Igor Sousa
2019-Aug-12 16:57 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
Hi Rowland,

I've done as you said: I've set the nameserver in the '/etc/resolv.conf' file to 'king's IP (10.41.20.67) and added 'dns update command /usr/sbin/samba_dnsupdate --use-samba-tool' to the '/usr/local/samba/etc/smb.conf' file. I still see samba_dnsupdate failing in 'systemctl status samba-ad-dc'. Is there another way to check if the DNS entries are updated correctly instead of using 'samba_dnsupdate --verbose --all-names --use-samba-tool'?

[root@king ~]# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        netbios name = KING
        realm = SMB
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SMB
        idmap_ldb:use rfc2307 = yes
        dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/smb/scripts
        read only = No

[root@king ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search SMB
nameserver 10.41.20.67

[root@king ~]# systemctl status samba-ad-dc -l
● samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-08-12 10:08:47 -03; 44min ago
 Main PID: 4771 (samba)
   Status: "smbd: ready to serve connections..."
   CGroup: /system.slice/samba-ad-dc.service
           ├─4771 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4773 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4774 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4775 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4776 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4777 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─4778 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4779 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4780 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4781 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4782 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4783 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4784 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4785 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4786 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4787 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4788 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─4795 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─4796 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           └─4799 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground

Aug 12 10:28:46 king samba[4786]: [2019/08/12 10:28:46.806315, 0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
Aug 12 10:28:46 king samba[4786]: dnsupdate_nameupdate_done: Failed DNS update with exit code 255
Aug 12 10:38:46 king samba[4786]: [2019/08/12 10:38:46.874731, 0] ../../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Aug 12 10:38:46 king samba[4786]: /usr/sbin/samba_dnsupdate: Failed to exec child - No such file or directory
Aug 12 10:38:46 king samba[4786]: [2019/08/12 10:38:46.877919, 0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
Aug 12 10:38:46 king samba[4786]: dnsupdate_nameupdate_done: Failed DNS update with exit code 255
Aug 12 10:48:46 king samba[4786]: [2019/08/12 10:48:46.894473, 0] ../../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Aug 12 10:48:46 king samba[4786]: /usr/sbin/samba_dnsupdate: Failed to exec child - No such file or directory
Aug 12 10:48:46 king samba[4786]: [2019/08/12 10:48:46.897140, 0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
Aug 12 10:48:46 king samba[4786]: dnsupdate_nameupdate_done: Failed DNS update with exit code 255

--
Igor Sousa

On Sun, 11 Aug 2019 at 05:18, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 11/08/2019 02:36, Igor Sousa wrote:
> > Hi Rowland,
> >
> > I've added 'dns update command' to the global section of the smb.conf file and
> > I've configured the nameserver in '/etc/resolv.conf' as 127.0.0.1 (I've
> > tried with 'king's IP address too), but I don't know if this has
> > worked. I've seen some DNS update errors in 'systemctl status
> > samba-ad-dc' though the same command has returned status 'Active
> > (running)'. And I've used 'samba_dnsupdate', as I've mentioned
> > previously, and I've received the 'dns_tkey_negotiategss: TKEY is
> > unacceptable' error and all entries have had their DNS update fail.
> > I've read
> > https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
> > but I think my case doesn't match the described cases.
> >
> > I've thought for a time about demoting 'king' from 'SMB' and creating a new
> > DC to join 'SMB'. I haven't done it because I've had no guarantees
> > that this will work.
> >
> > OBS: I've used CentOS 7 with firewalld and SELinux disabled.
>
> Do not use '127.0.0.1' in /etc/resolv.conf, use the DC's ipaddress.
>
> Stop running 'samba_dnsupdate' directly, but if you must, add
> '--use-samba-tool'
>
> By using '--use-samba-tool' you are doing the updates over RPC instead
> of kerberos.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2019-Aug-12 17:36 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
On 12/08/2019 17:57, Igor Sousa wrote:

> Hi Rowland,
>
> I've done as you said: I've set the nameserver in the
> '/etc/resolv.conf' file to 'king's IP (10.41.20.67) and added 'dns update
> command = /usr/sbin/samba_dnsupdate --use-samba-tool' to the
> '/usr/local/samba/etc/smb.conf' file. I still see samba_dnsupdate
> failing in 'systemctl status samba-ad-dc'. Is there another way to check
> if the DNS entries are updated correctly instead of using 'samba_dnsupdate
> --verbose --all-names --use-samba-tool'?
>
> [root@king ~]# cat /usr/local/samba/etc/smb.conf
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

OOOOOPPPPSSSS

You have compiled Samba yourself, so samba_dnsupdate will not be in /usr/sbin, it will be in /usr/local/samba/sbin

so change the line in smb.conf to:

dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool

Rowland
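An added example, not part of the thread and not Samba's own tooling: a shell check for the failure diagnosed in the reply above, where 'dns update command' names a program that does not exist at that path. The function names and the demo smb.conf are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names, paths and file contents here are constructed.

# Print the last "dns update command" value in the smb.conf given as $1.
# smb.conf parameter names ignore case and embedded whitespace.
dns_update_command() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                     # skip comment lines
        /=/ {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key == "dnsupdatecommand") {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                last = val
            }
        }
        END { if (last != "") print last }
    ' "$1"
}

# Return 0 if the configured program is an executable file, 1 if it is not
# (the "Failed to exec child" case), 2 if the parameter is not set.
check_dns_update_command() {
    cmd=$(dns_update_command "$1")
    if [ -z "$cmd" ]; then
        echo "dns update command not set in $1"
        return 2
    fi
    bin=$(printf '%s\n' "$cmd" | awk '{ print $1 }')
    if [ -f "$bin" ] && [ -x "$bin" ]; then
        echo "ok: $bin"
        return 0
    fi
    echo "not executable or missing: $bin"
    return 1
}

# Demo on a constructed smb.conf that points at a path that does not exist.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '[global]\n\tdns update command = %s/sbin/samba_dnsupdate --use-samba-tool\n' \
        "$tmp" > "$tmp/smb.conf"
    rc=0
    check_dns_update_command "$tmp/smb.conf" || rc=$?
    rm -rf "$tmp"
    return 0
}
demo
```

On a DC, call check_dns_update_command with the path of the smb.conf that the running samba binary actually reads.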
Igor Sousa
2019-Aug-12 23:27 UTC
[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure
On Mon, 12 Aug 2019 at 14:36, Rowland penny via samba <samba at lists.samba.org> wrote:

> OOOOOPPPPSSSS
>
> You have compiled Samba yourself, so samba_dnsupdate will not be in
> /usr/sbin, it will be in /usr/local/samba/sbin
>
> so change the line in smb.conf to:
>
> dns update command = /usr/local/samba/sbin/samba_dnsupdate
> --use-samba-tool

My bad! I hadn't paid attention to the samba_dnsupdate directory. ;-D

I've corrected it and the dnsupdate errors have disappeared from 'systemctl status samba-ad-dc'. I don't know how to check if it really works though.

Thanks a lot for your help!