[Samba] First Linux Machine Domain Join

John R. Graham john at graham-family.org
Sun Nov 17 17:30:58 UTC 2024


On 11/16/24 16:15, Rowland Penny via samba wrote:
> It isn't really required to run nmbd now, it is the NetBIOS daemon and
> isn't really used. You just need to start the smbd and winbindd daemons.

Understood. I'm working on getting Gentoo's configuration defaults changed.

>> (Note that this machine uses dhcpcd to get its IP address and the
>> contents of /etc/resolv.conf.)
> If by 'dhcpcd' you mean dhcpdc5, then I could never get that to work, I
> always removed it, but you might.

It works very well "out of the box" here; a Gentoo developer is the 
current maintainer. Then again, it's at version 10.1.0 now.

> What should work (well it does on Debian), 'hostname -s' should produce
> the computer's short hostname, 'hostname -d' should produce the DNS
> domain name, 'hostname -i' should produce the computer's IP address (but
> could possibly give 127.0.0.1), 'hostname -I' should also produce the
> IP address (but could give more)
>
All of these produce the output you've described, except for the last 
one because Gentoo's hostname (from the net-utils package) doesn't have 
an -I option.

I've been working through the Testing Dynamic DNS Updates wiki page. I'm 
getting a slew of "TSIG error with server: tsig verify failure" messages 
from that:

     ceres ~ # samba_dnsupdate --verbose --all-names --debuglevel=10
     ...
     29 DNS updates and 0 DNS deletes needed
     ldb_wrap open of secrets.ldb
     Received smb_krb5 packet of length 352
     Received smb_krb5 packet of length 285
     kinit for CERES$@SAMDOM.EXAMPLE.COM succeeded
     GENSEC backend 'gssapi_spnego' registered
     GENSEC backend 'gssapi_krb5' registered
     GENSEC backend 'gssapi_krb5_sasl' registered
     GENSEC backend 'spnego' registered
     GENSEC backend 'schannel' registered
     GENSEC backend 'ncalrpc_as_system' registered
     GENSEC backend 'sasl-EXTERNAL' registered
     GENSEC backend 'ntlmssp' registered
     GENSEC backend 'ntlmssp_resume_ccache' registered
     GENSEC backend 'http_basic' registered
     GENSEC backend 'http_ntlm' registered
     GENSEC backend 'http_negotiate' registered
     GENSEC backend 'krb5' registered
     GENSEC backend 'fake_gssapi_krb5' registered
     Starting GENSEC mechanism gssapi_krb5_sasl
     Ticket in credentials cache for CERES$@SAMDOM.EXAMPLE.COM will expire in 36000 secs
     gensec_update_send: gssapi_krb5_sasl[0x55641a320e90]: subreq: 0x5564186e3970
     gensec_update_done: gssapi_krb5_sasl[0x55641a320e90]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5564186e3970/../../source4/auth/gensec/gensec_gssapi.c:1059]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0x5564186e3b50)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1070]
     Successfully obtained Kerberos ticket to DNS/ceres.samdom.example.com as CERES$
     update(nsupdate): A ceres.samdom.example.com 192.168.123.250
     Calling nsupdate for A ceres.samdom.example.com 192.168.123.250 (add)
     Starting GENSEC mechanism gssapi_krb5_sasl
     GSSAPI credentials for CERES$@SAMDOM.EXAMPLE.COM will expire in 36000 secs
     gensec_update_send: gssapi_krb5_sasl[0x55641a320e90]: subreq: 0x5564186e3970
     gensec_update_done: gssapi_krb5_sasl[0x55641a320e90]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5564186e3970/../../source4/auth/gensec/gensec_gssapi.c:1059]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0x5564186e3b50)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1070]
     Successfully obtained Kerberos ticket to DNS/ceres.samdom.example.com as CERES$
     Outgoing update query:
     ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
     ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
     ;; UPDATE SECTION:
     ceres.samdom.example.com. 900 IN    A   192.168.123.250

     ; TSIG error with server: tsig verify failure
     Failed nsupdate: 2
     update(nsupdate): CNAME 86845c01-74f5-4851-be8d-8efa6f3580c4._msdcs.samdom.example.com ceres.samdom.example.com
     Calling nsupdate for CNAME 86845c01-74f5-4851-be8d-8efa6f3580c4._msdcs.samdom.example.com ceres.samdom.example.com (add)
     Starting GENSEC mechanism gssapi_krb5_sasl
     GSSAPI credentials for CERES$@SAMDOM.EXAMPLE.COM will expire in 36000 secs
     gensec_update_send: gssapi_krb5_sasl[0x55641a4e9840]: subreq: 0x5564186e3970
     gensec_update_done: gssapi_krb5_sasl[0x55641a4e9840]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5564186e3970/../../source4/auth/gensec/gensec_gssapi.c:1059]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0x5564186e3b50)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1070]
     Successfully obtained Kerberos ticket to DNS/ceres.samdom.example.com as CERES$
     Outgoing update query:
     ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
     ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
     ;; UPDATE SECTION:
     86845c01-74f5-4851-be8d-8efa6f3580c4._msdcs.samdom.example.com. 900 IN CNAME ceres.samdom.example.com.

     ; TSIG error with server: tsig verify failure
     ...

I saw some earlier list posts about this error but didn't see a 
definitive diagnosis.

- John
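
Added example, not part of the message above and not Samba code: a Python triage script that pairs each "Calling nsupdate for ..." line of samba_dnsupdate --verbose output with its outcome and lists the updates that got a Kerberos service ticket but were still rejected with a TSIG error. The sample log is constructed (modelled on the output quoted above; the final NS update is invented to show a success), and treating an update with no "Failed nsupdate" line as successful is an assumption.

```python
import re
from collections import Counter

# Constructed sample shaped like the output quoted above; the NS update is invented.
SAMPLE = """\
29 DNS updates and 0 DNS deletes needed
Calling nsupdate for A ceres.samdom.example.com 192.168.123.250 (add)
Successfully obtained Kerberos ticket to DNS/ceres.samdom.example.com as CERES$
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for CNAME 86845c01-74f5-4851-be8d-8efa6f3580c4._msdcs.samdom.example.com ceres.samdom.example.com (add)
Successfully obtained Kerberos ticket to DNS/ceres.samdom.example.com as CERES$
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for NS samdom.example.com ceres.samdom.example.com (add)
Successfully obtained Kerberos ticket to DNS/ceres.samdom.example.com as CERES$
"""

CALL_RE = re.compile(r"^\s*Calling nsupdate for (\S+) (\S+)(?: (.*?))? \((\w+)\)\s*$")
TICKET_RE = re.compile(r"Successfully obtained Kerberos ticket to (\S+) as (\S+)")
TSIG_RE = re.compile(r"^\s*; TSIG error with server: (.+?)\s*$")
FAIL_RE = re.compile(r"^\s*Failed nsupdate: (\d+)\s*$")

def parse_updates(text):
    """Return one dict per attempted update, in log order."""
    updates, cur = [], None
    for line in text.splitlines():
        if (m := CALL_RE.match(line)):
            cur = {"type": m[1], "name": m[2], "data": m[3] or "", "op": m[4],
                   "ticket": None, "tsig_error": None, "exit": 0}  # 0 = assumed success
            updates.append(cur)
        elif cur is None:
            continue  # preamble before the first update
        elif (m := TICKET_RE.search(line)):
            cur["ticket"] = m[1]
        elif (m := TSIG_RE.match(line)):
            cur["tsig_error"] = m[1]
        elif (m := FAIL_RE.match(line)):
            cur["exit"] = int(m[1])
    return updates

def summarize(updates):
    """Count failures and list updates rejected after a service ticket was obtained."""
    failed = [u for u in updates if u["exit"] != 0 or u["tsig_error"]]
    return {
        "attempted": len(updates),
        "failed": len(failed),
        "by_error": dict(Counter(u["tsig_error"] or f"exit {u['exit']}" for u in failed)),
        "ticket_ok_tsig_rejected": [f"{u['type']} {u['name']}" for u in failed
                                    if u["ticket"] and u["tsig_error"]],
    }

if __name__ == "__main__":
    print(summarize(parse_updates(SAMPLE)))
```

The parser expects the tool's raw output, one log record per line, not text that a mail client has re-wrapped.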

