[Samba] dns replication errors: TSIG error with server: tsig verify failure

Anderson Sampaio Mello anderson.sampaio.mello at gmail.com
Fri Sep 1 06:14:32 UTC 2023


Hi samba team.

There are two samba domain controllers in the company's infrastructure. I
added another one, three in all, with the samba_internal DNS backend.

After adding the third samba ADDC in that same AD, the following messages
appear in the dc3 logs. I replaced the domain name with example.com.

sep 01 02:26:24 dc3 samba[23165]: [2023/09/01 02:26:24.270629, 0] ../../source4/lib/tls/tlscert.c:154(tls_cert_generate)
sep 01 02:26:24 dc3 samba[23165]: TLS self-signed keys generated OK
sep 01 02:26:36 dc3 samba[23194]: [2023/09/01 02:26:36.335665, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
sep 01 02:26:36 dc3 samba[23194]: /opt/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
sep 01 02:26:38 dc3 samba[23194]: [2023/09/01 02:26:38.885133, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
sep 01 02:26:38 dc3 samba[23194]: /opt/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
sep 01 02:26:40 dc3 samba[23194]: [2023/09/01 02:26:40.531889, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
sep 01 02:26:40 dc3 samba[23194]: /opt/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
sep 01 02:26:41 dc3 samba[23194]: [2023/09/01 02:26:41.978233, 0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
sep 01 02:26:41 dc3 samba[23194]: dnsupdate_nameupdate_done: Failed DNS update with exit code 110

I assume the dc3 server is not synchronizing DNS records.

When I run samba_dnsupdate --verbose on dc3, it generates the following
output. As there are many logs, I only posted the errors and a little
before the errors:

Lookup of _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.exemple.com. succeeded, but we failed to find a matching DNS entry for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.exemple.com dc3.exemple.com 389
need update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.exemple.com dc3.exemple.com 389
21 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc3.exemple.com as DC3$
update(nsupdate): SRV _ldap._tcp.e82e1c21-7ccd-4382-8722-beb63159095d.domains._msdcs.exemple.com dc3.exemple.com 389
Calling nsupdate for SRV _ldap._tcp.e82e1c21-7ccd-4382-8722-beb63159095d.domains._msdcs.exemple.com dc3.exemple.com 389 (add)
Successfully obtained Kerberos ticket to DNS/dc3.exemple.com as DC3$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.e82e1c21-7ccd-4382-8722-beb63159095d.domains._msdcs.exemple.com. 900 IN SRV 0 100 389 dc3.exemple.com.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.exemple.com dc3.exemple.com 88
Calling nsupdate for SRV _kerberos._tcp.exemple.com dc3.exemple.com 88 (add)
Successfully obtained Kerberos ticket to DNS/dc3.exemple.com as DC3$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.exemple.com. 900 IN SRV 0 100 88 dc3.exemple.com.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._udp.exemple.com dc3.exemple.com 88
Calling nsupdate for SRV _kerberos._udp.exemple.com dc3.exemple.com 88 (add)
Successfully obtained Kerberos ticket to DNS/dc3.exemple.com as DC3$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.exemple.com. 900 IN SRV 0 100 88 dc3.exemple.com.

.....

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 21 entries


After restarting samba on dc3, these logs no longer appear. My question is:
why did I need to restart samba on the new DC so that the errors no longer
appear?

