L.P.H. van Belle
2022-Jan-28 10:15 UTC
[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
On AD-DC or Member?
Which samba version is this?
What's in smb.conf and krb5.conf?

Key type 3 is DES_CBC_MD5 to give a hint.

We do need more info on this to help better.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Michael Jones via samba
> Sent: Friday 28 January 2022 10:15
> To: sambalist
> Subject: [Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
>
> I'm troubleshooting why I'm getting
>
> > 28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Success.
>
> when running
>
> > samba_dnsupdate --verbose --all-names
>
> As the root user on my domain controller.
>
> Had to crank the debugging options up to get the actual error (quoted above).
>
> > samba_dnsupdate --verbose --all-names --debuglevel=10 --verbose
>
> with
>
> > nsupdate command = /usr/bin/nsupdate -g -L10
>
> in my smb.conf
>
> There's no information about this in Google, that I can tell. And the error messages aren't giving me much to go on.
>
> This domain controller has been running since at least 2017, and upgraded regularly as my Linux distro updates samba. So it's plausible that I'm running into a problem caused by an earlier version of samba that is only manifesting now.
>
> Any advice?
>
> Truncated command output follows immediately, followed by example snippets out of /var/log/samba.
>
> update(nsupdate): SRV _ldap._tcp.ForestDnsZones.network-1.net dc1.network-1.net 389
> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
> Starting GENSEC mechanism gssapi_krb5_sasl
> GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35989 secs
> gensec_update_send: gssapi_krb5_sasl[0x564b018d5f80]: subreq: 0x564b015950e0
> gensec_update_done: gssapi_krb5_sasl[0x564b018d5f80]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x564b015950e0/../../source4/auth/gensec/gensec_gssapi.c:1057]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x564b015952a0)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1068]
> Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
> 28-Jan-2022 09:02:59.885 dns_requestmgr_create
> 28-Jan-2022 09:02:59.885 dns_requestmgr_create: 0x7f768d8511c8
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.ForestDnsZones.network-1.net. 900 IN SRV 0 100 389 dc1.network-1.net.
>
> 28-Jan-2022 09:02:59.895 dns_request_createvia
> 28-Jan-2022 09:02:59.895 request_render
> 28-Jan-2022 09:02:59.905 requestmgr_attach: 0x7f768d8511c8: eref 1 iref 1
> 28-Jan-2022 09:02:59.905 mgr_gethash
> 28-Jan-2022 09:02:59.905 req_send: request 0x7f768d857610
> 28-Jan-2022 09:02:59.905 dns_request_createvia: request 0x7f768d857610
> 28-Jan-2022 09:02:59.905 req_senddone: request 0x7f768d857610
> 28-Jan-2022 09:02:59.905 req_response: request 0x7f768d857610: success
> 28-Jan-2022 09:02:59.905 req_cancel: request 0x7f768d857610
> 28-Jan-2022 09:02:59.905 req_sendevent: request 0x7f768d857610
> 28-Jan-2022 09:02:59.905 dns_request_getresponse: request 0x7f768d857610
> 28-Jan-2022 09:02:59.915 dns_request_createvia
> 28-Jan-2022 09:02:59.915 request_render
> 28-Jan-2022 09:02:59.915 requestmgr_attach: 0x7f768d8511c8: eref 1 iref 2
> 28-Jan-2022 09:02:59.915 mgr_gethash
> 28-Jan-2022 09:02:59.915 dns_request_createvia: request 0x7f768d857790
> 28-Jan-2022 09:02:59.915 dns_request_destroy: request 0x7f768d857610
> 28-Jan-2022 09:02:59.915 req_destroy: request 0x7f768d857610
> 28-Jan-2022 09:02:59.915 requestmgr_detach: 0x7f768d8511c8: eref 1 iref 1
> 28-Jan-2022 09:02:59.915 req_connected: request 0x7f768d857790
> 28-Jan-2022 09:02:59.915 req_send: request 0x7f768d857790
> 28-Jan-2022 09:02:59.915 req_senddone: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 req_response: request 0x7f768d857790: success
> 28-Jan-2022 09:02:59.965 req_cancel: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 req_sendevent: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 dns_request_getresponse: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 dns_request_createvia
> 28-Jan-2022 09:02:59.965 request_render
> 28-Jan-2022 09:02:59.965 requestmgr_attach: 0x7f768d8511c8: eref 1 iref 2
> 28-Jan-2022 09:02:59.965 mgr_gethash
> 28-Jan-2022 09:02:59.965 dns_request_createvia: request 0x7f768d857610
> 28-Jan-2022 09:02:59.965 dns_request_destroy: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 req_destroy: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 requestmgr_detach: 0x7f768d8511c8: eref 1 iref 1
> 28-Jan-2022 09:02:59.965 req_connected: request 0x7f768d857610
> 28-Jan-2022 09:02:59.965 req_send: request 0x7f768d857610
> 28-Jan-2022 09:02:59.965 req_senddone: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 req_response: request 0x7f768d857610: success
> 28-Jan-2022 09:03:00.005 req_cancel: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 req_sendevent: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 dns_request_getresponse: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Success.
> 28-Jan-2022 09:03:00.005 tsig key '4222350327.sig-dc1.network-1.net' (<null>): signature failed to verify(1)
> ; TSIG error with server: tsig verify failure
> 28-Jan-2022 09:03:00.005 dns_request_destroy: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 req_destroy: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 requestmgr_detach: 0x7f768d8511c8: eref 1 iref 0
> 28-Jan-2022 09:03:00.005 dns_requestmgr_shutdown: 0x7f768d8511c8
> 28-Jan-2022 09:03:00.005 send_shutdown_events: 0x7f768d8511c8
> 28-Jan-2022 09:03:00.005 dns_requestmgr_detach: 0x7f768d8511c8: eref 0 iref 0
> 28-Jan-2022 09:03:00.005 mgr_destroy
> Failed nsupdate: 2
> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net dc1.network-1.net 389
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
> Starting GENSEC mechanism gssapi_krb5_sasl
> GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35988 secs
> gensec_update_send: gssapi_krb5_sasl[0x564b018d5f80]: subreq: 0x564b015950e0
> gensec_update_done: gssapi_krb5_sasl[0x564b018d5f80]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x564b015950e0/../../source4/auth/gensec/gensec_gssapi.c:1057]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x564b015952a0)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1068]
> Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
> 28-Jan-2022 09:03:00.275 dns_requestmgr_create
> 28-Jan-2022 09:03:00.275 dns_requestmgr_create: 0x7ff91f5df1c8
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net. 900 IN SRV 0 100 389 dc1.network-1.net.
>
> 28-Jan-2022 09:03:00.275 dns_request_createvia
> 28-Jan-2022 09:03:00.285 request_render
> 28-Jan-2022 09:03:00.285 requestmgr_attach: 0x7ff91f5df1c8: eref 1 iref 1
> 28-Jan-2022 09:03:00.285 mgr_gethash
> 28-Jan-2022 09:03:00.285 req_send: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.285 dns_request_createvia: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.285 req_senddone: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.285 req_response: request 0x7ff91f5e5610: success
> 28-Jan-2022 09:03:00.285 req_cancel: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.285 req_sendevent: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.285 dns_request_getresponse: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.295 dns_request_createvia
> 28-Jan-2022 09:03:00.295 request_render
> 28-Jan-2022 09:03:00.295 requestmgr_attach: 0x7ff91f5df1c8: eref 1 iref 2
> 28-Jan-2022 09:03:00.295 mgr_gethash
> 28-Jan-2022 09:03:00.295 dns_request_createvia: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.295 dns_request_destroy: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.295 req_destroy: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.295 requestmgr_detach: 0x7ff91f5df1c8: eref 1 iref 1
> 28-Jan-2022 09:03:00.295 req_connected: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.295 req_send: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.305 req_senddone: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 req_response: request 0x7ff91f5e5790: success
> 28-Jan-2022 09:03:00.335 req_cancel: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 req_sendevent: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 dns_request_getresponse: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 dns_request_createvia
> 28-Jan-2022 09:03:00.335 request_render
> 28-Jan-2022 09:03:00.335 requestmgr_attach: 0x7ff91f5df1c8: eref 1 iref 2
> 28-Jan-2022 09:03:00.335 mgr_gethash
> 28-Jan-2022 09:03:00.335 dns_request_createvia: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.335 dns_request_destroy: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 req_destroy: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 requestmgr_detach: 0x7ff91f5df1c8: eref 1 iref 1
> 28-Jan-2022 09:03:00.335 req_connected: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.335 req_send: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.345 req_senddone: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 req_response: request 0x7ff91f5e5610: success
> 28-Jan-2022 09:03:00.365 req_cancel: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 req_sendevent: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 dns_request_getresponse: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Success.
> 28-Jan-2022 09:03:00.365 tsig key '3433197691.sig-dc1.network-1.net' (<null>): signature failed to verify(1)
> ; TSIG error with server: tsig verify failure
> 28-Jan-2022 09:03:00.365 dns_request_destroy: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 req_destroy: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 requestmgr_detach: 0x7ff91f5df1c8: eref 1 iref 0
> 28-Jan-2022 09:03:00.375 dns_requestmgr_shutdown: 0x7ff91f5df1c8
> 28-Jan-2022 09:03:00.375 send_shutdown_events: 0x7ff91f5df1c8
> 28-Jan-2022 09:03:00.375 dns_requestmgr_detach: 0x7ff91f5df1c8: eref 0 iref 0
> 28-Jan-2022 09:03:00.375 mgr_destroy
>
> Data from /var/log/samba/
>
> [2022/01/28 03:02:57.729026, 2] ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
>   Got a dns update request.
> [2022/01/28 03:02:57.729226, 2] ../../source4/dns_server/dns_update.c:771(dns_update_allowed)
>   All updates allowed.
> [2022/01/28 03:02:57.732085, 2] ../../source4/dns_server/dns_update.c:397(handle_one_update)
>   Looking at record:
> [2022/01/28 03:02:57.732402, 2] ../../source4/dns_server/dns_update.c:398(handle_one_update)
> [2022/01/28 03:02:57.732479, 1] ../../librpc/ndr/ndr.c:435(ndr_print_debug)
>   discard_const(update): struct dns_res_rec
>     name : '_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.network-1.net'
>     rr_type : DNS_QTYPE_SRV (0x21)
>     rr_class : DNS_QCLASS_IN (0x1)
>     ttl : 0x00000384 (900)
>     length : 0x0019 (25)
>     rdata : union dns_rdata(case 0x21)
>     srv_record: struct dns_srv_record
>       priority : 0x0000 (0)
>       weight : 0x0064 (100)
>       port : 0x0cc4 (3268)
>       target : 'dc1.network-1.net'
>     unexpected : DATA_BLOB length=0
> [2022/01/28 03:02:57.885790, 2] ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>   Unsupported keytype ignored - type 3
> [2022/01/28 03:02:57.888483, 2] ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>   Unsupported keytype ignored - type 1
> [2022/01/28 03:02:58.045607, 2] ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
>   Got a dns update request.
> [2022/01/28 03:02:58.045825, 2] ../../source4/dns_server/dns_update.c:771(dns_update_allowed)
>   All updates allowed.
> [2022/01/28 03:02:58.048526, 2] ../../source4/dns_server/dns_update.c:397(handle_one_update)
>   Looking at record:
> [2022/01/28 03:02:58.048741, 2] ../../source4/dns_server/dns_update.c:398(handle_one_update)
> [2022/01/28 03:02:58.048816, 1] ../../librpc/ndr/ndr.c:435(ndr_print_debug)
>   discard_const(update): struct dns_res_rec
>     name : 'DomainDnsZones.network-1.net'
>     rr_type : DNS_QTYPE_A (0x1)
>     rr_class : DNS_QCLASS_IN (0x1)
>     ttl : 0x00000384 (900)
>     length : 0x0004 (4)
>     rdata : union dns_rdata(case 0x1)
>     ipv4_record : 10.0.0.3
>     unexpected : DATA_BLOB length=0
> [2022/01/28 03:02:58.188259, 2] ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>   Unsupported keytype ignored - type 3
> [2022/01/28 03:02:58.188499, 2] ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>   Unsupported keytype ignored - type 1
Michael Jones
2022-Jan-28 21:03 UTC
[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
Thank you for the response.

On Fri, Jan 28, 2022 at 4:16 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> On AD-DC or Member?

AD-DC, phrased as "> As the root user on my domain controller." in my original email, though I know it was a big wall of text, so I probably would have missed that detail myself.

> Which samba version is this?

dc1 ~ # samba --version
Version 4.15.3
dc1 ~ # emerge --info samba
Portage 3.0.30 (python 3.9.9-final-0, default/linux/amd64/17.1, gcc-11.2.0, glibc-2.33-r7, 5.15.11-gentoo x86_64)
================================================================
System Settings
================================================================
System uname: Linux-5.15.11-gentoo-x86_64-AMD_E-350D_APU_with_Radeon-tm-_HD_Graphics-with-glibc2.33
KiB Mem: 16099556 total, 2375520 free
KiB Swap: 0 total, 0 free
Timestamp of repository gentoo: Thu, 27 Jan 2022 14:52:00 +0000
Head commit of repository gentoo: 1ae2a588f3427d972e3b954ae4172e51b975d4e7
Head commit of repository jonesmz-public-overlay: aa017c88e14e739423d5cc128d0f8e696a02135e
Head commit of repository lto-overlay: 435a9d968854fef21015796a5f464243dc4caa03
Head commit of repository mv: ee4a1a6d419ab49102d2580c8925ed5605012d6f
Head commit of repository wsdd: 1156bfeeee76150f811af9d8049d0edfb4277851
sh bash 5.1_p8
ld GNU ld (Gentoo 2.37_p1 p0) 2.37
distcc 3.4 x86_64-pc-linux-gnu [disabled]
ccache version 4.5.1 [disabled]
app-misc/pax-utils: 1.3.3::gentoo
app-shells/bash: 5.1_p8::gentoo
dev-lang/perl: 5.34.0-r6::gentoo
dev-lang/python: 3.9.9-r1::gentoo, 3.10.0_p1-r1::gentoo
dev-lang/rust: 1.58.1::gentoo
dev-util/ccache: 4.5.1::gentoo
dev-util/cmake: 3.21.4::gentoo
dev-util/meson: 0.60.3::gentoo
sys-apps/baselayout: 2.7-r3::gentoo
sys-apps/sandbox: 2.25::gentoo
sys-apps/systemd: 249.9::gentoo
sys-devel/autoconf: 2.13-r1::gentoo, 2.71-r1::gentoo
sys-devel/automake: 1.16.4::gentoo
sys-devel/binutils: 2.37_p1::gentoo
sys-devel/binutils-config: 5.4::gentoo
sys-devel/gcc: 11.2.0::gentoo
sys-devel/gcc-config: 2.5-r1::gentoo
sys-devel/libtool: 2.4.6-r6::gentoo
sys-devel/llvm: 13.0.0::gentoo
sys-devel/make: 4.3::gentoo
sys-kernel/linux-headers: 5.15-r3::gentoo (virtual/os-headers)
sys-libs/glibc: 2.33-r7::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: git
    sync-uri: git://anongit.gentoo.org/repo/sync/gentoo.git
    priority: -1000

jonesmz-public-overlay
    location: /var/db/repos/jonesmz-public-overlay
    sync-type: git
    sync-uri: https://github.com/jonesmz/gentoo-overlay.git
    masters: gentoo

lto-overlay
    location: /var/db/repos/lto-overlay
    sync-type: git
    sync-uri: https://github.com/InBetweenNames/gentooLTO.git
    masters: gentoo

mv mv
    location: /var/db/repos/mv
    sync-type: git
    sync-uri: https://anongit.gentoo.org/git/user/mv.git
    masters: gentoo

wsdd
    location: /var/db/repos/wsdd-gentoo
    sync-type: git
    sync-uri: https://github.com/christgau/wsdd-gentoo
    masters: gentoo

Installed sets: @pc-base-system, @portage
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe"
DISTDIR="/var/cache/distfiles"
EMERGE_DEFAULT_OPTS=" --jobs --keep-going --newuse --changed-deps --deep --tree --backtrack=3000 --complete-graph --with-bdeps=y --binpkg-respect-use=y --binpkg-changed-deps=y --changed-slot=y --usepkg=y --usepkg"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg buildpkg-live clean-logs compress-build-logs compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles installsources ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms split-elog split-log splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_US"
MAKEOPTS="-j1"
PKGDIR="/var/cache/binpkgs"
PORTAGE_COMPRESS="xz"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/sh"
USE="acl amd64 bzip2 crypt hardened iconv ipv6 libglvnd libtirpc multilib ncurses nls nptl openmp pam pcre pie readline seccomp split-usr ssl ssp systemd udev unicode xattr xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2020" APACHE2_MODULES="authn_core authz_core authz_host dir mime unixd socache_shmcb info log_config" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx sse sse2 mmxext" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="coreboot efi-64 emu qemu pc" INPUT_DEVICES="libinput" KERNEL="linux" L10N="en en-US" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-4 php8-0" POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3_9" PYTHON_TARGETS="python3_9" QEMU_SOFTMMU_TARGETS="arm aarch64 x86_64" QEMU_USER_TARGETS="arm aarch64 x86_64" RUBY_TARGETS="ruby26 ruby27" USERLAND="GNU" VIDEO_CARDS="r600 radeon radeonsi amdgpu vesa modesetting fbdev qxl" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LEX, LFLAGS, LIBTOOL, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS

================================================================
Package Settings
================================================================

net-fs/samba-4.15.3-r1::gentoo was built with the following:
USE="acl addc ads client json ldap pam python regedit snapper systemd winbind -ceph -cluster -cups -debug (-dmapi) (-fam) -glusterfs -gpg -iprint -profiling-data -quota (-selinux) -spotlight -syslog (-system-heimdal) -system-mitkrb5 (-test) -zeroconf" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="-aes" PYTHON_SINGLE_TARGET="python3_9 -python3_10 -python3_8"
CFLAGS="-O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe -Wl,-O1 -Wl,--as-needed"
CXXFLAGS="-O2 -pipe -O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe -Wl,-O1 -Wl,--as-needed"
FEATURES="binpkg-multi-instance compress-build-logs xattr sandbox multilib-strict ipc-sandbox assume-digests binpkg-logs strict usersync userpriv preserve-libs binpkg-dostrip parallel-fetch qa-unresolved-soname-deps split-log buildpkg-live installsources compressdebug ebuild-locks userfetch config-protect-if-modified split-elog news buildpkg unmerge-logs splitdebug protect-owned unknown-features-warn clean-logs usersandbox network-sandbox binpkg-docompress unmerge-orphans pid-sandbox merge-sync sfperms distlocks fixlafiles parallel-install"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe -O2"

dc1 ~ # cat /etc/samba/user.map
# $Id$
# Syntax:
# Unix_name = SMB_name1 SMB_name2 ...
root = NETWORK-1\administrator

dc1 ~ # cat /etc/samba/smb.conf
[global]
server role = active directory domain controller
allow dns updates = nonsecure
dns forwarder = 10.0.0.1 8.8.8.8 8.8.4.4
idmap_ldb:use rfc2307 = yes
workgroup = NETWORK-1
realm = NETWORK-1.NET
##
# If LOCAL isn't specifed, then the local unix domain socket for RPC stops working, and breaks things.
# Disabled while debugging
##
#hosts allow = 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 fe80::/10 fd00::/8 ::1 LOCAL
log level = 2 dns:2 auth:2 vfs:2
nsupdate command = /usr/bin/nsupdate -g -L10
# server min protocol = SMB3
# client min protocol = SMB3
##
# Hack hack hack
# This allows freeradius winbind auth to work
##
ntlm auth = yes
username map = /etc/samba/user.map
create mask = 0666
directory mask = 0777
allow trusted domains = no
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = no
[netlogon]
path = /var/lib/samba/sysvol/network-1.net/scripts
read only = no

dc1 ~ # cat /etc/krb5.conf
[libdefaults]
default_realm = NETWORK-1.NET
dns_lookup_realm = false
dns_lookup_kdc = true

dc1 ~ # cat /var/lib/samba/private/krb5.conf
[libdefaults]
default_realm = NETWORK-1.NET
dns_lookup_realm = false
dns_lookup_kdc = true

> What's in smb.conf and krb5.conf
>
> Key type 3 is DES_CBC_MD5 to give a hint.

Is this something that would have changed in the samba codebase since roughly 2017?

> We do need more info on this to help better.
>
> Greetz,
>
> Louis

Thank you for the assistance.
> > [2022/01/28 03:02:57.732085, 2] > > ../../source4/dns_server/dns_update.c:397(handle_one_update) > > Looking at record: > > [2022/01/28 03:02:57.732402, 2] > > ../../source4/dns_server/dns_update.c:398(handle_one_update) > > [2022/01/28 03:02:57.732479, 1] > > ../../librpc/ndr/ndr.c:435(ndr_print_debug) > > discard_const(update): struct dns_res_rec > > name : > > '_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.network-1.net' > > rr_type : DNS_QTYPE_SRV (0x21) > > rr_class : DNS_QCLASS_IN (0x1) > > ttl : 0x00000384 (900) > > length : 0x0019 (25) > > rdata : union dns_rdata(case 0x21) > > srv_record: struct dns_srv_record > > priority : 0x0000 (0) > > weight : 0x0064 (100) > > port : 0x0cc4 (3268) > > target : 'dc1.network-1.net' > > unexpected : DATA_BLOB length=0 > > [2022/01/28 03:02:57.885790, 2] > > ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys) > > Unsupported keytype ignored - type 3 > > [2022/01/28 03:02:57.888483, 2] > > ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys) > > Unsupported keytype ignored - type 1 > > [2022/01/28 03:02:58.045607, 2] > > ../../source4/dns_server/dns_update.c:824(dns_server_process_update) > > Got a dns update request. > > [2022/01/28 03:02:58.045825, 2] > > ../../source4/dns_server/dns_update.c:771(dns_update_allowed) > > All updates allowed. 
> > [2022/01/28 03:02:58.048526, 2] > > ../../source4/dns_server/dns_update.c:397(handle_one_update) > > Looking at record: > > [2022/01/28 03:02:58.048741, 2] > > ../../source4/dns_server/dns_update.c:398(handle_one_update) > > [2022/01/28 03:02:58.048816, 1] > > ../../librpc/ndr/ndr.c:435(ndr_print_debug) > > discard_const(update): struct dns_res_rec > > name : 'DomainDnsZones.network-1.net' > > rr_type : DNS_QTYPE_A (0x1) > > rr_class : DNS_QCLASS_IN (0x1) > > ttl : 0x00000384 (900) > > length : 0x0004 (4) > > rdata : union dns_rdata(case 0x1) > > ipv4_record : 10.0.0.3 > > unexpected : DATA_BLOB length=0 > > [2022/01/28 03:02:58.188259, 2] > > ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys) > > Unsupported keytype ignored - type 3 > > [2022/01/28 03:02:58.188499, 2] > > ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys) > > Unsupported keytype ignored - type 1 > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >