Igor Sousa
2019-Aug-11 01:36 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
Hi Rowland,
I've added 'dns update command' to the global section of the smb.conf file and I've configured the nameserver in '/etc/resolv.conf' as 127.0.0.1 (I've tried with 'king' IP address too), but I don't know if this has worked. I've seen some DNS update errors in 'systemctl status samba-ad-dc', though the same command has returned status 'Active (running)'. And I've used 'samba_dnsupdate', as I've mentioned previously, and I've received the 'dns_tkey_negotiategss: TKEY is unacceptable' error and all entries have had their DNS update fail. I've read https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable but I think my case doesn't match the described cases.
I've thought for a time about demoting 'king' from 'SMB' and creating a new DC to join 'SMB'. I haven't done it because I've had no guarantee that this will work.
OBS: I've used CentOS 7 with firewalld and SELinux disabled.
--
Igor Sousa
[root@king ~]# systemctl status samba-ad-dc -l
● samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-08-10 21:56:10 -03; 57s ago
 Main PID: 4761 (samba)
   Status: "smbd: ready to serve connections..."
   CGroup: /system.slice/samba-ad-dc.service
           ├─4761 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4762 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4763 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4764 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4765 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─4766 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4767 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4768 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4769 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4770 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4771 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4772 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4773 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4774 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4775 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4776 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4777 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─4786 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─4787 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           └─4788 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Aug 10 21:56:10 king samba[4775]: /usr/sbin/samba_dnsupdate: Failed to exec child - No such file or directory
Aug 10 21:56:10 king samba[4775]: [2019/08/10 21:56:10.070765, 0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
Aug 10 21:56:10 king samba[4775]: dnsupdate_nameupdate_done: Failed DNS update with exit code 255
Aug 10 21:56:10 king winbindd[4777]: [2019/08/10 21:56:10.742668, 0] ../../source3/winbindd/winbindd_cache.c:3165(initialize_winbindd_cache)
Aug 10 21:56:10 king winbindd[4777]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Aug 10 21:56:10 king winbindd[4777]: [2019/08/10 21:56:10.805712, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
Aug 10 21:56:10 king winbindd[4777]: daemon_ready: daemon 'winbindd' finished starting up and ready to serve connections
Aug 10 21:56:10 king systemd[1]: Started Samba Active Directory Domain Controller.
Aug 10 21:56:11 king smbd[4765]: [2019/08/10 21:56:11.230890, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
Aug 10 21:56:11 king smbd[4765]: daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
[root@king ~]# klist -k /usr/local/samba/bind-dns/dns.keytab
Keytab name: FILE:/usr/local/samba/bind-dns/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/king.smb@SMB
   1 dns-KING@SMB
   1 DNS/king.smb@SMB
   1 dns-KING@SMB
   1 DNS/king.smb@SMB
   1 dns-KING@SMB
   1 DNS/king.smb@SMB
   1 dns-KING@SMB
   1 DNS/king.smb@SMB
   1 dns-KING@SMB
[root@king ~]# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-KING' dn
# record 1
dn: CN=dns-KING,CN=Users,DC=smb
# Referral
ref: ldap://smb/CN=Configuration,DC=smb
# Referral
ref: ldap://smb/DC=DomainDnsZones,DC=smb
# Referral
ref: ldap://smb/DC=ForestDnsZones,DC=smb
# returned 4 records
# 1 entries
# 3 referrals
On Sat, 10 Aug 2019 at 12:30, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 10/08/2019 16:05, Igor Sousa wrote:
> > Hi Rowland,
> >
> > Before adding 'dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool' I've tried once to run 'samba_dnsupdate --verbose --all-names' and it has returned the TSIG error again. More precisely, 'TSIG error with server: tsig verify failure'
>
> Just add the line and restart Samba and your problem should go away.
>
> Rowland
Rowland penny
2019-Aug-11 08:17 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
On 11/08/2019 02:36, Igor Sousa wrote:
> Hi Rowland,
>
> I've added 'dns update command' to the global section of the smb.conf file and I've configured the nameserver in '/etc/resolv.conf' as 127.0.0.1 (I've tried with 'king' IP address too), but I don't know if this has worked. I've seen some DNS update errors in 'systemctl status samba-ad-dc', though the same command has returned status 'Active (running)'. And I've used 'samba_dnsupdate', as I've mentioned previously, and I've received the 'dns_tkey_negotiategss: TKEY is unacceptable' error and all entries have had their DNS update fail. I've read https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable but I think my case doesn't match the described cases.
>
> I've thought for a time about demoting 'king' from 'SMB' and creating a new DC to join 'SMB'. I haven't done it because I've had no guarantee that this will work.
>
> OBS: I've used CentOS 7 with firewalld and SELinux disabled.
Do not use '127.0.0.1' in /etc/resolv.conf, use the DC's IP address.
Stop running 'samba_dnsupdate' directly, but if you must, add '--use-samba-tool'.
By using '--use-samba-tool' you are doing the updates over RPC instead of Kerberos.
Rowland
Igor Sousa
2019-Aug-12 16:57 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
Hi Rowland,
I've done as you said: I've set the nameserver in the '/etc/resolv.conf' file to the 'king' IP (10.41.20.67) and added 'dns update command /usr/sbin/samba_dnsupdate --use-samba-tool' to the '/usr/local/samba/etc/smb.conf' file. I've still seen samba_dnsupdate failures in 'systemctl status samba-ad-dc'. Is there another way to check whether the DNS entries are updated correctly instead of using 'samba_dnsupdate --verbose --all-names --use-samba-tool'?
[root@king ~]# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        netbios name = KING
        realm = SMB
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SMB
        idmap_ldb:use rfc2307 = yes
        dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/smb/scripts
        read only = No
[root@king ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search SMB
nameserver 10.41.20.67
[root@king ~]# systemctl status samba-ad-dc -l
● samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-08-12 10:08:47 -03; 44min ago
 Main PID: 4771 (samba)
   Status: "smbd: ready to serve connections..."
   CGroup: /system.slice/samba-ad-dc.service
           ├─4771 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4773 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4774 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4775 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4776 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4777 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─4778 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4779 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4780 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4781 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4782 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4783 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4784 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4785 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4786 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4787 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4788 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─4795 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─4796 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           └─4799 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Aug 12 10:28:46 king samba[4786]: [2019/08/12 10:28:46.806315, 0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
Aug 12 10:28:46 king samba[4786]: dnsupdate_nameupdate_done: Failed DNS update with exit code 255
Aug 12 10:38:46 king samba[4786]: [2019/08/12 10:38:46.874731, 0] ../../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Aug 12 10:38:46 king samba[4786]: /usr/sbin/samba_dnsupdate: Failed to exec child - No such file or directory
Aug 12 10:38:46 king samba[4786]: [2019/08/12 10:38:46.877919, 0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
Aug 12 10:38:46 king samba[4786]: dnsupdate_nameupdate_done: Failed DNS update with exit code 255
Aug 12 10:48:46 king samba[4786]: [2019/08/12 10:48:46.894473, 0] ../../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Aug 12 10:48:46 king samba[4786]: /usr/sbin/samba_dnsupdate: Failed to exec child - No such file or directory
Aug 12 10:48:46 king samba[4786]: [2019/08/12 10:48:46.897140, 0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
Aug 12 10:48:46 king samba[4786]: dnsupdate_nameupdate_done: Failed DNS update with exit code 255
--
Igor Sousa
On Sun, 11 Aug 2019 at 05:18, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 11/08/2019 02:36, Igor Sousa wrote:
> > Hi Rowland,
> >
> > I've added 'dns update command' to the global section of the smb.conf file and I've configured the nameserver in '/etc/resolv.conf' as 127.0.0.1 (I've tried with 'king' IP address too), but I don't know if this has worked. I've seen some DNS update errors in 'systemctl status samba-ad-dc', though the same command has returned status 'Active (running)'. And I've used 'samba_dnsupdate', as I've mentioned previously, and I've received the 'dns_tkey_negotiategss: TKEY is unacceptable' error and all entries have had their DNS update fail. I've read https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable but I think my case doesn't match the described cases.
> >
> > I've thought for a time about demoting 'king' from 'SMB' and creating a new DC to join 'SMB'. I haven't done it because I've had no guarantee that this will work.
> >
> > OBS: I've used CentOS 7 with firewalld and SELinux disabled.
>
> Do not use '127.0.0.1' in /etc/resolv.conf, use the DC's IP address.
>
> Stop running 'samba_dnsupdate' directly, but if you must, add '--use-samba-tool'.
>
> By using '--use-samba-tool' you are doing the updates over RPC instead of Kerberos.
>
> Rowland
>
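
The journal lines in the message above report '/usr/sbin/samba_dnsupdate: Failed to exec child - No such file or directory'. As an added example (not part of the original thread), this shell script pulls such paths out of log text and checks that the program named by 'dns update command' in an smb.conf exists and is executable. The function names and the sample log text are constructed for illustration.

```shell
#!/bin/sh
# Added example: two checks for the "Failed to exec child" lines in the journal.

# Print the value of 'dns update command' from an smb.conf-style file.
# Assumes the parameter is spelled as on this page (lower case, single spaces).
dns_update_command() {
    sed -n 's/^[[:space:]]*dns update command[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Return 0 if the configured program exists and is executable,
# 1 if it is missing or not executable, 2 if the parameter is not set.
check_dns_update_command() {
    cmd=$(dns_update_command "$1")
    if [ -z "$cmd" ]; then
        echo "not set in $1"
        return 2
    fi
    prog=${cmd%% *}    # first word of the value is the program path
    if [ -x "$prog" ]; then
        echo "ok: $prog"
        return 0
    fi
    echo "missing or not executable: $prog"
    return 1
}

# Read log text on stdin and print each program path that failed to exec.
failed_exec_paths() {
    sed -n 's|^.*]:[[:space:]]*\(/[^:]*\): Failed to exec child - No such file or directory.*$|\1|p' | sort -u
}

# Constructed sample in the format of the journal lines above.
sample_log='Aug 12 10:38:46 king samba[4786]: /usr/sbin/samba_dnsupdate: Failed to exec child - No such file or directory
Aug 12 10:38:46 king samba[4786]: dnsupdate_nameupdate_done: Failed DNS update with exit code 255'

printf '%s\n' "$sample_log" | failed_exec_paths    # prints /usr/sbin/samba_dnsupdate

# Against a real configuration, pass its path, for example:
#   check_dns_update_command /usr/local/samba/etc/smb.conf
```

A result of 1 from check_dns_update_command means the daemon cannot start the configured program at all, so the update never reaches the DNS server.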