[Samba] S4 nsupdate tsig error with internal server

steve steve at steve-ss.com
Sat May 11 06:18:20 MDT 2013


On 11/05/13 12:01, Rowland Penny wrote:
> On 11/05/13 09:54, steve wrote:
>> Hi
>> I know that this has been addressed before but I couldn't find a
>> solution. Summary: when attempting to write a dns record using
>> nsupdate, nothing gets written to the zone due to the error:
>> ; TSIG error with server: tsig verify failure
>>
>> Everything is working. We can login to the domain from the same client
>> and we have sssd sending the dyndns update requests which also produce
>> the same error but still send the correct IP to the server after a
>> change in IP on the client but still nothing is written.
>>
>> Test: we can't ping the client by name from the DC after the update
>> request is sent. The DC responds correctly as for e.g. successful
>> updates from xp clients.
>>
>> Question, does this work against a DC with bind dlz? Any solution
>> meanwhile?
>> Thanks,
>> Steve
>>
>> Here is the output:
>>
>>  sudo nsupdate -g -d
>> [sudo] password for steve:
>> > server 192.168.1.16
>> > realm HH3.SITE
>> > update add pinoso.hh3.site 3600 A 192.168.1.100
>> > send
>> Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7006
>> ;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;pinoso.hh3.site.        IN    SOA
>>
>> Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25384
>> ;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;hh3.site.            IN    SOA
>>
>> ;; ANSWER SECTION:
>> hh3.site.        3600    IN    SOA    hh16.hh3.site.
>> hostmaster.hh3.site. 6 900 600 86400 0
>>
>> Found zone name: hh3.site
>> The master is: hh16.hh3.site
>> start_gssrequest
>> send_gssrequest
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3099
>> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;3768628576.sig-hh16.hh3.site.    ANY    TKEY
>>
>> ;; ADDITIONAL SECTION:
>> 3768628576.sig-hh16.hh3.site. 0    ANY    TKEY    gss-tsig. 1368261695
>> 1368261695 3 NOERROR 1244
>>
>> recvmsg reply from GSS-TSIG query
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3099
>> ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;3768628576.sig-hh16.hh3.site.    ANY    TKEY
>>
>> ;; ANSWER SECTION:
>> 3768628576.sig-hh16.hh3.site. 0    ANY    TKEY    gss-tsig. 1368261695
>> 1368261695 3 NOERROR 182
>>
>> ;; TSIG PSEUDOSECTION:
>> 3768628576.sig-hh16.hh3.site. 0    ANY    TSIG    gss-tsig. 1368261704
>> 300 28 BAQF//////8AAAAAFKquCK9Y5B2dtDDIUnGo8g== 3099 NOERROR 0
>>
>> Sending update to 192.168.1.16#53
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 49895
>> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
>> ;; UPDATE SECTION:
>> pinoso.hh3.site.    3600    IN    A    192.168.1.100
>>
>> ;; TSIG PSEUDOSECTION:
>> 3768628576.sig-hh16.hh3.site. 0    ANY    TSIG    gss-tsig. 1368261695
>> 300 28 BAQE//////8AAAAACnjz67DpwRhWZSDZ2gT5HQ== 49895 NOERROR 0
>>
>> ; TSIG error with server: tsig verify failure
>>
>> Reply from update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 49895
>> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
>> ;; ZONE SECTION:
>> ;hh3.site.            IN    SOA
>>
>> ;; UPDATE SECTION:
>> pinoso.hh3.site.    3600    IN    A    192.168.1.100
>>
>> ;; TSIG PSEUDOSECTION:
>> 3768628576.sig-hh16.hh3.site. 0    ANY    TSIG    gss-tsig. 1368261695
>> 300 28 BAQE//////8AAAAACnjz67DpwRhWZSDZ2gT5HQ== 49895 NOERROR 0
>>
> Hi Steve, I use a script (run by dhcp) that runs nsupdate and this
> works, I can ping clients by name & ip from the server, but I am using
> bind9 instead of the internal dns.
>
> Rowland
>
>
Hi Rowland
Does your script work with the internal server? I like the idea of the 
latest sssd which does dyndns (using nsupdate) as it takes us one step 
closer toward one-config-file-for-everything for Linux clients. I
wouldn't mind switching to bind if it's the internal server which is the 
problem.
Cheers,
Steve
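
A triage helper for the kind of debug output quoted above, added here as an example and not part of the original post or of Samba or BIND: it parses `nsupdate -g -d` output and reports which stage failed, including whether the reply to the update carries a TSIG record identical to the one the client sent, as it does in the quoted output. The function names and finding labels are hypothetical, and the sample is constructed by abridging the quoted output.

```python
import re

# Constructed sample: abridged from the nsupdate -g -d output quoted above
# (token bodies and record sections dropped, mail-wrapped lines rejoined).
SAMPLE = """\
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3099
3768628576.sig-hh16.hh3.site. 0 ANY TSIG gss-tsig. 1368261704 300 28 BAQF//////8AAAAAFKquCK9Y5B2dtDDIUnGo8g== 3099 NOERROR 0
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 49895
3768628576.sig-hh16.hh3.site. 0 ANY TSIG gss-tsig. 1368261695 300 28 BAQE//////8AAAAACnjz67DpwRhWZSDZ2gT5HQ== 49895 NOERROR 0
; TSIG error with server: tsig verify failure
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 49895
3768628576.sig-hh16.hh3.site. 0 ANY TSIG gss-tsig. 1368261695 300 28 BAQE//////8AAAAACnjz67DpwRhWZSDZ2gT5HQ== 49895 NOERROR 0
"""

HDR = re.compile(r"opcode: (\w+), status: (\w+), id: \d+")
# TSIG rdata as printed: algorithm, time signed, fudge, MAC size, MAC, original id
TSIG = re.compile(r"TSIG\s+\S+\s+(\d+)\s+\d+\s+\d+\s+(\S+)\s+\d+")

def parse_messages(text):
    """One dict per DNS message, labelled by the line printed above its header."""
    msgs, prev = [], ""
    for line in text.splitlines():
        hdr, sig = HDR.search(line), TSIG.search(line)
        if hdr:
            msgs.append({"label": prev, "opcode": hdr[1], "status": hdr[2], "tsig": None})
        elif sig and msgs and msgs[-1]["tsig"] is None:
            msgs[-1]["tsig"] = {"time": int(sig[1]), "mac": sig[2]}
        prev = line.strip() or prev
    return msgs

def triage(text):
    """Name the stage at which a GSS-TSIG dynamic update broke."""
    msgs = parse_messages(text)
    def pick(opcode, word):
        return next((m for m in msgs if m["opcode"] == opcode and word in m["label"]), None)
    tkey, req, rsp = pick("QUERY", "GSS-TSIG"), pick("UPDATE", "Outgoing"), pick("UPDATE", "Reply")
    found = []
    if tkey and tkey["status"] == "NOERROR" and tkey["tsig"]:
        found.append("tkey-negotiated")  # security context set up, TKEY reply signed
    if rsp and rsp["status"] != "NOERROR":
        found.append("update-" + rsp["status"].lower())
    if req and rsp and req["tsig"] and req["tsig"] == rsp["tsig"]:
        found.append("reply-tsig-echoes-request")  # same time signed and MAC as the request
    if "tsig verify failure" in text:
        found.append("client-rejected-reply-signature")
    return found
```

Feed it the unwrapped output of `nsupdate -g -d` (not the mail-quoted form); `triage(SAMPLE)` lists the four findings for the exchange in this thread.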


