[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure

Rowland penny rpenny at samba.org
Thu Aug 8 07:29:13 UTC 2019

On 07/08/2019 23:17, Igor Sousa via samba wrote:
> Hello everybody,
> I've had a samba environment with the following "brief" description:
>     - There are 2 DC (*samba4* and *samba4bkp*) running samba version 4.1.6

Ouch, using seriously old and EOL Samba versions is not a good idea. I would suggest you upgrade at regular intervals.

>     on my domain (*SMB*). DNS back end is Samba Internal DNS;
>     - I've added a new DC (*king*) running samba version 4.10.2 and as DC
>     to *SMB* domain with BIND9 DNS Back End;
>     - *king* has updated dns zones and I've checked it;
>     - *king* has been able to resolve *SMB* domain names;
>     - *samba4bkp* has broken and I've lost its disks. Then I've followed
>     steps described on
>     https://blogs.technet.microsoft.com/canitpro/2016/02/17/step-by-step-removing-a-domain-controller-server-manually/
>     to remove *samba4bkp* manually.

What a lot of work you didn't need to do, 'samba-tool domain demote --remove-other-dead-server=samba4bkp' would have done it for you ;-)

> After removing *samba4bkp*, I've checked *samba4* dns zones and they are ok,
> but *king* still has maintained *samba4bkp* registers. Then I've tried to
> update dns entries running *samba_dnsupdate --verbose --all-names* and it
> has returned that all 28 entries failed to update, as shown below.
> I've searched about similar error "; TSIG error with server: tsig verify
> failure", but I've been unsuccessful.
> Regards!
> --
> Igor Sousa
> ; TSIG error with server: tsig verify failure
> Failed nsupdate: 2
> update(nsupdate): NS smb king.smb
> Calling nsupdate for NS smb king.smb (add)
> Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> smb. 900 IN NS king.smb.

Is 'king' using itself for its nameserver?

It looks like it isn't: 'Successfully obtained Kerberos ticket to 
DNS/samba4.smb as KING$'
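
The check made by eye in the reply above, as an added example that is not part of the original post: it reads `samba_dnsupdate --verbose` output and reports when the Kerberos ticket was obtained for another server's DNS service. The sample output is constructed from the lines quoted in the thread; the function names and the hostname argument are assumptions.

```sh
#!/bin/sh
# Constructed sample, using the line format quoted in the thread.
SAMPLE_OUTPUT='update(nsupdate): NS smb king.smb
Calling nsupdate for NS smb king.smb (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
; TSIG error with server: tsig verify failure
Failed nsupdate: 2'

# Print "<dns-service-host> <machine-account>" once per distinct ticket line
# found on stdin. Leading "> " quote markers are tolerated.
ticket_targets() {
    sed -n 's|^.*Successfully obtained Kerberos ticket to DNS/\([^ ]*\) as \([^ ]*\)$|\1 \2|p' | sort -u
}

# Return 0 if every ticket is for this DC's own DNS service, 1 otherwise.
# $1 = short hostname of this DC (hypothetical parameter); output on stdin.
updates_target_self() {
    self=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    status=0
    while read -r host account; do
        [ -n "$host" ] || continue
        short=$(printf '%s' "${host%%.*}" | tr '[:upper:]' '[:lower:]')
        if [ "$short" != "$self" ]; then
            echo "ticket is for DNS/$host (as $account), not for $self"
            status=1
        fi
    done <<EOF
$(ticket_targets)
EOF
    return $status
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | updates_target_self king || true
```

On a real DC, pipe the output of `samba_dnsupdate --verbose --all-names` into `updates_target_self` with the DC's own short hostname.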
