[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure

Rowland penny rpenny at samba.org
Sun Aug 11 08:17:39 UTC 2019


On 11/08/2019 02:36, Igor Sousa wrote:
> Hi Rowland,
>
> I've added 'dns update command' on global section of smb.conf file and 
> I've configured namesever on '/etc/resolv.conf' as 127.0.0.1 (I've 
> tried with 'kings' IP address too), but I don't know if this has 
> worked. I've seen some dns updates errors on 'systemctl status 
> samba-ad-dc' though the same command has returned status 'Active 
> (running)'. And I've use 'samba_dnsupdate', as I've mentioned 
> previously, and I've received 'dns_tkey_negotiategss: TKEY is 
> unacceptable' error and all entries have had their dns update failed. 
> I've read 
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable 
> but I think my case doesn't match with described cases.
>
> I've thought for a time to demote 'king' from 'SMB' and create a new 
> DC to join 'SMB'. I haven't done it because I've had no guarantees 
> that this will work.
>
> OBS: I've used Cent OS7 with firewalld and SElinux disabled.

Do not use '127.0.0.1' in /etc/resolv.conf, use the DC's ipaddress.

Stop running 'samba_dnsupdate' directly, but if you must, add 
'--use-samba-tool'

By using '--use-samba-tool' you are doing the updates over RPC instead 
of kerberos.

Rowland




More information about the samba mailing list