[Samba] question about zone and tsig verify failure

L.P.H. van Belle belle at bazuin.nl
Thu Dec 19 08:41:15 MST 2013


Hi Steve, 

Yes, I checked it. Looks OK to me. 

ls -al /var/lib/samba/private/  (this has 755 root:root)  

I'm seeing (part of the whole listing): 
drwxrwx---  3 root bind    4096 Dec 19 15:08 dns
-rw-r-----  1 root root     947 Dec 19 13:10 dns.keytab
-rw-r--r--  1 root root    2270 Dec 19 13:10 dns_update_list
-rw-r--r--  1 root root     100 Dec 19 13:10 krb5.conf
-rw-r--r--  1 root root     575 Dec 19 15:10 named.conf
-r--r--r--  1 root root     459 Dec 19 16:20 named.conf.update
-rw-r--r--  1 root root    2204 Dec 19 15:08 named.txt
drwxr-x---  2 root bind    4096 Dec 19 15:08 sam.ldb.d
-rw-r--r--  1 root root     955 Dec 19 13:10 spn_update_list 

ls -al /var/lib/samba/private/dns 
-rw-rw---- 1 root bind 3084288 Dec 19 15:08 sam.ldb
drwxrwx--- 2 root bind    4096 Dec 19 15:08 sam.ldb.d

Any other suggestions? 

Just did an install from source, and again:

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.subdomain.domain.tld wheezy.subdomain.domain.tld 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.subdomain.domain.tld. 900 IN SRV 0 100 3268 wheezy.subdomain.domain.tld.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 11 entries

Exactly the same as on the SerNet Samba. 
I'm out of options where to look...  :-( 

Anyone else have any options? 

Greetz, 

Louis

>-----Original message-----
>From: steve at steve-ss.com [mailto:samba-bounces at lists.samba.org] 
>On behalf of steve
>Sent: Thursday, 19 December 2013 16:21
>To: samba at lists.samba.org
>Subject: Re: [Samba] question about zone and tsig verify failure
>
>On Thu, 2013-12-19 at 14:29 +0000, Rowland Penny wrote:
>> On 19/12/13 14:16, L.P.H. van Belle wrote:
>> > Hi
>> >
>> > I'm running: Debian Wheezy, SerNet Samba 4.1.3, DC, in a Windows 2008 AD domain.
>> >
>> > I'm reading the wiki and I stumbled on this.
>> >
>> > https://wiki.samba.org/index.php/Dns-backend_bind
>> >
>> > semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone
>> > semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl
>> >
>> > The strange thing is, and this is also my question:
>> >
>> > Should there be zone files if you are using bind9?
>> > Since I'm not seeing these. The server (Samba 4.1.3) has joined a Windows domain as DC, no problems,
>> > only samba_dnsupdate --verbose --all-names gives ; TSIG error with server: tsig verify failure
>> >
>> > All other tests are OK as far as I can see.
>> > I tested bind9 (Debian Wheezy stable) 9.8.4
>> > and I backported bind from sid,
>> > BIND 9.9.3-rpz2+rl.13214.22-P2-Debian-1:9.9.3.dfsg.P2-4
>> >
>> > Neither creates these zone files.
>> >
>> >
>> >
>> > dlopen is loaded:
>> > Dec 19 14:50:58 ws005-s4dc-001 named[301]: generating session key for dynamic DNS
>> > Dec 19 14:50:58 ws005-s4dc-001 named[301]: sizing zone task pool based on 5 zones
>> > Dec 19 14:50:58 ws005-s4dc-001 named[301]: Loading 'AD DNS Zone' using driver dlopen
>> >
>> >
>> > When I run: samba_upgradedns --dns-backend=BIND9_DLZ it looks OK but no zone file.
>> > Reading domain information
>> > DNS accounts already exist
>> > No zone file /var/lib/samba/private/dns/subdomain.domain.tld.zone
>> > DNS records will be automatically created
>> > DNS partitions already exist
>> > dns-WS005-S4DC-001 account already exists
>> > See /var/lib/samba/private/named.conf for an example configuration include file for BIND
>> > and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
>> > Finished upgrading DNS
>> >
>> > I also noticed that the output of these 2 is different.
>> > ls -lai /var/lib/samba/private/sam.ldb.d/
>> > ls -lai /var/lib/samba/private/dns/sam.ldb.d/
>> >
>> >
>> > After restarting bind, I noticed that
>> > samba_upgradedns --dns-backend=BIND9_DLZ
>> >
>> > didn't see my bind9 upgrade, and bind is not starting anymore; manually fixing
>> > /var/lib/samba/private/named.conf, changing bind9.8 to 9.9 dlopen, fixed it.
>> >
>> > Bug? Shouldn't Samba follow the installed bind version?
>> >
>> >
>> > After reading a lot about the TSIG message, I've read there is a fix.
>> > Is the fix already applied, or do I have another problem?
>> >
>> > Best regards,
>> >
>> > Louis
>> >
>> Hi Louis, I am running Samba 4.1.0 with Bind 9.9.4 (both self compiled) 
>> and DHCP, everything works OK for me and I also do not have the two zone 
>> files. I think that you only get them if you are running an earlier 
>> version of Bind with flat files.
>> 
>> Rowland
>> 
>> 
>
>Hi
>With DLZ, the zone information is not stored in files but in the
>database. After running 
>samba_upgradedns
>did you adjust the permissions on the partitions so that the user running
>named can access them? Usually, they're left with only root access. On
>openSUSE it's running as named. On Debian it's the user bind. Make sure
>that the user can access the DNS stuff under .../private. Then restart
>named.
>HTH
>Steve
>
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>
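The thread turns on two things: whether the user named runs as can actually reach the DLZ partition database (and the keytab) under the Samba private directory, and whether the dlopen line in the Samba-generated named.conf names the module built for the BIND that is installed. The following POSIX shell script is an added example and is not code from this thread or from the Samba project. It assumes a Debian-style install (private dir /var/lib/samba/private, named running as group bind), that the generated named.conf references dns.keytab via tkey-gssapi-keytab so named must be able to read it for GSS-TSIG, and that Samba 4.1 names its module dlz_bind9.so for BIND 9.8 and dlz_bind9_<minor>.so for 9.9 and later; the sample named.conf it writes is constructed in that shape. Note that with dns.keytab at root:root 640, as in the listing above, the keytab check reports a failure, because the bind group cannot read it.

```shell
#!/bin/sh
# Added example, not code from this thread or from Samba: two sanity checks
# for a Samba DC using the BIND9_DLZ backend.
#   check_dlz_perms    can the group named runs as reach the DLZ database
#                      and the keytab under the Samba private dir?
#   dlz_driver_matches does the live dlopen line in the Samba-generated
#                      named.conf name the module built for the running BIND?
# Assumptions: private dir /var/lib/samba/private, named runs as group
# "bind" (Debian), Samba 4.1 ships dlz_bind9.so for BIND 9.8 and
# dlz_bind9_<minor>.so for 9.9 and later. Adjust for your own install.

# _need FILE GROUP BITS: FILE must be owned by GROUP and its group permission
# triplet must contain every letter in BITS (r, w, x). Prints a FAIL line per
# problem and returns 1 if anything was wrong.
_need() {
    need_f=$1 need_grp=$2 need_bits=$3 need_rc=0
    if [ ! -e "$need_f" ]; then
        echo "FAIL: $need_f does not exist"; return 1
    fi
    set -- $(ls -ld "$need_f")      # e.g. -rw-rw---- 1 root bind 3084288 ...
    need_mode=$1 need_have=$4
    need_g=$(printf '%s' "$need_mode" | cut -c5-7)   # the group rwx triplet
    if [ "$need_have" != "$need_grp" ]; then
        echo "FAIL: $need_f group is $need_have, want $need_grp"; need_rc=1
    fi
    for b in $(printf '%s' "$need_bits" | sed 's/./& /g'); do
        case $b in
            r) have=$(printf '%s' "$need_g" | cut -c1) ;;
            w) have=$(printf '%s' "$need_g" | cut -c2) ;;
            x) have=$(printf '%s' "$need_g" | cut -c3) ;;
        esac
        # 's' in the x slot is setgid on top of x and is still fine
        case $have in
            "$b"|s) ;;
            *) echo "FAIL: $need_f group lacks $b (mode $need_mode)"; need_rc=1 ;;
        esac
    done
    return $need_rc
}

# check_dlz_perms PRIVDIR GROUP: everything named needs for DLZ plus GSS-TSIG.
check_dlz_perms() {
    priv=$1 grp=$2 rc=0
    # named must be able to descend into the private dir; 755 root:root as in
    # the listing in the thread is enough for that.
    case $(ls -ld "$priv" | cut -c5-10) in
        *x*) ;;
        *) echo "FAIL: $priv is not traversable by non-root"; rc=1 ;;
    esac
    # With DLZ the zones live in the partition database, so dns/ and
    # dns/sam.ldb.d/ need group rwx and dns/sam.ldb needs group rw.
    _need "$priv/dns"           "$grp" rwx || rc=1
    _need "$priv/dns/sam.ldb"   "$grp" rw  || rc=1
    _need "$priv/dns/sam.ldb.d" "$grp" rwx || rc=1
    # The generated named.conf points tkey-gssapi-keytab at dns.keytab; named
    # has to read it to verify GSS-TSIG signed updates, so root:root 640 is
    # not enough: it must be readable by GROUP (root:GROUP 640).
    _need "$priv/dns.keytab"    "$grp" r   || rc=1
    return $rc
}

# dlz_driver_version CONF: print "9.N" for the uncommented dlopen line in a
# Samba-generated named.conf (dlz_bind9.so = 9.8, dlz_bind9_N.so = 9.N).
dlz_driver_version() {
    so=$(grep -v '^[[:space:]]*#' "$1" \
         | sed -n 's|.*dlopen[^"]*/\(dlz_bind9[^"]*\.so\).*|\1|p' | head -n 1)
    case $so in
        dlz_bind9.so)   echo 9.8 ;;
        dlz_bind9_*.so) v=${so#dlz_bind9_}; echo "9.${v%.so}" ;;
        *)              return 1 ;;
    esac
}

# bind_major_minor "BIND 9.9.3-..." (what `named -v` prints): print "9.9".
bind_major_minor() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# dlz_driver_matches CONF NAMED_VERSION: 0 if the module CONF loads was built
# for the running BIND, 1 otherwise (the 9.8 vs 9.9 mismatch in the thread).
dlz_driver_matches() {
    drv=$(dlz_driver_version "$1") || { echo "FAIL: no dlopen line in $1"; return 1; }
    bind=$(bind_major_minor "$2")
    if [ "$drv" = "$bind" ]; then
        return 0
    fi
    echo "FAIL: $1 loads the BIND $drv module but named is $bind"
    return 1
}

# sample_named_conf OUT: constructed named.conf in the shape samba_upgradedns
# writes (one live dlopen line, the other BIND versions commented out).
sample_named_conf() {
    cat > "$1" <<'EOF'
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
    # For BIND 9.9.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};
EOF
}

# run_live: both checks against the real DC (run as root on Debian).
run_live() {
    check_dlz_perms /var/lib/samba/private bind
    dlz_driver_matches /var/lib/samba/private/named.conf "$(named -v)"
}
```

Source the file and call run_live as root on the DC; each FAIL line names the object and what is missing. The checks are only a first pass: the exact ownership samba_upgradedns expects is spelled out in the named.txt it writes next to named.conf, and a keytab that named cannot read, or a module that does not match named, each has to be fixed and named restarted before samba_dnsupdate is tried again.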
