[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check

Michael Jones samba at jonesmz.com
Fri Jan 28 09:15:05 UTC 2022


I'm troubleshooting why I'm getting

> 28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error: Major = A token
had an invalid Message Integrity Check (MIC), Minor = Success.

when running

> samba_dnsupdate --verbose --all-names

As the root user on my domain controller.

Had to crank the debugging options up to get the actual error (quoted
above).

> samba_dnsupdate --verbose --all-names --debuglevel=10 --verbose

with

> nsupdate command = /usr/bin/nsupdate -g -L10

in my smb.conf

There's no information about this in Google, that I can tell. And the error
messages aren't giving me much to go on.

This domain controller has been running since at least 2017, and upgraded
regularly as my Linux distro updates Samba. So it's plausible that I'm
running into a problem caused by an earlier version of Samba that is only
manifesting now.

Any advice?




Truncated command output follows immediately, followed by example snippets
out of /var/log/samba.

update(nsupdate): SRV _ldap._tcp.ForestDnsZones.network-1.net
dc1.network-1.net 389
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.network-1.net
dc1.network-1.net 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35989 secs
gensec_update_send: gssapi_krb5_sasl[0x564b018d5f80]: subreq: 0x564b015950e0
gensec_update_done: gssapi_krb5_sasl[0x564b018d5f80]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x564b015950e0/../../source4/auth/gensec/gensec_gssapi.c:1057]:
state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state
(0x564b015952a0)] timer[(nil)]
finish[../../source4/auth/gensec/gensec_gssapi.c:1068]
Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
28-Jan-2022 09:02:59.885 dns_requestmgr_create
28-Jan-2022 09:02:59.885 dns_requestmgr_create: 0x7f768d8511c8
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.network-1.net. 900 INSRV 0 100 389
dc1.network-1.net.

28-Jan-2022 09:02:59.895 dns_request_createvia
28-Jan-2022 09:02:59.895 request_render
28-Jan-2022 09:02:59.905 requestmgr_attach: 0x7f768d8511c8: eref 1 iref 1
28-Jan-2022 09:02:59.905 mgr_gethash
28-Jan-2022 09:02:59.905 req_send: request 0x7f768d857610
28-Jan-2022 09:02:59.905 dns_request_createvia: request 0x7f768d857610
28-Jan-2022 09:02:59.905 req_senddone: request 0x7f768d857610
28-Jan-2022 09:02:59.905 req_response: request 0x7f768d857610: success
28-Jan-2022 09:02:59.905 req_cancel: request 0x7f768d857610
28-Jan-2022 09:02:59.905 req_sendevent: request 0x7f768d857610
28-Jan-2022 09:02:59.905 dns_request_getresponse: request 0x7f768d857610
28-Jan-2022 09:02:59.915 dns_request_createvia
28-Jan-2022 09:02:59.915 request_render
28-Jan-2022 09:02:59.915 requestmgr_attach: 0x7f768d8511c8: eref 1 iref 2
28-Jan-2022 09:02:59.915 mgr_gethash
28-Jan-2022 09:02:59.915 dns_request_createvia: request 0x7f768d857790
28-Jan-2022 09:02:59.915 dns_request_destroy: request 0x7f768d857610
28-Jan-2022 09:02:59.915 req_destroy: request 0x7f768d857610
28-Jan-2022 09:02:59.915 requestmgr_detach: 0x7f768d8511c8: eref 1 iref 1
28-Jan-2022 09:02:59.915 req_connected: request 0x7f768d857790
28-Jan-2022 09:02:59.915 req_send: request 0x7f768d857790
28-Jan-2022 09:02:59.915 req_senddone: request 0x7f768d857790
28-Jan-2022 09:02:59.965 req_response: request 0x7f768d857790: success
28-Jan-2022 09:02:59.965 req_cancel: request 0x7f768d857790
28-Jan-2022 09:02:59.965 req_sendevent: request 0x7f768d857790
28-Jan-2022 09:02:59.965 dns_request_getresponse: request 0x7f768d857790
28-Jan-2022 09:02:59.965 dns_request_createvia
28-Jan-2022 09:02:59.965 request_render
28-Jan-2022 09:02:59.965 requestmgr_attach: 0x7f768d8511c8: eref 1 iref 2
28-Jan-2022 09:02:59.965 mgr_gethash
28-Jan-2022 09:02:59.965 dns_request_createvia: request 0x7f768d857610
28-Jan-2022 09:02:59.965 dns_request_destroy: request 0x7f768d857790
28-Jan-2022 09:02:59.965 req_destroy: request 0x7f768d857790
28-Jan-2022 09:02:59.965 requestmgr_detach: 0x7f768d8511c8: eref 1 iref 1
28-Jan-2022 09:02:59.965 req_connected: request 0x7f768d857610
28-Jan-2022 09:02:59.965 req_send: request 0x7f768d857610
28-Jan-2022 09:02:59.965 req_senddone: request 0x7f768d857610
28-Jan-2022 09:03:00.005 req_response: request 0x7f768d857610: success
28-Jan-2022 09:03:00.005 req_cancel: request 0x7f768d857610
28-Jan-2022 09:03:00.005 req_sendevent: request 0x7f768d857610
28-Jan-2022 09:03:00.005 dns_request_getresponse: request 0x7f768d857610
28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error: Major = A token
had an invalid Message Integrity Check (MIC), Minor = Success.
28-Jan-2022 09:03:00.005 tsig key '4222350327.sig-dc1.network-1.net'
(<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
28-Jan-2022 09:03:00.005 dns_request_destroy: request 0x7f768d857610
28-Jan-2022 09:03:00.005 req_destroy: request 0x7f768d857610
28-Jan-2022 09:03:00.005 requestmgr_detach: 0x7f768d8511c8: eref 1 iref 0
28-Jan-2022 09:03:00.005 dns_requestmgr_shutdown: 0x7f768d8511c8
28-Jan-2022 09:03:00.005 send_shutdown_events: 0x7f768d8511c8
28-Jan-2022 09:03:00.005 dns_requestmgr_detach: 0x7f768d8511c8: eref 0 iref
0
28-Jan-2022 09:03:00.005 mgr_destroy
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._
sites.ForestDnsZones.network-1.net dc1.network-1.net 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
sites.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35988 secs
gensec_update_send: gssapi_krb5_sasl[0x564b018d5f80]: subreq: 0x564b015950e0
gensec_update_done: gssapi_krb5_sasl[0x564b018d5f80]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x564b015950e0/../../source4/auth/gensec/gensec_gssapi.c:1057]:
state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state
(0x564b015952a0)] timer[(nil)]
finish[../../source4/auth/gensec/gensec_gssapi.c:1068]
Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
28-Jan-2022 09:03:00.275 dns_requestmgr_create
28-Jan-2022 09:03:00.275 dns_requestmgr_create: 0x7ff91f5df1c8
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net.900
IN SRV 0 100 389 dc1.network-1.net.

28-Jan-2022 09:03:00.275 dns_request_createvia
28-Jan-2022 09:03:00.285 request_render
28-Jan-2022 09:03:00.285 requestmgr_attach: 0x7ff91f5df1c8: eref 1 iref 1
28-Jan-2022 09:03:00.285 mgr_gethash
28-Jan-2022 09:03:00.285 req_send: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.285 dns_request_createvia: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.285 req_senddone: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.285 req_response: request 0x7ff91f5e5610: success
28-Jan-2022 09:03:00.285 req_cancel: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.285 req_sendevent: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.285 dns_request_getresponse: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.295 dns_request_createvia
28-Jan-2022 09:03:00.295 request_render
28-Jan-2022 09:03:00.295 requestmgr_attach: 0x7ff91f5df1c8: eref 1 iref 2
28-Jan-2022 09:03:00.295 mgr_gethash
28-Jan-2022 09:03:00.295 dns_request_createvia: request 0x7ff91f5e5790
28-Jan-2022 09:03:00.295 dns_request_destroy: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.295 req_destroy: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.295 requestmgr_detach: 0x7ff91f5df1c8: eref 1 iref 1
28-Jan-2022 09:03:00.295 req_connected: request 0x7ff91f5e5790
28-Jan-2022 09:03:00.295 req_send: request 0x7ff91f5e5790
28-Jan-2022 09:03:00.305 req_senddone: request 0x7ff91f5e5790
28-Jan-2022 09:03:00.335 req_response: request 0x7ff91f5e5790: success
28-Jan-2022 09:03:00.335 req_cancel: request 0x7ff91f5e5790
28-Jan-2022 09:03:00.335 req_sendevent: request 0x7ff91f5e5790
28-Jan-2022 09:03:00.335 dns_request_getresponse: request 0x7ff91f5e5790
28-Jan-2022 09:03:00.335 dns_request_createvia
28-Jan-2022 09:03:00.335 request_render
28-Jan-2022 09:03:00.335 requestmgr_attach: 0x7ff91f5df1c8: eref 1 iref 2
28-Jan-2022 09:03:00.335 mgr_gethash
28-Jan-2022 09:03:00.335 dns_request_createvia: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.335 dns_request_destroy: request 0x7ff91f5e5790
28-Jan-2022 09:03:00.335 req_destroy: request 0x7ff91f5e5790
28-Jan-2022 09:03:00.335 requestmgr_detach: 0x7ff91f5df1c8: eref 1 iref 1
28-Jan-2022 09:03:00.335 req_connected: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.335 req_send: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.345 req_senddone: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.365 req_response: request 0x7ff91f5e5610: success
28-Jan-2022 09:03:00.365 req_cancel: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.365 req_sendevent: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.365 dns_request_getresponse: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.365 GSS verify error: GSSAPI error: Major = A token
had an invalid Message Integrity Check (MIC), Minor = Success.
28-Jan-2022 09:03:00.365 tsig key '3433197691.sig-dc1.network-1.net'
(<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
28-Jan-2022 09:03:00.365 dns_request_destroy: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.365 req_destroy: request 0x7ff91f5e5610
28-Jan-2022 09:03:00.365 requestmgr_detach: 0x7ff91f5df1c8: eref 1 iref 0
28-Jan-2022 09:03:00.375 dns_requestmgr_shutdown: 0x7ff91f5df1c8
28-Jan-2022 09:03:00.375 send_shutdown_events: 0x7ff91f5df1c8
28-Jan-2022 09:03:00.375 dns_requestmgr_detach: 0x7ff91f5df1c8: eref 0 iref
0
28-Jan-2022 09:03:00.375 mgr_destroy

Data from /var/log/samba/



[2022/01/28 03:02:57.729026,  2]
../../source4/dns_server/dns_update.c:824(dns_server_process_update)
  Got a dns update request.
[2022/01/28 03:02:57.729226,  2]
../../source4/dns_server/dns_update.c:771(dns_update_allowed)
  All updates allowed.
[2022/01/28 03:02:57.732085,  2]
../../source4/dns_server/dns_update.c:397(handle_one_update)
  Looking at record:
[2022/01/28 03:02:57.732402,  2]
../../source4/dns_server/dns_update.c:398(handle_one_update)
[2022/01/28 03:02:57.732479,  1] ../../librpc/ndr/ndr.c:435(ndr_print_debug)
       discard_const(update): struct dns_res_rec
          name                     :
'_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.network-1.net'
          rr_type                  : DNS_QTYPE_SRV (0x21)
          rr_class                 : DNS_QCLASS_IN (0x1)
          ttl                      : 0x00000384 (900)
          length                   : 0x0019 (25)
          rdata                    : union dns_rdata(case 0x21)
          srv_record: struct dns_srv_record
              priority                 : 0x0000 (0)
              weight                   : 0x0064 (100)
              port                     : 0x0cc4 (3268)
              target                   : 'dc1.network-1.net'
          unexpected               : DATA_BLOB length=0
[2022/01/28 03:02:57.885790,  2]
../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
  Unsupported keytype ignored - type 3
[2022/01/28 03:02:57.888483,  2]
../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
  Unsupported keytype ignored - type 1
[2022/01/28 03:02:58.045607,  2]
../../source4/dns_server/dns_update.c:824(dns_server_process_update)
  Got a dns update request.
[2022/01/28 03:02:58.045825,  2]
../../source4/dns_server/dns_update.c:771(dns_update_allowed)
  All updates allowed.
[2022/01/28 03:02:58.048526,  2]
../../source4/dns_server/dns_update.c:397(handle_one_update)
  Looking at record:
[2022/01/28 03:02:58.048741,  2]
../../source4/dns_server/dns_update.c:398(handle_one_update)
[2022/01/28 03:02:58.048816,  1] ../../librpc/ndr/ndr.c:435(ndr_print_debug)
       discard_const(update): struct dns_res_rec
          name                     : 'DomainDnsZones.network-1.net'
          rr_type                  : DNS_QTYPE_A (0x1)
          rr_class                 : DNS_QCLASS_IN (0x1)
          ttl                      : 0x00000384 (900)
          length                   : 0x0004 (4)
          rdata                    : union dns_rdata(case 0x1)
          ipv4_record              : 10.0.0.3
          unexpected               : DATA_BLOB length=0
[2022/01/28 03:02:58.188259,  2]
../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
  Unsupported keytype ignored - type 3
[2022/01/28 03:02:58.188499,  2]
../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
  Unsupported keytype ignored - type 1
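
A triage helper for output like the above, added here as an example and not part of the original post: it splits `samba_dnsupdate --verbose` output into one block per attempted record and reports whether a Kerberos ticket was obtained and whether the GSS-TSIG signature check then failed. The names `UpdateResult`, `summarize` and `_find` are hypothetical, and the second sample record is constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: record 1 abridged from the post's output, record 2 invented for contrast.
SAMPLE = """\
update(nsupdate): SRV _ldap._tcp.ForestDnsZones.network-1.net dc1.network-1.net 389
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error: Major = A token
had an invalid Message Integrity Check (MIC), Minor = Success.
28-Jan-2022 09:03:00.005 tsig key '4222350327.sig-dc1.network-1.net'
(<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A example-ok.network-1.net 10.0.0.3
Calling nsupdate for A example-ok.network-1.net 10.0.0.3 (add)
Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
"""

@dataclass
class UpdateResult:
    record: str                 # "TYPE name data" from the update(nsupdate) line
    ticket_spn: Optional[str]   # service principal the ticket was issued for
    gss_major: Optional[str]    # GSSAPI major status text, if verification failed
    tsig_key: Optional[str]     # GSS-TSIG key name reported in the failure
    exit_code: Optional[int]    # value from "Failed nsupdate: N"

    def stage(self) -> str:
        if self.gss_major or self.tsig_key:
            return "tsig-verify-failed" if self.ticket_spn else "gss-failed-no-ticket"
        return "nsupdate-failed" if self.exit_code is not None else "no-error-seen"

def _find(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1) if m else None

def summarize(output: str) -> List[UpdateResult]:
    results = []
    for block in re.split(r"(?m)^update\(nsupdate\):", output)[1:]:  # one block per attempt
        flat = " ".join(block.split())   # undo mail/terminal line wrapping
        results.append(UpdateResult(
            record=_find(r"^(.*?) Calling nsupdate for", flat) or flat[:80],
            ticket_spn=_find(r"Successfully obtained Kerberos ticket to (\S+)", flat),
            gss_major=_find(r"GSS verify error: GSSAPI error: Major = (.*?), Minor =", flat),
            tsig_key=_find(r"tsig key '([^']+)'", flat),
            exit_code=int(c) if (c := _find(r"Failed nsupdate: (\d+)", flat)) else None,
        ))
    return results
```

Call `summarize()` on the captured command output and print `stage()` per record to see at a glance which updates failed after the ticket was already issued.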

