samba_dnsupdate do not work, error Check your Kerberos ticket, it may have expired.

Rohit Rajan rohit.rajan at
Tue Oct 19 05:05:57 MDT 2010

Sorry, I forgot to mention, I'm using bind only on DC1, and DC2 
is pointing to the DC1 bind server only.

the bind version
BIND 9.7.2-P2 built with '--with-openssl' '--with-gssapi' 
'--enable-threads' '--disable-openssl-version-check'

no bind

Yes, the libdefaults sections on both servers are set:


    default_realm = XXX.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_realm = XXX.COM

samba 4 NTLMSSP NTLMV2 packet check failed due to invalid signature!

On 10/19/2010 3:27 PM, Matthieu Patou wrote:
> On 19/10/2010 12:30, Rohit Rajan wrote:
>> Here is the full error:
>> DC2
>> [Tue Oct 19 13:56:21 2010 IST, 0 
>> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
>> /usr/local/samba/sbin/samba_dnsupdate: Check your Kerberos ticket, it 
>> may have expired.
>> DC1
>> [Tue Oct 19 12:54:45 2010 IST, 0 
>> ../dsdb/repl/drepl_notify.c:218:dreplsrv_notify_op_callback()]
>> dreplsrv_notify: Failed to send DsReplicaSync to 
>> for 
>> On 10/19/2010 1:12 PM, Rohit Rajan wrote:
>>> Hi all,
>>> I have recently added an additional domain controller to my samba 4 
>>> provision. The vampire went fine and the DC got vampired, but the 
>>> replication does not work; that is because, I believe, my DNS does have 
>>> the entries for the second domain controller. The second domain 
>>> controller gives me the error "Check your Kerberos ticket, it may 
>>> have expired." According to the previous post of Robert Perschl, 
>>> adding the tkey-gssapi-credential "DNS/my.realm"; will resolve the 
>>> issue, but I already have it in my named.conf. Not sure where to look 
>>> at.
>>> dc1
>>> CentOS 5.5, Python 2.4, samba Version 4.0.0alpha14-GIT-cd04af7
>>> dc2
>>> Ubuntu 10.04.1
>>> Python 2.6.5
>>> Version 4.0.0alpha14-GIT-1229935
> What is the version of bind on both?
> Did you put some debug on the bind?
> Have you set the default realm in the krb5.conf of both servers (in 
> the [libdefaults] section)?
> Matthieu

More information about the samba-technical mailing list