[Samba] S4 nsupdate tsig error with internal server

Sat May 11 02:54:50 MDT 2013

Hi
I know that this has been addressed before but I couldn't find a 
solution. Summary: when attempting to write a dns record using nsupdate, 
nothing gets written to the zone due to the error:
; TSIG error with server: tsig verify failure

Everything is working. We can login to the domain from the same client 
and we have sssd sending the dyndns update requests which also produce 
the same error but still send the correct IP to the server after a 
change in I on the client but still nothing is written.

Test: we can't ping the client by name from the DC after the update 
request is sent. The DC responds correctly as for e.g. successful 
updates from xp clients.

Question, does this work against a DC with bind dlz? Any solution meanwhile?
Thanks,
Steve

Here is the output:

  sudo nsupdate -g -d
[sudo] password for steve:
 > server 192.168.1.16
 > realm HH3.SITE
 > update add pinoso.hh3.site 3600 A 192.168.1.100
 > send
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:   7006
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;pinoso.hh3.site.		IN	SOA

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  25384
;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;hh3.site.			IN	SOA

;; ANSWER SECTION:
hh3.site.		3600	IN	SOA	hh16.hh3.site. hostmaster.hh3.site. 6 900 600 86400 0

Found zone name: hh3.site
The master is: hh16.hh3.site
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   3099
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3768628576.sig-hh16.hh3.site.	ANY	TKEY

;; ADDITIONAL SECTION:
3768628576.sig-hh16.hh3.site. 0	ANY	TKEY	gss-tsig. 1368261695 1368261695 
3 NOERROR 1244 YIIE2AYGKwYBBQUCoIIEzDCCBMigDTALBgkqhkiG9xIBAgKiggS1BIIE 
sWCCBK0GCSqGSIb3EgECAgEAboIEnDCCBJigAwIBBaEDAgEOogcDBQAg 
AAAAo4IDmmGCA5YwggOSoAMCAQWhChsISEgzLlNJVEWiHzAdoAMCAQGh 
FjAUGwNETlMbDWhoMTYuaGgzLnNpdGWjggNcMIIDWKADAgEXoQMCAQGi 
ggNKBIIDRlUabLy43CC30nH0ztt7pJM4GMIzCsGtI/fq2Cpy9+xiLCFi 
s0cK6oMdAgTxXBXKHBugCAw/2Nc/Bq2hueJp+mgkO0YrNklk0KqNCHcT 
xlsa2+Iysb3JAeOQKFiF3rfirW8GNP+5c7d79ZVf6vXPRXnKCQ/waxum 
BJhUZkzcUZT1d34E4xIdZJBSp7vD3kFk5odFPMCehkXt/122hMAbvOKu 
0QG0dI3hVhadgAN8RUDyCyAOaAcY2hwfdLnodQACSdJBc3mnw6y6UJvp 
RjyaibVx8rbDY3kLE5qDPR+ttB46B1kkrRqzbFAQU9bju63Ipbb/naa+ 
KxoA753ImXCCpDYA/biXGu0tLz8EsWk1HoO+Ij+aqjtqNPAa4u6+qS/0 
XtZTeRPzjNBs2nkleWVHwr6PRB5Lfa8W9POZwAw5+CiY1DHN7BbmYqwW 
kIxTO4pFg6mrOe9IaYspfO6bVmrNS45snNJraURPEwXIwAm2O0RwBvZR 
wG+W8tP04yFyI7eszyvU1IJJTwaFX8DO/abSrmIaMPvgvoTi9eDb5YYo 
mqJmOQKFQkJMmSOkBkc+KIqIJXuXPVtz3ArRY6gE44Ju+1WAJvMDXopz 
fIxRydSxbu1Fyd1UR0YkBqRs0KfnGAY4YnnjspfgcrQFmCTROauBidea 
MkyJOaeARZZDfA/9D4b/giHEjZxDxQ8roWrv1eggaQSGqa3kILma5rB3 
IZzbGmCkXz1QRPMNncxtoA+MU/63S0Ebd0ubcyqkG0fImZFFYkpTO4BS 
7R/0u1E1iIb2jAkxZT6H0EtpeC/yPAYzCkgSphfT6rbpqZvET3W2q2Sp 
Ig3fwlOFGWTz8GvFH8aBjSnAQkaNarTvlaxt1D0pcn3kSLhpV1SzpYMA 
DL+mnSXGhCxypvVYyZ8scXf+eW0jXy/th4B6tzrocz/x9d76hWYlIzFd 
Fhs78rz8yKauXn/1H2sJRldg0atYOFMTjfMAgTigLDuDOBt4YPFfArow 
OYtBkA/ykZBCjlIgV5BmrqOBpNqBeeGWPRxUrXrnO3W4nebQUH3LRYie 
WaEaUbeBnCR8QD1ekQJ1rKIYC8tEKK17tTiYW2YSgrlUYPPt8FvL526H 
5sjZFu2kgeQwgeGgAwIBF6KB2QSB1hA7lI/olfXairjMfhodpVSAOTgu 
lM1BFzb44h8+Mu5to6ZiG/ZBPC3EdXkHKiyy1Z3tzOJIA6MRtU971vNp 
FVj8WCG8r+0MJNi2EpgbrSJswRcJER2TPdZt7LROdztKM30WEaSOH+5W 
mVWdgrzdJnt1CnAu+Xgt9ZryB+D/ClHgoc8x9ubJqJsAGb2HkoKx5wL6 
0INBenMRvUcpGBGQpwm5TTzLhWm8PzgY8fgXq0tHKupIEhKhGtWCOLa3 
4KLM1vg/cpf92sL6O+4vBiFHtVzMwTBW1iE= 0

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   3099
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3768628576.sig-hh16.hh3.site.	ANY	TKEY

;; ANSWER SECTION:
3768628576.sig-hh16.hh3.site. 0	ANY	TKEY	gss-tsig. 1368261695 1368261695 
3 NOERROR 182 oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB 
AgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrSKJ1+4+PHfd7 
OARWsz4211kkiXorLDD3Q/cA99dJ3KVNpfjTza9+5jQ9cvygULCqo73Q 
70a8Or+USG3q+TAaCzEUuJ/McPpmcly5fXFkY3ES5xtIXv/yp0tJXXsA 
ixNl/6pt2FqLT+10SI4= 0

;; TSIG PSEUDOSECTION:
3768628576.sig-hh16.hh3.site. 0	ANY	TSIG	gss-tsig. 1368261704 300 28 
BAQF//////8AAAAAFKquCK9Y5B2dtDDIUnGo8g== 3099 NOERROR 0

Sending update to 192.168.1.16#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  49895
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
pinoso.hh3.site.	3600	IN	A	192.168.1.100

;; TSIG PSEUDOSECTION:
3768628576.sig-hh16.hh3.site. 0	ANY	TSIG	gss-tsig. 1368261695 300 28 
BAQE//////8AAAAACnjz67DpwRhWZSDZ2gT5HQ== 49895 NOERROR 0

; TSIG error with server: tsig verify failure

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id:  49895
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;hh3.site.			IN	SOA

;; UPDATE SECTION:
pinoso.hh3.site.	3600	IN	A	192.168.1.100

;; TSIG PSEUDOSECTION:
3768628576.sig-hh16.hh3.site. 0	ANY	TSIG	gss-tsig. 1368261695 300 28 
BAQE//////8AAAAACnjz67DpwRhWZSDZ2gT5HQ== 49895 NOERROR 0