thr3ads.net - samba - [Samba] TSIG errors when updating DNS [Feb 2023]

If this information is useful, please help other people find it:
Share via:

Peter Milesson

2023-Feb-04 11:46 UTC

[Samba] TSIG errors when updating DNS

Hi folks,

I get the following errors when running samba_dnsupdate --verbose 
--all-names on both my samba AD DCs. I have cut the list, as it repeats 
the TSIG error

The resolvconf package is not installed, each DC points to itself with 
its 172.16.10.xx in resolv.conf. The hosts file is OK on both DCs.

I have tried to add the following line to smb.conf and restart, it does 
not help, however.

dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

I've seen this subject being brought up previously on this list, but it 
beats me why it pops up now.

OS is Debian Bullseye with backports. Samba was upgraded to 4.17.5 from 
the backports packages today on both DCs.

I would very much appreciate some help on this.

Best regards,

Peter



IPs: ['172.16.10.10']
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.konstrukce.local 
konadc2.konstrukce.local 389) as we are not a PDC
force update: A konadc2.konstrukce.local 172.16.10.10
force update: NS konstrukce.local konadc2.konstrukce.local
force update: NS _msdcs.konstrukce.local konadc2.konstrukce.local
...
...
28 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/konadc2.konstrukce.local as 
KONADC2$
update(nsupdate): A konadc2.konstrukce.local 172.16.10.10
Calling nsupdate for A konadc2.konstrukce.local 172.16.10.10 (add)
Successfully obtained Kerberos ticket to DNS/konadc2.konstrukce.local as 
KONADC2$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:????? 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
konadc2.konstrukce.local. 900?? IN????? A?????? 172.16.10.10

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): NS konstrukce.local konadc2.konstrukce.local
Calling nsupdate for NS konstrukce.local konadc2.konstrukce.local (add)
Successfully obtained Kerberos ticket to DNS/konadc2.konstrukce.local as 
KONADC2$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:????? 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
konstrukce.local.?????? 900???? IN????? NS konadc2.konstrukce.local.
...
...

Rowland Penny

2023-Feb-04 12:21 UTC

head link

[Samba] TSIG errors when updating DNS

On 04/02/2023 11:46, Peter Milesson via samba wrote:> Hi folks,
> 
> I get the following errors when running samba_dnsupdate --verbose 
> --all-names on both my samba AD DCs. I have cut the list, as it repeats 
> the TSIG error
> 
> The resolvconf package is not installed, each DC points to itself with 
> its 172.16.10.xx in resolv.conf. The hosts file is OK on both DCs.
> 
> I have tried to add the following line to smb.conf and restart, it does 
> not help, however.
> 
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
That will have no effect when running samba_dnsupdate. You could try 
adding '--use-samba-tool' to the samba_dnsupdate command, but I think it
will error with an error that isn't an error, how can the record 
existing be an error ?
> 
> I've seen this subject being brought up previously on this list, but it
> beats me why it pops up now.
> 
> OS is Debian Bullseye with backports. Samba was upgraded to 4.17.5 from 
> the backports packages today on both DCs.
What version did you upgrade from ?
> 
> I would very much appreciate some help on this.
I think what is happening here is that your kerberos ticket is too old, 
it still has the old keys in it.

Rowland

samba - Feb 2023 - TSIG errors when updating DNS

[Samba] TSIG errors when updating DNS

[Samba] TSIG errors when updating DNS