Anderson Sampaio Mello
2023-Sep-01 06:14 UTC
[Samba] dns replication errors: TSIG error with server: tsig verify failure
Hi Samba team. There are two Samba domain controllers in the company's infrastructure; I added another one, three in all, with the samba_internal DNS backend. After adding the third Samba AD DC, the following messages appeared in the dc3 logs in that same AD. I replaced the domain name with example.com.

sep 01 02:26:24 dc3 samba[23165]: [2023/09/01 02:26:24.270629, 0] ../../source4/lib/tls/tlscert.c:154(tls_cert_generate)
sep 01 02:26:24 dc3 samba[23165]:   TLS self-signed keys generated OK
sep 01 02:26:36 dc3 samba[23194]: [2023/09/01 02:26:36.335665, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
sep 01 02:26:36 dc3 samba[23194]:   /opt/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
sep 01 02:26:38 dc3 samba[23194]: [2023/09/01 02:26:38.885133, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
sep 01 02:26:38 dc3 samba[23194]:   /opt/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
sep 01 02:26:40 dc3 samba[23194]: [2023/09/01 02:26:40.531889, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
sep 01 02:26:40 dc3 samba[23194]:   /opt/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
sep 01 02:26:41 dc3 samba[23194]: [2023/09/01 02:26:41.978233, 0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
sep 01 02:26:41 dc3 samba[23194]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 110

I assume the dc3 server is not synchronizing DNS records. When I run samba_dnsupdate --verbose on dc3, it generates the output below; as there are many logs, I have only posted the errors and a little before the errors:

Lookup of _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.exemple.com. succeeded, but we failed to find a matching DNS entry for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.exemple.com dc3.exemple.com 389
need update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.exemple.com dc3.exemple.com 389
21 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc3.exemple.com as DC3$
update(nsupdate): SRV _ldap._tcp.e82e1c21-7ccd-4382-8722-beb63159095d.domains._msdcs.exemple.com dc3.exemple.com 389
Calling nsupdate for SRV _ldap._tcp.e82e1c21-7ccd-4382-8722-beb63159095d.domains._msdcs.exemple.com dc3.exemple.com 389 (add)
Successfully obtained Kerberos ticket to DNS/dc3.exemple.com as DC3$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.e82e1c21-7ccd-4382-8722-beb63159095d.domains._msdcs.exemple.com. 900 IN SRV 0 100 389 dc3.exemple.com.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.exemple.com dc3.exemple.com 88
Calling nsupdate for SRV _kerberos._tcp.exemple.com dc3.exemple.com 88 (add)
Successfully obtained Kerberos ticket to DNS/dc3.exemple.com as DC3$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.exemple.com. 900 IN SRV 0 100 88 dc3.exemple.com.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._udp.exemple.com dc3.exemple.com 88
Calling nsupdate for SRV _kerberos._udp.exemple.com dc3.exemple.com 88 (add)
Successfully obtained Kerberos ticket to DNS/dc3.exemple.com as DC3$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.exemple.com. 900 IN SRV 0 100 88 dc3.exemple.com.
.....
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 21 entries

After restarting Samba on dc3, these logs no longer appear. My question is: why did I need to restart Samba on the new DC so that the errors no longer appear?
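The two outputs quoted in the post (the journal lines from the samba process and the samba_dnsupdate --verbose run) are the evidence an operator has for a DC whose GSS-TSIG dynamic updates are being rejected. The following is an added example, not code from the post or from the Samba project: a small Python monitor that parses both shapes of output, counts "TSIG error with server" occurrences per DC, collects the exit codes reported by dnsupdate_nameupdate_done, and lists which SRV records a verbose run tried and failed to update. The sample journal and verbose excerpts embedded below are constructed in the shape of the post's output (hostnames, PIDs and example.com names are made up), and the should_alert() threshold is an assumption, not a Samba default.

```python
import re
from collections import defaultdict

# Constructed sample journal lines modelled on the post (not a real capture).
SAMPLE_JOURNAL = """\
sep 01 02:26:36 dc3 samba[23194]: /opt/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
sep 01 02:26:38 dc3 samba[23194]: /opt/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
sep 01 02:26:40 dc3 samba[23194]: /opt/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
sep 01 02:26:41 dc3 samba[23194]: dnsupdate_nameupdate_done: Failed DNS update with exit code 110
sep 01 02:40:12 dc2 samba[1301]: /opt/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
"""

# Constructed excerpt in the shape of `samba_dnsupdate --verbose` output.
SAMPLE_VERBOSE = """\
need update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.example.com dc3.example.com 389
need update: SRV _kerberos._tcp.example.com dc3.example.com 88
need update: SRV _kerberos._udp.example.com dc3.example.com 88
3 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc3.example.com as DC3$
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.example.com dc3.example.com 389 (add)
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.example.com dc3.example.com 88 (add)
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._udp.example.com dc3.example.com 88 (add)
Failed update of 2 entries
"""

# "<mon> <day> <time> <host> samba[<pid>]: <message>" as journald/syslog print it.
JOURNAL_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) samba\[\d+\]: (?P<msg>.*)$"
)
TSIG_MARKER = "TSIG error with server: tsig verify failure"
EXIT_RE = re.compile(r"Failed DNS update with exit code (\d+)")
CALLING_RE = re.compile(
    r"^Calling nsupdate for (?P<rtype>\S+) (?P<name>\S+) (?P<target>\S+) (?P<port>\d+) \((?P<op>\w+)\)$"
)
NEEDED_RE = re.compile(r"^(\d+) DNS updates and (\d+) DNS deletes needed$")
FAILED_TOTAL_RE = re.compile(r"^Failed update of (\d+) entries$")


def parse_journal(text):
    """Yield (host, message) for every line in the samba journal shape."""
    for line in text.splitlines():
        m = JOURNAL_RE.match(line)
        if m:
            yield m.group("host"), m.group("msg")


def tsig_failures_by_host(text):
    """Count TSIG verify failures per DC hostname."""
    counts = defaultdict(int)
    for host, msg in parse_journal(text):
        if TSIG_MARKER in msg:
            counts[host] += 1
    return dict(counts)


def dns_update_exit_codes(text):
    """Collect the exit codes dnsupdate_nameupdate_done reported, per DC."""
    codes = defaultdict(list)
    for host, msg in parse_journal(text):
        m = EXIT_RE.search(msg)
        if m:
            codes[host].append(int(m.group(1)))
    return dict(codes)


def summarize_verbose(text):
    """Summarize one samba_dnsupdate --verbose run: what was needed, tried, failed."""
    summary = {"updates_needed": 0, "deletes_needed": 0, "ticket_ok": False,
               "attempted": [], "failed": [], "failed_total": None}
    current = None  # record name of the nsupdate currently in flight
    for line in text.splitlines():
        line = line.strip()
        m = NEEDED_RE.match(line)
        if m:
            summary["updates_needed"] = int(m.group(1))
            summary["deletes_needed"] = int(m.group(2))
            continue
        if line.startswith("Successfully obtained Kerberos ticket to DNS/"):
            summary["ticket_ok"] = True  # Kerberos side worked; failure is at the DNS server
            continue
        m = CALLING_RE.match(line)
        if m:
            current = m.group("name")
            summary["attempted"].append(current)
            continue
        if line.startswith("Failed nsupdate:") and current is not None:
            summary["failed"].append(current)  # the update just attempted was rejected
            current = None
            continue
        m = FAILED_TOTAL_RE.match(line)
        if m:
            summary["failed_total"] = int(m.group(1))
    return summary


def should_alert(journal_text, min_failures=1):
    """DCs with at least min_failures TSIG errors AND a non-zero update exit code (assumed policy)."""
    tsig = tsig_failures_by_host(journal_text)
    codes = dns_update_exit_codes(journal_text)
    return sorted(h for h in tsig
                  if tsig[h] >= min_failures and any(c != 0 for c in codes.get(h, [])))


if __name__ == "__main__":
    print("TSIG failures:", tsig_failures_by_host(SAMPLE_JOURNAL))
    print("exit codes:", dns_update_exit_codes(SAMPLE_JOURNAL))
    print("verbose run:", summarize_verbose(SAMPLE_VERBOSE))
    print("alert on:", should_alert(SAMPLE_JOURNAL))
```

Feeding the real journal (for example `journalctl -u samba-ad-dc --no-pager` piped into a file) to tsig_failures_by_host() and dns_update_exit_codes() gives a per-DC view that separates a single transient failure from a DC whose every update cycle is rejected; summarize_verbose() on a captured --verbose run shows that ticket_ok is true while individual records still fail, which is what distinguishes a DNS-server-side verification problem from a Kerberos problem on the updating DC.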