[Samba] TSIG errors when updating DNS

Peter Milesson miles at atmos.eu
Sat Feb 4 15:10:25 UTC 2023

On 04.02.2023 15:41, Rowland Penny via samba wrote:
> On 04/02/2023 13:43, Peter Milesson via samba wrote:
>>> I think what is happening here is that your kerberos ticket is too 
>>> old, it still has the old keys in it.
>> How can I fix that?
> I have never had to do this, but I 'think' you need to run 
> 'chgtdcpass' on the DC, which will change the computers password.
> I have 'CC'ed Andrew on this, so do not do anything until/if he 
> replies, I would not like to steer you in the wrong direction and 
> destroy your domain.
> Rowland
Hi Rowland,

Thanks for your answer.

Just one more bit of information. If I run nslookup, the session looks 
like this on both DCs:

root@konadc3:~# nslookup
 > set type=SRV
 > _ldap._tcp.konstrukce.local
;; communications error to timed out

_ldap._tcp.konstrukce.local     service = 0 100 389 
_ldap._tcp.konstrukce.local     service = 0 100 389 

If I issue _ldap._tcp.konstrukce.local several times in a row with no, 
or a very short, delay, the communications error does not show up.

I have checked the ports, and port 53 is opened by a samba task. There 
is no other service or application grabbing the port.

Everything seems to work normally, however. If I add an A record on one 
of the DCs, it's on the other DC in a snap. Domain members also seem to 
work as they should.

I will wait until further informed.

Best regards,


