?icro MEGAS
2013-Apr-22 12:07 UTC
[Samba] Samba4: W2k clients cannot perform dynamic updates (TSIG failure)
Hi all, I am running samba 4.0.5 as Active-Directory Domain Controller with bind9 9.8 and I am using the BIND9_DLZ mech. I have setup my DNS quite exactly as described on the samba4_dns HowTo, but I am facing following problems: Win2000 clients are NOT ABLE to update/add/delete dynamic dns ressource records to the DNS database, because it seems they cannot be verified by samba4? The BIND9 log with debug level 3 shows error messages like that: [...] 22-Apr-2013 13:50:56.373 update-security: error: client 172.16.200.66#1343: upda te 'ad.mycompany.com/IN' denied [...] 22-Apr-2013 13:50:56.392 client: debug 3: client 172.16.200.66#1344: read 22-Apr-2013 13:50:56.392 client: debug 3: client @0x7f9a576948d0: accept 22-Apr-2013 13:50:56.395 client: debug 3: client 172.16.200.66#1344: TCP request 22-Apr-2013 13:50:56.395 client: debug 3: client 172.16.200.66#1344: query 22-Apr-2013 13:50:56.396 general: debug 3: failed gss_inquire_cred: GSSAPI error : Major = Unspecified GSS failure. Minor code may provide more information, Min or = Credentials cache file '/tmp/krb5cc_110' not found. 22-Apr-2013 13:50:56.403 general: debug 3: gss-api source name (accept) is smb4t estwin2k$@AD.MYCOMPANY.COM 22-Apr-2013 13:50:56.403 client: debug 3: client 172.16.200.66#1344: send 22-Apr-2013 13:50:56.403 client: debug 3: client 172.16.200.66#1344: sendto 22-Apr-2013 13:50:56.404 client: debug 3: client 172.16.200.66#1344: senddone [...] 22-Apr-2013 13:50:56.536 client: debug 3: client 172.16.200.66#1346: TCP request 22-Apr-2013 13:50:56.536 client: debug 3: client 172.16.200.66#1346: query 22-Apr-2013 13:50:56.537 general: debug 3: failed gss_inquire_cred: GSSAPI error : Major = Unspecified GSS failure. Minor code may provide more information, Min or = Credentials cache file '/tmp/krb5cc_110' not found. 22-Apr-2013 13:50:56.543 general: debug 3: gss-api source name (accept) is smb4t estwin2k$@AD.MYCOMPANY.COM 22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: send 22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: sendto 22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: senddone 22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: next 22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: endrequest 22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: read 22-Apr-2013 13:50:56.549 client: debug 3: client 172.16.200.66#1346: next 22-Apr-2013 13:50:56.549 client: debug 3: client 172.16.200.66#1346: endrequest 22-Apr-2013 13:50:56.549 client: debug 3: client 172.16.200.66#1346: closetcp 22-Apr-2013 13:50:56.563 client: debug 3: client 172.16.200.66#1347: UDP request 22-Apr-2013 13:50:56.564 general: debug 3: GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Unknown error. [...] 22-Apr-2013 13:50:56.707 security: error: client 172.16.200.66#1351: request has invalid signature: TSIG 910533066770-2 (smb4testwin2k\$\@AD.MYCOMPANY.COM) : tsig verify failure (BADSIG) Anyone knows more about that and know how to debug/fix that? Any help appreciated. Thanks a lot. Lucas.
Apparently Analagous Threads
- Samba4: W2k clients cannot set / sync time with samba4 AD DC
- BDC Clients Unable to update DNS (PTR/A)
- Please Help! Dynamic DNS just will not work: " failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure"
- Apparent BIND problem doing RBL lookups for Postfix
- TSIG error with server: tsig verify failure
Wisdom of the Ancients
