[Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check

L.P.H. van Belle belle at bazuin.nl
Mon Jan 31 08:44:55 UTC 2022


Hai, 

Sorry for the late reply, I am having (again) a death in the family.

I saw this. Not sure if it still applies 
The last lines here : 
https://marc.info/?l=samba&m=138748499227175&w=2 

Quote: 
That output
   ; TSIG error with server: tsig verify failure
is usually only seen when the internal DNS server is running.
It's a glitch, which can be ignored atm (all dyn. updates are done OK).

Based on "all dyn. updates are done OK" 

You can verify that yourself by running: samba_dnsupdate --verbose --all-names


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Michael Jones via samba
> Sent: Saturday 29 January 2022 7:01
> To: Rowland Penny
> CC: sambalist
> Subject: Re: [Samba] nsupdate failed: GSSAPI error: A token had an invalid message integrity check
> 
> On Fri, Jan 28, 2022 at 4:45 PM Michael Jones <samba at jonesmz.com> wrote:
> 
> > Thank you for the help
> >
> > On Fri, Jan 28, 2022 at 4:20 PM Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> >
> >> On Fri, 2022-01-28 at 15:57 -0600, Michael Jones wrote:
> >> You need to find out which you are using, Heimdal or MIT.
> >>
> >
> > It's using the version bundled with samba.  I've never attempted to
> > override that, so it's always been whatever version is bundled with each
> > samba release, since the DC was first installed. If that's Heimdal, then
> > it's always been Heimdal.
> >
> 
> Ok. mit-krb5 is completely purged from my system. bind-tools (nsupdate) now
> uses heimdal again.
> 
> I'm getting a similar error as before, though the error message is slightly
> different.
> 
> I have very little knowledge about kerberos or gssapi, so I really need
> some guidance on how to investigate this further.
> 
> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net dc1.network-1.net 389
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
> Starting GENSEC mechanism gssapi_krb5_sasl
> GSSAPI credentials for DC1$@NETWORK-1.NET will expire in 35991 secs
> gensec_update_send: gssapi_krb5_sasl[0x558a610e5320]: subreq: 0x558a6061eed0
> gensec_update_done: gssapi_krb5_sasl[0x558a610e5320]: NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x558a6061eed0/../../source4/auth/gensec/gensec_gssapi.c:1057]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0x558a6061f090)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1068]
> Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
> 29-Jan-2022 05:58:01.436 dns_requestmgr_create
> 29-Jan-2022 05:58:01.436 dns_requestmgr_create: 0x7fbbbbf831c8
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net. 900 IN SRV 0 100 389 dc1.network-1.net.
> 
> 29-Jan-2022 05:58:01.446 dns_request_createvia
> 29-Jan-2022 05:58:01.456 request_render
> 29-Jan-2022 05:58:01.456 requestmgr_attach: 0x7fbbbbf831c8: eref 1 iref 1
> 29-Jan-2022 05:58:01.456 mgr_gethash
> 29-Jan-2022 05:58:01.456 req_send: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.456 dns_request_createvia: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.456 req_senddone: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.456 req_response: request 0x7fbbbbf89610: success
> 29-Jan-2022 05:58:01.456 req_cancel: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.456 req_sendevent: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.456 dns_request_getresponse: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.466 dns_request_createvia
> 29-Jan-2022 05:58:01.466 request_render
> 29-Jan-2022 05:58:01.466 requestmgr_attach: 0x7fbbbbf831c8: eref 1 iref 2
> 29-Jan-2022 05:58:01.466 mgr_gethash
> 29-Jan-2022 05:58:01.466 dns_request_createvia: request 0x7fbbbbf89790
> 29-Jan-2022 05:58:01.466 dns_request_destroy: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.466 req_destroy: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.466 requestmgr_detach: 0x7fbbbbf831c8: eref 1 iref 1
> 29-Jan-2022 05:58:01.466 req_connected: request 0x7fbbbbf89790
> 29-Jan-2022 05:58:01.466 req_send: request 0x7fbbbbf89790
> 29-Jan-2022 05:58:01.466 req_senddone: request 0x7fbbbbf89790
> 29-Jan-2022 05:58:01.496 req_response: request 0x7fbbbbf89790: success
> 29-Jan-2022 05:58:01.496 req_cancel: request 0x7fbbbbf89790
> 29-Jan-2022 05:58:01.506 req_sendevent: request 0x7fbbbbf89790
> 29-Jan-2022 05:58:01.506 dns_request_getresponse: request 0x7fbbbbf89790
> 29-Jan-2022 05:58:01.506 dns_request_createvia
> 29-Jan-2022 05:58:01.506 request_render
> 29-Jan-2022 05:58:01.506 requestmgr_attach: 0x7fbbbbf831c8: eref 1 iref 2
> 29-Jan-2022 05:58:01.506 mgr_gethash
> 29-Jan-2022 05:58:01.506 dns_request_createvia: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.506 dns_request_destroy: request 0x7fbbbbf89790
> 29-Jan-2022 05:58:01.506 req_destroy: request 0x7fbbbbf89790
> 29-Jan-2022 05:58:01.506 requestmgr_detach: 0x7fbbbbf831c8: eref 1 iref 1
> 29-Jan-2022 05:58:01.506 req_connected: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.506 req_send: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.506 req_senddone: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.536 req_response: request 0x7fbbbbf89610: success
> 29-Jan-2022 05:58:01.536 req_cancel: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.536 req_sendevent: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.536 dns_request_getresponse: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.536 GSS verify error: GSSAPI error: Major =  A token had an invalid MIC, Minor = unknown mech-code 2529638943 for mech unknown.
> 29-Jan-2022 05:58:01.536 tsig key '1576010161.sig-dc1.network-1.net' (<null>): signature failed to verify(1)
> ; TSIG error with server: tsig verify failure
> 29-Jan-2022 05:58:01.536 dns_request_destroy: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.536 req_destroy: request 0x7fbbbbf89610
> 29-Jan-2022 05:58:01.536 requestmgr_detach: 0x7fbbbbf831c8: eref 1 iref 0
> 29-Jan-2022 05:58:01.536 dns_requestmgr_shutdown: 0x7fbbbbf831c8
> 29-Jan-2022 05:58:01.536 send_shutdown_events: 0x7fbbbbf831c8
> 29-Jan-2022 05:58:01.536 dns_requestmgr_detach: 0x7fbbbbf831c8: eref 0 iref 0
> 29-Jan-2022 05:58:01.536 mgr_destroy
> 
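
To follow up on the `samba_dnsupdate --verbose --all-names` suggestion above, here is an added example (not code from this thread or from Samba) that groups the verbose output per nsupdate call and lists the records whose call logged a GSS/TSIG verify failure, so each can be confirmed with a DNS lookup. The sample lines are constructed from the log quoted in this thread; the A record, its 192.0.2.10 address and the function names are assumptions.

```python
import re
import sys

# Constructed sample: lines 1-5 are taken from the log in this thread
# (unwrapped); the A record call is a made-up contrast case with no error.
SAMPLE = """\
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.network-1.net dc1.network-1.net 389 (add)
Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
29-Jan-2022 05:58:01.536 GSS verify error: GSSAPI error: Major =  A token had an invalid MIC, Minor = unknown mech-code 2529638943 for mech unknown.
29-Jan-2022 05:58:01.536 tsig key '1576010161.sig-dc1.network-1.net' (<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
Calling nsupdate for A dc1.network-1.net 192.0.2.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.network-1.net as DC1$
"""

# "Calling nsupdate for <type> <name> <data...> (<op>)", as seen in the thread.
CALL_RE = re.compile(r"^Calling nsupdate for (\S+) (\S+) (.*) \((\w+)\)$")

# Substrings of the three failure lines that appear in the quoted log.
MARKERS = {
    "gss_invalid_mic": "GSS verify error",
    "tsig_signature": "signature failed to verify",
    "tsig_verify_failure": "; TSIG error with server:",
}

def triage(text):
    """Group verbose output per nsupdate call and tag verify failures."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            rtype, name, data, op = m.groups()
            calls.append({"type": rtype, "name": name, "data": data,
                          "op": op, "errors": []})
            continue
        if not calls:
            continue  # output before the first call belongs to no record
        for tag, needle in MARKERS.items():
            if needle in line and tag not in calls[-1]["errors"]:
                calls[-1]["errors"].append(tag)
    return calls

def needs_lookup(calls):
    """Records whose nsupdate call logged at least one verify failure."""
    return [(c["name"], c["type"]) for c in calls if c["errors"]]

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, rtype in needs_lookup(triage(text)):
        print(f"verify failure logged; confirm with: host -t {rtype} {name}")
```

Pipe the real command output into the script (stdout and stderr together) to triage a full run; a record that resolves despite the logged failure matches the "all dyn. updates are done OK" case described in the quoted post.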



