Igor Sousa
2019-Aug-09 20:19 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
On Thu, 8 Aug 2019 at 04:30, Rowland penny via samba <samba at lists.samba.org> wrote:

> What a lot of work you didn't need to do, 'samba-tool domain demote
> --remove-other-dead-server=samba4bkp' would have done it for you ;-)

Good to know. I'll try it if I face the same problem.

On Thu, 8 Aug 2019 at 04:30, Rowland penny via samba <samba at lists.samba.org> wrote:

> Is 'king' using itself for its nameserver ?
>
> It looks like it isn't: 'Successfully obtained Kerberos ticket to
> DNS/samba4.smb as KING$'

'king' is using 'samba4' as its nameserver. I've confirmed that samba4 has the FSMO roles. I've checked the cached Kerberos tickets and I've seen that 'king's ticket expired at 04/26/2019 (this is the date when I created 'king' and added it as a DC on SMB). After this, I obtained a new Kerberos ticket with the 'kinit' command, but 'samba_dnsupdate --verbose --all-names' has returned the same problem I've reported.

OBS: Shouldn't the DC renew the Kerberos ticket automatically?

Regards!
-- 
Igor Sousa

=========== Kerberos ticket ============
[root at king ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at SMB.UFC.BR

Valid starting       Expires              Service principal
04/25/2019 14:42:03  04/26/2019 00:42:03  krbtgt/SMB.UFC.BR at SMB.UFC.BR
        renew until 04/26/2019 14:41:57
[root at king ~]# kinit administrator
Password for administrator at SMB:
[root at king ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at SMB.UFC.BR

Valid starting       Expires              Service principal
08/09/2019 17:06:36  08/10/2019 03:06:36  krbtgt/SMB.UFC.BR at SMB.UFC.BR
        renew until 08/10/2019 17:06:31

======== FSMO owner =============
[root at king ~]# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb
InfrastructureMasterRole owner: CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb
RidAllocationMasterRole owner: CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb
DomainNamingMasterRole owner: CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb
Rowland penny
2019-Aug-09 20:25 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
On 09/08/2019 21:19, Igor Sousa wrote:
> On Thu, 8 Aug 2019 at 04:30, Rowland penny via samba
> <samba at lists.samba.org> wrote:
>
> > What a lot of work you didn't need to do, 'samba-tool domain demote
> > --remove-other-dead-server=samba4bkp' would have done it for you ;-)
>
> Good to know. I'll try it if I face the same problem.
>
> On Thu, 8 Aug 2019 at 04:30, Rowland penny via samba
> <samba at lists.samba.org> wrote:
>
> > Is 'king' using itself for its nameserver ?
> >
> > It looks like it isn't: 'Successfully obtained Kerberos ticket to
> > DNS/samba4.smb as KING$'
>
> 'king' is using 'samba4' as its nameserver.

Well it shouldn't ;-)

Each DC should use itself for its nameserver

> I've confirmed that samba4 has the FSMO roles. I've checked the cached
> Kerberos tickets and I've seen that 'king's ticket expired at
> 04/26/2019 (this is the date when I created 'king' and added it as a
> DC on SMB). After this, I obtained a new Kerberos ticket with the
> 'kinit' command, but 'samba_dnsupdate --verbose --all-names' has
> returned the same problem I've reported.
>
> OBS: Shouldn't the DC renew the Kerberos ticket automatically?

They do, but you are trying to update the records for 'king' using a ticket for 'samba4'

Rowland
Igor Sousa
2019-Aug-09 20:56 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
On Fri, 9 Aug 2019 at 17:26, Rowland penny via samba <samba at lists.samba.org> wrote:

> Well it shouldn't ;-)
>
> Each DC should use itself for its nameserver

Ok. I understand, and I think I've forgotten some step when I set up 'king'. My bad!

I've set 'king's IP as the only nameserver in resolv.conf and I've got a new Kerberos ticket with the 'kinit' command, but when I tried to update the DNS entries with 'samba_dnsupdate' I received "dns_tkey_negotiategss: TKEY is unacceptable". I've checked '/usr/local/samba/private/dns.keytab' and there is a Kerberos principal listed, and I've checked whether the BIND AD account exists and it is there.

-- 
Igor Sousa

[root at king ~]# klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/king.smb at SMB
   1 dns-KING at SMB
   1 DNS/king.smb at SMB
   1 dns-KING at SMB
   1 DNS/king.smb at SMB
   1 dns-KING at SMB
   1 DNS/king.smb at SMB
   1 dns-KING at SMB
   1 DNS/king.smb at SMB
   1 dns-KING at SMB
[root at king ~]# ls -l /usr/local/samba/private/dns.keytab
-rw-r----- 2 root named 712 Apr 25 15:18 /usr/local/samba/private/dns.keytab
[root at king ~]# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-KING' dn
# record 1
dn: CN=dns-KING,CN=Users,smb

# Referral
ref: ldap://smb/CN=Configuration,smb

# Referral
ref: ldap://smb/DC=DomainDnsZones,smb

# Referral
ref: ldap://smb/DC=ForestDnsZones,smb

# returned 4 records
# 1 entries
# 3 referrals
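As an added illustration (not code from the thread, nor from Samba), the three prerequisites discussed in Rowland's reply and in the keytab listing above, turned into checks an admin can run against captured output: the DC's resolv.conf must point at the DC itself, the ticket samba_dnsupdate reports must be to the DC's own DNS/ principal (not another DC's, as in "DNS/samba4.smb as KING$"), and dns.keytab must carry DNS/<fqdn>@REALM. All inputs below are constructed; the hostnames and realm follow the thread, and the IP addresses are assumptions.

```python
"""Prerequisite checks for samba_dnsupdate on a Samba AD DC (added example; inputs are constructed)."""
import re
from collections import Counter


def resolver_points_to_self(resolv_conf: str, own_ips: set) -> bool:
    """Each DC should use itself as nameserver: every 'nameserver' line must name one of its own IPs."""
    servers = [parts[1] for parts in (line.split() for line in resolv_conf.splitlines())
               if len(parts) > 1 and parts[0] == "nameserver"]
    return bool(servers) and all(ip in own_ips for ip in servers)


def ticket_is_for_own_host(dnsupdate_log: str, hostname: str) -> bool:
    """samba_dnsupdate --verbose prints 'Kerberos ticket to DNS/<fqdn> as <HOST>$'.
    The DNS/ service host must be this DC; a ticket to another DC's DNS service is the thread's symptom."""
    m = re.search(r"Kerberos ticket to DNS/(\S+) as (\S+)\$", dnsupdate_log)
    if not m:
        return False
    service_host = m.group(1).split(".")[0].lower()
    return service_host == hostname.lower() == m.group(2).lower()


def keytab_principals(klist_k_output: str) -> Counter:
    """Parse 'klist -k' output into {principal: number of entries}.
    Accepts the list-archive form 'DNS/king.smb at SMB' as well as the native 'DNS/king.smb@SMB'."""
    counts = Counter()
    for line in klist_k_output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+(?: at |@)\S+)\s*$", line)
        if m:
            counts[m.group(2).replace(" at ", "@")] += 1
    return counts


def keytab_report(klist_k_output: str, fqdn: str, realm: str) -> dict:
    """Report whether DNS/<fqdn>@REALM is present and which principals are listed more than once
    (the listing in the thread shows each principal five times, all with KVNO 1)."""
    counts = keytab_principals(klist_k_output)
    return {"has_dns_principal": counts.get(f"DNS/{fqdn}@{realm}", 0) > 0,
            "duplicates": {p: n for p, n in counts.items() if n > 1}}


if __name__ == "__main__":
    # Constructed samples mirroring the thread: 'king' resolving via 'samba4' (192.0.2.4 is assumed).
    print(resolver_points_to_self("search smb\nnameserver 192.0.2.4\n", {"192.0.2.10"}))   # False
    print(ticket_is_for_own_host("Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$", "king"))  # False
    sample_keytab = "KVNO Principal\n---- ----\n   1 DNS/king.smb at SMB\n   1 dns-KING at SMB\n   1 DNS/king.smb at SMB\n"
    print(keytab_report(sample_keytab, "king.smb", "SMB"))
```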