[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check

L.P.H. van Belle belle at bazuin.nl
Fri Jan 28 10:15:28 UTC 2022


On AD-DC or Member?
Which samba version is this?
What's in smb.conf and krb5.conf?


Key type 3 is DES_CBC_MD5 to give a hint.

We do need more info on this to help better. 


Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Michael Jones via samba
> Sent: Friday 28 January 2022 10:15
> To: sambalist
> Subject: [Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
> 
> I'm troubleshooting why I'm getting
> 
> > 28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Success.
> 
> when running
> 
> > samba_dnsupdate --verbose --all-names
> 
> As the root user on my domain controller.
> 
> Had to crank the debugging options up to get the actual error (quoted
> above).
> 
> > samba_dnsupdate --verbose --all-names --debuglevel=10 --verbose
> 
> with
> 
> > nsupdate command = /usr/bin/nsupdate -g -L10
> 
> in my smb.conf
> 
> There's no information about this in Google, that I can tell. And the error
> messages aren't giving me much to go on.
> 
> This domain controller has been running since at least 2017, and upgraded
> regularly as my Linux distro updates Samba. So it's plausible that I'm
> running into a problem caused by an earlier version of Samba that is only
> manifesting now.
> 
> Any advice?
> 
> 
> 
> 
> Truncated command output follows immediately, followed by example snippets
> out of /var/log/samba.
> 
> update(nsupdate): SRV _ldap._tcp.ForestDnsZones.network-1.net
> dc1.network-1.net 389
> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.network-1.net
> dc1.network-1.net 389 (add)
> Starting GENSEC mechanism gssapi_krb5_sasl
> GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35989 secs
> gensec_update_send: gssapi_krb5_sasl[0x564b018d5f80]: subreq: 
> 0x564b015950e0
> gensec_update_done: gssapi_krb5_sasl[0x564b018d5f80]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x564b015950e0/../../source4/auth/gensec/gensec_gss
> api.c:1057]:
> state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state
> (0x564b015952a0)] timer[(nil)]
> finish[../../source4/auth/gensec/gensec_gssapi.c:1068]
> Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
> 28-Jan-2022 09:02:59.885 dns_requestmgr_create
> 28-Jan-2022 09:02:59.885 dns_requestmgr_create: 0x7f768d8511c8
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.ForestDnsZones.network-1.net. 900 INSRV 0 100 389
> dc1.network-1.net.
> 
> 28-Jan-2022 09:02:59.895 dns_request_createvia
> 28-Jan-2022 09:02:59.895 request_render
> 28-Jan-2022 09:02:59.905 requestmgr_attach: 0x7f768d8511c8: 
> eref 1 iref 1
> 28-Jan-2022 09:02:59.905 mgr_gethash
> 28-Jan-2022 09:02:59.905 req_send: request 0x7f768d857610
> 28-Jan-2022 09:02:59.905 dns_request_createvia: request 0x7f768d857610
> 28-Jan-2022 09:02:59.905 req_senddone: request 0x7f768d857610
> 28-Jan-2022 09:02:59.905 req_response: request 0x7f768d857610: success
> 28-Jan-2022 09:02:59.905 req_cancel: request 0x7f768d857610
> 28-Jan-2022 09:02:59.905 req_sendevent: request 0x7f768d857610
> 28-Jan-2022 09:02:59.905 dns_request_getresponse: request 
> 0x7f768d857610
> 28-Jan-2022 09:02:59.915 dns_request_createvia
> 28-Jan-2022 09:02:59.915 request_render
> 28-Jan-2022 09:02:59.915 requestmgr_attach: 0x7f768d8511c8: 
> eref 1 iref 2
> 28-Jan-2022 09:02:59.915 mgr_gethash
> 28-Jan-2022 09:02:59.915 dns_request_createvia: request 0x7f768d857790
> 28-Jan-2022 09:02:59.915 dns_request_destroy: request 0x7f768d857610
> 28-Jan-2022 09:02:59.915 req_destroy: request 0x7f768d857610
> 28-Jan-2022 09:02:59.915 requestmgr_detach: 0x7f768d8511c8: 
> eref 1 iref 1
> 28-Jan-2022 09:02:59.915 req_connected: request 0x7f768d857790
> 28-Jan-2022 09:02:59.915 req_send: request 0x7f768d857790
> 28-Jan-2022 09:02:59.915 req_senddone: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 req_response: request 0x7f768d857790: success
> 28-Jan-2022 09:02:59.965 req_cancel: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 req_sendevent: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 dns_request_getresponse: request 
> 0x7f768d857790
> 28-Jan-2022 09:02:59.965 dns_request_createvia
> 28-Jan-2022 09:02:59.965 request_render
> 28-Jan-2022 09:02:59.965 requestmgr_attach: 0x7f768d8511c8: 
> eref 1 iref 2
> 28-Jan-2022 09:02:59.965 mgr_gethash
> 28-Jan-2022 09:02:59.965 dns_request_createvia: request 0x7f768d857610
> 28-Jan-2022 09:02:59.965 dns_request_destroy: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 req_destroy: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 requestmgr_detach: 0x7f768d8511c8: 
> eref 1 iref 1
> 28-Jan-2022 09:02:59.965 req_connected: request 0x7f768d857610
> 28-Jan-2022 09:02:59.965 req_send: request 0x7f768d857610
> 28-Jan-2022 09:02:59.965 req_senddone: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 req_response: request 0x7f768d857610: success
> 28-Jan-2022 09:03:00.005 req_cancel: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 req_sendevent: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 dns_request_getresponse: request 
> 0x7f768d857610
> 28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error: 
> Major = A token
> had an invalid Message Integrity Check (MIC), Minor = Success.
> 28-Jan-2022 09:03:00.005 tsig key '4222350327.sig-dc1.network-1.net'
> (<null>): signature failed to verify(1)
> ; TSIG error with server: tsig verify failure
> 28-Jan-2022 09:03:00.005 dns_request_destroy: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 req_destroy: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 requestmgr_detach: 0x7f768d8511c8: 
> eref 1 iref 0
> 28-Jan-2022 09:03:00.005 dns_requestmgr_shutdown: 0x7f768d8511c8
> 28-Jan-2022 09:03:00.005 send_shutdown_events: 0x7f768d8511c8
> 28-Jan-2022 09:03:00.005 dns_requestmgr_detach: 
> 0x7f768d8511c8: eref 0 iref
> 0
> 28-Jan-2022 09:03:00.005 mgr_destroy
> Failed nsupdate: 2
> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.network-1.net dc1.network-1.net 389
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
> Starting GENSEC mechanism gssapi_krb5_sasl
> GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35988 secs
> gensec_update_send: gssapi_krb5_sasl[0x564b018d5f80]: subreq: 
> 0x564b015950e0
> gensec_update_done: gssapi_krb5_sasl[0x564b018d5f80]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x564b015950e0/../../source4/auth/gensec/gensec_gss
> api.c:1057]:
> state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state
> (0x564b015952a0)] timer[(nil)]
> finish[../../source4/auth/gensec/gensec_gssapi.c:1068]
> Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
> 28-Jan-2022 09:03:00.275 dns_requestmgr_create
> 28-Jan-2022 09:03:00.275 dns_requestmgr_create: 0x7ff91f5df1c8
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.netwo
> rk-1.net.900
> IN SRV 0 100 389 dc1.network-1.net.
> 
> 28-Jan-2022 09:03:00.275 dns_request_createvia
> 28-Jan-2022 09:03:00.285 request_render
> 28-Jan-2022 09:03:00.285 requestmgr_attach: 0x7ff91f5df1c8: 
> eref 1 iref 1
> 28-Jan-2022 09:03:00.285 mgr_gethash
> 28-Jan-2022 09:03:00.285 req_send: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.285 dns_request_createvia: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.285 req_senddone: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.285 req_response: request 0x7ff91f5e5610: success
> 28-Jan-2022 09:03:00.285 req_cancel: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.285 req_sendevent: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.285 dns_request_getresponse: request 
> 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.295 dns_request_createvia
> 28-Jan-2022 09:03:00.295 request_render
> 28-Jan-2022 09:03:00.295 requestmgr_attach: 0x7ff91f5df1c8: 
> eref 1 iref 2
> 28-Jan-2022 09:03:00.295 mgr_gethash
> 28-Jan-2022 09:03:00.295 dns_request_createvia: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.295 dns_request_destroy: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.295 req_destroy: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.295 requestmgr_detach: 0x7ff91f5df1c8: 
> eref 1 iref 1
> 28-Jan-2022 09:03:00.295 req_connected: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.295 req_send: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.305 req_senddone: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 req_response: request 0x7ff91f5e5790: success
> 28-Jan-2022 09:03:00.335 req_cancel: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 req_sendevent: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 dns_request_getresponse: request 
> 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 dns_request_createvia
> 28-Jan-2022 09:03:00.335 request_render
> 28-Jan-2022 09:03:00.335 requestmgr_attach: 0x7ff91f5df1c8: 
> eref 1 iref 2
> 28-Jan-2022 09:03:00.335 mgr_gethash
> 28-Jan-2022 09:03:00.335 dns_request_createvia: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.335 dns_request_destroy: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 req_destroy: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 requestmgr_detach: 0x7ff91f5df1c8: 
> eref 1 iref 1
> 28-Jan-2022 09:03:00.335 req_connected: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.335 req_send: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.345 req_senddone: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 req_response: request 0x7ff91f5e5610: success
> 28-Jan-2022 09:03:00.365 req_cancel: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 req_sendevent: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 dns_request_getresponse: request 
> 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 GSS verify error: GSSAPI error: 
> Major = A token
> had an invalid Message Integrity Check (MIC), Minor = Success.
> 28-Jan-2022 09:03:00.365 tsig key '3433197691.sig-dc1.network-1.net'
> (<null>): signature failed to verify(1)
> ; TSIG error with server: tsig verify failure
> 28-Jan-2022 09:03:00.365 dns_request_destroy: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 req_destroy: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 requestmgr_detach: 0x7ff91f5df1c8: 
> eref 1 iref 0
> 28-Jan-2022 09:03:00.375 dns_requestmgr_shutdown: 0x7ff91f5df1c8
> 28-Jan-2022 09:03:00.375 send_shutdown_events: 0x7ff91f5df1c8
> 28-Jan-2022 09:03:00.375 dns_requestmgr_detach: 
> 0x7ff91f5df1c8: eref 0 iref
> 0
> 28-Jan-2022 09:03:00.375 mgr_destroy
> 
> Data from /var/log/samba/
> 
> 
> 
> [2022/01/28 03:02:57.729026,  2]
> ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
>   Got a dns update request.
> [2022/01/28 03:02:57.729226,  2]
> ../../source4/dns_server/dns_update.c:771(dns_update_allowed)
>   All updates allowed.
> [2022/01/28 03:02:57.732085,  2]
> ../../source4/dns_server/dns_update.c:397(handle_one_update)
>   Looking at record:
> [2022/01/28 03:02:57.732402,  2]
> ../../source4/dns_server/dns_update.c:398(handle_one_update)
> [2022/01/28 03:02:57.732479,  1] 
> ../../librpc/ndr/ndr.c:435(ndr_print_debug)
>        discard_const(update): struct dns_res_rec
>           name                     :
> '_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.network-1.net'
>           rr_type                  : DNS_QTYPE_SRV (0x21)
>           rr_class                 : DNS_QCLASS_IN (0x1)
>           ttl                      : 0x00000384 (900)
>           length                   : 0x0019 (25)
>           rdata                    : union dns_rdata(case 0x21)
>           srv_record: struct dns_srv_record
>               priority                 : 0x0000 (0)
>               weight                   : 0x0064 (100)
>               port                     : 0x0cc4 (3268)
>               target                   : 'dc1.network-1.net'
>           unexpected               : DATA_BLOB length=0
> [2022/01/28 03:02:57.885790,  2]
> ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>   Unsupported keytype ignored - type 3
> [2022/01/28 03:02:57.888483,  2]
> ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>   Unsupported keytype ignored - type 1
> [2022/01/28 03:02:58.045607,  2]
> ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
>   Got a dns update request.
> [2022/01/28 03:02:58.045825,  2]
> ../../source4/dns_server/dns_update.c:771(dns_update_allowed)
>   All updates allowed.
> [2022/01/28 03:02:58.048526,  2]
> ../../source4/dns_server/dns_update.c:397(handle_one_update)
>   Looking at record:
> [2022/01/28 03:02:58.048741,  2]
> ../../source4/dns_server/dns_update.c:398(handle_one_update)
> [2022/01/28 03:02:58.048816,  1] 
> ../../librpc/ndr/ndr.c:435(ndr_print_debug)
>        discard_const(update): struct dns_res_rec
>           name                     : 'DomainDnsZones.network-1.net'
>           rr_type                  : DNS_QTYPE_A (0x1)
>           rr_class                 : DNS_QCLASS_IN (0x1)
>           ttl                      : 0x00000384 (900)
>           length                   : 0x0004 (4)
>           rdata                    : union dns_rdata(case 0x1)
>           ipv4_record              : 10.0.0.3
>           unexpected               : DATA_BLOB length=0
> [2022/01/28 03:02:58.188259,  2]
> ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>   Unsupported keytype ignored - type 3
> [2022/01/28 03:02:58.188499,  2]
> ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>   Unsupported keytype ignored - type 1
> 
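The reply above identifies key type 3 as DES_CBC_MD5. The following is an added example, not part of either message and not Samba code: it parses the multi-line record layout of the /var/log/samba excerpt quoted above and names each key type reported as "Unsupported keytype ignored". The function names are hypothetical, and the sample is assembled from lines of that excerpt.

```python
import re
from collections import Counter

# Kerberos enctype numbers from the IANA registry; 1-3 are single DES.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}
SINGLE_DES = {1, 2, 3}

# Record = "[date time, level]" header, source location (same or next line), message lines.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s+(\d+)\]\s*(.*)$")
KEYTYPE = re.compile(r"Unsupported keytype ignored - type (\d+)")

def parse_records(text):
    """Yield (timestamp, level, body) for each record in a Samba log."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            current = (m.group(1), int(m.group(2)), [m.group(3)] if m.group(3) else [])
        elif current and line.strip():
            current[2].append(line.strip())
    if current:
        yield current[0], current[1], " ".join(current[2])

def ignored_keytypes(text):
    """Count ignored key types, keyed by (number, name, is_single_des)."""
    counts = Counter()
    for _ts, _level, body in parse_records(text):
        m = KEYTYPE.search(body)
        if m:
            n = int(m.group(1))
            counts[(n, ENCTYPES.get(n, "unknown"), n in SINGLE_DES)] += 1
    return counts

# Sample assembled from the log excerpt quoted in the message above.
SAMPLE = """
[2022/01/28 03:02:57.729026,  2]
../../source4/dns_server/dns_update.c:824(dns_server_process_update)
  Got a dns update request.
[2022/01/28 03:02:57.885790,  2]
../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
  Unsupported keytype ignored - type 3
[2022/01/28 03:02:57.888483,  2] ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
  Unsupported keytype ignored - type 1
"""
```
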



