as shown below.

I've searched for similar errors with "; TSIG error with server: tsig verify failure", but I've been unsuccessful.

Regards!
--
Igor Sousa

*samba_dnsupdate output:*

[root at king ~]# samba_dnsupdate --verbose --all-names
IPs: ['10.41.20.67']
force update: A king.smb 10.41.20.67
force update: NS smb king.smb
force update: NS _msdcs.smb king.smb
force update: A smb 10.41.20.67
force update: SRV _ldap._tcp.smb king.smb 389
force update: SRV _ldap._tcp.dc._msdcs.smb king.smb 389
force update: SRV _ldap._tcp.6be160cc-cf53-4c79-a088-b81267a01ec2.domains._msdcs.smb king.smb 389
force update: SRV _kerberos._tcp.smb king.smb 88
force update: SRV _kerberos._udp.smb king.smb 88
force update: SRV _kerberos._tcp.dc._msdcs.smb king.smb 88
force update: SRV _kpasswd._tcp.smb king.smb 464
force update: SRV _kpasswd._udp.smb king.smb 464
force update: CNAME 46a2e9f2-ad5c-4a7b-a8da-833fe45ad885._msdcs.smb king.smb
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.smb king.smb 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.smb king.smb 389
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.smb king.smb 88
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.smb king.smb 88
force update: A gc._msdcs.smb 10.41.20.67
force update: SRV _gc._tcp.smb king.smb 3268
force update: SRV _ldap._tcp.gc._msdcs.smb king.smb 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.smb king.smb 3268
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.smb king.smb 3268
force update: A DomainDnsZones.smb 10.41.20.67
force update: SRV _ldap._tcp.DomainDnsZones.smb king.smb 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.smb king.smb 389
force update: A ForestDnsZones.smb 10.41.20.67
force update: SRV _ldap._tcp.ForestDnsZones.smb king.smb 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.smb king.smb 389
28 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
update(nsupdate): A king.smb 10.41.20.67
Calling nsupdate for A king.smb 10.41.20.67 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
king.smb. 900 IN A 10.41.20.67
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): NS smb king.smb
Calling nsupdate for NS smb king.smb (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
smb. 900 IN NS king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): NS _msdcs.smb king.smb
Calling nsupdate for NS _msdcs.smb king.smb (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_msdcs.smb. 900 IN NS king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A smb 10.41.20.67
Calling nsupdate for A smb 10.41.20.67 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
smb. 900 IN A 10.41.20.67
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.smb. 900 IN SRV 0 100 389 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.dc._msdcs.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.smb. 900 IN SRV 0 100 389 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.6be160cc-cf53-4c79-a088-b81267a01ec2.domains._msdcs.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.6be160cc-cf53-4c79-a088-b81267a01ec2.domains._msdcs.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.6be160cc-cf53-4c79-a088-b81267a01ec2.domains._msdcs.smb. 900 IN SRV 0 100 389 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.smb king.smb 88
Calling nsupdate for SRV _kerberos._tcp.smb king.smb 88 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.smb. 900 IN SRV 0 100 88 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._udp.smb king.smb 88
Calling nsupdate for SRV _kerberos._udp.smb king.smb 88 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.smb. 900 IN SRV 0 100 88 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.dc._msdcs.smb king.smb 88
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.smb king.smb 88 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.smb. 900 IN SRV 0 100 88 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kpasswd._tcp.smb king.smb 464
Calling nsupdate for SRV _kpasswd._tcp.smb king.smb 464 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.smb. 900 IN SRV 0 100 464 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kpasswd._udp.smb king.smb 464
Calling nsupdate for SRV _kpasswd._udp.smb king.smb 464 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.smb. 900 IN SRV 0 100 464 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): CNAME 46a2e9f2-ad5c-4a7b-a8da-833fe45ad885._msdcs.smb king.smb
Calling nsupdate for CNAME 46a2e9f2-ad5c-4a7b-a8da-833fe45ad885._msdcs.smb king.smb (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
46a2e9f2-ad5c-4a7b-a8da-833fe45ad885._msdcs.smb. 900 IN CNAME king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.smb. 900 IN SRV 0 100 389 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.smb. 900 IN SRV 0 100 389 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.Default-First-Site-Name._sites.smb king.smb 88
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.smb king.smb 88 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.smb. 900 IN SRV 0 100 88 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.smb king.smb 88
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.smb king.smb 88 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.smb. 900 IN SRV 0 100 88 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A gc._msdcs.smb 10.41.20.67
Calling nsupdate for A gc._msdcs.smb 10.41.20.67 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.smb. 900 IN A 10.41.20.67
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _gc._tcp.smb king.smb 3268
Calling nsupdate for SRV _gc._tcp.smb king.smb 3268 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.smb. 900 IN SRV 0 100 3268 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.gc._msdcs.smb king.smb 3268
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.smb king.smb 3268 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.smb. 900 IN SRV 0 100 3268 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _gc._tcp.Default-First-Site-Name._sites.smb king.smb 3268
Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._sites.smb king.smb 3268 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.Default-First-Site-Name._sites.smb. 900 IN SRV 0 100 3268 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.smb king.smb 3268
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.smb king.smb 3268 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.smb. 900 IN SRV 0 100 3268 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A DomainDnsZones.smb 10.41.20.67
Calling nsupdate for A DomainDnsZones.smb 10.41.20.67 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
DomainDnsZones.smb. 900 IN A 10.41.20.67
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.DomainDnsZones.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.DomainDnsZones.smb. 900 IN SRV 0 100 389 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.smb. 900 IN SRV 0 100 389 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A ForestDnsZones.smb 10.41.20.67
Calling nsupdate for A ForestDnsZones.smb 10.41.20.67 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.smb. 900 IN A 10.41.20.67
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.ForestDnsZones.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.smb. 900 IN SRV 0 100 389 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.smb. 900 IN SRV 0 100 389 king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 28 entries
Rowland penny
2019-Aug-08 07:29 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
On 07/08/2019 23:17, Igor Sousa via samba wrote:
> Hello everybody,
>
> I've had a samba environment with the following "brief" description:
>
> - There are 2 DC (*samba4 *and *samba4bkp*) running samba version 4.1.6

Ouch, using seriously old and EOL Samba versions is not a good idea. I would suggest you upgrade at regular intervals.

> on my domain (*SMB*). DNS back end is Samba Internal DNS;
> - I've added a new DC (*king*) running samba version 4.10.2 and as DC
> to *SMB *domain with BIND9 DNS Back End;
> - *king* has updated dns zones and I've checked it;
> - *king *has got resolve *SMB* domain names;
> - *samba4bkp* has broken and I've lost its disks. Then I've followed
> steps described on
> https://blogs.technet.microsoft.com/canitpro/2016/02/17/step-by-step-removing-a-domain-controller-server-manually/
> to
> remove *samba4bkp* manually.

What a lot of work you didn't need to do, 'samba-tool domain demote --remove-other-dead-server=samba4bkp' would have done it for you ;-)

>
> After remove *samba4bkp, *I've checked *samba4* dns zones and they are ok,
> but *king *still has maintained *samba4bkp* registers. Then I've tried to
> update dns entries running *samba_dnsupdate --verbose --all-names* and it
> has returned that all 28 entries failed to updated, as shown below.
>
> I've searched about similar error "; TSIG error with server: tsig verify
> failure", but I've been unsuccessful.
>
> Regards!
> --
> Igor Sousa
>
>
>
> ; TSIG error with server: tsig verify failure
> Failed nsupdate: 2
> update(nsupdate): NS smb king.smb
> Calling nsupdate for NS smb king.smb (add)
> Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> smb. 900 IN NS king.smb.
>

Is 'king' using itself for its nameserver ?

It looks like it isn't: 'Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$'

Rowland
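
The check made by eye in the reply above, as an added example that is not part of the original thread: it reads `samba_dnsupdate --verbose` output, extracts the `DNS/<host>` service principal each ticket was obtained for, compares it with the local DC's name, and lists the failed updates with their TSIG reason. The function name `summarize_dnsupdate` and the trimmed `SAMPLE` text (constructed from the output quoted in this thread) are assumptions.

```python
import re
from collections import Counter

# Line shapes as they appear in the samba_dnsupdate --verbose output quoted in this thread.
TICKET_RE = re.compile(r"Successfully obtained Kerberos ticket to DNS/(\S+) as (\S+)")
CALL_RE = re.compile(r"Calling nsupdate for (\S+) (\S+)")
TSIG_RE = re.compile(r";\s*TSIG error with server: (.+)")
FAILED_RE = re.compile(r"Failed nsupdate: (\d+)")

# Constructed sample: two of the failing updates from the thread, trimmed.
SAMPLE = """\
28 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
update(nsupdate): A king.smb 10.41.20.67
Calling nsupdate for A king.smb 10.41.20.67 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; UPDATE SECTION:
king.smb. 900 IN A 10.41.20.67
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): NS smb king.smb
Calling nsupdate for NS smb king.smb (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; UPDATE SECTION:
smb. 900 IN NS king.smb.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
"""


def summarize_dnsupdate(output, local_fqdn):
    """Report which DNS server the updates were signed for and which ones failed."""
    targets = Counter()   # host part of each DNS/<host> principal a ticket was issued for
    failures = []         # (rtype, name, reason) for every failed nsupdate call
    current, tsig_error = None, None
    for raw in output.splitlines():
        line = raw.strip()
        if (m := TICKET_RE.search(line)):
            targets[m.group(1).lower()] += 1
        elif (m := CALL_RE.match(line)):
            current, tsig_error = (m.group(1), m.group(2)), None
        elif (m := TSIG_RE.match(line)):
            tsig_error = m.group(1).strip()
        elif (m := FAILED_RE.match(line)) and current:
            failures.append((*current, tsig_error or f"nsupdate exit {m.group(1)}"))
            current = None
    return {
        "ticket_targets": dict(targets),
        # Non-empty when the updates are being sent to a DC other than this one.
        "remote_targets": sorted(t for t in targets if t != local_fqdn.lower()),
        "failures": failures,
        "reasons": dict(Counter(reason for _, _, reason in failures)),
    }


if __name__ == "__main__":
    report = summarize_dnsupdate(SAMPLE, "king.smb")
    print("tickets issued for:", report["ticket_targets"])
    print("updates sent to other DCs:", report["remote_targets"])
    for rtype, name, reason in report["failures"]:
        print(f"FAILED {rtype} {name}: {reason}")
```
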
Igor Sousa
2019-Aug-09 20:19 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
On Thu, 8 Aug 2019 at 04:30, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> What a lot of work you didn't need to do, 'samba-tool domain demote
> --remove-other-dead-server=samba4bkp' would have done it for you ;-)
>

Good to know. I'll try it if I face the same problem.

On Thu, 8 Aug 2019 at 04:30, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> Is 'king' using itself for its nameserver ?
>
> It looks like it isn't: 'Successfully obtained Kerberos ticket to
> DNS/samba4.smb as KING$'

'king' is using 'samba4' as its nameserver. I've confirmed that samba4 has the FSMO roles.

I've checked the cached Kerberos tickets and I've seen that 'king's ticket expired on 04/26/2019 (this is the date when I created 'king' and added it as a DC on SMB). After this, I've obtained a new Kerberos ticket with the 'kinit' command, but 'samba_dnsupdate --verbose --all-names' has returned the same problem I've reported.

Note: Shouldn't a DC renew its Kerberos ticket automatically?

Regards!
--
Igor Sousa

=========== Kerberos ticket ============
[root at king ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at SMB.UFC.BR

Valid starting       Expires              Service principal
04/25/2019 14:42:03  04/26/2019 00:42:03  krbtgt/SMB.UFC.BR at SMB.UFC.BR
        renew until 04/26/2019 14:41:57
[root at king ~]# kinit administrator
Password for administrator at SMB:
[root at king ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at SMB.UFC.BR

Valid starting       Expires              Service principal
08/09/2019 17:06:36  08/10/2019 03:06:36  krbtgt/SMB.UFC.BR at SMB.UFC.BR
        renew until 08/10/2019 17:06:31

======== FSMO owner =============
[root at king ~]# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb
InfrastructureMasterRole owner: CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb
RidAllocationMasterRole owner: CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb
DomainNamingMasterRole owner: CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb