[Samba] question about zone and tsig verify failure

Rowland Penny rowlandpenny at googlemail.com
Thu Dec 19 08:52:56 MST 2013


On 19/12/13 15:41, L.P.H. van Belle wrote:
> Hi Steve,
>
> Yes, I checked it. Looks OK to me.
>
> ls -al /var/lib/samba/private/  *(this has 755 root:root )
>
> I'm seeing ... (part of all):
> drwxrwx---  3 root bind    4096 Dec 19 15:08 dns
> -rw-r-----  1 root root     947 Dec 19 13:10 dns.keytab
> -rw-r--r--  1 root root    2270 Dec 19 13:10 dns_update_list
> -rw-r--r--  1 root root     100 Dec 19 13:10 krb5.conf
> -rw-r--r--  1 root root     575 Dec 19 15:10 named.conf
> -r--r--r--  1 root root     459 Dec 19 16:20 named.conf.update
> -rw-r--r--  1 root root    2204 Dec 19 15:08 named.txt
> drwxr-x---  2 root bind    4096 Dec 19 15:08 sam.ldb.d
> -rw-r--r--  1 root root     955 Dec 19 13:10 spn_update_list
>
> ls -al /var/lib/samba/private/dns
> -rw-rw---- 1 root bind 3084288 Dec 19 15:08 sam.ldb
> drwxrwx--- 2 root bind    4096 Dec 19 15:08 sam.ldb.d
>
> Any other suggestions?
>
> Just did a from source install and again.
>
> ; TSIG error with server: tsig verify failure
> Failed nsupdate: 2
> Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.subdomain.domain.tld wheezy.subdomain.domain.tld 3268
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _gc._tcp.default-first-site-name._sites.subdomain.domain.tld. 900 IN SRV 0 100 3268 wheezy.subdomain.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> Failed nsupdate: 2
> Failed update of 11 entries
>
> Exactly the same as on the SerNet Samba.
> I'm out of options where to look... :-(
>
> Anyone else have any options?
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: steve at steve-ss.com [mailto:samba-bounces at lists.samba.org]
>> On behalf of steve
>> Sent: Thursday 19 December 2013 16:21
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] question about zone and tsig verify failure
>>
>> On Thu, 2013-12-19 at 14:29 +0000, Rowland Penny wrote:
>>> On 19/12/13 14:16, L.P.H. van Belle wrote:
>>>> Hi
>>>>
>>>> I'm running Debian wheezy, SerNet Samba 4.1.3, DC, in a Windows 2008 AD domain.
>>>>
>>>> I'm reading the wiki and I stumbled on this.
>>>>
>>>> https://wiki.samba.org/index.php/Dns-backend_bind
>>>>
>>>> semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone
>>>> semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl
>>>>
>>>> The strange thing is, and this is also my question:
>>>>
>>>> Should there be zone files if you are using bind9?
>>>> Since I'm not seeing these. The server (Samba 4.1.3) has joined a Windows domain as DC, no problems,
>>>> only samba_dnsupdate --verbose --all-names gives ; TSIG error with server: tsig verify failure
>>>> All other tests are OK as far as I can see.
>>>> I tested bind9 (Debian wheezy stable) 9.8.4
>>>> and I backported bind from sid,
>>>> BIND 9.9.3-rpz2+rl.13214.22-P2-Debian-1:9.9.3.dfsg.P2-4
>>>>
>>>> Both do not create these zone files.
>>>>
>>>>
>>>>
>>>> dlopen is loaded:
>>>> Dec 19 14:50:58 ws005-s4dc-001 named[301]: generating session key for dynamic DNS
>>>> Dec 19 14:50:58 ws005-s4dc-001 named[301]: sizing zone task pool based on 5 zones
>>>> Dec 19 14:50:58 ws005-s4dc-001 named[301]: Loading 'AD DNS Zone' using driver dlopen
>>>>
>>>> When I run: samba_upgradedns --dns-backend=BIND9_DLZ it looks OK but no zone file.
>>>> Reading domain information
>>>> DNS accounts already exist
>>>> No zone file /var/lib/samba/private/dns/subdomain.domain.tld.zone
>>>> DNS records will be automatically created
>>>> DNS partitions already exist
>>>> dns-WS005-S4DC-001 account already exists
>>>> See /var/lib/samba/private/named.conf for an example configuration include file for BIND
>>>> and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
>>>> Finished upgrading DNS
>>>>
>>>> I also noticed that the output of these 2 is different.
>>>> ls -lai /var/lib/samba/private/sam.ldb.d/
>>>> ls -lai /var/lib/samba/private/dns/sam.ldb.d/
>>>>
>>>>
>>>> After restarting bind, I noticed that
>>>> samba_upgradedns --dns-backend=BIND9_DLZ
>>>>
>>>> didn't see my bind9 upgrade, and bind is not starting anymore; manually fixing
>>>> /var/lib/samba/private/named.conf, changing bind9.8 to 9.9 dlopen, fixed it.
>>>> Bug? Shouldn't Samba follow the installed bind version?
>>>>
>>>>    
>>>>
>>>> After reading a lot about the tsig message, I've read there is a fix;
>>>> is the fix already applied, or do I have another problem?
>>>>
>>>>
>>>> best regards,
>>>>
>>>> Louis
>>>>
>>> Hi Louis, I am running Samba 4.1.0 with Bind 9.9.4 (both self compiled)
>>> and DHCP, everything works OK for me and I also do not have the two zone
>>> files. I think that you only get them if you are running an earlier
>>> version of Bind with flat files.
>>>
>>> Rowland
>>>
>> Hi
>> With dlz, the zone information is not stored in files but in the
>> database. After running
>> samba_upgradedns
>> did you adjust the permissions on the partitions so that the user running
>> named can access them? Usually, they're left with only root access. On
>> openSUSE it's running as named. On debian it's the user bind. Make sure
>> that the user can access the DNS stuff under .../private. Then restart
>> named.
>> HTH
>> Steve
>>
>>
>>
Hi Louis, I compile Samba4 myself and this is what I do with reference 
to bind:

chgrp bind /usr/local/samba/private/dns
chgrp bind /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab

From what you have posted, I do not think that bind can read your dns.keytab.

Rowland
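The permission fix above (chgrp/chmod on the dns directory and dns.keytab) can be verified before restarting named. The script below is an added example, not code from the thread or from the Samba project: it applies the standard Unix owner/group/other rule to each Samba DNS file the BIND9_DLZ backend and the update keytab depend on, and reports which ones the named service user cannot reach. The paths (/var/lib/samba/private, as in Louis' listing) and the service user ('bind' on Debian, 'named' on openSUSE) are assumptions taken from the thread and can be overridden through PRIVATE_DIR and DNS_USER; GNU stat(1) and id(1) are required.

```shell
#!/bin/sh
# Added example (not from the thread): report which Samba DNS files the BIND
# service user cannot read, so a TSIG/DLZ failure caused by root-only files
# is found before restarting named.
# Assumptions (override via environment): Samba private dir and service user.
PRIVATE_DIR="${PRIVATE_DIR:-/var/lib/samba/private}"
DNS_USER="${DNS_USER:-bind}"

# has_bit MODE OWNER GROUP USER GROUPS BIT
#   MODE   octal mode as printed by 'stat -c %a' (3 or 4 digits, no leading 0)
#   GROUPS space-separated list of the groups USER belongs to
#   BIT    4 = read, 1 = execute/search
# Standard Unix rule: owner class if USER owns the file, else group class if
# USER is in GROUP, else the "other" class. Exit 0 = permission granted.
has_bit() {
    mode=$(printf '%03d' "$1"); owner=$2; group=$3; user=$4; groups=$5; bit=$6
    mode=${mode#"${mode%???}"}          # drop a leading setuid/setgid/sticky digit
    u=${mode%??}; o=${mode#??}; g=${mode#?}; g=${g%?}
    if [ "$user" = "$owner" ]; then
        [ $((u & bit)) -ne 0 ]; return  # owner class only, even if group would allow
    fi
    for grp in $groups; do
        if [ "$grp" = "$group" ]; then
            [ $((g & bit)) -ne 0 ]; return
        fi
    done
    [ $((o & bit)) -ne 0 ]
}

can_read()   { has_bit "$1" "$2" "$3" "$4" "$5" 4; }
can_search() { has_bit "$1" "$2" "$3" "$4" "$5" 1; }

# check_path PATH KIND   (KIND is "file" or "dir"); prints a verdict, exit 1 on a problem.
# Directories need read and search (x); files need read.
check_path() {
    path=$1; kind=$2
    if [ ! -e "$path" ]; then
        printf 'MISSING  %s\n' "$path"; return 1
    fi
    st=$(stat -c '%a %U %G' "$path") || return 1
    set -- $st                          # $1=mode $2=owner $3=group
    grps=$(id -Gn "$DNS_USER" 2>/dev/null)
    fix="g+r"; problem=0
    can_read "$1" "$2" "$3" "$DNS_USER" "$grps" || problem=1
    if [ "$kind" = dir ]; then
        fix="g+rx"
        can_search "$1" "$2" "$3" "$DNS_USER" "$grps" || problem=1
    fi
    if [ "$problem" -eq 0 ]; then
        printf 'OK       %s (%s %s:%s)\n' "$path" "$1" "$2" "$3"
    else
        printf 'NOACCESS %s (%s %s:%s) -> chgrp %s %s; chmod %s %s\n' \
            "$path" "$1" "$2" "$3" "$DNS_USER" "$path" "$fix" "$path"
    fi
    return "$problem"
}

# The files from the thread: DLZ database directory, its ldb, and the keytab
# named uses to verify signed (TSIG/GSS-TSIG) dynamic updates.
main() {
    status=0
    check_path "$PRIVATE_DIR/dns"           dir  || status=1
    check_path "$PRIVATE_DIR/dns/sam.ldb"   file || status=1
    check_path "$PRIVATE_DIR/dns/sam.ldb.d" dir  || status=1
    check_path "$PRIVATE_DIR/dns.keytab"    file || status=1
    check_path "$PRIVATE_DIR/named.conf"    file || status=1
    return "$status"
}

if [ -d "$PRIVATE_DIR" ]; then
    main
else
    echo "Samba private directory $PRIVATE_DIR not found; set PRIVATE_DIR" >&2
fi
```

Run it as root on the DC (so stat can inspect the root-owned files). With Louis' listing it flags dns.keytab (640 root:root) as NOACCESS and prints the same chgrp/chmod pair Rowland uses; the dns directory (770 root:bind) passes. A NOACCESS line after the files look right usually means the service user is not the one named actually runs as, which is what DNS_USER is for.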

