[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check

Michael Jones samba at jonesmz.com
Fri Jan 28 21:10:54 UTC 2022


On Fri, Jan 28, 2022 at 3:03 PM Michael Jones <samba at jonesmz.com> wrote:

> Thank you for the response.
>
> On Fri, Jan 28, 2022 at 4:16 AM L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
>
>> On AD-DC or Member ?
>>
>
> AD-DC, phrased as "> As the root user on my domain controller." in my
> original email, though I know it was a big wall of text, so I probably
> would have missed that detail myself.
>
>
>> Which samba version is this?
>>
>
> dc1 ~ # samba --version
> Version 4.15.3
>
> dc1 ~ # emerge --info samba
> Portage 3.0.30 (python 3.9.9-final-0, default/linux/amd64/17.1,
> gcc-11.2.0, glibc-2.33-r7, 5.15.11-gentoo x86_64)
> =================================================================
>                          System Settings
> =================================================================
> System uname:
> Linux-5.15.11-gentoo-x86_64-AMD_E-350D_APU_with_Radeon-tm-_HD_Graphics-with-glibc2.33
> KiB Mem:    16099556 total,   2375520 free
> KiB Swap:          0 total,         0 free
> Timestamp of repository gentoo: Thu, 27 Jan 2022 14:52:00 +0000
> Head commit of repository gentoo: 1ae2a588f3427d972e3b954ae4172e51b975d4e7
>
> Head commit of repository jonesmz-public-overlay:
> aa017c88e14e739423d5cc128d0f8e696a02135e
>
> Head commit of repository lto-overlay:
> 435a9d968854fef21015796a5f464243dc4caa03
>
> Head commit of repository mv: ee4a1a6d419ab49102d2580c8925ed5605012d6f
>
> Head commit of repository wsdd: 1156bfeeee76150f811af9d8049d0edfb4277851
>
> sh bash 5.1_p8
> ld GNU ld (Gentoo 2.37_p1 p0) 2.37
> distcc 3.4 x86_64-pc-linux-gnu [disabled]
> ccache version 4.5.1 [disabled]
> app-misc/pax-utils:        1.3.3::gentoo
> app-shells/bash:           5.1_p8::gentoo
> dev-lang/perl:             5.34.0-r6::gentoo
> dev-lang/python:           3.9.9-r1::gentoo, 3.10.0_p1-r1::gentoo
> dev-lang/rust:             1.58.1::gentoo
> dev-util/ccache:           4.5.1::gentoo
> dev-util/cmake:            3.21.4::gentoo
> dev-util/meson:            0.60.3::gentoo
> sys-apps/baselayout:       2.7-r3::gentoo
> sys-apps/sandbox:          2.25::gentoo
> sys-apps/systemd:          249.9::gentoo
> sys-devel/autoconf:        2.13-r1::gentoo, 2.71-r1::gentoo
> sys-devel/automake:        1.16.4::gentoo
> sys-devel/binutils:        2.37_p1::gentoo
> sys-devel/binutils-config: 5.4::gentoo
> sys-devel/gcc:             11.2.0::gentoo
> sys-devel/gcc-config:      2.5-r1::gentoo
> sys-devel/libtool:         2.4.6-r6::gentoo
> sys-devel/llvm:            13.0.0::gentoo
> sys-devel/make:            4.3::gentoo
> sys-kernel/linux-headers:  5.15-r3::gentoo (virtual/os-headers)
> sys-libs/glibc:            2.33-r7::gentoo
> Repositories:
>
> gentoo
>     location: /var/db/repos/gentoo
>     sync-type: git
>     sync-uri: git://anongit.gentoo.org/repo/sync/gentoo.git
>     priority: -1000
>
> jonesmz-public-overlay
>     location: /var/db/repos/jonesmz-public-overlay
>     sync-type: git
>     sync-uri: https://github.com/jonesmz/gentoo-overlay.git
>     masters: gentoo
>
> lto-overlay
>     location: /var/db/repos/lto-overlay
>     sync-type: git
>     sync-uri: https://github.com/InBetweenNames/gentooLTO.git
>     masters: gentoo mv
>
> mv
>     location: /var/db/repos/mv
>     sync-type: git
>     sync-uri: https://anongit.gentoo.org/git/user/mv.git
>     masters: gentoo
>
> wsdd
>     location: /var/db/repos/wsdd-gentoo
>     sync-type: git
>     sync-uri: https://github.com/christgau/wsdd-gentoo
>     masters: gentoo
>
> Installed sets: @pc-base-system, @portage
> ACCEPT_KEYWORDS="amd64"
> ACCEPT_LICENSE="@FREE"
> CBUILD="x86_64-pc-linux-gnu"
> CFLAGS="-O3 -fgraphite-identity -floop-nest-optimize
> -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1
> -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe"
> CHOST="x86_64-pc-linux-gnu"
> CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
> CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf
> /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
> CXXFLAGS="-O2 -pipe -O3 -fgraphite-identity -floop-nest-optimize
> -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1
> -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe"
> DISTDIR="/var/cache/distfiles"
> EMERGE_DEFAULT_OPTS=" --jobs --keep-going --newuse --changed-deps --deep
> --tree --backtrack=3000 --complete-graph --with-bdeps=y
> --binpkg-respect-use=y --binpkg-changed-deps=y --changed-slot=y --usepkg=y
> --usepkg"
> ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH
> PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY
> XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
> FCFLAGS="-O2 -pipe"
> FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs
> binpkg-multi-instance buildpkg buildpkg-live clean-logs compress-build-logs
> compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles
> installsources ipc-sandbox merge-sync multilib-strict network-sandbox news
> parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned
> qa-unresolved-soname-deps sandbox sfperms split-elog split-log splitdebug
> strict unknown-features-warn unmerge-logs unmerge-orphans userfetch
> userpriv usersandbox usersync xattr"
> FFLAGS="-O2 -pipe"
> GENTOO_MIRRORS="http://distfiles.gentoo.org"
> LANG="en_US.utf8"
> LDFLAGS="-Wl,-O1 -Wl,--as-needed"
> LINGUAS="en en_US"
> MAKEOPTS="-j1"
> PKGDIR="/var/cache/binpkgs"
> PORTAGE_COMPRESS="xz"
> PORTAGE_CONFIGROOT="/"
> PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times
> --omit-dir-times --compress --force --whole-file --delete --stats
> --human-readable --timeout=180 --exclude=/distfiles --exclude=/local
> --exclude=/packages --exclude=/.git"
> PORTAGE_TMPDIR="/var/tmp"
> SHELL="/bin/sh"
> USE="acl amd64 bzip2 crypt hardened iconv ipv6 libglvnd libtirpc multilib
> ncurses nls nptl openmp pam pcre pie readline seccomp split-usr ssl ssp
> systemd udev unicode xattr xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2020"
> APACHE2_MODULES="authn_core authz_core authz_host dir mime unixd
> socache_shmcb info log_config" CALLIGRA_FEATURES="karbon sheets words"
> COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
> CPU_FLAGS_X86="mmx sse sse2 mmxext" ELIBC="glibc" GPSD_PROTOCOLS="ashtech
> aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax
> mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3
> sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx"
> GRUB_PLATFORMS="coreboot efi-64 emu qemu pc" INPUT_DEVICES="libinput"
> KERNEL="linux" L10N="en en-US" LCD_DEVICES="bayrad cfontz cfontz633 glk
> hd44780 lb216 lcdm001 mtxorb ncurses text"
> LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
> LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1"
> OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-4 php8-0"
> POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3_9"
> PYTHON_TARGETS="python3_9" QEMU_SOFTMMU_TARGETS="arm aarch64 x86_64"
> QEMU_USER_TARGETS="arm aarch64 x86_64" RUBY_TARGETS="ruby26 ruby27"
> USERLAND="GNU" VIDEO_CARDS="r600 radeon radeonsi amdgpu vesa modesetting
> fbdev qxl" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options
> ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat
> logmark ipmark dhcpmac delude chaos account"
> Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP,
> CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EXTRA_ECONF, F77FLAGS, FC, GCOV,
> GPROF, INSTALL_MASK, LC_ALL, LD, LEX, LFLAGS, LIBTOOL, MAKE, MAKEFLAGS, NM,
> OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND,
> PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF,
> RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS
>
> =================================================================
>                         Package Settings
> =================================================================
>
> net-fs/samba-4.15.3-r1::gentoo was built with the following:
> USE="acl addc ads client json ldap pam python regedit snapper systemd
> winbind -ceph -cluster -cups -debug (-dmapi) (-fam) -glusterfs -gpg -iprint
> -profiling-data -quota (-selinux) -spotlight -syslog (-system-heimdal)
> -system-mitkrb5 (-test) -zeroconf" ABI_X86="(64) -32 (-x32)"
> CPU_FLAGS_X86="-aes" PYTHON_SINGLE_TARGET="python3_9 -python3_10 -python3_8"
> CFLAGS="-O3 -fgraphite-identity -floop-nest-optimize
> -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1
> -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe -Wl,-O1
> -Wl,--as-needed"
> CXXFLAGS="-O2 -pipe -O3 -fgraphite-identity -floop-nest-optimize
> -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1
> -fuse-linker-plugin -march=x86-64 -mtune=generic -pipe -Wl,-O1
> -Wl,--as-needed"
> FEATURES="binpkg-multi-instance compress-build-logs xattr sandbox
> multilib-strict ipc-sandbox assume-digests binpkg-logs strict usersync
> userpriv preserve-libs binpkg-dostrip parallel-fetch
> qa-unresolved-soname-deps split-log buildpkg-live installsources
> compressdebug ebuild-locks userfetch config-protect-if-modified split-elog
> news buildpkg unmerge-logs splitdebug protect-owned unknown-features-warn
> clean-logs usersandbox network-sandbox binpkg-docompress unmerge-orphans
> pid-sandbox merge-sync sfperms distlocks fixlafiles parallel-install"
> LDFLAGS="-Wl,-O1 -Wl,--as-needed -O3 -fgraphite-identity
> -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta
> -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64
> -mtune=generic -pipe -O2"
>
>
> dc1 ~ # cat /etc/samba/user.map
> # $Id$
>
> # Syntax:
> #   Unix_name = SMB_name1 SMB_name2 ...
>
> root    = NETWORK-1\administrator
>
>
>
>
>  dc1 ~ # cat /etc/samba/smb.conf
>
> [global]
> server role                = active directory domain controller
> allow dns updates        = nonsecure
> dns forwarder                = 10.0.0.1 8.8.8.8 8.8.4.4
> idmap_ldb:use rfc2307        = yes
>
> workgroup                = NETWORK-1
> realm                        = NETWORK-1.NET
>
> ##
> # If LOCAL isn't specified, then the local unix domain socket for RPC stops
> working, and breaks things.
> # Disabled while debugging
> ##
> #hosts allow                = 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
> 127.0.0.0/8 fe80::/10 fd00::/8 ::1 LOCAL
>
> log level                = 2 dns:2 auth:2 vfs:2
>
>         nsupdate command                = /usr/bin/nsupdate -g -L10
>
> # server min protocol        = SMB3
> # client min protocol        = SMB3
>
> ##
> # Hack hack hack
> # This allows freeradius winbind auth to work
> ##
> ntlm auth = yes
>
> username map                = /etc/samba/user.map
> create mask                = 0666
> directory mask                = 0777
>
> allow trusted domains        = no
> template shell                = /bin/bash
> template homedir        = /home/%U
>
> winbind use default domain = yes
> winbind enum users        = yes
> winbind enum groups        = yes
> winbind nested groups        = yes
>
> [sysvol]
> path                        = /var/lib/samba/sysvol
> read only                = no
>
> [netlogon]
> path                        = /var/lib/samba/sysvol/network-1.net/scripts
> read only                = no
>
>
> dc1 ~ # cat /etc/krb5.conf
> [libdefaults]
> default_realm = NETWORK-1.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> dc1 ~ # cat /var/lib/samba/private/krb5.conf
> [libdefaults]
> default_realm = NETWORK-1.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
>
>
> What's in smb.conf and krb5.conf
>>
>>
>> Key type 3 is DES_CBC_MD5  to give a hint.
>>
>
> Is this something that would have changed in the samba codebase since
> roughly 2017?
>
>
>
>>
>> We do need more info on this to help better.
>>
>>
>> Greetz,
>>
>> Louis
>>
>
>
> Thank you for the assistance.
>
>
>
>>
>> > -----Oorspronkelijk bericht-----
>> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>> > Michael Jones via samba
>> > Verzonden: vrijdag 28 januari 2022 10:15
>> > Aan: sambalist
>> > Onderwerp: [Samba] nsupdate failed: GSSAPI error: A token had
>> > an invalid message integrity check
>> >
>> > I'm troubleshooting why I'm getting
>> >
>> > > 28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error:
>> > Major = A token
>> > had an invalid Message Integrity Check (MIC), Minor = Success.
>> >
>> > when running
>> >
>> > > samba_dnsupdate --verbose --all-names
>> >
>> > As the root user on my domain controller.
>> >
>> > Had to crank the debugging options up to get the actual error (quoted
>> > above).
>> >
>> > > samba_dnsupdate --verbose --all-names --debuglevel=10 --verbose
>> >
>> > with
>> >
>> > > nsupdate command = /usr/bin/nsupdate -g -L10
>> >
>> > in my smb.conf
>> >
>> > There's no information about this in google, that I can tell.
>> > And the error
>> > messages aren't giving me much to go on.
>> >
>> > This domain controller has been running since at least 2017,
>> > and upgraded
>> > regularly as my linux distro updates samba. So it's plausible that I'm
>> > running into a problem caused by an earlier version of samba
>> > that is only
>> > manifesting now.
>> >
>> > Any advice?
>> >
>> >
>> >
>> >
>> > Truncated command output follows immediately, followed by
>> > example snippets
>> > out of /var/log/samba.
>> >
>> > update(nsupdate): SRV _ldap._tcp.ForestDnsZones.network-1.net
>> > dc1.network-1.net 389
>> > Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.network-1.net
>> > dc1.network-1.net 389 (add)
>> > Starting GENSEC mechanism gssapi_krb5_sasl
>> > GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35989 secs
>> > gensec_update_send: gssapi_krb5_sasl[0x564b018d5f80]: subreq:
>> > 0x564b015950e0
>> > gensec_update_done: gssapi_krb5_sasl[0x564b018d5f80]:
>> > NT_STATUS_MORE_PROCESSING_REQUIRED
>> > tevent_req[0x564b015950e0/../../source4/auth/gensec/gensec_gss
>> > api.c:1057]:
>> > state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state
>> > (0x564b015952a0)] timer[(nil)]
>> > finish[../../source4/auth/gensec/gensec_gssapi.c:1068]
>> > Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
>> > 28-Jan-2022 09:02:59.885 dns_requestmgr_create
>> > 28-Jan-2022 09:02:59.885 dns_requestmgr_create: 0x7f768d8511c8
>> > Outgoing update query:
>> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> > ;; UPDATE SECTION:
>> > _ldap._tcp.ForestDnsZones.network-1.net. 900 INSRV 0 100 389
>> > dc1.network-1.net.
>> >
>> > 28-Jan-2022 09:02:59.895 dns_request_createvia
>> > 28-Jan-2022 09:02:59.895 request_render
>> > 28-Jan-2022 09:02:59.905 requestmgr_attach: 0x7f768d8511c8:
>> > eref 1 iref 1
>> > 28-Jan-2022 09:02:59.905 mgr_gethash
>> > 28-Jan-2022 09:02:59.905 req_send: request 0x7f768d857610
>> > 28-Jan-2022 09:02:59.905 dns_request_createvia: request 0x7f768d857610
>> > 28-Jan-2022 09:02:59.905 req_senddone: request 0x7f768d857610
>> > 28-Jan-2022 09:02:59.905 req_response: request 0x7f768d857610: success
>> > 28-Jan-2022 09:02:59.905 req_cancel: request 0x7f768d857610
>> > 28-Jan-2022 09:02:59.905 req_sendevent: request 0x7f768d857610
>> > 28-Jan-2022 09:02:59.905 dns_request_getresponse: request
>> > 0x7f768d857610
>> > 28-Jan-2022 09:02:59.915 dns_request_createvia
>> > 28-Jan-2022 09:02:59.915 request_render
>> > 28-Jan-2022 09:02:59.915 requestmgr_attach: 0x7f768d8511c8:
>> > eref 1 iref 2
>> > 28-Jan-2022 09:02:59.915 mgr_gethash
>> > 28-Jan-2022 09:02:59.915 dns_request_createvia: request 0x7f768d857790
>> > 28-Jan-2022 09:02:59.915 dns_request_destroy: request 0x7f768d857610
>> > 28-Jan-2022 09:02:59.915 req_destroy: request 0x7f768d857610
>> > 28-Jan-2022 09:02:59.915 requestmgr_detach: 0x7f768d8511c8:
>> > eref 1 iref 1
>> > 28-Jan-2022 09:02:59.915 req_connected: request 0x7f768d857790
>> > 28-Jan-2022 09:02:59.915 req_send: request 0x7f768d857790
>> > 28-Jan-2022 09:02:59.915 req_senddone: request 0x7f768d857790
>> > 28-Jan-2022 09:02:59.965 req_response: request 0x7f768d857790: success
>> > 28-Jan-2022 09:02:59.965 req_cancel: request 0x7f768d857790
>> > 28-Jan-2022 09:02:59.965 req_sendevent: request 0x7f768d857790
>> > 28-Jan-2022 09:02:59.965 dns_request_getresponse: request
>> > 0x7f768d857790
>> > 28-Jan-2022 09:02:59.965 dns_request_createvia
>> > 28-Jan-2022 09:02:59.965 request_render
>> > 28-Jan-2022 09:02:59.965 requestmgr_attach: 0x7f768d8511c8:
>> > eref 1 iref 2
>> > 28-Jan-2022 09:02:59.965 mgr_gethash
>> > 28-Jan-2022 09:02:59.965 dns_request_createvia: request 0x7f768d857610
>> > 28-Jan-2022 09:02:59.965 dns_request_destroy: request 0x7f768d857790
>> > 28-Jan-2022 09:02:59.965 req_destroy: request 0x7f768d857790
>> > 28-Jan-2022 09:02:59.965 requestmgr_detach: 0x7f768d8511c8:
>> > eref 1 iref 1
>> > 28-Jan-2022 09:02:59.965 req_connected: request 0x7f768d857610
>> > 28-Jan-2022 09:02:59.965 req_send: request 0x7f768d857610
>> > 28-Jan-2022 09:02:59.965 req_senddone: request 0x7f768d857610
>> > 28-Jan-2022 09:03:00.005 req_response: request 0x7f768d857610: success
>> > 28-Jan-2022 09:03:00.005 req_cancel: request 0x7f768d857610
>> > 28-Jan-2022 09:03:00.005 req_sendevent: request 0x7f768d857610
>> > 28-Jan-2022 09:03:00.005 dns_request_getresponse: request
>> > 0x7f768d857610
>> > 28-Jan-2022 09:03:00.005 GSS verify error: GSSAPI error:
>> > Major = A token
>> > had an invalid Message Integrity Check (MIC), Minor = Success.
>> > 28-Jan-2022 09:03:00.005 tsig key '4222350327.sig-dc1.network-1.net'
>> > (<null>): signature failed to verify(1)
>> > ; TSIG error with server: tsig verify failure
>> > 28-Jan-2022 09:03:00.005 dns_request_destroy: request 0x7f768d857610
>> > 28-Jan-2022 09:03:00.005 req_destroy: request 0x7f768d857610
>> > 28-Jan-2022 09:03:00.005 requestmgr_detach: 0x7f768d8511c8:
>> > eref 1 iref 0
>> > 28-Jan-2022 09:03:00.005 dns_requestmgr_shutdown: 0x7f768d8511c8
>> > 28-Jan-2022 09:03:00.005 send_shutdown_events: 0x7f768d8511c8
>> > 28-Jan-2022 09:03:00.005 dns_requestmgr_detach:
>> > 0x7f768d8511c8: eref 0 iref
>> > 0
>> > 28-Jan-2022 09:03:00.005 mgr_destroy
>> > Failed nsupdate: 2
>> > update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._
>> > sites.ForestDnsZones.network-1.net dc1.network-1.net 389
>> > Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
>> > sites.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
>> > Starting GENSEC mechanism gssapi_krb5_sasl
>> > GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35988 secs
>> > gensec_update_send: gssapi_krb5_sasl[0x564b018d5f80]: subreq:
>> > 0x564b015950e0
>> > gensec_update_done: gssapi_krb5_sasl[0x564b018d5f80]:
>> > NT_STATUS_MORE_PROCESSING_REQUIRED
>> > tevent_req[0x564b015950e0/../../source4/auth/gensec/gensec_gss
>> > api.c:1057]:
>> > state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state
>> > (0x564b015952a0)] timer[(nil)]
>> > finish[../../source4/auth/gensec/gensec_gssapi.c:1068]
>> > Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
>> > 28-Jan-2022 09:03:00.275 dns_requestmgr_create
>> > 28-Jan-2022 09:03:00.275 dns_requestmgr_create: 0x7ff91f5df1c8
>> > Outgoing update query:
>> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> > ;; UPDATE SECTION:
>> > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.netwo
>> > rk-1.net.900
>> > IN SRV 0 100 389 dc1.network-1.net.
>> >
>> > 28-Jan-2022 09:03:00.275 dns_request_createvia
>> > 28-Jan-2022 09:03:00.285 request_render
>> > 28-Jan-2022 09:03:00.285 requestmgr_attach: 0x7ff91f5df1c8:
>> > eref 1 iref 1
>> > 28-Jan-2022 09:03:00.285 mgr_gethash
>> > 28-Jan-2022 09:03:00.285 req_send: request 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.285 dns_request_createvia: request 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.285 req_senddone: request 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.285 req_response: request 0x7ff91f5e5610: success
>> > 28-Jan-2022 09:03:00.285 req_cancel: request 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.285 req_sendevent: request 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.285 dns_request_getresponse: request
>> > 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.295 dns_request_createvia
>> > 28-Jan-2022 09:03:00.295 request_render
>> > 28-Jan-2022 09:03:00.295 requestmgr_attach: 0x7ff91f5df1c8:
>> > eref 1 iref 2
>> > 28-Jan-2022 09:03:00.295 mgr_gethash
>> > 28-Jan-2022 09:03:00.295 dns_request_createvia: request 0x7ff91f5e5790
>> > 28-Jan-2022 09:03:00.295 dns_request_destroy: request 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.295 req_destroy: request 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.295 requestmgr_detach: 0x7ff91f5df1c8:
>> > eref 1 iref 1
>> > 28-Jan-2022 09:03:00.295 req_connected: request 0x7ff91f5e5790
>> > 28-Jan-2022 09:03:00.295 req_send: request 0x7ff91f5e5790
>> > 28-Jan-2022 09:03:00.305 req_senddone: request 0x7ff91f5e5790
>> > 28-Jan-2022 09:03:00.335 req_response: request 0x7ff91f5e5790: success
>> > 28-Jan-2022 09:03:00.335 req_cancel: request 0x7ff91f5e5790
>> > 28-Jan-2022 09:03:00.335 req_sendevent: request 0x7ff91f5e5790
>> > 28-Jan-2022 09:03:00.335 dns_request_getresponse: request
>> > 0x7ff91f5e5790
>> > 28-Jan-2022 09:03:00.335 dns_request_createvia
>> > 28-Jan-2022 09:03:00.335 request_render
>> > 28-Jan-2022 09:03:00.335 requestmgr_attach: 0x7ff91f5df1c8:
>> > eref 1 iref 2
>> > 28-Jan-2022 09:03:00.335 mgr_gethash
>> > 28-Jan-2022 09:03:00.335 dns_request_createvia: request 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.335 dns_request_destroy: request 0x7ff91f5e5790
>> > 28-Jan-2022 09:03:00.335 req_destroy: request 0x7ff91f5e5790
>> > 28-Jan-2022 09:03:00.335 requestmgr_detach: 0x7ff91f5df1c8:
>> > eref 1 iref 1
>> > 28-Jan-2022 09:03:00.335 req_connected: request 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.335 req_send: request 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.345 req_senddone: request 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.365 req_response: request 0x7ff91f5e5610: success
>> > 28-Jan-2022 09:03:00.365 req_cancel: request 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.365 req_sendevent: request 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.365 dns_request_getresponse: request
>> > 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.365 GSS verify error: GSSAPI error:
>> > Major = A token
>> > had an invalid Message Integrity Check (MIC), Minor = Success.
>> > 28-Jan-2022 09:03:00.365 tsig key '3433197691.sig-dc1.network-1.net'
>> > (<null>): signature failed to verify(1)
>> > ; TSIG error with server: tsig verify failure
>> > 28-Jan-2022 09:03:00.365 dns_request_destroy: request 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.365 req_destroy: request 0x7ff91f5e5610
>> > 28-Jan-2022 09:03:00.365 requestmgr_detach: 0x7ff91f5df1c8:
>> > eref 1 iref 0
>> > 28-Jan-2022 09:03:00.375 dns_requestmgr_shutdown: 0x7ff91f5df1c8
>> > 28-Jan-2022 09:03:00.375 send_shutdown_events: 0x7ff91f5df1c8
>> > 28-Jan-2022 09:03:00.375 dns_requestmgr_detach:
>> > 0x7ff91f5df1c8: eref 0 iref
>> > 0
>> > 28-Jan-2022 09:03:00.375 mgr_destroy
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > Data from /var/log/samba/
>> >
>> >
>> >
>> > [2022/01/28 03:02:57.729026,  2]
>> > ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
>> >   Got a dns update request.
>> > [2022/01/28 03:02:57.729226,  2]
>> > ../../source4/dns_server/dns_update.c:771(dns_update_allowed)
>> >   All updates allowed.
>> > [2022/01/28 03:02:57.732085,  2]
>> > ../../source4/dns_server/dns_update.c:397(handle_one_update)
>> >   Looking at record:
>> > [2022/01/28 03:02:57.732402,  2]
>> > ../../source4/dns_server/dns_update.c:398(handle_one_update)
>> > [2022/01/28 03:02:57.732479,  1]
>> > ../../librpc/ndr/ndr.c:435(ndr_print_debug)
>> >        discard_const(update): struct dns_res_rec
>> >           name                     :
>> > '_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.network-1.net'
>> >           rr_type                  : DNS_QTYPE_SRV (0x21)
>> >           rr_class                 : DNS_QCLASS_IN (0x1)
>> >           ttl                      : 0x00000384 (900)
>> >           length                   : 0x0019 (25)
>> >           rdata                    : union dns_rdata(case 0x21)
>> >           srv_record: struct dns_srv_record
>> >               priority                 : 0x0000 (0)
>> >               weight                   : 0x0064 (100)
>> >               port                     : 0x0cc4 (3268)
>> >               target                   : 'dc1.network-1.net'
>> >           unexpected               : DATA_BLOB length=0
>> > [2022/01/28 03:02:57.885790,  2]
>> > ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>> >   Unsupported keytype ignored - type 3
>> > [2022/01/28 03:02:57.888483,  2]
>> > ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>> >   Unsupported keytype ignored - type 1
>> > [2022/01/28 03:02:58.045607,  2]
>> > ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
>> >   Got a dns update request.
>> > [2022/01/28 03:02:58.045825,  2]
>> > ../../source4/dns_server/dns_update.c:771(dns_update_allowed)
>> >   All updates allowed.
>> > [2022/01/28 03:02:58.048526,  2]
>> > ../../source4/dns_server/dns_update.c:397(handle_one_update)
>> >   Looking at record:
>> > [2022/01/28 03:02:58.048741,  2]
>> > ../../source4/dns_server/dns_update.c:398(handle_one_update)
>> > [2022/01/28 03:02:58.048816,  1]
>> > ../../librpc/ndr/ndr.c:435(ndr_print_debug)
>> >        discard_const(update): struct dns_res_rec
>> >           name                     : 'DomainDnsZones.network-1.net'
>> >           rr_type                  : DNS_QTYPE_A (0x1)
>> >           rr_class                 : DNS_QCLASS_IN (0x1)
>> >           ttl                      : 0x00000384 (900)
>> >           length                   : 0x0004 (4)
>> >           rdata                    : union dns_rdata(case 0x1)
>> >           ipv4_record              : 10.0.0.3
>> >           unexpected               : DATA_BLOB length=0
>> > [2022/01/28 03:02:58.188259,  2]
>> > ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>> >   Unsupported keytype ignored - type 3
>> > [2022/01/28 03:02:58.188499,  2]
>> > ../../source4/kdc/db-glue.c:643(samba_kdc_message2entry_keys)
>> >   Unsupported keytype ignored - type 1
>> > --
>>
>






Some supplemental system information.

dc1 ~ # cat /etc/resolv.conf
# This is /run/systemd/resolve/resolv.conf managed by
man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients directly
to
# all known uplink DNS servers. This file lists all configured search
domains.
#
# Third party programs should typically not access this file directly, but
only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different
symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes
of
# operation for /etc/resolv.conf.

nameserver 10.0.0.3
nameserver redacted_ipv6_prefix::228
search network-1.net


dc1 ~ # resolvectl
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS
DNSSEC=allow-downgrade/unsupported
resolv.conf mode: uplink

Link 2 (mv-general)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS
DNSSEC=allow-downgrade/unsupported
Current DNS Server: 10.0.0.3
       DNS Servers: 10.0.0.3 redacted_ipv6_prefix::228
        DNS Domain: network-1.net


dc1 ~ # cat /etc/systemd/network/mv-general.network
[Match]
Name=mv-general
Virtualization=true

[Network]
DHCP=yes
DNSSEC=allow-downgrade
Domains=network-1.net
DNS=10.0.0.3
DNS=2601:248:557f:e47c::228
MulticastDNS=false
LLMNR=false

[DHCPv4]
UseDNS=false
UseHostname=false

[DHCPv6]
UseDNS=false
UseHostname=false

[IPv6AcceptRA]
UseDNS=false
#DHCPv6Client=false

dc1 ~ # cat /etc/hosts
##
# As a special setting *only* for dc1
# manually specify the fqdn and hostname
# for 10.0.0.3 so that we don't rely on DNS
# from the router.
##
10.0.0.3        dc1.network-1.net dc1

127.0.0.1 localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

dc1 ~ # cat /etc/hostname
dc1

dc1 ~ # ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 28889  bytes 4280105 (4.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 28889  bytes 4280105 (4.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

mv-general: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.3  netmask 255.0.0.0  broadcast 10.255.255.255
        inet6 fe80::18ae:d2ff:fe11:e8bc  prefixlen 64  scopeid 0x20<link>
        inet6 redacted_ipv6_prefix::228  prefixlen 128  scopeid 0x0<global>
        inet6 redacted_ipv6_prefix:fe11:e8bc  prefixlen 64  scopeid
0x0<global>
        ether 1a:ae:d2:11:e8:bc  txqueuelen 1000  (Ethernet)
        RX packets 226368  bytes 20037534 (19.1 MiB)
        RX errors 0  dropped 24425  overruns 0  frame 0
        TX packets 87040  bytes 14095184 (13.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

dc1 ~ # hostnamectl
 Static hostname: dc1
       Icon name: computer-container
         Chassis: container
      Machine ID: 14b050068a104f70a2dcc08d61c23d9c
         Boot ID: d89c1052cd6047d788ffa8ce233a82ca
  Virtualization: systemd-nspawn
Operating System: Gentoo/Linux
          Kernel: Linux 5.15.11-gentoo
    Architecture: x86-64

dc1 ~ # nslookup dc1.network-1.net
Server: 10.0.0.3
Address: 10.0.0.3#53

Name: dc1.network-1.net
Address: 10.0.0.3
Name: dc1.network-1.net
Address: redacted_ipv6_prefix::228
Name: dc1.network-1.net
Address: redacted_ipv6_prefix:fe11:e8bc

dc1 ~ # nslookup dc1
Server: 10.0.0.3
Address: 10.0.0.3#53

Name: dc1.network-1.net
Address: 10.0.0.3
Name: dc1.network-1.net
Address: redacted_ipv6_prefix::228
Name: dc1.network-1.net
Address: redacted_ipv6_prefix:fe11:e8bc

