[Samba] AD DC with log errors when sysvol replication is run

Peter Milesson miles at atmos.eu
Fri Apr 9 13:22:56 UTC 2021 

Hi folks,

Continuing with AD DC problems. Everytime sysvol replication is run on 
the secondary DC, the following two error message pairs are written 
about 22 times in the log on the primary DC:

Apr 09 14:55:01 konadc samba[11890]: [2021/04/09 14:55:01.349626, 0] 
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Apr 09 14:55:01 konadc samba[11890]:   /usr/sbin/samba_dnsupdate: ; TSIG 
error with server: tsig verify failure

the whole sequence is terminated by the following error entries:

Apr 09 14:55:02 konadc samba[11890]: [2021/04/09 14:55:02.015226, 0] 
../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_
Apr 09 14:55:02 konadc samba[11890]: 
../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 29

Kerberos works, DNS replication definitely works and it seems that 
sysvol replication also works. There are no errors in the log on the 
secondary DC. I have spent quite some time searching for this error, 
explanation, causes, and possible problems connected with the errors.

The primary DC is a self compiled Samba 4.9.1 under CentOS 7.9.2009, and 
elrepo kernel 5.11.7-1, the secondary DC is an up to date Debian Buster 
with the latest van Belle Samba packages (Samba 4.14.2).

If anybody got any ideas about this, I would be grateful?

Best regards,

Peter


Primary DC smb.conf
=================
[global]
         netbios name = KONADC
         realm = KONSTRUKCE.LOCAL
         server role = active directory domain controller
         workgroup = KONSTRUKCE
         idmap_ldb:use rfc2307 = yes
         dns forwarder = 192.168.0.221
         dns zone scavenging = yes

[netlogon]
         path = /var/lib/samba/sysvol/konstrukce.local/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No


Secondary DC smb.conf
===================
[global]
         netbios name = KONADC2
         realm = KONSTRUKCE.LOCAL
         server role = active directory domain controller
         workgroup = KONSTRUKCE
         idmap_ldb:use rfc2307 = yes
         dns forwarder = 192.168.0.221

[netlogon]
         path = /var/lib/samba/sysvol/konstrukce.local/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

More information about the samba mailing list