Igor Sousa
2019-Aug-10 15:05 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
Hi Rowland,

Before adding 'dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool' I've tried once to run 'samba_dnsupdate --verbose --all-names' and it has returned the TSIG error again. More precisely, 'TSIG error with server: tsig verify failure'

--
Igor Sousa

On Fri, 9 Aug 2019 at 18:14, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 09/08/2019 21:56, Igor Sousa wrote:
> > On Fri, 9 Aug 2019 at 17:26, Rowland penny via samba
> > <samba at lists.samba.org> wrote:
> >
> >     Well it shouldn't ;-)
> >
> >     Each DC should use itself for its nameserver
> >
> >
> > Ok. I understand and I think I've forgotten any step when I had
> > mounted 'king'. My bad!
> >
> > I've set 'king' IP as the only nameserver on resolv.conf and I've got a
> > new Kerberos ticket with 'kinit' command, but when I've tried to
> > update dns entries with 'samba_dnsupdate' I've received
> > "dns_tkey_negotiategss: TKEY is unacceptable". I've checked
> > '/usr/local/samba/private/dns.keytab' and there is a Kerberos
> > principal listed and I've checked if BIND AD Account exists and
> > there is.
> >
> OK, try adding this line to the smb.conf on 'king':
>
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2019-Aug-10 15:29 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
On 10/08/2019 16:05, Igor Sousa wrote:
> Hi Rowland,
>
> Before adding 'dns update command = /usr/sbin/samba_dnsupdate
> --use-samba-tool' I've tried once to run 'samba_dnsupdate --verbose
> --all-names' and it has returned the TSIG error again. More precisely,
> 'TSIG error with server: tsig verify failure'

Just add the line and restart Samba and your problem should go away.

Rowland
Igor Sousa
2019-Aug-11 01:36 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
Hi Rowland,

I've added 'dns update command' to the global section of the smb.conf file and I've configured the nameserver in '/etc/resolv.conf' as 127.0.0.1 (I've tried with 'kings' IP address too), but I don't know if this has worked. I've seen some dns update errors on 'systemctl status samba-ad-dc' though the same command has returned status 'Active (running)'. And I've used 'samba_dnsupdate', as I've mentioned previously, and I've received the 'dns_tkey_negotiategss: TKEY is unacceptable' error and all entries have had their dns update failed.

I've read https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable but I think my case doesn't match the described cases.

I've thought for a time to demote 'king' from 'SMB' and create a new DC to join 'SMB'. I haven't done it because I've had no guarantees that this will work.

Note: I've used CentOS 7 with firewalld and SELinux disabled.

--
Igor Sousa

[root@king ~]# systemctl status samba-ad-dc -l
● samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-08-10 21:56:10 -03; 57s ago
 Main PID: 4761 (samba)
   Status: "smbd: ready to serve connections..."
   CGroup: /system.slice/samba-ad-dc.service
           ├─4761 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4762 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4763 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4764 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4765 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─4766 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4767 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4768 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4769 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4770 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4771 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4772 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4773 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4774 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4775 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4776 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4777 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─4786 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─4787 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           └─4788 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground

Aug 10 21:56:10 king samba[4775]: /usr/sbin/samba_dnsupdate: Failed to exec child - No such file or directory
Aug 10 21:56:10 king samba[4775]: [2019/08/10 21:56:10.070765, 0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
Aug 10 21:56:10 king samba[4775]: dnsupdate_nameupdate_done: Failed DNS update with exit code 255
Aug 10 21:56:10 king winbindd[4777]: [2019/08/10 21:56:10.742668, 0] ../../source3/winbindd/winbindd_cache.c:3165(initialize_winbindd_cache)
Aug 10 21:56:10 king winbindd[4777]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Aug 10 21:56:10 king winbindd[4777]: [2019/08/10 21:56:10.805712, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
Aug 10 21:56:10 king winbindd[4777]: daemon_ready: daemon 'winbindd' finished starting up and ready to serve connections
Aug 10 21:56:10 king systemd[1]: Started Samba Active Directory Domain Controller.
Aug 10 21:56:11 king smbd[4765]: [2019/08/10 21:56:11.230890, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
Aug 10 21:56:11 king smbd[4765]: daemon_ready: daemon 'smbd' finished starting up and ready to serve connections

[root@king ~]# klist -k /usr/local/samba/bind-dns/dns.keytab
Keytab name: FILE:/usr/local/samba/bind-dns/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/king.smb@SMB
   1 dns-KING@SMB
   1 DNS/king.smb@SMB
   1 dns-KING@SMB
   1 DNS/king.smb@SMB
   1 dns-KING@SMB
   1 DNS/king.smb@SMB
   1 dns-KING@SMB
   1 DNS/king.smb@SMB
   1 dns-KING@SMB

[root@king ~]# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-KING' dn
# record 1
dn: CN=dns-KING,CN=Users,DC=smb

# Referral
ref: ldap://smb/CN=Configuration,DC=smb

# Referral
ref: ldap://smb/DC=DomainDnsZones,DC=smb

# Referral
ref: ldap://smb/DC=ForestDnsZones,DC=smb

# returned 4 records
# 1 entries
# 3 referrals

On Sat, 10 Aug 2019 at 12:30, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 10/08/2019 16:05, Igor Sousa wrote:
> > Hi Rowland,
> >
> > Before adding 'dns update command = /usr/sbin/samba_dnsupdate
> > --use-samba-tool' I've tried once to run 'samba_dnsupdate --verbose
> > --all-names' and it has returned the TSIG error again. More precisely,
> > 'TSIG error with server: tsig verify failure'
>
> Just add the line and restart Samba and your problem should go away.
>
> Rowland
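
Added example, not part of the thread and not Samba's own tooling: the log in the last message shows samba failing to exec the configured 'dns update command' ("Failed to exec child - No such file or directory"), so this shell sketch reads that parameter from an smb.conf and checks that the program it names exists and is executable. The function names and the temporary sample smb.conf are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): verify that the program named by
# 'dns update command' in smb.conf can actually be executed.

# Print the program path (first word of the value) of 'dns update command'.
# smb.conf parameter names ignore case and spaces, so normalise the key.
dns_update_program() {
    awk -F= '
        NF > 1 {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key == "dnsupdatecommand") {
                val = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", val)
                split(val, words, /[ \t]+/)
                prog = words[1]
            }
        }
        END { if (prog != "") print prog }
    ' "$1"
}

# Exit status: 0 = program is executable, 1 = missing or not executable,
# 2 = parameter not set in this file.
check_dns_update_command() {
    prog=$(dns_update_program "$1")
    if [ -z "$prog" ]; then
        echo "dns update command is not set in $1"
        return 2
    fi
    if [ -x "$prog" ]; then
        echo "OK: $prog is executable"
        return 0
    fi
    echo "FAIL: $prog does not exist or is not executable"
    return 1
}

# Constructed sample: an smb.conf carrying the line suggested in the thread.
sample=$(mktemp)
printf '[global]\n\tdns update command = /usr/sbin/samba_dnsupdate --use-samba-tool\n' > "$sample"
check_dns_update_command "$sample" || true
rm -f "$sample"
```

Pointed at a DC's live smb.conf, a FAIL result corresponds to the "Failed to exec child" entry that samba writes at startup.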