[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
L.P.H. van Belle
belle at bazuin.nl
Fri Jan 28 10:15:28 UTC 2022
On AD-DC or member?
Which Samba version is this?
What's in smb.conf and krb5.conf?
Key type 3 is DES_CBC_MD5, to give a hint.
We do need more info on this to help better.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Michael Jones via samba
> Sent: Friday 28 January 2022 10:15
> To: sambalist
> Subject: [Samba] nsupdate failed: GSSAPI error: A token had
> an invalid message integrity check
>
> I'm troubleshooting why I'm getting
>
> > 28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Success.
>
> when running
>
> > samba_dnsupdate --verbose --all-names
>
> As the root user on my domain controller.
>
> Had to crank the debugging options up to get the actual error (quoted
> above).
>
> > samba_dnsupdate --verbose --all-names --debuglevel=10 --verbose
>
> with
>
> > nsupdate command = /usr/bin/nsupdate -g -L10
>
> in my smb.conf
>
> There's no information about this in Google, that I can tell. And the
> error messages aren't giving me much to go on.
>
> This domain controller has been running since at least 2017, and upgraded
> regularly as my Linux distro updates Samba. So it's plausible that I'm
> running into a problem caused by an earlier version of Samba that is only
> manifesting now.
>
> Any advice?
>
> Truncated command output follows immediately, followed by example snippets
> out of /var/log/samba.
>
> update(nsupdate): SRV _ldap._tcp.ForestDnsZones.network-1.net
> dc1.network-1.net 389
> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.network-1.net
> dc1.network-1.net 389 (add)
> Starting GENSEC mechanism gssapi_krb5_sasl
> GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35989 secs
> gensec_update_send: gssapi_krb5_sasl[0x564b018d5f80]: subreq:
> 0x564b015950e0
> gensec_update_done: gssapi_krb5_sasl[0x564b018d5f80]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x564b015950e0/../../source4/auth/gensec/gensec_gss
> api.c:1057]:
> state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state
> (0x564b015952a0)] timer[(nil)]
> finish[../../source4/auth/gensec/gensec_gssapi.c:1068]
> Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
> 28-Jan-2022 09:02:59.885 dns_requestmgr_create
> 28-Jan-2022 09:02:59.885 dns_requestmgr_create: 0x7f768d8511c8
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.ForestDnsZones.network-1.net. 900 IN SRV 0 100 389 dc1.network-1.net.
>
> 28-Jan-2022 09:02:59.895 dns_request_createvia
> 28-Jan-2022 09:02:59.895 request_render
> 28-Jan-2022 09:02:59.905 requestmgr_attach: 0x7f768d8511c8:
> eref 1 iref 1
> 28-Jan-2022 09:02:59.905 mgr_gethash
> 28-Jan-2022 09:02:59.905 req_send: request 0x7f768d857610
> 28-Jan-2022 09:02:59.905 dns_request_createvia: request 0x7f768d857610
> 28-Jan-2022 09:02:59.905 req_senddone: request 0x7f768d857610
> 28-Jan-2022 09:02:59.905 req_response: request 0x7f768d857610: success
> 28-Jan-2022 09:02:59.905 req_cancel: request 0x7f768d857610
> 28-Jan-2022 09:02:59.905 req_sendevent: request 0x7f768d857610
> 28-Jan-2022 09:02:59.905 dns_request_getresponse: request
> 0x7f768d857610
> 28-Jan-2022 09:02:59.915 dns_request_createvia
> 28-Jan-2022 09:02:59.915 request_render
> 28-Jan-2022 09:02:59.915 requestmgr_attach: 0x7f768d8511c8:
> eref 1 iref 2
> 28-Jan-2022 09:02:59.915 mgr_gethash
> 28-Jan-2022 09:02:59.915 dns_request_createvia: request 0x7f768d857790
> 28-Jan-2022 09:02:59.915 dns_request_destroy: request 0x7f768d857610
> 28-Jan-2022 09:02:59.915 req_destroy: request 0x7f768d857610
> 28-Jan-2022 09:02:59.915 requestmgr_detach: 0x7f768d8511c8:
> eref 1 iref 1
> 28-Jan-2022 09:02:59.915 req_connected: request 0x7f768d857790
> 28-Jan-2022 09:02:59.915 req_send: request 0x7f768d857790
> 28-Jan-2022 09:02:59.915 req_senddone: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 req_response: request 0x7f768d857790: success
> 28-Jan-2022 09:02:59.965 req_cancel: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 req_sendevent: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 dns_request_getresponse: request
> 0x7f768d857790
> 28-Jan-2022 09:02:59.965 dns_request_createvia
> 28-Jan-2022 09:02:59.965 request_render
> 28-Jan-2022 09:02:59.965 requestmgr_attach: 0x7f768d8511c8:
> eref 1 iref 2
> 28-Jan-2022 09:02:59.965 mgr_gethash
> 28-Jan-2022 09:02:59.965 dns_request_createvia: request 0x7f768d857610
> 28-Jan-2022 09:02:59.965 dns_request_destroy: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 req_destroy: request 0x7f768d857790
> 28-Jan-2022 09:02:59.965 requestmgr_detach: 0x7f768d8511c8:
> eref 1 iref 1
> 28-Jan-2022 09:02:59.965 req_connected: request 0x7f768d857610
> 28-Jan-2022 09:02:59.965 req_send: request 0x7f768d857610
> 28-Jan-2022 09:02:59.965 req_senddone: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 req_response: request 0x7f768d857610: success
> 28-Jan-2022 09:03:00.005 req_cancel: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 req_sendevent: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 dns_request_getresponse: request
> 0x7f768d857610
> 28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error:
> Major = A token
> had an invalid Message Integrity Check (MIC), Minor = Success.
> 28-Jan-2022 09:03:00.005 tsig key '4222350327.sig-dc1.network-1.net'
> (<null>): signature failed to verify(1)
> ; TSIG error with server: tsig verify failure
> 28-Jan-2022 09:03:00.005 dns_request_destroy: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 req_destroy: request 0x7f768d857610
> 28-Jan-2022 09:03:00.005 requestmgr_detach: 0x7f768d8511c8:
> eref 1 iref 0
> 28-Jan-2022 09:03:00.005 dns_requestmgr_shutdown: 0x7f768d8511c8
> 28-Jan-2022 09:03:00.005 send_shutdown_events: 0x7f768d8511c8
> 28-Jan-2022 09:03:00.005 dns_requestmgr_detach:
> 0x7f768d8511c8: eref 0 iref
> 0
> 28-Jan-2022 09:03:00.005 mgr_destroy
> Failed nsupdate: 2
> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.network-1.net dc1.network-1.net 389
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
> Starting GENSEC mechanism gssapi_krb5_sasl
> GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35988 secs
> gensec_update_send: gssapi_krb5_sasl[0x564b018d5f80]: subreq:
> 0x564b015950e0
> gensec_update_done: gssapi_krb5_sasl[0x564b018d5f80]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x564b015950e0/../../source4/auth/gensec/gensec_gss
> api.c:1057]:
> state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state
> (0x564b015952a0)] timer[(nil)]
> finish[../../source4/auth/gensec/gensec_gssapi.c:1068]
> Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
> 28-Jan-2022 09:03:00.275 dns_requestmgr_create
> 28-Jan-2022 09:03:00.275 dns_requestmgr_create: 0x7ff91f5df1c8
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net. 900 IN SRV 0 100 389 dc1.network-1.net.
>
> 28-Jan-2022 09:03:00.275 dns_request_createvia
> 28-Jan-2022 09:03:00.285 request_render
> 28-Jan-2022 09:03:00.285 requestmgr_attach: 0x7ff91f5df1c8:
> eref 1 iref 1
> 28-Jan-2022 09:03:00.285 mgr_gethash
> 28-Jan-2022 09:03:00.285 req_send: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.285 dns_request_createvia: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.285 req_senddone: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.285 req_response: request 0x7ff91f5e5610: success
> 28-Jan-2022 09:03:00.285 req_cancel: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.285 req_sendevent: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.285 dns_request_getresponse: request
> 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.295 dns_request_createvia
> 28-Jan-2022 09:03:00.295 request_render
> 28-Jan-2022 09:03:00.295 requestmgr_attach: 0x7ff91f5df1c8:
> eref 1 iref 2
> 28-Jan-2022 09:03:00.295 mgr_gethash
> 28-Jan-2022 09:03:00.295 dns_request_createvia: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.295 dns_request_destroy: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.295 req_destroy: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.295 requestmgr_detach: 0x7ff91f5df1c8:
> eref 1 iref 1
> 28-Jan-2022 09:03:00.295 req_connected: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.295 req_send: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.305 req_senddone: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 req_response: request 0x7ff91f5e5790: success
> 28-Jan-2022 09:03:00.335 req_cancel: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 req_sendevent: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 dns_request_getresponse: request
> 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 dns_request_createvia
> 28-Jan-2022 09:03:00.335 request_render
> 28-Jan-2022 09:03:00.335 requestmgr_attach: 0x7ff91f5df1c8:
> eref 1 iref 2
> 28-Jan-2022 09:03:00.335 mgr_gethash
> 28-Jan-2022 09:03:00.335 dns_request_createvia: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.335 dns_request_destroy: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 req_destroy: request 0x7ff91f5e5790
> 28-Jan-2022 09:03:00.335 requestmgr_detach: 0x7ff91f5df1c8:
> eref 1 iref 1
> 28-Jan-2022 09:03:00.335 req_connected: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.335 req_send: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.345 req_senddone: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 req_response: request 0x7ff91f5e5610: success
> 28-Jan-2022 09:03:00.365 req_cancel: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 req_sendevent: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 dns_request_getresponse: request
> 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 GSS verify error: GSSAPI error:
> Major = A token
> had an invalid Message Integrity Check (MIC), Minor = Success.
> 28-Jan-2022 09:03:00.365 tsig key '3433197691.sig-dc1.network-1.net'
> (<null>): signature failed to verify(1)
> ; TSIG error with server: tsig verify failure
> 28-Jan-2022 09:03:00.365 dns_request_destroy: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 req_destroy: request 0x7ff91f5e5610
> 28-Jan-2022 09:03:00.365 requestmgr_detach: 0x7ff91f5df1c8:
> eref 1 iref 0
> 28-Jan-2022 09:03:00.375 dns_requestmgr_shutdown: 0x7ff91f5df1c8
> 28-Jan-2022 09:03:00.375 send_shutdown_events: 0x7ff91f5df1c8
> 28-Jan-2022 09:03:00.375 dns_requestmgr_detach:
> 0x7ff91f5df1c8: eref 0 iref
> 0
> 28-Jan-2022 09:03:00.375 mgr_destroy
>
> Data from /var/log/samba/
>
> [2022/01/28 03:02:57.729026, 2]
> ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
> Got a dns update request.
> [2022/01/28 03:02:57.729226, 2]
> ../../source4/dns_server/dns_update.c:771(dns_update_allowed)
> All updates allowed.
> [2022/01/28 03:02:57.732085, 2]
> ../../source4/dns_server/dns_update.c:397(handle_one_update)
> Looking at record:
> [2022/01/28 03:02:57.732402, 2]
> ../../source4/dns_server/dns_update.c:398(handle_one_update)
> [2022/01/28 03:02:57.732479, 1]
> ../../librpc/ndr/ndr.c:435(ndr_print_debug)
> discard_const(update): struct dns_res_rec
> name :
> '_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.network-1.net'
> rr_type : DNS_QTYPE_SRV (0x21)
> rr_class : DNS_QCLASS_IN (0x1)
> ttl : 0x00000384 (900)
> length : 0x0019 (25)
> rdata : union dns_rdata(case 0x21)
> srv_record: struct dns_srv_record
> priority : 0x0000 (0)
> weight : 0x0064 (100)
> port : 0x0cc4 (3268)
> target : 'dc1.network-1.net'
> unexpected : DATA_BLOB length=0
> [2022/01/28 03:02:57.885790, 2]
> ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
> Unsupported keytype ignored - type 3
> [2022/01/28 03:02:57.888483, 2]
> ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
> Unsupported keytype ignored - type 1
> [2022/01/28 03:02:58.045607, 2]
> ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
> Got a dns update request.
> [2022/01/28 03:02:58.045825, 2]
> ../../source4/dns_server/dns_update.c:771(dns_update_allowed)
> All updates allowed.
> [2022/01/28 03:02:58.048526, 2]
> ../../source4/dns_server/dns_update.c:397(handle_one_update)
> Looking at record:
> [2022/01/28 03:02:58.048741, 2]
> ../../source4/dns_server/dns_update.c:398(handle_one_update)
> [2022/01/28 03:02:58.048816, 1]
> ../../librpc/ndr/ndr.c:435(ndr_print_debug)
> discard_const(update): struct dns_res_rec
> name : 'DomainDnsZones.network-1.net'
> rr_type : DNS_QTYPE_A (0x1)
> rr_class : DNS_QCLASS_IN (0x1)
> ttl : 0x00000384 (900)
> length : 0x0004 (4)
> rdata : union dns_rdata(case 0x1)
> ipv4_record : 10.0.0.3
> unexpected : DATA_BLOB length=0
> [2022/01/28 03:02:58.188259, 2]
> ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
> Unsupported keytype ignored - type 3
> [2022/01/28 03:02:58.188499, 2]
> ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
> Unsupported keytype ignored - type 1
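
Added example, not part of either message above and not Samba project code: a small triage script that pulls the two kinds of evidence discussed in this thread out of pasted output, namely the KDC's "Unsupported keytype ignored" notices (mapped to Kerberos enctype names) and the GSS-TSIG verification failures reported by nsupdate. The function names are made up for this example; the sample text is abridged from the log lines quoted in the post, including the mail quoting and line wrapping, which the script undoes before matching.

```python
import re
from collections import Counter

# Kerberos encryption type numbers (IANA registry). Types 1-3 are single DES.
ENCTYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
SINGLE_DES = {1, 2, 3}

def normalize(text):
    """Strip mail quote markers ('> ') and re-join lines the mailer wrapped."""
    lines = (re.sub(r"^(?:>\s?)+", "", ln) for ln in text.splitlines())
    return re.sub(r"\s+", " ", " ".join(lines))

def triage(text):
    """Summarise ignored KDC key types and GSS-TSIG verify failures."""
    flat = normalize(text)
    keytypes = Counter(
        int(n) for n in re.findall(r"Unsupported keytype ignored - type (\d+)", flat))
    return {
        "ignored_keytypes": {ENCTYPES.get(n, f"unknown-{n}"): c
                             for n, c in sorted(keytypes.items())},
        # True when every key the KDC skipped is a legacy single-DES key
        "single_des_only": bool(keytypes) and set(keytypes) <= SINGLE_DES,
        "gss_errors": re.findall(
            r"GSS verify error: GSSAPI error: Major = (.*?), Minor = (\w+)", flat),
        "tsig_failed_keys": re.findall(
            r"tsig key '([^']+)' \([^)]*\): signature failed to verify", flat),
    }

# Sample input: abridged from the output quoted in the post (wrapping preserved).
SAMPLE = """\
> 28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error:
> Major = A token
> had an invalid Message Integrity Check (MIC), Minor = Success.
> 28-Jan-2022 09:03:00.005 tsig key '4222350327.sig-dc1.network-1.net'
> (<null>): signature failed to verify(1)
> [2022/01/28 03:02:57.885790, 2]
> ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
> Unsupported keytype ignored - type 3
> [2022/01/28 03:02:57.888483, 2]
> ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
> Unsupported keytype ignored - type 1
"""

if __name__ == "__main__":
    for field, value in triage(SAMPLE).items():
        print(f"{field}: {value}")
```

The summary only lists what the logs contain; it does not decide whether the ignored DES keys are related to the MIC failure, which is what the smb.conf and krb5.conf requested in the reply would help establish.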