[Samba] S4 nsupdate tsig error with internal server

Rowland Penny rpenny at f2s.com
Sat May 11 04:01:49 MDT 2013


On 11/05/13 09:54, steve wrote:
> Hi
> I know that this has been addressed before but I couldn't find a 
> solution. Summary: when attempting to write a dns record using 
> nsupdate, nothing gets written to the zone due to the error:
> ; TSIG error with server: tsig verify failure
>
> Everything is working. We can log in to the domain from the same client 
> and we have sssd sending the dyndns update requests which also produce 
> the same error but still send the correct IP to the server after a 
> change in IP on the client but still nothing is written.
>
> Test: we can't ping the client by name from the DC after the update 
> request is sent. The DC responds correctly as for e.g. successful 
> updates from xp clients.
>
> Question, does this work against a DC with bind dlz? Any solution 
> meanwhile?
> Thanks,
> Steve
>
> Here is the output:
>
>  sudo nsupdate -g -d
> [sudo] password for steve:
> > server 192.168.1.16
> > realm HH3.SITE
> > update add pinoso.hh3.site 3600 A 192.168.1.100
> > send
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7006
> ;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;pinoso.hh3.site.        IN    SOA
>
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25384
> ;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;hh3.site.            IN    SOA
>
> ;; ANSWER SECTION:
> hh3.site.        3600    IN    SOA    hh16.hh3.site. 
> hostmaster.hh3.site. 6 900 600 86400 0
>
> Found zone name: hh3.site
> The master is: hh16.hh3.site
> start_gssrequest
> send_gssrequest
> Outgoing update query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3099
> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;3768628576.sig-hh16.hh3.site.    ANY    TKEY
>
> ;; ADDITIONAL SECTION:
> 3768628576.sig-hh16.hh3.site. 0    ANY    TKEY    gss-tsig. 1368261695 
> 1368261695 3 NOERROR 1244 
>
> recvmsg reply from GSS-TSIG query
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3099
> ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;3768628576.sig-hh16.hh3.site.    ANY    TKEY
>
> ;; ANSWER SECTION:
> 3768628576.sig-hh16.hh3.site. 0    ANY    TKEY    gss-tsig. 1368261695 
> 1368261695 3 NOERROR 182 
>
> ;; TSIG PSEUDOSECTION:
> 3768628576.sig-hh16.hh3.site. 0    ANY    TSIG    gss-tsig. 1368261704 
> 300 28 BAQF//////8AAAAAFKquCK9Y5B2dtDDIUnGo8g== 3099 NOERROR 0
>
> Sending update to 192.168.1.16#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 49895
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
> ;; UPDATE SECTION:
> pinoso.hh3.site.    3600    IN    A    192.168.1.100
>
> ;; TSIG PSEUDOSECTION:
> 3768628576.sig-hh16.hh3.site. 0    ANY    TSIG    gss-tsig. 1368261695 
> 300 28 BAQE//////8AAAAACnjz67DpwRhWZSDZ2gT5HQ== 49895 NOERROR 0
>
> ; TSIG error with server: tsig verify failure
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 49895
> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;hh3.site.            IN    SOA
>
> ;; UPDATE SECTION:
> pinoso.hh3.site.    3600    IN    A    192.168.1.100
>
> ;; TSIG PSEUDOSECTION:
> 3768628576.sig-hh16.hh3.site. 0    ANY    TSIG    gss-tsig. 1368261695 
> 300 28 BAQE//////8AAAAACnjz67DpwRhWZSDZ2gT5HQ== 49895 NOERROR 0
>
Hi Steve, I use a script (run by dhcp) that runs nsupdate and this 
works: I can ping clients by name & IP from the server, but I am using 
bind9 instead of the internal DNS.

Rowland

