[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check

Fri Jan 28 22:20:02 UTC 2022

On Fri, 2022-01-28 at 15:57 -0600, Michael Jones wrote:
> 
> 
> 
> > 
> > So which was your DC built with, 'Heimdal' or 'MIT' ?
> 
>  
> Those flags are specifically about overriding the krb5 library that
> the samba package carries, to force it to use whatever the system
> happens to have.
> 
> In this case, I specified neither, so it's using whatever 4.15.3
> comes with. Note that I did not package samba myself, I'm just using
> the Gentoo package for it. So if I'm understanding something about
> how Samba is distributed and Samba doesn't come with a pre-specified
> krb5 implementation, then I'm getting whatever the Gentoo packagers
> use. Given the release notes say MIT Krb5 is experimental, I assume
> it's the Heimdal implementation.

You need to find out which you are using, Heimdal or MIT.

> 
> 
> 
> Now that you've pointed out this discrepancy, I'll adjust the
> settings to see if that does any good.
> 
> However, I've been having this problem for several months, and only
> updated to 4.15 last night, whereupon the automatic dependency solver
> decided to replace the system heimdal with mit-krb5, now that samba
> is using it's built in krb5 implementation. (The depsolver solves
> deps and the depsolver wills, i suppose).

Samba has been using the builtin Heimdal since Samba 4 was released,
though there is also an experimental version that uses MIT (this
version should not be used in production).

> 
The TSIG warning line happened before that, when I knew I was using
> heimdal. So I'm skeptical that I'll see a behavior difference. But I
> do agree that having only one krb implementation is much less likely
> to have other problems.

> >Originally, I had a single shared smb.conf across all of my samba
> machines, with appropriate include = /etc/samba/smb-%L.conf configs
> for each machine.

> >This worked great at first, but has subsequently broken more and
> more
> as I've upgraded samba. The config in the email is the result of
> removing quite a lot of configuration lines that have solved some
> problem or another over the years to try to figure out where things
> are breaking on my DC. 

> 
> I've been subscribed to this mailing list for at least 5 years, and
> quite a lot of the traffic on it ultimately culminates in someone
> telling the person asking for help that their configuration is wrong
> in some way.

We do not write your smb.conf, all we can do is to point out any
errors.

> 
> Perhaps samba needs a config checker that has all these rules built
> in, instead of wasting time on the mailing list? Or even have samba
> reject configuration lines that don't apply to a domain controller,
> if it's so sensitive to these settings?

The problem with that idea, is what may be wrong in one smb.conf, is
perfectly valid in another. To get something to parse the smb.conf
based on what the server role is, would probably have to be extremely
large and entail some form of AI and mind reading capabilities :-)

Rowland