Michael Jones
2022-Jan-28 21:03 UTC
[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
Thank you for the response.

On Fri, Jan 28, 2022 at 4:16 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> On AD-DC or Member ?

AD-DC, phrased as "> As the root user on my domain controller." in my original email, though I know it was a big wall of text, so I probably would have missed that detail myself.

> Which samba version is this?

dc1 ~ # samba --version
Version 4.15.3

dc1 ~ # emerge --info samba
Portage 3.0.30 (python 3.9.9-final-0, default/linux/amd64/17.1, gcc-11.2.0, glibc-2.33-r7, 5.15.11-gentoo x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-5.15.11-gentoo-x86_64-AMD_E-350D_APU_with_Radeon-tm-_HD_Graphics-with-glibc2.33
KiB Mem: 16099556 total, 2375520 free
KiB Swap: 0 total, 0 free
Timestamp of repository gentoo: Thu, 27 Jan 2022 14:52:00 +0000
Head commit of repository gentoo: 1ae2a588f3427d972e3b954ae4172e51b975d4e7

Head commit of repository jonesmz-public-overlay: aa017c88e14e739423d5cc128d0f8e696a02135e

Head commit of repository lto-overlay: 435a9d968854fef21015796a5f464243dc4caa03

Head commit of repository mv: ee4a1a6d419ab49102d2580c8925ed5605012d6f

Head commit of repository wsdd: 1156bfeeee76150f811af9d8049d0edfb4277851

sh bash 5.1_p8
ld GNU ld (Gentoo 2.37_p1 p0) 2.37
distcc 3.4 x86_64-pc-linux-gnu [disabled]
ccache version 4.5.1 [disabled]
app-misc/pax-utils: 1.3.3::gentoo
app-shells/bash: 5.1_p8::gentoo
dev-lang/perl: 5.34.0-r6::gentoo
dev-lang/python: 3.9.9-r1::gentoo, 3.10.0_p1-r1::gentoo
dev-lang/rust: 1.58.1::gentoo
dev-util/ccache: 4.5.1::gentoo
dev-util/cmake: 3.21.4::gentoo
dev-util/meson: 0.60.3::gentoo
sys-apps/baselayout: 2.7-r3::gentoo
sys-apps/sandbox: 2.25::gentoo
sys-apps/systemd: 249.9::gentoo
sys-devel/autoconf: 2.13-r1::gentoo, 2.71-r1::gentoo
sys-devel/automake: 1.16.4::gentoo
sys-devel/binutils: 2.37_p1::gentoo
sys-devel/binutils-config: 5.4::gentoo
sys-devel/gcc: 11.2.0::gentoo
sys-devel/gcc-config: 2.5-r1::gentoo
sys-devel/libtool: 2.4.6-r6::gentoo
sys-devel/llvm: 13.0.0::gentoo
sys-devel/make: 4.3::gentoo
sys-kernel/linux-headers: 5.15-r3::gentoo (virtual/os-headers)
sys-libs/glibc: 2.33-r7::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: git
    sync-uri: git://anongit.gentoo.org/repo/sync/gentoo.git
    priority: -1000

jonesmz-public-overlay
    location: /var/db/repos/jonesmz-public-overlay
    sync-type: git
    sync-uri: https://github.com/jonesmz/gentoo-overlay.git
    masters: gentoo

lto-overlay
    location: /var/db/repos/lto-overlay
    sync-type: git
    sync-uri: https://github.com/InBetweenNames/gentooLTO.git
    masters: gentoo mv

mv
    location: /var/db/repos/mv
    sync-type: git
    sync-uri: https://anongit.gentoo.org/git/user/mv.git
    masters: gentoo

wsdd
    location: /var/db/repos/wsdd-gentoo
    sync-type: git
    sync-uri: https://github.com/christgau/wsdd-gentoo
    masters: gentoo

Installed sets: @pc-base-system, @portage
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe"
DISTDIR="/var/cache/distfiles"
EMERGE_DEFAULT_OPTS=" --jobs --keep-going --newuse --changed-deps --deep --tree --backtrack=3000 --complete-graph --with-bdeps=y --binpkg-respect-use=y --binpkg-changed-deps=y --changed-slot=y --usepkg=y --usepkg"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg buildpkg-live clean-logs compress-build-logs compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles installsources ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms split-elog split-log splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_US"
MAKEOPTS="-j1"
PKGDIR="/var/cache/binpkgs"
PORTAGE_COMPRESS="xz"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/sh"
USE="acl amd64 bzip2 crypt hardened iconv ipv6 libglvnd libtirpc multilib ncurses nls nptl openmp pam pcre pie readline seccomp split-usr ssl ssp systemd udev unicode xattr xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2020" APACHE2_MODULES="authn_core authz_core authz_host dir mime unixd socache_shmcb info log_config" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx sse sse2 mmxext" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="coreboot efi-64 emu qemu pc" INPUT_DEVICES="libinput" KERNEL="linux" L10N="en en-US" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-4 php8-0" POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3_9" PYTHON_TARGETS="python3_9" QEMU_SOFTMMU_TARGETS="arm aarch64 x86_64" QEMU_USER_TARGETS="arm aarch64 x86_64" RUBY_TARGETS="ruby26 ruby27" USERLAND="GNU" VIDEO_CARDS="r600 radeon radeonsi amdgpu vesa modesetting fbdev qxl" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LEX, LFLAGS, LIBTOOL, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS

=================================================================
                        Package Settings
=================================================================

net-fs/samba-4.15.3-r1::gentoo was built with the following:
USE="acl addc ads client json ldap pam python regedit snapper systemd winbind -ceph -cluster -cups -debug (-dmapi) (-fam) -glusterfs -gpg -iprint -profiling-data -quota (-selinux) -spotlight -syslog (-system-heimdal) -system-mitkrb5 (-test) -zeroconf" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="-aes" PYTHON_SINGLE_TARGET="python3_9 -python3_10 -python3_8"
CFLAGS="-O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe -Wl,-O1 -Wl,--as-needed"
CXXFLAGS="-O2 -pipe -O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe -Wl,-O1 -Wl,--as-needed"
FEATURES="binpkg-multi-instance compress-build-logs xattr sandbox multilib-strict ipc-sandbox assume-digests binpkg-logs strict usersync userpriv preserve-libs binpkg-dostrip parallel-fetch qa-unresolved-soname-deps split-log buildpkg-live installsources compressdebug ebuild-locks userfetch config-protect-if-modified split-elog news buildpkg unmerge-logs splitdebug protect-owned unknown-features-warn clean-logs usersandbox network-sandbox binpkg-docompress unmerge-orphans pid-sandbox merge-sync sfperms distlocks fixlafiles parallel-install"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe -O2"


dc1 ~ # cat /etc/samba/user.map
# $Id$

# Syntax:
# Unix_name = SMB_name1 SMB_name2 ...

root = NETWORK-1\administrator


dc1 ~ # cat /etc/samba/smb.conf

[global]
server role = active directory domain controller
allow dns updates = nonsecure
dns forwarder = 10.0.0.1 8.8.8.8 8.8.4.4
idmap_ldb:use rfc2307 = yes

workgroup = NETWORK-1
realm = NETWORK-1.NET

##
# If LOCAL isn't specifed, then the local unix domain socket for RPC stops working, and breaks things.
# Disabled while debugging
##
#hosts allow = 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 fe80::/10 fd00::/8 ::1 LOCAL

log level = 2 dns:2 auth:2 vfs:2

nsupdate command = /usr/bin/nsupdate -g -L10

# server min protocol = SMB3
# client min protocol = SMB3

##
# Hack hack hack
# This allows freeradius winbind auth to work
##
ntlm auth = yes

username map = /etc/samba/user.map
create mask = 0666
directory mask = 0777

allow trusted domains = no
template shell = /bin/bash
template homedir = /home/%U

winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = no

[netlogon]
path = /var/lib/samba/sysvol/network-1.net/scripts
read only = no


dc1 ~ # cat /etc/krb5.conf
[libdefaults]
default_realm = NETWORK-1.NET
dns_lookup_realm = false
dns_lookup_kdc = true

dc1 ~ # cat /var/lib/samba/private/krb5.conf
[libdefaults]
default_realm = NETWORK-1.NET
dns_lookup_realm = false
dns_lookup_kdc = true

What's in smb.conf and krb5.conf

> Key type 3 is DES_CBC_MD5 to give a hint.

Is this something that would have changed in the samba codebase since roughly 2017?

> We do need more info on this to help better.
>
> Greetz,
>
> Louis

Thank you for the assistance.

> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Michael Jones via samba
> > Sent: Friday 28 January 2022 10:15
> > To: sambalist
> > Subject: [Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
> >
> > I'm troubleshooting why I'm getting
> >
> > > 28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Success.
> >
> > when running
> >
> > > samba_dnsupdate --verbose --all-names
> >
> > As the root user on my domain controller.
> >
> > Had to crank the debugging options up to get the actual error (quoted above).
> >
> > > samba_dnsupdate --verbose --all-names --debuglevel=10 --verbose
> >
> > with
> >
> > > nsupdate command = /usr/bin/nsupdate -g -L10
> >
> > in my smb.conf
> >
> > There's no information about this in Google, that I can tell. And the error messages aren't giving me much to go on.
> >
> > This domain controller has been running since at least 2017, and upgraded regularly as my linux distro updates samba. So it's plausible that I'm running into a problem caused by an earlier version of samba that is only manifesting now.
> >
> > Any advice?
> >
> > Truncated command output follows immediately, followed by example snippets out of /var/log/samba.
> >
> > update(nsupdate): SRV _ldap._tcp.ForestDnsZones.network-1.net dc1.network-1.net 389
> > Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
> > Starting GENSEC mechanism gssapi_krb5_sasl
> > GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35989 secs
> > gensec_update_send: gssapi_krb5_sasl[0x564b018d5f80]: subreq: 0x564b015950e0
> > gensec_update_done: gssapi_krb5_sasl[0x564b018d5f80]: NT_STATUS_MORE_PROCESSING_REQUIRED
> > tevent_req[0x564b015950e0/../../source4/auth/gensec/gensec_gssapi.c:1057]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x564b015952a0)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1068]
> > Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
> > 28-Jan-2022 09:02:59.885 dns_requestmgr_create
> > 28-Jan-2022 09:02:59.885 dns_requestmgr_create: 0x7f768d8511c8
> > Outgoing update query:
> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> > ;; UPDATE SECTION:
> > _ldap._tcp.ForestDnsZones.network-1.net. 900 IN SRV 0 100 389 dc1.network-1.net.
> >
> > 28-Jan-2022 09:02:59.895 dns_request_createvia
> > 28-Jan-2022 09:02:59.895 request_render
> > 28-Jan-2022 09:02:59.905 requestmgr_attach: 0x7f768d8511c8: eref 1 iref 1
> > 28-Jan-2022 09:02:59.905 mgr_gethash
> > 28-Jan-2022 09:02:59.905 req_send: request 0x7f768d857610
> > 28-Jan-2022 09:02:59.905 dns_request_createvia: request 0x7f768d857610
> > 28-Jan-2022 09:02:59.905 req_senddone: request 0x7f768d857610
> > 28-Jan-2022 09:02:59.905 req_response: request 0x7f768d857610: success
> > 28-Jan-2022 09:02:59.905 req_cancel: request 0x7f768d857610
> > 28-Jan-2022 09:02:59.905 req_sendevent: request 0x7f768d857610
> > 28-Jan-2022 09:02:59.905 dns_request_getresponse: request 0x7f768d857610
> > 28-Jan-2022 09:02:59.915 dns_request_createvia
> > 28-Jan-2022 09:02:59.915 request_render
> > 28-Jan-2022 09:02:59.915 requestmgr_attach: 0x7f768d8511c8: eref 1 iref 2
> > 28-Jan-2022 09:02:59.915 mgr_gethash
> > 28-Jan-2022 09:02:59.915 dns_request_createvia: request 0x7f768d857790
> > 28-Jan-2022 09:02:59.915 dns_request_destroy: request 0x7f768d857610
> > 28-Jan-2022 09:02:59.915 req_destroy: request 0x7f768d857610
> > 28-Jan-2022 09:02:59.915 requestmgr_detach: 0x7f768d8511c8: eref 1 iref 1
> > 28-Jan-2022 09:02:59.915 req_connected: request 0x7f768d857790
> > 28-Jan-2022 09:02:59.915 req_send: request 0x7f768d857790
> > 28-Jan-2022 09:02:59.915 req_senddone: request 0x7f768d857790
> > 28-Jan-2022 09:02:59.965 req_response: request 0x7f768d857790: success
> > 28-Jan-2022 09:02:59.965 req_cancel: request 0x7f768d857790
> > 28-Jan-2022 09:02:59.965 req_sendevent: request 0x7f768d857790
> > 28-Jan-2022 09:02:59.965 dns_request_getresponse: request 0x7f768d857790
> > 28-Jan-2022 09:02:59.965 dns_request_createvia
> > 28-Jan-2022 09:02:59.965 request_render
> > 28-Jan-2022 09:02:59.965 requestmgr_attach: 0x7f768d8511c8: eref 1 iref 2
> > 28-Jan-2022 09:02:59.965 mgr_gethash
> > 28-Jan-2022 09:02:59.965 dns_request_createvia: request 0x7f768d857610
> > 28-Jan-2022 09:02:59.965 dns_request_destroy: request 0x7f768d857790
> > 28-Jan-2022 09:02:59.965 req_destroy: request 0x7f768d857790
> > 28-Jan-2022 09:02:59.965 requestmgr_detach: 0x7f768d8511c8: eref 1 iref 1
> > 28-Jan-2022 09:02:59.965 req_connected: request 0x7f768d857610
> > 28-Jan-2022 09:02:59.965 req_send: request 0x7f768d857610
> > 28-Jan-2022 09:02:59.965 req_senddone: request 0x7f768d857610
> > 28-Jan-2022 09:03:00.005 req_response: request 0x7f768d857610: success
> > 28-Jan-2022 09:03:00.005 req_cancel: request 0x7f768d857610
> > 28-Jan-2022 09:03:00.005 req_sendevent: request 0x7f768d857610
> > 28-Jan-2022 09:03:00.005 dns_request_getresponse: request 0x7f768d857610
> > 28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Success.
> > 28-Jan-2022 09:03:00.005 tsig key '4222350327.sig-dc1.network-1.net' (<null>): signature failed to verify(1)
> > ; TSIG error with server: tsig verify failure
> > 28-Jan-2022 09:03:00.005 dns_request_destroy: request 0x7f768d857610
> > 28-Jan-2022 09:03:00.005 req_destroy: request 0x7f768d857610
> > 28-Jan-2022 09:03:00.005 requestmgr_detach: 0x7f768d8511c8: eref 1 iref 0
> > 28-Jan-2022 09:03:00.005 dns_requestmgr_shutdown: 0x7f768d8511c8
> > 28-Jan-2022 09:03:00.005 send_shutdown_events: 0x7f768d8511c8
> > 28-Jan-2022 09:03:00.005 dns_requestmgr_detach: 0x7f768d8511c8: eref 0 iref 0
> > 28-Jan-2022 09:03:00.005 mgr_destroy
> > Failed nsupdate: 2
> > update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net dc1.network-1.net 389
> > Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
> > Starting GENSEC mechanism gssapi_krb5_sasl
> > GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35988 secs
> > gensec_update_send: gssapi_krb5_sasl[0x564b018d5f80]: subreq: 0x564b015950e0
> > gensec_update_done: gssapi_krb5_sasl[0x564b018d5f80]: NT_STATUS_MORE_PROCESSING_REQUIRED
> > tevent_req[0x564b015950e0/../../source4/auth/gensec/gensec_gssapi.c:1057]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x564b015952a0)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1068]
> > Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
> > 28-Jan-2022 09:03:00.275 dns_requestmgr_create
> > 28-Jan-2022 09:03:00.275 dns_requestmgr_create: 0x7ff91f5df1c8
> > Outgoing update query:
> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> > ;; UPDATE SECTION:
> > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net. 900 IN SRV 0 100 389 dc1.network-1.net.
> >
> > 28-Jan-2022 09:03:00.275 dns_request_createvia
> > 28-Jan-2022 09:03:00.285 request_render
> > 28-Jan-2022 09:03:00.285 requestmgr_attach: 0x7ff91f5df1c8: eref 1 iref 1
> > 28-Jan-2022 09:03:00.285 mgr_gethash
> > 28-Jan-2022 09:03:00.285 req_send: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.285 dns_request_createvia: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.285 req_senddone: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.285 req_response: request 0x7ff91f5e5610: success
> > 28-Jan-2022 09:03:00.285 req_cancel: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.285 req_sendevent: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.285 dns_request_getresponse: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.295 dns_request_createvia
> > 28-Jan-2022 09:03:00.295 request_render
> > 28-Jan-2022 09:03:00.295 requestmgr_attach: 0x7ff91f5df1c8: eref 1 iref 2
> > 28-Jan-2022 09:03:00.295 mgr_gethash
> > 28-Jan-2022 09:03:00.295 dns_request_createvia: request 0x7ff91f5e5790
> > 28-Jan-2022 09:03:00.295 dns_request_destroy: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.295 req_destroy: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.295 requestmgr_detach: 0x7ff91f5df1c8: eref 1 iref 1
> > 28-Jan-2022 09:03:00.295 req_connected: request 0x7ff91f5e5790
> > 28-Jan-2022 09:03:00.295 req_send: request 0x7ff91f5e5790
> > 28-Jan-2022 09:03:00.305 req_senddone: request 0x7ff91f5e5790
> > 28-Jan-2022 09:03:00.335 req_response: request 0x7ff91f5e5790: success
> > 28-Jan-2022 09:03:00.335 req_cancel: request 0x7ff91f5e5790
> > 28-Jan-2022 09:03:00.335 req_sendevent: request 0x7ff91f5e5790
> > 28-Jan-2022 09:03:00.335 dns_request_getresponse: request 0x7ff91f5e5790
> > 28-Jan-2022 09:03:00.335 dns_request_createvia
> > 28-Jan-2022 09:03:00.335 request_render
> > 28-Jan-2022 09:03:00.335 requestmgr_attach: 0x7ff91f5df1c8: eref 1 iref 2
> > 28-Jan-2022 09:03:00.335 mgr_gethash
> > 28-Jan-2022 09:03:00.335 dns_request_createvia: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.335 dns_request_destroy: request 0x7ff91f5e5790
> > 28-Jan-2022 09:03:00.335 req_destroy: request 0x7ff91f5e5790
> > 28-Jan-2022 09:03:00.335 requestmgr_detach: 0x7ff91f5df1c8: eref 1 iref 1
> > 28-Jan-2022 09:03:00.335 req_connected: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.335 req_send: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.345 req_senddone: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.365 req_response: request 0x7ff91f5e5610: success
> > 28-Jan-2022 09:03:00.365 req_cancel: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.365 req_sendevent: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.365 dns_request_getresponse: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.365 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Success.
> > 28-Jan-2022 09:03:00.365 tsig key '3433197691.sig-dc1.network-1.net' (<null>): signature failed to verify(1)
> > ; TSIG error with server: tsig verify failure
> > 28-Jan-2022 09:03:00.365 dns_request_destroy: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.365 req_destroy: request 0x7ff91f5e5610
> > 28-Jan-2022 09:03:00.365 requestmgr_detach: 0x7ff91f5df1c8: eref 1 iref 0
> > 28-Jan-2022 09:03:00.375 dns_requestmgr_shutdown: 0x7ff91f5df1c8
> > 28-Jan-2022 09:03:00.375 send_shutdown_events: 0x7ff91f5df1c8
> > 28-Jan-2022 09:03:00.375 dns_requestmgr_detach: 0x7ff91f5df1c8: eref 0 iref 0
> > 28-Jan-2022 09:03:00.375 mgr_destroy
> >
> >
> > Data from /var/log/samba/
> >
> > [2022/01/28 03:02:57.729026, 2] ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
> >   Got a dns update request.
> > [2022/01/28 03:02:57.729226, 2] ../../source4/dns_server/dns_update.c:771(dns_update_allowed)
> >   All updates allowed.
> > [2022/01/28 03:02:57.732085, 2] ../../source4/dns_server/dns_update.c:397(handle_one_update)
> >   Looking at record:
> > [2022/01/28 03:02:57.732402, 2] ../../source4/dns_server/dns_update.c:398(handle_one_update)
> > [2022/01/28 03:02:57.732479, 1] ../../librpc/ndr/ndr.c:435(ndr_print_debug)
> >   discard_const(update): struct dns_res_rec
> >       name       : '_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.network-1.net'
> >       rr_type    : DNS_QTYPE_SRV (0x21)
> >       rr_class   : DNS_QCLASS_IN (0x1)
> >       ttl        : 0x00000384 (900)
> >       length     : 0x0019 (25)
> >       rdata      : union dns_rdata(case 0x21)
> >       srv_record: struct dns_srv_record
> >           priority : 0x0000 (0)
> >           weight   : 0x0064 (100)
> >           port     : 0x0cc4 (3268)
> >           target   : 'dc1.network-1.net'
> >       unexpected : DATA_BLOB length=0
> > [2022/01/28 03:02:57.885790, 2] ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
> >   Unsupported keytype ignored - type 3
> > [2022/01/28 03:02:57.888483, 2] ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
> >   Unsupported keytype ignored - type 1
> > [2022/01/28 03:02:58.045607, 2] ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
> >   Got a dns update request.
> > [2022/01/28 03:02:58.045825, 2] ../../source4/dns_server/dns_update.c:771(dns_update_allowed)
> >   All updates allowed.
> > [2022/01/28 03:02:58.048526, 2] ../../source4/dns_server/dns_update.c:397(handle_one_update)
> >   Looking at record:
> > [2022/01/28 03:02:58.048741, 2] ../../source4/dns_server/dns_update.c:398(handle_one_update)
> > [2022/01/28 03:02:58.048816, 1] ../../librpc/ndr/ndr.c:435(ndr_print_debug)
> >   discard_const(update): struct dns_res_rec
> >       name       : 'DomainDnsZones.network-1.net'
> >       rr_type    : DNS_QTYPE_A (0x1)
> >       rr_class   : DNS_QCLASS_IN (0x1)
> >       ttl        : 0x00000384 (900)
> >       length     : 0x0004 (4)
> >       rdata      : union dns_rdata(case 0x1)
> >           ipv4_record : 10.0.0.3
> >       unexpected : DATA_BLOB length=0
> > [2022/01/28 03:02:58.188259, 2] ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
> >   Unsupported keytype ignored - type 3
> > [2022/01/28 03:02:58.188499, 2] ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
> >   Unsupported keytype ignored - type 1
> >
> > --
> > To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
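As an added example (not code from this thread or from Samba), a small Python triage script for the two logs Michael quoted: it walks the `nsupdate -L10` output and groups the GSS-TSIG verify failures by the record being updated, then pulls the "Unsupported keytype ignored" warnings and the update-policy message out of log.samba, mapping the key type numbers with the standard RFC 3961 enctype table (type 3 is DES_CBC_MD5, as Louis notes). The sample log lines are shortened, constructed copies of the ones in the thread.

```python
import re

# Kerberos encryption type numbers (RFC 3961 / RFC 4120). Louis' hint above
# identifies type 3 as DES_CBC_MD5; type 1 is the other single-DES type.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
LEGACY_ENCTYPES = {1, 3, 23}

# Patterns for the samba_dnsupdate / nsupdate -L10 output quoted in the thread.
CALLING_RE = re.compile(r"^Calling nsupdate for (\S+) (\S+) ")
TSIG_RE = re.compile(r"tsig key '([^']+)'.*signature failed to verify")
FAILED_RE = re.compile(r"^Failed nsupdate: (\d+)")
# Patterns for log.samba on the DC.
KEYTYPE_RE = re.compile(r"Unsupported keytype ignored - type (\d+)")
ALL_ALLOWED_RE = re.compile(r"All updates allowed\.")


def triage_nsupdate_log(text):
    """Group the nsupdate debug output by record; return one dict per record
    whose update hit a GSS verify error (TSIG key name, nsupdate exit status).
    A trailing record cut off before "Failed nsupdate:" is kept with rc=None.
    """
    failures = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CALLING_RE.match(line)
        if m:
            current = {"rrtype": m.group(1), "name": m.group(2),
                       "gss_error": False, "tsig_key": None, "rc": None}
            continue
        if current is None:
            continue
        if "GSS verify error" in line:
            current["gss_error"] = True
        m = TSIG_RE.search(line)
        if m:
            current["tsig_key"] = m.group(1)
        m = FAILED_RE.match(line)
        if m:
            current["rc"] = int(m.group(1))
            failures.append(current)
            current = None
    if current is not None and current["gss_error"]:
        failures.append(current)  # output was truncated after the error
    return failures


def triage_samba_log(text):
    """Collect the KDC key-type warnings and the DNS update policy from log.samba."""
    ignored = {}
    all_allowed = False
    for line in text.splitlines():
        m = KEYTYPE_RE.search(line)
        if m:
            etype = int(m.group(1))
            ignored[etype] = ENCTYPE_NAMES.get(etype, "unknown")
        if ALL_ALLOWED_RE.search(line):
            # dns_update_allowed logs this under "allow dns updates = nonsecure":
            # unsigned updates are accepted as well as signed ones.
            all_allowed = True
    return {"ignored_keytypes": ignored,
            "legacy_keys_present": bool(LEGACY_ENCTYPES & set(ignored)),
            "all_updates_allowed": all_allowed}


# Constructed samples: shortened copies of the two logs quoted in the thread.
SAMPLE_NSUPDATE_LOG = """\
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Success.
28-Jan-2022 09:03:00.005 tsig key '4222350327.sig-dc1.network-1.net' (<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
28-Jan-2022 09:03:00.365 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Success.
28-Jan-2022 09:03:00.365 tsig key '3433197691.sig-dc1.network-1.net' (<null>): signature failed to verify(1)
"""

SAMPLE_SAMBA_LOG = """\
[2022/01/28 03:02:57.729226, 2] ../../source4/dns_server/dns_update.c:771(dns_update_allowed)
  All updates allowed.
[2022/01/28 03:02:57.885790, 2] ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
  Unsupported keytype ignored - type 3
[2022/01/28 03:02:57.888483, 2] ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
  Unsupported keytype ignored - type 1
"""

if __name__ == "__main__":
    for f in triage_nsupdate_log(SAMPLE_NSUPDATE_LOG):
        print("FAILED %s %s  tsig=%s  rc=%s" % (f["rrtype"], f["name"], f["tsig_key"], f["rc"]))
    for key, value in triage_samba_log(SAMPLE_SAMBA_LOG).items():
        print("%-22s %s" % (key + ":", value))
```

Point the two functions at the real `samba_dnsupdate --debuglevel=10` output and log.samba to get the same per-record list; a record with `rc=None` means the capture ended before nsupdate reported its exit status.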
Michael Jones
2022-Jan-28 21:10 UTC
[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
On Fri, Jan 28, 2022 at 3:03 PM Michael Jones <samba at jonesmz.com> wrote:> Thank you for the response. > > On Fri, Jan 28, 2022 at 4:16 AM L.P.H. van Belle via samba < > samba at lists.samba.org> wrote: > >> On AD-DC or Member ? >> > > AD-DC, phrased as "> As the root user on my domain controller." in my > original email, though I know it was a big wall of text, so I probably > would have missed that detail myself. > > >> Which samba version is this? >> > > dc1 ~ # samba --version > Version 4.15.3 > > dc1 ~ # emerge --info samba > Portage 3.0.30 (python 3.9.9-final-0, default/linux/amd64/17.1, > gcc-11.2.0, glibc-2.33-r7, 5.15.11-gentoo x86_64) > ================================================================> System Settings > ================================================================> System uname: > Linux-5.15.11-gentoo-x86_64-AMD_E-350D_APU_with_Radeon-tm-_HD_Graphics-with-glibc2.33 > KiB Mem: 16099556 total, 2375520 free > KiB Swap: 0 total, 0 free > Timestamp of repository gentoo: Thu, 27 Jan 2022 14:52:00 +0000 > Head commit of repository gentoo: 1ae2a588f3427d972e3b954ae4172e51b975d4e7 > > Head commit of repository jonesmz-public-overlay: > aa017c88e14e739423d5cc128d0f8e696a02135e > > Head commit of repository lto-overlay: > 435a9d968854fef21015796a5f464243dc4caa03 > > Head commit of repository mv: ee4a1a6d419ab49102d2580c8925ed5605012d6f > > Head commit of repository wsdd: 1156bfeeee76150f811af9d8049d0edfb4277851 > > sh bash 5.1_p8 > ld GNU ld (Gentoo 2.37_p1 p0) 2.37 > distcc 3.4 x86_64-pc-linux-gnu [disabled] > ccache version 4.5.1 [disabled] > app-misc/pax-utils: 1.3.3::gentoo > app-shells/bash: 5.1_p8::gentoo > dev-lang/perl: 5.34.0-r6::gentoo > dev-lang/python: 3.9.9-r1::gentoo, 3.10.0_p1-r1::gentoo > dev-lang/rust: 1.58.1::gentoo > dev-util/ccache: 4.5.1::gentoo > dev-util/cmake: 3.21.4::gentoo > dev-util/meson: 0.60.3::gentoo > sys-apps/baselayout: 2.7-r3::gentoo > sys-apps/sandbox: 2.25::gentoo > sys-apps/systemd: 249.9::gentoo > 
sys-devel/autoconf: 2.13-r1::gentoo, 2.71-r1::gentoo > sys-devel/automake: 1.16.4::gentoo > sys-devel/binutils: 2.37_p1::gentoo > sys-devel/binutils-config: 5.4::gentoo > sys-devel/gcc: 11.2.0::gentoo > sys-devel/gcc-config: 2.5-r1::gentoo > sys-devel/libtool: 2.4.6-r6::gentoo > sys-devel/llvm: 13.0.0::gentoo > sys-devel/make: 4.3::gentoo > sys-kernel/linux-headers: 5.15-r3::gentoo (virtual/os-headers) > sys-libs/glibc: 2.33-r7::gentoo > Repositories: > > gentoo > location: /var/db/repos/gentoo > sync-type: git > sync-uri: git://anongit.gentoo.org/repo/sync/gentoo.git > priority: -1000 > > jonesmz-public-overlay > location: /var/db/repos/jonesmz-public-overlay > sync-type: git > sync-uri: https://github.com/jonesmz/gentoo-overlay.git > masters: gentoo > > lto-overlay > location: /var/db/repos/lto-overlay > sync-type: git > sync-uri: https://github.com/InBetweenNames/gentooLTO.git > masters: gentoo mv > > mv > location: /var/db/repos/mv > sync-type: git > sync-uri: https://anongit.gentoo.org/git/user/mv.git > masters: gentoo > > wsdd > location: /var/db/repos/wsdd-gentoo > sync-type: git > sync-uri: https://github.com/christgau/wsdd-gentoo > masters: gentoo > > Installed sets: @pc-base-system, @portage > ACCEPT_KEYWORDS="amd64" > ACCEPT_LICENSE="@FREE" > CBUILD="x86_64-pc-linux-gnu" > CFLAGS="-O3 -fgraphite-identity -floop-nest-optimize > -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 > -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe" > CHOST="x86_64-pc-linux-gnu" > CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt" > CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf > /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" > CXXFLAGS="-O2 -pipe -O3 -fgraphite-identity -floop-nest-optimize > -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 > -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe" > DISTDIR="/var/cache/distfiles" > EMERGE_DEFAULT_OPTS=" --jobs --keep-going 
--newuse --changed-deps --deep > --tree --backtrack=3000 --complete-graph --with-bdeps=y > --binpkg-respect-use=y --binpkg-changed-deps=y --changed-slot=y --usepkg=y > --usepkg" > ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH > PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY > XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR" > FCFLAGS="-O2 -pipe" > FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs > binpkg-multi-instance buildpkg buildpkg-live clean-logs compress-build-logs > compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles > installsources ipc-sandbox merge-sync multilib-strict network-sandbox news > parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned > qa-unresolved-soname-deps sandbox sfperms split-elog split-log splitdebug > strict unknown-features-warn unmerge-logs unmerge-orphans userfetch > userpriv usersandbox usersync xattr" > FFLAGS="-O2 -pipe" > GENTOO_MIRRORS="http://distfiles.gentoo.org" > LANG="en_US.utf8" > LDFLAGS="-Wl,-O1 -Wl,--as-needed" > LINGUAS="en en_US" > MAKEOPTS="-j1" > PKGDIR="/var/cache/binpkgs" > PORTAGE_COMPRESS="xz" > PORTAGE_CONFIGROOT="/" > PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times > --omit-dir-times --compress --force --whole-file --delete --stats > --human-readable --timeout=180 --exclude=/distfiles --exclude=/local > --exclude=/packages --exclude=/.git" > PORTAGE_TMPDIR="/var/tmp" > SHELL="/bin/sh" > USE="acl amd64 bzip2 crypt hardened iconv ipv6 libglvnd libtirpc multilib > ncurses nls nptl openmp pam pcre pie readline seccomp split-usr ssl ssp > systemd udev unicode xattr xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2020" > APACHE2_MODULES="authn_core authz_core authz_host dir mime unixd > socache_shmcb info log_config" CALLIGRA_FEATURES="karbon sheets words" > COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" > CPU_FLAGS_X86="mmx sse sse2 mmxext" ELIBC="glibc" 
GPSD_PROTOCOLS="ashtech > aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax > mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 > sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" > GRUB_PLATFORMS="coreboot efi-64 emu qemu pc" INPUT_DEVICES="libinput" > KERNEL="linux" L10N="en en-US" LCD_DEVICES="bayrad cfontz cfontz633 glk > hd44780 lb216 lcdm001 mtxorb ncurses text" > LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" > LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" > OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-4 php8-0" > POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3_9" > PYTHON_TARGETS="python3_9" QEMU_SOFTMMU_TARGETS="arm aarch64 x86_64" > QEMU_USER_TARGETS="arm aarch64 x86_64" RUBY_TARGETS="ruby26 ruby27" > USERLAND="GNU" VIDEO_CARDS="r600 radeon radeonsi amdgpu vesa modesetting > fbdev qxl" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options > ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat > logmark ipmark dhcpmac delude chaos account" > Unset: ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, > CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EXTRA_ECONF, F77FLAGS, FC, GCOV, > GPROF, INSTALL_MASK, LC_ALL, LD, LEX, LFLAGS, LIBTOOL, MAKE, MAKEFLAGS, NM, > OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, > PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF, > RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS > > ================================================================> Package Settings > ================================================================> > net-fs/samba-4.15.3-r1::gentoo was built with the following: > USE="acl addc ads client json ldap pam python regedit snapper systemd > winbind -ceph -cluster -cups -debug (-dmapi) (-fam) -glusterfs -gpg -iprint > -profiling-data -quota (-selinux) -spotlight -syslog (-system-heimdal) > -system-mitkrb5 (-test) -zeroconf" 
ABI_X86="(64) -32 (-x32)"
> CPU_FLAGS_X86="-aes" PYTHON_SINGLE_TARGET="python3_9 -python3_10 -python3_8"
> CFLAGS="-O3 -fgraphite-identity -floop-nest-optimize
> -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1
> -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe -Wl,-O1
> -Wl,--as-needed"
> CXXFLAGS="-O2 -pipe -O3 -fgraphite-identity -floop-nest-optimize
> -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1
> -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe -Wl,-O1
> -Wl,--as-needed"
> FEATURES="binpkg-multi-instance compress-build-logs xattr sandbox
> multilib-strict ipc-sandbox assume-digests binpkg-logs strict usersync
> userpriv preserve-libs binpkg-dostrip parallel-fetch
> qa-unresolved-soname-deps split-log buildpkg-live installsources
> compressdebug ebuild-locks userfetch config-protect-if-modified split-elog
> news buildpkg unmerge-logs splitdebug protect-owned unknown-features-warn
> clean-logs usersandbox network-sandbox binpkg-docompress unmerge-orphans
> pid-sandbox merge-sync sfperms distlocks fixlafiles parallel-install"
> LDFLAGS="-Wl,-O1 -Wl,--as-needed -O3 -fgraphite-identity
> -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta
> -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64
> -mtune=generic -pipe -O2"
>
> dc1 ~ # cat /etc/samba/user.map
> # $Id$
>
> # Syntax:
> # Unix_name = SMB_name1 SMB_name2 ...
>
> root = NETWORK-1\administrator
>
> dc1 ~ # cat /etc/samba/smb.conf
>
> [global]
> server role = active directory domain controller
> allow dns updates = nonsecure
> dns forwarder = 10.0.0.1 8.8.8.8 8.8.4.4
> idmap_ldb:use rfc2307 = yes
>
> workgroup = NETWORK-1
> realm = NETWORK-1.NET
>
> ##
> # If LOCAL isn't specified, then the local unix domain socket for RPC stops working, and breaks things.
> # Disabled while debugging
> ##
> #hosts allow = 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 fe80::/10 fd00::/8 ::1 LOCAL
>
> log level = 2 dns:2 auth:2 vfs:2
>
> nsupdate command = /usr/bin/nsupdate -g -L10
>
> # server min protocol = SMB3
> # client min protocol = SMB3
>
> ##
> # Hack hack hack
> # This allows freeradius winbind auth to work
> ##
> ntlm auth = yes
>
> username map = /etc/samba/user.map
> create mask = 0666
> directory mask = 0777
>
> allow trusted domains = no
> template shell = /bin/bash
> template homedir = /home/%U
>
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = no
>
> [netlogon]
> path = /var/lib/samba/sysvol/network-1.net/scripts
> read only = no
>
> dc1 ~ # cat /etc/krb5.conf
> [libdefaults]
> default_realm = NETWORK-1.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> dc1 ~ # cat /var/lib/samba/private/krb5.conf
> [libdefaults]
> default_realm = NETWORK-1.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> What's in smb.conf and krb5.conf
>>
>> Key type 3 is DES_CBC_MD5 to give a hint.
>>
>
> Is this something that would have changed in the samba codebase since
> roughly 2017?
>
>> We do need more info on this to help better.
>>
>> Greetz,
>>
>> Louis
>>
>
> Thank you for the assistance.
>
>> > -----Original Message-----
>> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
>> > Michael Jones via samba
>> > Sent: Friday 28 January 2022 10:15
>> > To: sambalist
>> > Subject: [Samba] nsupdate failed: GSSAPI error: A token had
>> > an invalid message integrity check
>> >
>> > I'm troubleshooting why I'm getting
>> >
>> > > 28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error: Major = A token
>> > had an invalid Message Integrity Check (MIC), Minor = Success.
>> >
>> > when running
>> >
>> > > samba_dnsupdate --verbose --all-names
>> >
>> > As the root user on my domain controller.
>> >
>> > Had to crank the debugging options up to get the actual error (quoted
>> > above).
>> >
>> > > samba_dnsupdate --verbose --all-names --debuglevel=10 --verbose
>> >
>> > with
>> >
>> > > nsupdate command = /usr/bin/nsupdate -g -L10
>> >
>> > in my smb.conf
>> >
>> > There's no information about this in Google, that I can tell. And the error
>> > messages aren't giving me much to go on.
>> >
>> > This domain controller has been running since at least 2017, and upgraded
>> > regularly as my Linux distro updates samba. So it's plausible that I'm
>> > running into a problem caused by an earlier version of samba that is only
>> > manifesting now.
>> >
>> > Any advice?
>> >
>> > Truncated command output follows immediately, followed by example snippets
>> > out of /var/log/samba.
>> >
>> > update(nsupdate): SRV _ldap._tcp.ForestDnsZones.network-1.net dc1.network-1.net 389
>> > Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
>> > Starting GENSEC mechanism gssapi_krb5_sasl
>> > GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35989 secs
>> > gensec_update_send: gssapi_krb5_sasl[0x564b018d5f80]: subreq: 0x564b015950e0
>> > gensec_update_done: gssapi_krb5_sasl[0x564b018d5f80]: NT_STATUS_MORE_PROCESSING_REQUIRED
>> > tevent_req[0x564b015950e0/../../source4/auth/gensec/gensec_gssapi.c:1057]:
>> > state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x564b015952a0)] timer[(nil)]
>> > finish[../../source4/auth/gensec/gensec_gssapi.c:1068]
>> > Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
>> > 28-Jan-2022 09:02:59.885 dns_requestmgr_create
>> > 28-Jan-2022 09:02:59.885 dns_requestmgr_create: 0x7f768d8511c8
>> > Outgoing update query:
>> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> > ;; UPDATE SECTION: >> > _ldap._tcp.ForestDnsZones.network-1.net. 900 INSRV 0 100 389 >> > dc1.network-1.net. >> > >> > 28-Jan-2022 09:02:59.895 dns_request_createvia >> > 28-Jan-2022 09:02:59.895 request_render >> > 28-Jan-2022 09:02:59.905 requestmgr_attach: 0x7f768d8511c8: >> > eref 1 iref 1 >> > 28-Jan-2022 09:02:59.905 mgr_gethash >> > 28-Jan-2022 09:02:59.905 req_send: request 0x7f768d857610 >> > 28-Jan-2022 09:02:59.905 dns_request_createvia: request 0x7f768d857610 >> > 28-Jan-2022 09:02:59.905 req_senddone: request 0x7f768d857610 >> > 28-Jan-2022 09:02:59.905 req_response: request 0x7f768d857610: success >> > 28-Jan-2022 09:02:59.905 req_cancel: request 0x7f768d857610 >> > 28-Jan-2022 09:02:59.905 req_sendevent: request 0x7f768d857610 >> > 28-Jan-2022 09:02:59.905 dns_request_getresponse: request >> > 0x7f768d857610 >> > 28-Jan-2022 09:02:59.915 dns_request_createvia >> > 28-Jan-2022 09:02:59.915 request_render >> > 28-Jan-2022 09:02:59.915 requestmgr_attach: 0x7f768d8511c8: >> > eref 1 iref 2 >> > 28-Jan-2022 09:02:59.915 mgr_gethash >> > 28-Jan-2022 09:02:59.915 dns_request_createvia: request 0x7f768d857790 >> > 28-Jan-2022 09:02:59.915 dns_request_destroy: request 0x7f768d857610 >> > 28-Jan-2022 09:02:59.915 req_destroy: request 0x7f768d857610 >> > 28-Jan-2022 09:02:59.915 requestmgr_detach: 0x7f768d8511c8: >> > eref 1 iref 1 >> > 28-Jan-2022 09:02:59.915 req_connected: request 0x7f768d857790 >> > 28-Jan-2022 09:02:59.915 req_send: request 0x7f768d857790 >> > 28-Jan-2022 09:02:59.915 req_senddone: request 0x7f768d857790 >> > 28-Jan-2022 09:02:59.965 req_response: request 0x7f768d857790: success >> > 28-Jan-2022 09:02:59.965 req_cancel: request 0x7f768d857790 >> > 28-Jan-2022 09:02:59.965 req_sendevent: request 0x7f768d857790 >> > 28-Jan-2022 09:02:59.965 dns_request_getresponse: request >> > 0x7f768d857790 >> > 28-Jan-2022 09:02:59.965 dns_request_createvia >> > 28-Jan-2022 09:02:59.965 
request_render >> > 28-Jan-2022 09:02:59.965 requestmgr_attach: 0x7f768d8511c8: >> > eref 1 iref 2 >> > 28-Jan-2022 09:02:59.965 mgr_gethash >> > 28-Jan-2022 09:02:59.965 dns_request_createvia: request 0x7f768d857610 >> > 28-Jan-2022 09:02:59.965 dns_request_destroy: request 0x7f768d857790 >> > 28-Jan-2022 09:02:59.965 req_destroy: request 0x7f768d857790 >> > 28-Jan-2022 09:02:59.965 requestmgr_detach: 0x7f768d8511c8: >> > eref 1 iref 1 >> > 28-Jan-2022 09:02:59.965 req_connected: request 0x7f768d857610 >> > 28-Jan-2022 09:02:59.965 req_send: request 0x7f768d857610 >> > 28-Jan-2022 09:02:59.965 req_senddone: request 0x7f768d857610 >> > 28-Jan-2022 09:03:00.005 req_response: request 0x7f768d857610: success >> > 28-Jan-2022 09:03:00.005 req_cancel: request 0x7f768d857610 >> > 28-Jan-2022 09:03:00.005 req_sendevent: request 0x7f768d857610 >> > 28-Jan-2022 09:03:00.005 dns_request_getresponse: request >> > 0x7f768d857610 >> > 28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error: >> > Major = A token >> > had an invalid Message Integrity Check (MIC), Minor = Success. 
>> > 28-Jan-2022 09:03:00.005 tsig key '4222350327.sig-dc1.network-1.net' >> > (<null>): signature failed to verify(1) >> > ; TSIG error with server: tsig verify failure >> > 28-Jan-2022 09:03:00.005 dns_request_destroy: request 0x7f768d857610 >> > 28-Jan-2022 09:03:00.005 req_destroy: request 0x7f768d857610 >> > 28-Jan-2022 09:03:00.005 requestmgr_detach: 0x7f768d8511c8: >> > eref 1 iref 0 >> > 28-Jan-2022 09:03:00.005 dns_requestmgr_shutdown: 0x7f768d8511c8 >> > 28-Jan-2022 09:03:00.005 send_shutdown_events: 0x7f768d8511c8 >> > 28-Jan-2022 09:03:00.005 dns_requestmgr_detach: >> > 0x7f768d8511c8: eref 0 iref >> > 0 >> > 28-Jan-2022 09:03:00.005 mgr_destroy >> > Failed nsupdate: 2 >> > update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._ >> > sites.ForestDnsZones.network-1.net dc1.network-1.net 389 >> > Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._ >> > sites.ForestDnsZones.network-1.net dc1.network-1.net 389 (add) >> > Starting GENSEC mechanism gssapi_krb5_sasl >> > GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35988 secs >> > gensec_update_send: gssapi_krb5_sasl[0x564b018d5f80]: subreq: >> > 0x564b015950e0 >> > gensec_update_done: gssapi_krb5_sasl[0x564b018d5f80]: >> > NT_STATUS_MORE_PROCESSING_REQUIRED >> > tevent_req[0x564b015950e0/../../source4/auth/gensec/gensec_gss >> > api.c:1057]: >> > state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state >> > (0x564b015952a0)] timer[(nil)] >> > finish[../../source4/auth/gensec/gensec_gssapi.c:1068] >> > Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$ >> > 28-Jan-2022 09:03:00.275 dns_requestmgr_create >> > 28-Jan-2022 09:03:00.275 dns_requestmgr_create: 0x7ff91f5df1c8 >> > Outgoing update query: >> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> > ;; UPDATE SECTION: >> > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.netwo >> > rk-1.net.900 >> > IN SRV 0 100 389 
dc1.network-1.net. >> > >> > 28-Jan-2022 09:03:00.275 dns_request_createvia >> > 28-Jan-2022 09:03:00.285 request_render >> > 28-Jan-2022 09:03:00.285 requestmgr_attach: 0x7ff91f5df1c8: >> > eref 1 iref 1 >> > 28-Jan-2022 09:03:00.285 mgr_gethash >> > 28-Jan-2022 09:03:00.285 req_send: request 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.285 dns_request_createvia: request 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.285 req_senddone: request 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.285 req_response: request 0x7ff91f5e5610: success >> > 28-Jan-2022 09:03:00.285 req_cancel: request 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.285 req_sendevent: request 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.285 dns_request_getresponse: request >> > 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.295 dns_request_createvia >> > 28-Jan-2022 09:03:00.295 request_render >> > 28-Jan-2022 09:03:00.295 requestmgr_attach: 0x7ff91f5df1c8: >> > eref 1 iref 2 >> > 28-Jan-2022 09:03:00.295 mgr_gethash >> > 28-Jan-2022 09:03:00.295 dns_request_createvia: request 0x7ff91f5e5790 >> > 28-Jan-2022 09:03:00.295 dns_request_destroy: request 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.295 req_destroy: request 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.295 requestmgr_detach: 0x7ff91f5df1c8: >> > eref 1 iref 1 >> > 28-Jan-2022 09:03:00.295 req_connected: request 0x7ff91f5e5790 >> > 28-Jan-2022 09:03:00.295 req_send: request 0x7ff91f5e5790 >> > 28-Jan-2022 09:03:00.305 req_senddone: request 0x7ff91f5e5790 >> > 28-Jan-2022 09:03:00.335 req_response: request 0x7ff91f5e5790: success >> > 28-Jan-2022 09:03:00.335 req_cancel: request 0x7ff91f5e5790 >> > 28-Jan-2022 09:03:00.335 req_sendevent: request 0x7ff91f5e5790 >> > 28-Jan-2022 09:03:00.335 dns_request_getresponse: request >> > 0x7ff91f5e5790 >> > 28-Jan-2022 09:03:00.335 dns_request_createvia >> > 28-Jan-2022 09:03:00.335 request_render >> > 28-Jan-2022 09:03:00.335 requestmgr_attach: 0x7ff91f5df1c8: >> > eref 1 iref 2 >> > 28-Jan-2022 09:03:00.335 mgr_gethash >> > 28-Jan-2022 
09:03:00.335 dns_request_createvia: request 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.335 dns_request_destroy: request 0x7ff91f5e5790 >> > 28-Jan-2022 09:03:00.335 req_destroy: request 0x7ff91f5e5790 >> > 28-Jan-2022 09:03:00.335 requestmgr_detach: 0x7ff91f5df1c8: >> > eref 1 iref 1 >> > 28-Jan-2022 09:03:00.335 req_connected: request 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.335 req_send: request 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.345 req_senddone: request 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.365 req_response: request 0x7ff91f5e5610: success >> > 28-Jan-2022 09:03:00.365 req_cancel: request 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.365 req_sendevent: request 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.365 dns_request_getresponse: request >> > 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.365 GSS verify error: GSSAPI error: >> > Major = A token >> > had an invalid Message Integrity Check (MIC), Minor = Success. >> > 28-Jan-2022 09:03:00.365 tsig key '3433197691.sig-dc1.network-1.net' >> > (<null>): signature failed to verify(1) >> > ; TSIG error with server: tsig verify failure >> > 28-Jan-2022 09:03:00.365 dns_request_destroy: request 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.365 req_destroy: request 0x7ff91f5e5610 >> > 28-Jan-2022 09:03:00.365 requestmgr_detach: 0x7ff91f5df1c8: >> > eref 1 iref 0 >> > 28-Jan-2022 09:03:00.375 dns_requestmgr_shutdown: 0x7ff91f5df1c8 >> > 28-Jan-2022 09:03:00.375 send_shutdown_events: 0x7ff91f5df1c8 >> > 28-Jan-2022 09:03:00.375 dns_requestmgr_detach: >> > 0x7ff91f5df1c8: eref 0 iref >> > 0 >> > 28-Jan-2022 09:03:00.375 mgr_destroy >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > Data from /var/log/samba/ >> > >> > >> > >> > [2022/01/28 03:02:57.729026, 2] >> > ../../source4/dns_server/dns_update.c:824(dns_server_process_update) >> > Got a dns update request. >> > [2022/01/28 03:02:57.729226, 2] >> > ../../source4/dns_server/dns_update.c:771(dns_update_allowed) >> > All updates allowed. 
>> > [2022/01/28 03:02:57.732085, 2]
>> > ../../source4/dns_server/dns_update.c:397(handle_one_update)
>> > Looking at record:
>> > [2022/01/28 03:02:57.732402, 2]
>> > ../../source4/dns_server/dns_update.c:398(handle_one_update)
>> > [2022/01/28 03:02:57.732479, 1]
>> > ../../librpc/ndr/ndr.c:435(ndr_print_debug)
>> > discard_const(update): struct dns_res_rec
>> > name : '_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.network-1.net'
>> > rr_type : DNS_QTYPE_SRV (0x21)
>> > rr_class : DNS_QCLASS_IN (0x1)
>> > ttl : 0x00000384 (900)
>> > length : 0x0019 (25)
>> > rdata : union dns_rdata(case 0x21)
>> > srv_record: struct dns_srv_record
>> > priority : 0x0000 (0)
>> > weight : 0x0064 (100)
>> > port : 0x0cc4 (3268)
>> > target : 'dc1.network-1.net'
>> > unexpected : DATA_BLOB length=0
>> > [2022/01/28 03:02:57.885790, 2]
>> > ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>> > Unsupported keytype ignored - type 3
>> > [2022/01/28 03:02:57.888483, 2]
>> > ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>> > Unsupported keytype ignored - type 1
>> > [2022/01/28 03:02:58.045607, 2]
>> > ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
>> > Got a dns update request.
>> > [2022/01/28 03:02:58.045825, 2]
>> > ../../source4/dns_server/dns_update.c:771(dns_update_allowed)
>> > All updates allowed.
>> > [2022/01/28 03:02:58.048526, 2]
>> > ../../source4/dns_server/dns_update.c:397(handle_one_update)
>> > Looking at record:
>> > [2022/01/28 03:02:58.048741, 2]
>> > ../../source4/dns_server/dns_update.c:398(handle_one_update)
>> > [2022/01/28 03:02:58.048816, 1]
>> > ../../librpc/ndr/ndr.c:435(ndr_print_debug)
>> > discard_const(update): struct dns_res_rec
>> > name : 'DomainDnsZones.network-1.net'
>> > rr_type : DNS_QTYPE_A (0x1)
>> > rr_class : DNS_QCLASS_IN (0x1)
>> > ttl : 0x00000384 (900)
>> > length : 0x0004 (4)
>> > rdata : union dns_rdata(case 0x1)
>> > ipv4_record : 10.0.0.3
>> > unexpected : DATA_BLOB length=0
>> > [2022/01/28 03:02:58.188259, 2]
>> > ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>> > Unsupported keytype ignored - type 3
>> > [2022/01/28 03:02:58.188499, 2]
>> > ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>> > Unsupported keytype ignored - type 1
>> > --
>>
>

Some supplemental system information.

dc1 ~ # cat /etc/resolv.conf
# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 10.0.0.3
nameserver redacted_ipv6_prefix::228
search network-1.net

dc1 ~ # resolvectl
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
  resolv.conf mode: uplink

Link 2 (mv-general)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
Current DNS Server: 10.0.0.3
       DNS Servers: 10.0.0.3 redacted_ipv6_prefix::228
        DNS Domain: network-1.net

dc1 ~ # cat /etc/systemd/network/mv-general.network
[Match]
Name=mv-general
Virtualization=true

[Network]
DHCP=yes
DNSSEC=allow-downgrade
Domains=network-1.net
DNS=10.0.0.3
DNS=2601:248:557f:e47c::228
MulticastDNS=false
LLMNR=false

[DHCPv4]
UseDNS=false
UseHostname=false

[DHCPv6]
UseDNS=false
UseHostname=false

[IPv6AcceptRA]
UseDNS=false
#DHCPv6Client=false

dc1 ~ # cat /etc/hosts
##
# As a special setting *only* for dc1
# manually specify the fqdn and hostname
# for 10.0.0.3 so that we don't rely on DNS
# from the router.
##
10.0.0.3 dc1.network-1.net dc1
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

dc1 ~ # cat /etc/hostname
dc1

dc1 ~ # ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 28889  bytes 4280105 (4.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 28889  bytes 4280105 (4.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

mv-general: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.3  netmask 255.0.0.0  broadcast 10.255.255.255
        inet6 fe80::18ae:d2ff:fe11:e8bc  prefixlen 64  scopeid 0x20<link>
        inet6 redacted_ipv6_prefix::228  prefixlen 128  scopeid 0x0<global>
        inet6 redacted_ipv6_prefix:fe11:e8bc  prefixlen 64  scopeid 0x0<global>
        ether 1a:ae:d2:11:e8:bc  txqueuelen 1000  (Ethernet)
        RX packets 226368  bytes 20037534 (19.1 MiB)
        RX errors 0  dropped 24425  overruns 0  frame 0
        TX packets 87040  bytes 14095184 (13.4 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

dc1 ~ # hostnamectl
   Static hostname: dc1
         Icon name: computer-container
           Chassis: container
        Machine ID: 14b050068a104f70a2dcc08d61c23d9c
           Boot ID: d89c1052cd6047d788ffa8ce233a82ca
    Virtualization: systemd-nspawn
  Operating System: Gentoo/Linux
            Kernel: Linux 5.15.11-gentoo
      Architecture: x86-64

dc1 ~ # nslookup dc1.network-1.net
Server:         10.0.0.3
Address:        10.0.0.3#53

Name:   dc1.network-1.net
Address: 10.0.0.3
Name:   dc1.network-1.net
Address: redacted_ipv6_prefix::228
Name:   dc1.network-1.net
Address: redacted_ipv6_prefix:fe11:e8bc

dc1 ~ # nslookup dc1
Server:         10.0.0.3
Address:        10.0.0.3#53

Name:   dc1.network-1.net
Address: 10.0.0.3
Name:   dc1.network-1.net
Address: redacted_ipv6_prefix::228
Name:   dc1.network-1.net
Address: redacted_ipv6_prefix:fe11:e8bc
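The two signals in the output above are the KDC log lines "Unsupported keytype ignored - type 3" / "type 1" and the nsupdate -L10 line "tsig key '...': signature failed to verify". As an added example that is not Samba code and not anything the posters ran, the script below parses Samba's two-line debug-log format (a "[timestamp, level] file:line(function)" header followed by indented message text), counts which encryption types the KDC glue skipped, names them with the standard RFC 3961 enctype numbers (which agrees with Louis's hint that key type 3 is DES_CBC_MD5), and pulls the GSS-TSIG verify failures out of the nsupdate output. The sample log text is constructed from the lines posted in this thread; the regexes and the summary layout are this example's own assumptions, and it reports the two facts side by side without asserting that one causes the other.

```python
"""Triage a Samba DC log and nsupdate -L10 output for ignored Kerberos key
types and GSS-TSIG verify failures. Added example; not Samba project code.
Sample input is constructed from the thread; enctype numbers follow RFC 3961.
"""
import re
from collections import Counter

# RFC 3961 / IANA Kerberos encryption type numbers (assumption: standard table).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
SINGLE_DES = {1, 2, 3}

# Constructed from the /var/log/samba lines in the thread, in Samba's native
# layout: header line, then the message indented on the next line.
SAMBA_LOG = """\
[2022/01/28 03:02:57.729026,  2] ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
  Got a dns update request.
[2022/01/28 03:02:57.885790,  2] ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
  Unsupported keytype ignored - type 3
[2022/01/28 03:02:57.888483,  2] ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
  Unsupported keytype ignored - type 1
"""

# Constructed from the nsupdate -g -L10 lines in the thread.
NSUPDATE_LOG = """\
28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Success.
28-Jan-2022 09:03:00.005 tsig key '4222350327.sig-dc1.network-1.net' (<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
"""

HEADER_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} [\d:.]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)$")
SRC_RE = re.compile(r"^(?P<file>.+):(?P<line>\d+)\((?P<func>\w+)\)$")
KEYTYPE_RE = re.compile(r"Unsupported keytype ignored - type (\d+)")
TSIG_RE = re.compile(r"^(?P<ts>\S+ \S+) tsig key '(?P<key>[^']+)'.*signature failed to verify")


def parse_samba_log(text):
    """Split Samba debug output into entries of {ts, level, func, msg}."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            src = SRC_RE.match(m.group("src"))
            entries.append({"ts": m.group("ts"), "level": int(m.group("level")),
                            "func": src.group("func") if src else m.group("src"),
                            "msg": ""})
        elif entries:  # continuation line belongs to the last header seen
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries


def ignored_keytypes(entries):
    """Counter of enctype numbers samba_kdc_message2entry_keys reported as ignored."""
    counts = Counter()
    for e in entries:
        if e["func"] != "samba_kdc_message2entry_keys":
            continue
        m = KEYTYPE_RE.search(e["msg"])
        if m:
            counts[int(m.group(1))] += 1
    return counts


def tsig_failures(text):
    """(timestamp, TSIG key name) for every GSS-TSIG verify failure in nsupdate output."""
    return [(m.group("ts"), m.group("key")) for m in map(TSIG_RE.match, text.splitlines()) if m]


def triage(samba_log, nsupdate_log):
    """Summarise both signals side by side; makes no claim about causation."""
    ignored = ignored_keytypes(parse_samba_log(samba_log))
    return {
        "ignored_enctypes": {n: ENCTYPE_NAMES.get(n, f"unknown({n})") for n in sorted(ignored)},
        "all_ignored_are_single_des": bool(ignored) and all(n in SINGLE_DES for n in ignored),
        "tsig_failures": tsig_failures(nsupdate_log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMBA_LOG, NSUPDATE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real /var/log/samba/log.samba at "log level = 2" and the nsupdate output captured with "-L10", the same functions apply unchanged; the only thing specific to this thread is the sample text.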
Rowland Penny
2022-Jan-28 21:29 UTC
[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
On Fri, 2022-01-28 at 15:03 -0600, Michael Jones via samba wrote:
> Thank you for the response.
>
> On Fri, Jan 28, 2022 at 4:16 AM L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
>
> > On AD-DC or Member ?
> >
>
> AD-DC, phrased as "> As the root user on my domain controller." in my
> original email, though I know it was a big wall of text, so I
> probably
> would have missed that detail myself.
>

I waded through all of that info and one thing popped out:

(-system-heimdal) -system-mitkrb5

So which was your DC built with, 'Heimdal' or 'MIT' ?

Also your smb.conf files are borked, you do not use a user.map on a DC
and I would expect each DC smb.conf to look similar to this:

[global]
server role = active directory domain controller
allow dns updates = nonsecure
dns forwarder = 10.0.0.1 8.8.8.8 8.8.4.4
idmap_ldb:use rfc2307 = yes
workgroup = NETWORK-1
realm = NETWORK-1.NET
log level = 2 dns:2 auth:2 vfs:2
ntlm auth = yes
template shell = /bin/bash
template homedir = /home/%U

[sysvol]
path = /var/lib/samba/sysvol
read only = no

[netlogon]
path = /var/lib/samba/sysvol/network-1.net/scripts
read only = no
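To make the comparison concrete, here is an added example (not Samba code, and not something either poster wrote) that parses the [global] section of the smb.conf Michael posted and of the minimal DC smb.conf Rowland suggests, normalises parameter names the way Samba matches them (case-insensitive, internal whitespace ignored), and lists everything the posted config sets beyond the minimal one. Both [global] sections are transcribed from this thread with most comments trimmed; the parser, the normalisation and the CALLED_OUT table are this example's assumptions, and the only annotation it attaches is Rowland's own statement that a user.map is not used on a DC.

```python
"""Diff a posted DC [global] against a minimal AD DC [global].
Added example; not Samba project code. Both configs are transcribed from
the thread; parser and report are this example's own assumptions.
"""
import re

# [global] from Michael's posted /etc/samba/smb.conf (constructed from the thread).
POSTED_GLOBAL = """
[global]
server role = active directory domain controller
allow dns updates = nonsecure
dns forwarder = 10.0.0.1 8.8.8.8 8.8.4.4
idmap_ldb:use rfc2307 = yes
workgroup = NETWORK-1
realm = NETWORK-1.NET
#hosts allow = 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 fe80::/10 fd00::/8 ::1 LOCAL
log level = 2 dns:2 auth:2 vfs:2
nsupdate command = /usr/bin/nsupdate -g -L10
; server min protocol = SMB3
ntlm auth = yes
username map = /etc/samba/user.map
create mask = 0666
directory mask = 0777
allow trusted domains = no
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
"""

# [global] Rowland says he would expect on each DC (constructed from the thread).
MINIMAL_DC_GLOBAL = """
[global]
server role = active directory domain controller
allow dns updates = nonsecure
dns forwarder = 10.0.0.1 8.8.8.8 8.8.4.4
idmap_ldb:use rfc2307 = yes
workgroup = NETWORK-1
realm = NETWORK-1.NET
log level = 2 dns:2 auth:2 vfs:2
ntlm auth = yes
template shell = /bin/bash
template homedir = /home/%U
"""

# The only annotation the thread itself supports (Rowland's words).
CALLED_OUT = {"usernamemap": "Rowland: you do not use a user.map on a DC"}


def parse_smb_conf(text):
    """Return {section: {normalised_name: value}} for an smb.conf body.

    Samba matches parameter names case-insensitively and ignores internal
    whitespace ('Server Role' == 'serverrole'), so names are normalised the
    same way. '#' and ';' lines are comments, so a commented-out
    'hosts allow' is not treated as set.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside a section or without '=': ignore
        name, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", name).lower()] = value.strip()
    return sections


def compare_global(posted_text, reference_text):
    """Return (same, differ, extra, missing) for [global], keyed by normalised name."""
    posted = parse_smb_conf(posted_text).get("global", {})
    ref = parse_smb_conf(reference_text).get("global", {})
    same = {k: v for k, v in posted.items() if ref.get(k) == v}
    differ = {k: (v, ref[k]) for k, v in posted.items() if k in ref and ref[k] != v}
    extra = {k: v for k, v in posted.items() if k not in ref}
    missing = {k: v for k, v in ref.items() if k not in posted}
    return same, differ, extra, missing


def report(posted_text, reference_text):
    """Lines describing what the posted [global] sets beyond the minimal one."""
    _, differ, extra, missing = compare_global(posted_text, reference_text)
    lines = [f"DIFFERS  {k}: posted={a!r} minimal={b!r}" for k, (a, b) in sorted(differ.items())]
    for k, v in sorted(extra.items()):
        lines.append(f"EXTRA    {k} = {v}  ({CALLED_OUT.get(k, 'not in the minimal DC [global]')})")
    lines += [f"MISSING  {k} = {v}" for k, v in sorted(missing.items())]
    return lines


if __name__ == "__main__":
    print("\n".join(report(POSTED_GLOBAL, MINIMAL_DC_GLOBAL)))
```

With these two inputs every parameter in Rowland's minimal [global] is present in the posted one with the same value, so the report consists only of EXTRA lines: nine parameters (nsupdate command, username map, the create/directory masks, allow trusted domains and the four winbind settings), with the commented-out hosts allow and server min protocol correctly left out.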