[Samba] Samba4: W2k clients cannot perform dynamic updates (TSIG failure)

Micro MEGAS micromegas at mail333.com
Mon Apr 22 06:07:16 MDT 2013


Hi all,

I am running samba 4.0.5 as an Active Directory Domain Controller with bind9 9.8 and I am using the BIND9_DLZ mech. I have set up my DNS quite exactly as described in the samba4_dns HowTo, but I am facing the following problems:

Win2000 clients are NOT ABLE to update/add/delete dynamic DNS resource records in the DNS database, because it seems they cannot be verified by samba4? The BIND9 log with debug level 3 shows error messages like this:

[...]
22-Apr-2013 13:50:56.373 update-security: error: client 172.16.200.66#1343: update 'ad.mycompany.com/IN' denied
[...]
22-Apr-2013 13:50:56.392 client: debug 3: client 172.16.200.66#1344: read
22-Apr-2013 13:50:56.392 client: debug 3: client @0x7f9a576948d0: accept
22-Apr-2013 13:50:56.395 client: debug 3: client 172.16.200.66#1344: TCP request
22-Apr-2013 13:50:56.395 client: debug 3: client 172.16.200.66#1344: query
22-Apr-2013 13:50:56.396 general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Credentials cache file '/tmp/krb5cc_110' not found.
22-Apr-2013 13:50:56.403 general: debug 3: gss-api source name (accept) is smb4testwin2k$@AD.MYCOMPANY.COM
22-Apr-2013 13:50:56.403 client: debug 3: client 172.16.200.66#1344: send
22-Apr-2013 13:50:56.403 client: debug 3: client 172.16.200.66#1344: sendto
22-Apr-2013 13:50:56.404 client: debug 3: client 172.16.200.66#1344: senddone
[...]
22-Apr-2013 13:50:56.536 client: debug 3: client 172.16.200.66#1346: TCP request
22-Apr-2013 13:50:56.536 client: debug 3: client 172.16.200.66#1346: query
22-Apr-2013 13:50:56.537 general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Credentials cache file '/tmp/krb5cc_110' not found.
22-Apr-2013 13:50:56.543 general: debug 3: gss-api source name (accept) is smb4testwin2k$@AD.MYCOMPANY.COM
22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: send
22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: sendto
22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: senddone
22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: next
22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: endrequest
22-Apr-2013 13:50:56.544 client: debug 3: client 172.16.200.66#1346: read
22-Apr-2013 13:50:56.549 client: debug 3: client 172.16.200.66#1346: next
22-Apr-2013 13:50:56.549 client: debug 3: client 172.16.200.66#1346: endrequest
22-Apr-2013 13:50:56.549 client: debug 3: client 172.16.200.66#1346: closetcp
22-Apr-2013 13:50:56.563 client: debug 3: client 172.16.200.66#1347: UDP request
22-Apr-2013 13:50:56.564 general: debug 3: GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Unknown error.
[...]
22-Apr-2013 13:50:56.707 security: error: client 172.16.200.66#1351: request has invalid signature: TSIG 910533066770-2 (smb4testwin2k\$\@AD.MYCOMPANY.COM): tsig verify failure (BADSIG)

Does anyone know more about this and how to debug/fix it? Any help is appreciated. Thanks a lot.

Lucas.
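
The following is an added example, not part of the original post: a small triage script that rejoins mail-wrapped BIND9 log records and groups the GSS-TSIG related events per client, so the sequence "update denied, GSS context accepted, MIC invalid, BADSIG" can be read at a glance. The names `unwrap`, `triage` and the event labels are hypothetical, and attributing `general:` lines (which carry no client address) to the most recently seen client is a heuristic assumption.

```python
import re
from collections import defaultdict

# Log lines copied from the post above, still in their 80-column mail wrapping.
SAMPLE = r"""
22-Apr-2013 13:50:56.373 update-security: error: client 172.16.200.66#1343: upda
te 'ad.mycompany.com/IN' denied
22-Apr-2013 13:50:56.403 general: debug 3: gss-api source name (accept) is smb4t
estwin2k$@AD.MYCOMPANY.COM
22-Apr-2013 13:50:56.563 client: debug 3: client 172.16.200.66#1347: UDP request
22-Apr-2013 13:50:56.564 general: debug 3: GSS verify error: GSSAPI error: Major
= A token had an invalid Message Integrity Check (MIC), Minor = Unknown error.
22-Apr-2013 13:50:56.707 security: error: client 172.16.200.66#1351: request has
 invalid signature: TSIG 910533066770-2 (smb4testwin2k\$\@AD.MYCOMPANY.COM)
: tsig verify failure (BADSIG)
"""

TS = re.compile(r"^\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")
CLIENT = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+")
RULES = [  # (event name, pattern whose group 1 is the detail to report)
    ("update_denied", re.compile(r"update '([^']+)' denied")),
    ("gss_accept", re.compile(r"gss-api source name \(accept\) is (\S+)")),
    ("gss_mic_invalid", re.compile(r"GSS verify error: .*invalid Message Integrity Check \((MIC)\)")),
    ("tsig_verify_failure", re.compile(r"tsig verify failure \((\w+)\)")),
]

def unwrap(text):
    """Rejoin records split by line wrapping: a timestamp starts a new record."""
    records = []
    for line in text.splitlines():
        if TS.match(line):
            records.append(line)
        elif records and line:
            records[-1] += line
    return records

def triage(text):
    """Return {client_ip: [(event, detail), ...]} in log order.
    Heuristic: records without a client address go to the last client seen."""
    out, last_client = defaultdict(list), None
    for rec in unwrap(text):
        m = CLIENT.search(rec)
        last_client = m.group(1) if m else last_client
        for name, rx in RULES:
            hit = rx.search(rec)
            if hit:
                out[last_client].append((name, hit.group(1)))
    return dict(out)

if __name__ == "__main__": print(triage(SAMPLE))
```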

