[Samba] samba-4.10 nsupdate

James B. Byrne byrnejb at harte-lyne.ca
Fri Jul 3 15:15:01 UTC 2020


I changed the entries in smb4.conf (smb.conf) to this:

[global]
. . .
  dns update command = /usr/local/sbin/samba_dnsupdate
  nsupdate command = /usr/local/bin/samba-nsupdate -d -g

And this is what results when I run: samba_dnsupdate --verbose -d8 --all-names

. . .
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for SMB4-1$@BROCKLEY.HARTE-LYNE.CA will expire in 35998 secs
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as
SMB4-1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca.
900 IN	SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   1151
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca.
IN SOA

;; AUTHORITY SECTION:
brockley.harte-lyne.ca.	3600	IN	SOA	SMB4-1.brockley.harte-lyne.ca.
hostmaster.brockley.harte-lyne.ca. 1 900 600 86400 3600

Found zone name: brockley.harte-lyne.ca
The master is: SMB4-1.brockley.harte-lyne.ca
start_gssrequest
Found realm from ticket: BROCKLEY.HARTE-LYNE.CA
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  13304
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;489873631.sig-SMB4-1.brockley.harte-lyne.ca. ANY TKEY

;; ADDITIONAL SECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TKEY	gss-tsig. 1593782418
1593782418 3 NOERROR 1515

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  13304
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;489873631.sig-SMB4-1.brockley.harte-lyne.ca. ANY TKEY

;; ANSWER SECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TKEY	gss-tsig. 1593782418
1593782418 3 NOERROR 186
oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB
AgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvuDJDPZTRZw4t
rumU7CUM54QqUWXZEf6MQ5ZeOQhrzV8cOQAwx0mMTkLIQm+YAu4Bysim
Qn+Dfqy1qLL8mPSCes86vUp4l/Sa8a6mKjQ91+FeGqsorgsAEYrLaGXl
vSBcP+Qxi+FC1e07Iuv3LXF/ 0

;; TSIG PSEUDOSECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG	gss-tsig. 1593782418
300 28 BAQF//////8AAAAAMRP+/dHMO1zAtXPIT0vu4A== 13304 NOERROR 0

Sending update to 192.168.18.161#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  38762
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca.
900 IN	SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

;; TSIG PSEUDOSECTION:
489873631.sig-smb4-1.brockley.harte-lyne.ca. 0 ANY TSIG	gss-tsig. 1593782418
300 28 BAQE//////8AAAAAJXvohvDbm2q9Fel/zluw/w== 38762 NOERROR 0

; TSIG error with server: tsig indicates error

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  38762
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;brockley.harte-lyne.ca.		IN	SOA

;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca.
900 IN	SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

;; TSIG PSEUDOSECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG	gss-tsig. 1593782418
300 0 38762 BADSIG 0

Failed nsupdate: 2
. . .


[root@smb4-1 ~ (master)]# netstat -an | grep -i listen | grep 53
. . .
tcp4       0      0 192.168.18.161.53      *.*                    LISTEN
tcp4       0      0 127.0.161.1.53         *.*                    LISTEN


As far as I can determine the secret key and signature are not configured
manually.  What is causing the bad signature error?  How is it fixed?

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
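
Added example, not part of the original post and not Samba or BIND code: a small Python parser for the TSIG pseudosections in an `nsupdate -d` trace like the one above, so the key name, MAC size and TSIG error of the request and the reply can be compared side by side. The embedded trace is constructed (placeholder names and MAC), the function names are hypothetical, and the output reports what the trace shows without identifying a cause.

```python
import re

# Constructed trace in the layout nsupdate -d prints; names and MAC are placeholders.
SAMPLE = """\
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  38762
;; TSIG PSEUDOSECTION:
1234.sig-dc1.example.test. 0 ANY TSIG\tgss-tsig. 1593782418
300 12 Y29uc3RydWN0ZWQh 38762 NOERROR 0

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  38762
;; TSIG PSEUDOSECTION:
1234.sig-DC1.example.test. 0 ANY TSIG\tgss-tsig. 1593782418
300 0 38762 BADSIG 0
"""

def parse_tsig(trace):
    """Return one dict per TSIG pseudosection, tagged with its message and rcode."""
    records, message, status = [], "", ""
    lines = iter(trace.splitlines())
    for line in lines:
        if line and not line.startswith(";") and "query" in line:
            message = line.rstrip(":")          # e.g. "Reply from update query"
        m = re.search(r"status: (\w+)", line)
        if m:
            status = m.group(1)
        if line.startswith(";; TSIG PSEUDOSECTION"):
            body = []
            for nxt in lines:                   # the record wraps over several lines
                if not nxt.strip():
                    break
                body.append(nxt)
            f = " ".join(body).split()
            mac_size = int(f[7])
            # The MAC field is absent when its size is 0; assumed to be one token otherwise.
            rest = f[8:] if mac_size == 0 else f[9:]
            records.append({"message": message, "status": status, "key": f[0],
                            "mac_size": mac_size, "orig_id": int(rest[0]), "error": rest[1]})
    return records

def findings(records):
    """List TSIG errors and note key names that differ only in letter case."""
    out = [f'{r["message"]}: rcode {r["status"]}, TSIG error {r["error"]}, MAC size {r["mac_size"]}'
           for r in records if r["error"] != "NOERROR"]
    keys = {r["key"] for r in records}
    if len(keys) > 1 and len({k.lower() for k in keys}) == 1:
        out.append("key name case differs between messages: " + ", ".join(sorted(keys)))
    return out
```

Calling `findings(parse_tsig(text))` on a saved trace returns one line per TSIG error plus a note when the key name's letter case is not the same in every message.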



