Discussion:
[Samba] TSIG failure
Dave Hawkes
2016-07-19 13:52:50 UTC
I'm attempting to join samba 4 (using latest 4.4 built from source) as
DC to an existing Win 2k8 server domain. The join works fine with no
errors and appears to be replicating fine. However the DNS is not
updated and I get the following error multiple times when running
samba_dnsupdate --all-names:

TSIG error with server: tsig verify failure

I've checked the time and all servers are synchronised, however if I
capture the temporary ticket that is produced for nsupdate the Service
principal is not the name of the samba 4 server but the name of one of
the Win 2k8 servers.

When I check this on a test domain of purely samba 4 servers the Service
Principal is always the name of the server updating itself.

I've tried both BIND_DLZ and INTERNAL DNS and they both give the same error.

Does anyone have any ideas what is going on?

Thanks,
Dave Hawkes
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Garming Sam
2016-07-21 12:18:12 UTC
Hi,

I've been looking into a similar-sounding issue, which I think is a
regression in 4.3. (Amazingly there's so few people with mixed domains,
probably in particular ones which require joining additional DCs at some
later point)

I may be able to provide more information soon, but this might be the
culprit commit:
https://git.samba.org/?p=samba.git;a=commit;h=e85ef1dbfef4b16c35cac80c0efc563d8cd1ba3e

When you start up Samba, do you see these debug messages during the
initial samba_dnsupdate run?

GSS server Update(krb5)(1) Update failed:
Miscellaneous failure (see text): Failed to find
SAMBA-BUIL$@2008R2.HOWTO.ABARTLET.NET(kvno 3) in keytab
FILE:/tmp/private/secrets.keytab (aes256-cts-hmac-sha1-96)


Cheers,

Garming
Post by Dave Hawkes
I'm attempting to join samba 4 (using latest 4.4 built from source) as
DC to an existing Win 2k8 server domain. The join works fine with no
errors and appears to be replicating fine. However the DNS is not
updated and I get the following error multiple times when running
TSIG error with server: tsig verify failure
I've checked the time and all servers are synchronised, however if I
capture the temporary ticket that is produced for nsupdate the Service
principal is not the name of the samba 4 server but the name of one of
the Win 2k8 servers.
When I check this on a test domain of purely samba 4 servers the
Service Principal is always the name of the server updating itself.
I've tried both BIND_DLZ and INTERNAL DNS and they both give the same error.
Does anyone have any ideas what is going on?
Thanks,
Dave Hawkes
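To turn the "Failed to find ...$@REALM (kvno 3) in keytab ... (aes256-cts-hmac-sha1-96)" message Garming quotes into a concrete check, here is an added example (not Samba's own code, and not from either poster): a minimal reader and writer for the MIT keytab file format (version 0x0502, the layout Samba's Heimdal-based build writes) that repeats the lookup the GSSAPI library performs (principal, kvno and enctype must all match one entry) and reports which of the three is absent. The keytab bytes are constructed inside the script: the principal and realm are the ones in the message above, the keys are dummy zero bytes, and the mix of kvnos and enctypes is assumed for illustration.

```python
"""Check whether a DC's machine-account key is present in a Kerberos keytab.

Added example, not Samba code. Implements only MIT keytab format version 2
(header bytes 05 02, big-endian fields, optional trailing 32-bit kvno).
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Kerberos enctype numbers (RFC 3962 / RFC 4757)
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac-md5"}


@dataclass
class KeytabEntry:
    principal: str   # "name[/instance]@REALM"
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries as an MIT keytab, file format version 0x0502."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)  # name_type, timestamp, 8-bit vno
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)                 # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 keytab; a negative record size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                     # deleted slot: skip its payload
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):       # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        realm, comps = strings[0], strings[1:]
        pos += 8                         # name_type + timestamp, not needed here
        kvno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:               # 32-bit vno present: non-zero value wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def diagnose(data: bytes, principal: str, kvno: int, enctype: int) -> Tuple[str, list]:
    """Repeat the library's lookup and say which part is missing.

    Returns ("ok", []) or one of "principal-missing", "kvno-mismatch",
    "enctype-missing" together with the values that *are* present.
    """
    entries = parse_keytab(data)
    same_princ = [e for e in entries if e.principal == principal]
    if not same_princ:
        return "principal-missing", sorted({e.principal for e in entries})
    same_kvno = [e for e in same_princ if e.kvno == kvno]
    if not same_kvno:
        return "kvno-mismatch", sorted({e.kvno for e in same_princ})
    if not any(e.enctype == enctype for e in same_kvno):
        return "enctype-missing", sorted({e.enctype for e in same_kvno})
    return "ok", []


# Constructed sample (assumed state, dummy zero keys): the DC's own account
# exists at kvno 2 with AES256 but at kvno 3 only with RC4.
REALM = "2008R2.HOWTO.ABARTLET.NET"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("SAMBA-BUIL$@" + REALM, 2, 18, bytes(32)),
    KeytabEntry("SAMBA-BUIL$@" + REALM, 3, 23, bytes(16)),
    KeytabEntry("host/samba-buil.2008r2.howto.abartlet.net@" + REALM, 3, 18, bytes(32)),
])

if __name__ == "__main__":
    for args in [("SAMBA-BUIL$@" + REALM, 3, 18), ("SAMBA-BUIL$@" + REALM, 2, 18),
                 ("SAMBA-BUIL$@" + REALM, 4, 18), ("OTHER$@" + REALM, 3, 18)]:
        status, have = diagnose(SAMPLE_KEYTAB, *args)
        print(args[0], "kvno", args[1], ENCTYPE_NAMES.get(args[2], args[2]), "->", status, have)
```

To run this against a real DC, replace SAMPLE_KEYTAB with the bytes of the secrets.keytab under your build's private directory (the message above shows FILE:/tmp/private/secrets.keytab for a test build) and pass the principal, kvno and enctype exactly as the log line prints them. A "kvno-mismatch" answer means the keytab holds an older or newer key version than the one the ticket was issued against; "principal-missing" means that account was never exported to the keytab at all; "enctype-missing" means the key version is there but not for the cipher the client negotiated.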
Garming Sam
2016-07-21 21:21:27 UTC
Post by Andrew Bartlett
Post by Garming Sam
Hi,
I've been looking into a similar-sounding issue, which I think is a
regression in 4.3. (Amazingly there's so few people with mixed domains,
probably in particular ones which require joining additional DCs at some
later point)
I may be able to provide more information soon, but this might be the
culprit commit:
https://git.samba.org/?p=samba.git;a=commit;h=e85ef1dbfef4b16c35cac80c0efc563d8cd1ba3e
When you start up Samba, do you see these debug messages during the
initial samba_dnsupdate run?
GSS server Update(krb5)(1) Update failed:
Miscellaneous failure (see text): Failed to find
SAMBA-BUIL$@2008R2.HOWTO.ABARTLET.NET(kvno 3) in keytab
FILE:/tmp/private/secrets.keytab (aes256-cts-hmac-sha1-96)
Wow! How did you figure that out!
Andrew Bartlett
I ran a git bisect after I noticed 4.2 was fine. It just rejoined a
Windows domain and then tried samba_dnsupdate.


Cheers,

Garming