[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check

Rowland Penny rpenny at samba.org
Fri Jan 28 21:29:22 UTC 2022

On Fri, 2022-01-28 at 15:03 -0600, Michael Jones via samba wrote:
> Thank you for the response.
> On Fri, Jan 28, 2022 at 4:16 AM L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
> > On AD-DC or Member ?
> > 
> AD-DC, phrased as "> As the root user on my domain controller." in my
> original email, though I know it was a big wall of text, so I
> probably
> would have missed that detail myself.

I waded through all of that info and one thing popped out:
(-system-heimdal) -system-mitkrb5

So which was your DC built with, 'Heimdal' or 'MIT' ?

Also your smb.conf files are borked, you do not use a user.map on a DC
and I would expect each DC smb.conf to look similar to this:

    server role = active directory domain controller
    allow dns updates = nonsecure
    dns forwarder =
    idmap_ldb:use rfc2307 = yes
    workgroup = NETWORK-1
    realm = NETWORK-1.NET
    log level = 2 dns:2 auth:2 vfs:2
    ntlm auth = yes
    template shell = /bin/bash
    template homedir = /home/%U

    path = /var/lib/samba/sysvol
    read only = no

    path = /var/lib/samba/sysvol/network-1.net/scripts
    read only = no

More information about the samba mailing list