[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check

Michael Jones samba at jonesmz.com
Sat Jan 29 06:00:55 UTC 2022

On Fri, Jan 28, 2022 at 4:45 PM Michael Jones <samba at jonesmz.com> wrote:

> Thank you for the help
> On Fri, Jan 28, 2022 at 4:20 PM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>> On Fri, 2022-01-28 at 15:57 -0600, Michael Jones wrote:
>> You need to find out which you are using, Heimdal or MIT.
> It's using the version bundled with samba.  I've never attempted to
> override that, so it's always been whatever version is bundled with each
> samba release, since the DC was first installed. If that's Heimdal, then
> it's always been Heimdal.

Ok. mit-krb5 is completely purged from my system. bind-tools (nsupdate) now
uses heimdal again.

I'm getting a similar error as before, though the error message is slightly

I have very little knowledge about Kerberos or GSSAPI, so I really need
some guidance on how to investigate this further.

update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net dc1.network-1.net 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35991 secs
gensec_update_send: gssapi_krb5_sasl[0x558a610e5320]: subreq: 0x558a6061eed0
gensec_update_done: gssapi_krb5_sasl[0x558a610e5320]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0x558a6061f090)] timer[(nil)]
Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
29-Jan-2022 05:58:01.436 dns_requestmgr_create
29-Jan-2022 05:58:01.436 dns_requestmgr_create: 0x7fbbbbf831c8
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net. 900 IN SRV 0 100 389 dc1.network-1.net.

29-Jan-2022 05:58:01.446 dns_request_createvia
29-Jan-2022 05:58:01.456 request_render
29-Jan-2022 05:58:01.456 requestmgr_attach: 0x7fbbbbf831c8: eref 1 iref 1
29-Jan-2022 05:58:01.456 mgr_gethash
29-Jan-2022 05:58:01.456 req_send: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.456 dns_request_createvia: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.456 req_senddone: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.456 req_response: request 0x7fbbbbf89610: success
29-Jan-2022 05:58:01.456 req_cancel: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.456 req_sendevent: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.456 dns_request_getresponse: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.466 dns_request_createvia
29-Jan-2022 05:58:01.466 request_render
29-Jan-2022 05:58:01.466 requestmgr_attach: 0x7fbbbbf831c8: eref 1 iref 2
29-Jan-2022 05:58:01.466 mgr_gethash
29-Jan-2022 05:58:01.466 dns_request_createvia: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.466 dns_request_destroy: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.466 req_destroy: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.466 requestmgr_detach: 0x7fbbbbf831c8: eref 1 iref 1
29-Jan-2022 05:58:01.466 req_connected: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.466 req_send: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.466 req_senddone: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.496 req_response: request 0x7fbbbbf89790: success
29-Jan-2022 05:58:01.496 req_cancel: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.506 req_sendevent: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.506 dns_request_getresponse: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.506 dns_request_createvia
29-Jan-2022 05:58:01.506 request_render
29-Jan-2022 05:58:01.506 requestmgr_attach: 0x7fbbbbf831c8: eref 1 iref 2
29-Jan-2022 05:58:01.506 mgr_gethash
29-Jan-2022 05:58:01.506 dns_request_createvia: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.506 dns_request_destroy: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.506 req_destroy: request 0x7fbbbbf89790
29-Jan-2022 05:58:01.506 requestmgr_detach: 0x7fbbbbf831c8: eref 1 iref 1
29-Jan-2022 05:58:01.506 req_connected: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.506 req_send: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.506 req_senddone: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.536 req_response: request 0x7fbbbbf89610: success
29-Jan-2022 05:58:01.536 req_cancel: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.536 req_sendevent: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.536 dns_request_getresponse: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.536 GSS verify error: GSSAPI error: Major =  A token had an invalid MIC, Minor = unknown mech-code 2529638943 for mech unknown.
29-Jan-2022 05:58:01.536 tsig key '1576010161.sig-dc1.network-1.net' (<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
29-Jan-2022 05:58:01.536 dns_request_destroy: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.536 req_destroy: request 0x7fbbbbf89610
29-Jan-2022 05:58:01.536 requestmgr_detach: 0x7fbbbbf831c8: eref 1 iref 0
29-Jan-2022 05:58:01.536 dns_requestmgr_shutdown: 0x7fbbbbf831c8
29-Jan-2022 05:58:01.536 send_shutdown_events: 0x7fbbbbf831c8
29-Jan-2022 05:58:01.536 dns_requestmgr_detach: 0x7fbbbbf831c8: eref 0 iref
29-Jan-2022 05:58:01.536 mgr_destroy
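
Added example, not part of the original message and not Samba or BIND code: a small Python triage of debug output like the above, reporting how far the GSS-TSIG update got before it failed. The function name `triage`, the dictionary keys and the stage labels are this example's own; the sample log is a constructed excerpt of the output quoted in the message.

```python
import re

# Constructed sample: excerpt of the debug output in the message, with hard
# line wraps inside the GSS and TSIG messages as a mail client would add.
SAMPLE_LOG = """\
GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35991 secs
Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
29-Jan-2022 05:58:01.456 req_response: request 0x7fbbbbf89610: success
29-Jan-2022 05:58:01.496 req_response: request 0x7fbbbbf89790: success
29-Jan-2022 05:58:01.536 req_response: request 0x7fbbbbf89610: success
29-Jan-2022 05:58:01.536 GSS verify error: GSSAPI error: Major =  A token
had an invalid MIC, Minor = unknown mech-code 2529638943 for mech unknown.
29-Jan-2022 05:58:01.536 tsig key '1576010161.sig-dc1.network-1.net'
(<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
"""

# \s+ between words lets each pattern match across a wrapped line.
PATTERNS = {
    "credentials": r"GSSAPI\s+credentials\s+for\s+(\S+)\s+will\s+expire\s+in\s+(\d+)\s+secs",
    "ticket": r"Successfully\s+obtained\s+Kerberos\s+ticket\s+to\s+(\S+)\s+as\s+(\S+)",
    "gss_major": r"GSS\s+verify\s+error:\s+GSSAPI\s+error:\s+Major\s+=\s+(.*?),\s+Minor\s+=",
    "tsig_key": r"tsig\s+key\s+'([^']+)'\s+\(.*?\):\s+signature\s+failed\s+to\s+verify",
}

def triage(log_text):
    """Summarise how far the GSS-TSIG update got before it failed."""
    found = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, log_text, re.S)
        if m:
            # Collapse any wrapped whitespace inside the captured values.
            found[name] = tuple(" ".join(g.split()) for g in m.groups())
    found["ok_responses"] = len(
        re.findall(r"req_response:\s+request\s+\S+:\s+success", log_text))
    if "credentials" not in found:
        found["stage"] = "no GSSAPI credentials"
    elif "ticket" not in found:
        found["stage"] = "no service ticket"
    elif "gss_major" in found or "tsig_key" in found:
        found["stage"] = "signature verification"
    else:
        found["stage"] = "no failure logged"
    return found

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample it reports that credentials and the DNS service ticket were obtained, three requests were answered, and the failure was logged at signature verification for the named TSIG key.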
