The error I am getting is basically saying that the signed key used for a
secure dynamic update does not match what samba is using.
I have noticed this in the error message:
;; TSIG PSEUDOSECTION:
2629188140.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593803323 300 0 53338 BADSIG 0
However, when I check for SMB4-1.brockley.harte-lyne.ca. in
/var/db/samba4/private/secrets.keytab I do not find it:
[root@smb4-1 ~ (master)]# ktutil -k /var/db/samba4/private/secrets.keytab list | grep 'SMB4-1.brockley.harte-lyne.ca'
[root@smb4-1 ~ (master)]#
The contents of /var/db/samba4/private/secrets.keytab are:
ktutil -k /var/db/samba4/private/secrets.keytab list
/var/db/samba4/private/secrets.keytab:

Vno  Type                     Principal                                                  Aliases
  1  des-cbc-crc              HOST/smb4-1@BROCKLEY.HARTE-LYNE.CA
  1  des-cbc-crc              HOST/smb4-1.brockley.harte-lyne.ca@BROCKLEY.HARTE-LYNE.CA
  1  des-cbc-crc              SMB4-1$@BROCKLEY.HARTE-LYNE.CA
  1  des-cbc-md5              HOST/smb4-1@BROCKLEY.HARTE-LYNE.CA
  1  des-cbc-md5              HOST/smb4-1.brockley.harte-lyne.ca@BROCKLEY.HARTE-LYNE.CA
  1  des-cbc-md5              SMB4-1$@BROCKLEY.HARTE-LYNE.CA
  1  arcfour-hmac-md5         HOST/smb4-1@BROCKLEY.HARTE-LYNE.CA
  1  arcfour-hmac-md5         HOST/smb4-1.brockley.harte-lyne.ca@BROCKLEY.HARTE-LYNE.CA
  1  arcfour-hmac-md5         SMB4-1$@BROCKLEY.HARTE-LYNE.CA
  1  aes128-cts-hmac-sha1-96  HOST/smb4-1@BROCKLEY.HARTE-LYNE.CA
  1  aes128-cts-hmac-sha1-96  HOST/smb4-1.brockley.harte-lyne.ca@BROCKLEY.HARTE-LYNE.CA
  1  aes128-cts-hmac-sha1-96  SMB4-1$@BROCKLEY.HARTE-LYNE.CA
  1  aes256-cts-hmac-sha1-96  HOST/smb4-1@BROCKLEY.HARTE-LYNE.CA
  1  aes256-cts-hmac-sha1-96  HOST/smb4-1.brockley.harte-lyne.ca@BROCKLEY.HARTE-LYNE.CA
  1  aes256-cts-hmac-sha1-96  SMB4-1$@BROCKLEY.HARTE-LYNE.CA
I have also discovered that setting allow dns updates = nonsecure does not
eliminate the update errors:
[root@smb4-1 ~ (master)]# grep 'allow dns updates' /usr/local/etc/smb4.conf
#allow dns updates = secure only | nonsecure | disabled
allow dns updates = nonsecure
[root@smb4-1 ~ (master)]# service samba_server onestart
Performing sanity check on Samba configuration: OK
Starting samba.
[root@smb4-1 ~ (master)]# samba_dnsupdate --verbose -d8 --all-names --current-ip=192.168.18.161
. . .
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26921
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;4038893611.sig-SMB4-1.brockley.harte-lyne.ca. ANY TKEY
;; ANSWER SECTION:
4038893611.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TKEY gss-tsig. 1593805429 1593805429 3 NOERROR 186
    oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB
    AgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvmzdWYVcQMsVC
    ETrr4lm+9sqiizz6PrBDc6BDeMLzWPihPni4jEEP1NN74xfF2Y3NB4G9
    ToFRzgQPfqS9csHpY5GiU9KiHmaZtQGIJ8Hto1bsTUeJRTPHq688kqBY
    r4twwxPDe2/DLetXseevsJDD 0
;; TSIG PSEUDOSECTION:
4038893611.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593805430 300 28 BAQF//////8AAAAAPyd5e+MT2yDZLuu9IMchyw== 26921 NOERROR 0
Sending update to 192.168.18.161#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 51274
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. 900 IN SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.
;; TSIG PSEUDOSECTION:
4038893611.sig-smb4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593805430 300 28 BAQE//////8AAAAALqsRWKlSCySHfZnsA2M/5A== 51274 NOERROR 0
; TSIG error with server: tsig indicates error
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 51274
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;brockley.harte-lyne.ca. IN SOA
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. 900 IN SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.
;; TSIG PSEUDOSECTION:
4038893611.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593805430 300 0 51274 BADSIG 0
Failed nsupdate: 2
Failed update of 29 entries
I do not know what to try next.
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
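As an added example, not part of the post above and not Samba's own tooling: two small POSIX shell helpers that automate the two checks done by hand in the post. `tsig_summary` reads `samba_dnsupdate -d8` (or `nsupdate -d`) debug output on stdin and prints, for every message that carries a TSIG record, the opcode, message id, DNS rcode and the TSIG error field, so a BADSIG on the UPDATE reply stands out from the successful TKEY exchange that preceded it. `keytab_has_principal` and `keytab_weak_enctypes` read a `ktutil ... list` dump in the "Vno Type Principal Aliases" layout shown above, the first doing a whole-field, case-insensitive match on the principal column (so a bare host name such as `SMB4-1.brockley.harte-lyne.ca` does not match `HOST/smb4-1.brockley.harte-lyne.ca@...`), the second listing single-DES entries. The embedded sample text is constructed to mirror the shapes in the post, with each record on one line as the tools print it rather than wrapped as in the mail; the TSIG field positions follow the presentation format visible above, in which the MAC token is absent when the MAC length is 0.

```shell
#!/bin/sh
# Added example (not from the post or from Samba): shell helpers that
# automate two checks from the thread, reading tool output on stdin.
# All sample text below is constructed to mirror the shapes in the post.

# Constructed: samba_dnsupdate -d8 style output, one record per line.
SAMPLE_DEBUG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26921
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; TSIG PSEUDOSECTION:
4038893611.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593805430 300 28 BAQF//////8AAAAAPyd5e+MT2yDZLuu9IMchyw== 26921 NOERROR 0
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 51274
;; TSIG PSEUDOSECTION:
4038893611.sig-smb4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593805430 300 28 BAQE//////8AAAAALqsRWKlSCySHfZnsA2M/5A== 51274 NOERROR 0
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 51274
;; TSIG PSEUDOSECTION:
4038893611.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593805430 300 0 51274 BADSIG 0'

# Constructed: a ktutil list dump in the "Vno Type Principal Aliases" layout.
SAMPLE_KEYTAB='/var/db/samba4/private/secrets.keytab:

Vno  Type                     Principal                                                  Aliases
  1  des-cbc-crc              HOST/smb4-1@BROCKLEY.HARTE-LYNE.CA
  1  arcfour-hmac-md5         HOST/smb4-1.brockley.harte-lyne.ca@BROCKLEY.HARTE-LYNE.CA
  1  aes256-cts-hmac-sha1-96  SMB4-1$@BROCKLEY.HARTE-LYNE.CA'

# tsig_summary: for every DNS message that carries a TSIG record, print
#   <opcode> <message id> <rcode> <TSIG error>
# so a BADSIG on the UPDATE reply stands out from the TKEY exchange before it.
tsig_summary() {
    awk '
    /^;; ->>HEADER<<-/ {
        opcode = $4; sub(/,$/, "", opcode)
        rcode  = $6; sub(/,$/, "", rcode)
        id     = $8
    }
    /^;; TSIG PSEUDOSECTION:/ { want = 1; next }
    want && $4 == "TSIG" {
        # Presentation layout, as shown in the post:
        #   name ttl class TSIG alg time fudge macsize [mac] origid error otherlen
        # When macsize is 0 there is no mac token, so the error code sits
        # one field further left.
        err = ($8 > 0) ? $11 : $10
        print opcode, id, rcode, err
        want = 0
    }'
}

# keytab_has_principal NAME: exit 0 if NAME is a principal in the dump
# (whole-field, case-insensitive match), 1 otherwise. Only rows whose first
# column is a numeric kvno are entries; the path and header lines are skipped.
keytab_has_principal() {
    awk -v want="$1" '
        NF >= 3 && $1 ~ /^[0-9]+$/ && tolower($3) == tolower(want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_weak_enctypes: print "<enctype> <principal>" for single-DES entries,
# which RFC 6649 deprecated and current Kerberos implementations disable by default.
keytab_weak_enctypes() {
    awk 'NF >= 3 && $1 ~ /^[0-9]+$/ && $2 ~ /^des-cbc-/ { print $2, $3 }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_DEBUG"  | tsig_summary
printf '%s\n' "$SAMPLE_KEYTAB" | keytab_weak_enctypes
```

On a live system the helpers take the real output directly, for example `samba_dnsupdate --verbose -d8 --all-names 2>&1 | tsig_summary` and `ktutil -k /var/db/samba4/private/secrets.keytab list | keytab_has_principal 'SMB4-1$@BROCKLEY.HARTE-LYNE.CA'`; the exit status of the latter makes it usable in a monitoring check.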