Igor Sousa
2019-Aug-09 20:56 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
Em sex, 9 de ago de 2019 ?s 17:26, Rowland penny via samba < samba at lists.samba.org> escreveu:> Well it shouldn't ;-) > > Each DC should use itself for its nameserver >Ok. I understand and I think I've forgotten any step when I had mounted 'king'. My bad! I've set 'king' IP as the only namesever on resolv.conf and I've got a new Kerberos ticket with 'kinit' command, but when I've tried to update dns entries with 'samba_dnsupdate' I've receive "dns_tkey_negotiategss: TKEY is unacceptable". I've checked '/usr/local/samba/private/dns.keytab' and there is a Kerberos principal listed and I've checked if BIND AD Account exists and it there is. -- Igor Sousa [root at king ~]# klist -k /usr/local/samba/private/dns.keytab Keytab name: FILE:/usr/local/samba/private/dns.keytab KVNO Principal ---- -------------------------------------------------------------------------- 1 DNS/king.smb at SMB 1 dns-KING at SMB 1 DNS/king.smb at SMB 1 dns-KING at SMB 1 DNS/king.smb at SMB 1 dns-KING at SMB 1 DNS/king.smb at SMB 1 dns-KING at SMB 1 DNS/king.smb at SMB 1 dns-KING at SMB [root at king ~]# ls -l /usr/local/samba/private/dns.keytab -rw-r----- 2 root named 712 Apr 25 15:18 /usr/local/samba/private/dns.keytab [root at king ~]# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-KING' dn # record 1 dn: CN=dns-KING,CN=Users,smb # Referral ref: ldap://smb/CN=Configuration,smb # Referral ref: ldap://smb/DC=DomainDnsZones,smb # Referral ref: ldap://smb/DC=ForestDnsZones,smb # returned 4 records # 1 entries # 3 referrals
Rowland penny
2019-Aug-09 21:14 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
On 09/08/2019 21:56, Igor Sousa wrote:> Em sex, 9 de ago de 2019 ?s 17:26, Rowland penny via samba > <samba at lists.samba.org <mailto:samba at lists.samba.org>> escreveu: > > Well it shouldn't ;-) > > Each DC should use itself for its nameserver > > > Ok. I understand and I think I've forgotten any step when I had > mounted 'king'. My bad! > > I've set 'king' IP as the only namesever on resolv.conf and I've got a > new Kerberos ticket with 'kinit' command, but when I've tried to > update dns entries with 'samba_dnsupdate' I've receive > "dns_tkey_negotiategss: TKEY is unacceptable". I've checked > '/usr/local/samba/private/dns.keytab' and there is a Kerberos > principal listed and I've checked if BIND AD Account exists and it > there is. >OK, try adding this line to the smb.conf on 'king': dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool Rowland
Igor Sousa
2019-Aug-10 15:05 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
Hi Rowland, Before to add 'dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool' I've tried once to run 'samba_dnsupdate --verbose --all-names' and it has returned me TSIG error again. More precisely, 'TSIG error with server: tsig verify failure' -- Igor Sousa Em sex, 9 de ago de 2019 ?s 18:14, Rowland penny via samba < samba at lists.samba.org> escreveu:> On 09/08/2019 21:56, Igor Sousa wrote: > > Em sex, 9 de ago de 2019 ?s 17:26, Rowland penny via samba > > <samba at lists.samba.org <mailto:samba at lists.samba.org>> escreveu: > > > > Well it shouldn't ;-) > > > > Each DC should use itself for its nameserver > > > > > > Ok. I understand and I think I've forgotten any step when I had > > mounted 'king'. My bad! > > > > I've set 'king' IP as the only namesever on resolv.conf and I've got a > > new Kerberos ticket with 'kinit' command, but when I've tried to > > update dns entries with 'samba_dnsupdate' I've receive > > "dns_tkey_negotiategss: TKEY is unacceptable". I've checked > > '/usr/local/samba/private/dns.keytab' and there is a Kerberos > > principal listed and I've checked if BIND AD Account exists and it > > there is. > > > OK, try adding this line to the smb.conf on 'king': > > dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >