Michael Jones
2022-Jan-28 22:45 UTC
[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
Thank you for the help

On Fri, Jan 28, 2022 at 4:20 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 2022-01-28 at 15:57 -0600, Michael Jones wrote:
> You need to find out which you are using, Heimdal or MIT.

It's using the version bundled with samba. I've never attempted to override that, so it's always been whatever version is bundled with each samba release, since the DC was first installed. If that's Heimdal, then it's always been Heimdal.

> Samba has been using the builtin Heimdal since Samba 4 was released,
> though there is also an experimental version that uses MIT (this
> version should not be used in production).

That's fine. I don't have samba configured to use MIT, and never have. Yet I've had the problem I'm asking for help with both before and after my bind-tools package was switched by my package manager from the system's heimdal to the system's mit-krb5. Note that bind-tools using the mit-krb5 package *does not* mean that samba ever has. Regardless, I do agree with you that using MIT is not the right thing to do, and am waiting on the DC to install Heimdal as I write this. However, it doesn't seem like this has anything to do with the problem in my original email.

> We do not write your smb.conf, all we can do is to point out any
> errors
> The problem with that idea, is what may be wrong in one smb.conf, is
> perfectly valid in another. To get something to parse the smb.conf
> based on what the server role is, would probably have to be extremely
> large and entail some form of AI and mind reading capabilities :-)
>
> Rowland

The configuration lines were added when I experienced a problem. The problem went away when the config lines were added (repeat per config line, generally speaking). Either the configuration lines are errors enough that they shouldn't be allowed in the role that this instance of samba is running as, or they aren't errors.
Typically I have to find out why something stopped working when I upgrade samba, and find that the new version either stops doing something I want, or starts doing something I don't want. The lack of consistency with the behavior each release is the ultimate driver behind why there are hundreds of guides telling people to add configuration lines that the mailing list considers major problems, and why the few people who have run into a problem they couldn't solve and therefore email the mailing list so frequently have configurations that you think are set up incorrectly. Compound that with the Samba software's logs having a predisposition to say an error occurred, but give no real information about what the error was, what might have caused it, how to fix it, or really anything. This leads to people who may not be experts at samba, but are experts at computer admin, finding their own solutions that only work by accident, further compounding the problem of bad configuration files.

I'm a software engineer for my day job, so I have my own share of people "holding it wrong", and sympathize. It's not an easy problem, but it is one that I've mitigated by having my log messages lean toward over-explaining, even to the point of condescension for particularly difficult situations.

Really, what I want is a single git repository that represents the configuration for all of my samba machines, with common configuration settings specified in smb.conf, and per machine settings specified in appropriately named config files, and I had that working for over a year, and it broke upon upgrade to some samba version, I don't recall which. So this DC has config lines left over from when it shared the same git repository as all my member machines. If it hasn't caused a problem until now, I've generally left it alone. Regardless, I appreciate your feedback on my configuration, and I'll take it under advisement. Thank you.
However, I don't believe that the settings you omitted from my smb.conf are related to nsupdate encountering the error: "GSSAPI error: A token had an invalid message integrity check", are they? Or is there some influence between, e.g. "winbind ..." settings and the DNS updater mechanism that I'm not understanding?
Michael Jones
2022-Jan-29 06:00 UTC
[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
On Fri, Jan 28, 2022 at 4:45 PM Michael Jones <samba at jonesmz.com> wrote:

> Thank you for the help
>
> On Fri, Jan 28, 2022 at 4:20 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Fri, 2022-01-28 at 15:57 -0600, Michael Jones wrote:
> > You need to find out which you are using, Heimdal or MIT.
>
> It's using the version bundled with samba. I've never attempted to
> override that, so it's always been whatever version is bundled with each
> samba release, since the DC was first installed. If that's Heimdal, then
> it's always been Heimdal.

Ok. mit-krb5 is completely purged from my system. bind-tools (nsupdate) now uses heimdal again.

I'm getting a similar error as before, though the error message is slightly different.

I have very little knowledge about kerberos or gssapi, so I really need some guidance on how to investigate this further.

update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net dc1.network-1.net 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35991 secs
gensec_update_send: gssapi_krb5_sasl[0x558a610e5320]: subreq: 0x558a6061eed0
gensec_update_done: gssapi_krb5_sasl[0x558a610e5320]: NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x558a6061eed0/../../source4/auth/gensec/gensec_gssapi.c:1057]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x558a6061f090)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1068]
Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
29-Jan-2022 05:58:01.436 dns_requestmgr_create
29-Jan-2022 05:58:01.436 dns_requestmgr_create: 0x7fbbbbf831c8
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net. 900 IN SRV 0 100 389 dc1.network-1.net.

29-Jan-2022 05:58:01.446 dns_request_createvia
29-Jan-2022 05:58:01.456 request_render
29-Jan-2022 05:58:01.456 requestmgr_attach: 0x7fbbbbf831c8: eref 1 iref 1
29-Jan-2022 05:58:01.456 mgr_gethash
29-Jan-2022 05:58:01.456 req_send: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.456 dns_request_createvia: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.456 req_senddone: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.456 req_response: request 0x7fbbbbf89610: success
29-Jan-2022 05:58:01.456 req_cancel: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.456 req_sendevent: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.456 dns_request_getresponse: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.466 dns_request_createvia
29-Jan-2022 05:58:01.466 request_render
29-Jan-2022 05:58:01.466 requestmgr_attach: 0x7fbbbbf831c8: eref 1 iref 2
29-Jan-2022 05:58:01.466 mgr_gethash
29-Jan-2022 05:58:01.466 dns_request_createvia: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.466 dns_request_destroy: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.466 req_destroy: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.466 requestmgr_detach: 0x7fbbbbf831c8: eref 1 iref 1
29-Jan-2022 05:58:01.466 req_connected: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.466 req_send: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.466 req_senddone: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.496 req_response: request 0x7fbbbbf89790: success
29-Jan-2022 05:58:01.496 req_cancel: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.506 req_sendevent: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.506 dns_request_getresponse: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.506 dns_request_createvia
29-Jan-2022 05:58:01.506 request_render
29-Jan-2022 05:58:01.506 requestmgr_attach: 0x7fbbbbf831c8: eref 1 iref 2
29-Jan-2022 05:58:01.506 mgr_gethash
29-Jan-2022 05:58:01.506 dns_request_createvia: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.506 dns_request_destroy: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.506 req_destroy: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.506 requestmgr_detach: 0x7fbbbbf831c8: eref 1 iref 1
29-Jan-2022 05:58:01.506 req_connected: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.506 req_send: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.506 req_senddone: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.536 req_response: request 0x7fbbbbf89610: success
29-Jan-2022 05:58:01.536 req_cancel: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.536 req_sendevent: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.536 dns_request_getresponse: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.536 GSS verify error: GSSAPI error: Major = A token had an invalid MIC, Minor = unknown mech-code 2529638943 for mech unknown.
29-Jan-2022 05:58:01.536 tsig key '1576010161.sig-dc1.network-1.net' (<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
29-Jan-2022 05:58:01.536 dns_request_destroy: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.536 req_destroy: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.536 requestmgr_detach: 0x7fbbbbf831c8: eref 1 iref 0
29-Jan-2022 05:58:01.536 dns_requestmgr_shutdown: 0x7fbbbbf831c8
29-Jan-2022 05:58:01.536 send_shutdown_events: 0x7fbbbbf831c8
29-Jan-2022 05:58:01.536 dns_requestmgr_detach: 0x7fbbbbf831c8: eref 0 iref 0
29-Jan-2022 05:58:01.536 mgr_destroy
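As an added triage aid (not code from the thread or from Samba), the script below parses `samba_dnsupdate --verbose` output like the log above, groups each GSS verify / TSIG failure under the nsupdate call that produced it, and then checks against a DNS lookup whether the record actually landed on the DC, which is what decides whether such an error is ignorable. The sample log is constructed from the lines quoted above; `lookup` is an assumed caller-supplied callable (dig, dnspython or similar), so the script itself runs offline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the samba_dnsupdate --verbose output
# quoted in the thread, re-joined where the mail client had wrapped them.
SAMPLE_LOG = """\
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net dc1.network-1.net 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
29-Jan-2022 05:58:01.536 GSS verify error: GSSAPI error: Major = A token had an invalid MIC, Minor = unknown mech-code 2529638943 for mech unknown.
29-Jan-2022 05:58:01.536 tsig key '1576010161.sig-dc1.network-1.net' (<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
"""

CALL_RE = re.compile(r"^Calling nsupdate for (?P<rtype>\S+) (?P<name>\S+) (?P<args>.*?) \((?P<op>\w+)\)$")
TIMESTAMP_RE = re.compile(r"^\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+ ")  # BIND debug prefix


@dataclass
class UpdateAttempt:
    rtype: str  # e.g. SRV, A
    name: str   # record owner name
    args: str   # remaining fields, e.g. "dc1.network-1.net 389" for an SRV
    op: str     # add / delete
    gss_errors: list = field(default_factory=list)
    tsig_failed: bool = False

    @property
    def logged_ok(self) -> bool:
        return not self.gss_errors and not self.tsig_failed


def parse_dnsupdate_log(text: str) -> list:
    """Attach GSS/TSIG verification errors to the nsupdate call that produced them."""
    attempts, current = [], None
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw.strip())
        m = CALL_RE.match(line)
        if m:
            current = UpdateAttempt(m["rtype"], m["name"], m["args"], m["op"])
            attempts.append(current)
        elif current is not None and "GSS verify error" in line:
            current.gss_errors.append(line.split("GSSAPI error: ", 1)[-1])
        elif current is not None and ("TSIG error with server" in line
                                      or "signature failed to verify" in line):
            current.tsig_failed = True
    return attempts


def verify_applied(attempts: list, lookup) -> list:
    """lookup(name, rtype) -> list of answer strings from the DC's DNS (assumed, caller-supplied).
    Returns the 'add' attempts whose target is absent on the server, whatever the log said."""
    def target_of(a):  # host for SRV/CNAME, address for A/AAAA
        return a.args.split()[0]
    return [a for a in attempts if a.op == "add"
            and not any(target_of(a) in ans for ans in lookup(a.name, a.rtype))]
```

If `verify_applied` returns an empty list after a run that logged the MIC/TSIG error, the error was cosmetic; if it returns the attempted records, the updates were really not applied.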
L.P.H. van Belle
2022-Jan-31 08:44 UTC
[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
Hai,

Sorry for the late reply, I'm having (again) a death in the family..

I saw this. Not sure if it still applies.
The last lines here: https://marc.info/?l=samba&m=138748499227175&w=2

Quote:
That output
; TSIG error with server: tsig verify failure
is usually only seen when the internal DNS server is running.
It's a glitch, which can be ignored atm (all dyn. updates are done OK).

Based on "all dyn. updates are done OK"

You can verify that yourself by running: samba_dnsupdate --verbose --all-names

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Michael Jones via samba
> Sent: Saturday 29 January 2022 7:01
> To: Rowland Penny
> CC: sambalist
> Subject: Re: [Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
>
> On Fri, Jan 28, 2022 at 4:45 PM Michael Jones <samba at jonesmz.com> wrote:
Michael Jones
2022-Feb-13 21:57 UTC
[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
On Mon, Jan 31, 2022 at 2:46 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> Hai,
>
> Sorry for the late reply, I'm having (again) a death in the family..
>
> I saw this. Not sure if it still applies.
> The last lines here:
> https://marc.info/?l=samba&m=138748499227175&w=2
>
> Quote:
> That output
> ; TSIG error with server: tsig verify failure
> is usually only seen when the internal DNS server is running.
> It's a glitch, which can be ignored atm (all dyn. updates are done OK).
>
> Based on "all dyn. updates are done OK"
>
> You can verify that yourself by running: samba_dnsupdate --verbose
> --all-names
>
> Greetz,
>
> Louis

I'm so sorry to hear about your family.

Thank you for the reference link, but I'm afraid that the updates are not actually applied. To work around this problem, I've issued static DHCP leases to all machines in my domain. I hope that a future version of Samba can address this bug.