[Samba] TSIG errors when updating DNS

Peter Milesson miles at atmos.eu
Sat Feb 4 11:46:08 UTC 2023


Hi folks,

I get the following errors when running samba_dnsupdate --verbose 
--all-names on both my Samba AD DCs. I have cut the list, as it repeats 
the TSIG error.

The resolvconf package is not installed, each DC points to itself with 
its 172.16.10.xx in resolv.conf. The hosts file is OK on both DCs.

I have tried adding the following line to smb.conf and restarting; it does 
not help, however.

dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

I've seen this subject being brought up previously on this list, but it 
beats me why it pops up now.

OS is Debian Bullseye with backports. Samba was upgraded to 4.17.5 from 
the backports packages today on both DCs.

I would very much appreciate some help on this.

Best regards,

Peter



IPs: ['172.16.10.10']
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.konstrukce.local 
konadc2.konstrukce.local 389) as we are not a PDC
force update: A konadc2.konstrukce.local 172.16.10.10
force update: NS konstrukce.local konadc2.konstrukce.local
force update: NS _msdcs.konstrukce.local konadc2.konstrukce.local
...
...
28 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/konadc2.konstrukce.local as 
KONADC2$
update(nsupdate): A konadc2.konstrukce.local 172.16.10.10
Calling nsupdate for A konadc2.konstrukce.local 172.16.10.10 (add)
Successfully obtained Kerberos ticket to DNS/konadc2.konstrukce.local as 
KONADC2$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
konadc2.konstrukce.local. 900   IN      A       172.16.10.10

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): NS konstrukce.local konadc2.konstrukce.local
Calling nsupdate for NS konstrukce.local konadc2.konstrukce.local (add)
Successfully obtained Kerberos ticket to DNS/konadc2.konstrukce.local as 
KONADC2$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
konstrukce.local.       900     IN      NS konadc2.konstrukce.local.
...
...



