I'm attempting to join Samba 4 (using the latest 4.4 built from source) as a DC to an existing Win 2k8 server domain. The join works fine with no errors and appears to be replicating fine. However, the DNS is not updated and I get the following error multiple times when running samba_dnsupdate --all-names:

TSIG error with server: tsig verify failure

I've checked the time and all servers are synchronised. However, if I capture the temporary ticket that is produced for nsupdate, the service principal is not the name of the Samba 4 server but the name of one of the Win 2k8 servers.

When I check this on a test domain of purely Samba 4 servers, the service principal is always the name of the server updating itself.

I've tried both BIND_DLZ and INTERNAL DNS and they both give the same error.

Does anyone have any ideas what is going on?

Thanks,
Dave Hawkes
Hi,

I've been looking into a similar-sounding issue, which I think is a regression in 4.3. (Amazingly, there are so few people with mixed domains, probably in particular ones which require joining additional DCs at some later point.)

I may be able to provide more information soon, but this might be the culprit commit:
https://git.samba.org/?p=samba.git;a=commit;h=e85ef1dbfef4b16c35cac80c0efc563d8cd1ba3e

When you start up Samba, do you see these debug messages during the initial samba_dnsupdate run?

GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find SAMBA-BUIL$@2008R2.HOWTO.ABARTLET.NET(kvno 3) in keytab FILE:/tmp/private/secrets.keytab (aes256-cts-hmac-sha1-96)

Cheers,

Garming

On 20/07/2016 1:52 a.m., Dave Hawkes wrote:
> I'm attempting to join Samba 4 (using the latest 4.4 built from source) as
> a DC to an existing Win 2k8 server domain. The join works fine with no
> errors and appears to be replicating fine. However, the DNS is not
> updated and I get the following error multiple times when running
> samba_dnsupdate --all-names:
>
> TSIG error with server: tsig verify failure
>
> I've checked the time and all servers are synchronised. However, if I
> capture the temporary ticket that is produced for nsupdate, the service
> principal is not the name of the Samba 4 server but the name of one of
> the Win 2k8 servers.
>
> When I check this on a test domain of purely Samba 4 servers, the
> service principal is always the name of the server updating itself.
>
> I've tried both BIND_DLZ and INTERNAL DNS and they both give the same
> error.
>
> Does anyone have any ideas what is going on?
>
> Thanks,
> Dave Hawkes
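The two symptoms in this thread (repeated "tsig verify failure" from samba_dnsupdate, and the "Failed to find ... in keytab" message when Samba tries to use its own machine account key) are easy to miss in a busy log. The following is an added example, not code from the thread or from Samba: it scans constructed log lines modelled on the messages quoted above, counts the TSIG failures, extracts principal, kvno, keytab path and enctype from the keytab message, and flags whether the principal Samba looked up is the DC's own account (key missing from secrets.keytab) or some other account (the wrong service principal was chosen, as Dave observed). The message regex and the expected account name (SAMBA-BUIL$) are assumptions taken from the quoted text.

```python
import re

# Constructed sample lines, modelled on the messages quoted in this thread.
SAMPLE_LOG = """\
samba_dnsupdate: TSIG error with server: tsig verify failure
samba_dnsupdate: TSIG error with server: tsig verify failure
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find SAMBA-BUIL$@2008R2.HOWTO.ABARTLET.NET(kvno 3) in keytab FILE:/tmp/private/secrets.keytab (aes256-cts-hmac-sha1-96)
"""

# Pattern assumed from the quoted message text:
#   Failed to find <principal>(kvno <n>) in keytab <path> (<enctype>)
KEYTAB_RE = re.compile(
    r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\) "
    r"in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)"
)
TSIG_RE = re.compile(r"TSIG error with server: tsig verify failure")


def analyse_dnsupdate_log(log_text, expected_account):
    """Summarise samba_dnsupdate symptoms from a log excerpt.

    expected_account is the DC's own sAMAccountName (e.g. 'SAMBA-BUIL$').
    Returns a dict with the TSIG failure count, each missing-keytab-entry
    message parsed into fields, and whether any of those messages named
    an account other than this DC's own (the 'wrong principal' symptom).
    """
    findings = {"tsig_failures": 0, "missing_keytab_entries": [], "wrong_principal": False}
    for line in log_text.splitlines():
        if TSIG_RE.search(line):
            findings["tsig_failures"] += 1
        m = KEYTAB_RE.search(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["kvno"] = int(entry["kvno"])
        findings["missing_keytab_entries"].append(entry)
        # Compare only the account part (before the realm), case-insensitively.
        account = entry["principal"].split("@", 1)[0]
        if account.upper() != expected_account.upper():
            findings["wrong_principal"] = True
    return findings


if __name__ == "__main__":
    result = analyse_dnsupdate_log(SAMPLE_LOG, "SAMBA-BUIL$")
    print(result)
```

If `wrong_principal` is False but entries are listed, the key (principal, kvno, enctype) is simply absent from the named keytab and that is what to verify; if it is True, the DNS update is being attempted with another server's principal.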
On 22/07/16 07:32, Andrew Bartlett wrote:
> On Fri, 2016-07-22 at 00:18 +1200, Garming Sam wrote:
>> Hi,
>>
>> I've been looking into a similar-sounding issue, which I think is
>> a regression in 4.3. (Amazingly, there are so few people with mixed
>> domains, probably in particular ones which require joining additional
>> DCs at some later point.)
>>
>> I may be able to provide more information soon, but this might be the
>> culprit commit:
>> https://git.samba.org/?p=samba.git;a=commit;h=e85ef1dbfef4b16c35cac80c0efc563d8cd1ba3e
>>
>> When you start up Samba, do you see these debug messages during the
>> initial samba_dnsupdate run?
>>
>> GSS server Update(krb5)(1) Update failed:
>> Miscellaneous failure (see text): Failed to find
>> SAMBA-BUIL$@2008R2.HOWTO.ABARTLET.NET(kvno 3) in keytab
>> FILE:/tmp/private/secrets.keytab (aes256-cts-hmac-sha1-96)
>
> Wow! How did you figure that out!
>
> Andrew Bartlett

I ran a git bisect after I noticed 4.2 was fine. It just rejoined a Windows domain and then tried samba_dnsupdate.

Cheers,

Garming