Re: [Samba] S4 nsupdate tsig error with internal server

[steve]

On 11/05/13 12:01, Rowland Penny wrote:
On 11/05/13 09:54, steve wrote:
Hi
I know that this has been addressed before but I couldn't find a
solution. Summary: when attempting to write a dns record using
nsupdate, nothing gets written to the zone due to the error:
; TSIG error with server: tsig verify failure
Everything is working. We can login to the domain from the same client
and we have sssd sending the dyndns update requests which also produce
the same error but still send the correct IP to the server after a
change in I on the client but still nothing is written.

Test: we can't ping the client by name from the DC after the update
request is sent. The DC responds correctly as for e.g. successful
updates from xp clients.

Question, does this work against a DC with bind dlz? Any solution
meanwhile?
Thanks,
Steve

Here is the output:

 sudo nsupdate -g -d
[sudo] password for steve:
> server 192.168.1.16
> realm HH3.SITE
> update add pinoso.hh3.site 3600 A 192.168.1.100
> send
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7006
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;pinoso.hh3.site.        IN    SOA

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25384
;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;hh3.site.            IN    SOA

;; ANSWER SECTION:
hh3.site.        3600    IN    SOA    hh16.hh3.site.
hostmaster.hh3.site. 6 900 600 86400 0

Found zone name: hh3.site
The master is: hh16.hh3.site
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3099
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3768628576.sig-hh16.hh3.site.    ANY    TKEY

;; ADDITIONAL SECTION:
3768628576.sig-hh16.hh3.site. 0    ANY    TKEY    gss-tsig. 1368261695
1368261695 3 NOERROR 1244
YIIE2AYGKwYBBQUCoIIEzDCCBMigDTALBgkqhkiG9xIBAgKiggS1BIIE
sWCCBK0GCSqGSIb3EgECAgEAboIEnDCCBJigAwIBBaEDAgEOogcDBQAg
AAAAo4IDmmGCA5YwggOSoAMCAQWhChsISEgzLlNJVEWiHzAdoAMCAQGh
FjAUGwNETlMbDWhoMTYuaGgzLnNpdGWjggNcMIIDWKADAgEXoQMCAQGi
ggNKBIIDRlUabLy43CC30nH0ztt7pJM4GMIzCsGtI/fq2Cpy9+xiLCFi
s0cK6oMdAgTxXBXKHBugCAw/2Nc/Bq2hueJp+mgkO0YrNklk0KqNCHcT
xlsa2+Iysb3JAeOQKFiF3rfirW8GNP+5c7d79ZVf6vXPRXnKCQ/waxum
BJhUZkzcUZT1d34E4xIdZJBSp7vD3kFk5odFPMCehkXt/122hMAbvOKu
0QG0dI3hVhadgAN8RUDyCyAOaAcY2hwfdLnodQACSdJBc3mnw6y6UJvp
RjyaibVx8rbDY3kLE5qDPR+ttB46B1kkrRqzbFAQU9bju63Ipbb/naa+
KxoA753ImXCCpDYA/biXGu0tLz8EsWk1HoO+Ij+aqjtqNPAa4u6+qS/0
XtZTeRPzjNBs2nkleWVHwr6PRB5Lfa8W9POZwAw5+CiY1DHN7BbmYqwW
kIxTO4pFg6mrOe9IaYspfO6bVmrNS45snNJraURPEwXIwAm2O0RwBvZR
wG+W8tP04yFyI7eszyvU1IJJTwaFX8DO/abSrmIaMPvgvoTi9eDb5YYo
mqJmOQKFQkJMmSOkBkc+KIqIJXuXPVtz3ArRY6gE44Ju+1WAJvMDXopz
fIxRydSxbu1Fyd1UR0YkBqRs0KfnGAY4YnnjspfgcrQFmCTROauBidea
MkyJOaeARZZDfA/9D4b/giHEjZxDxQ8roWrv1eggaQSGqa3kILma5rB3
IZzbGmCkXz1QRPMNncxtoA+MU/63S0Ebd0ubcyqkG0fImZFFYkpTO4BS
7R/0u1E1iIb2jAkxZT6H0EtpeC/yPAYzCkgSphfT6rbpqZvET3W2q2Sp
Ig3fwlOFGWTz8GvFH8aBjSnAQkaNarTvlaxt1D0pcn3kSLhpV1SzpYMA
DL+mnSXGhCxypvVYyZ8scXf+eW0jXy/th4B6tzrocz/x9d76hWYlIzFd
Fhs78rz8yKauXn/1H2sJRldg0atYOFMTjfMAgTigLDuDOBt4YPFfArow
OYtBkA/ykZBCjlIgV5BmrqOBpNqBeeGWPRxUrXrnO3W4nebQUH3LRYie
WaEaUbeBnCR8QD1ekQJ1rKIYC8tEKK17tTiYW2YSgrlUYPPt8FvL526H
5sjZFu2kgeQwgeGgAwIBF6KB2QSB1hA7lI/olfXairjMfhodpVSAOTgu
lM1BFzb44h8+Mu5to6ZiG/ZBPC3EdXkHKiyy1Z3tzOJIA6MRtU971vNp
FVj8WCG8r+0MJNi2EpgbrSJswRcJER2TPdZt7LROdztKM30WEaSOH+5W
mVWdgrzdJnt1CnAu+Xgt9ZryB+D/ClHgoc8x9ubJqJsAGb2HkoKx5wL6
0INBenMRvUcpGBGQpwm5TTzLhWm8PzgY8fgXq0tHKupIEhKhGtWCOLa3
4KLM1vg/cpf92sL6O+4vBiFHtVzMwTBW1iE= 0

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3099
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3768628576.sig-hh16.hh3.site.    ANY    TKEY

;; ANSWER SECTION:
3768628576.sig-hh16.hh3.site. 0    ANY    TKEY    gss-tsig. 1368261695
1368261695 3 NOERROR 182
oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB
AgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrSKJ1+4+PHfd7
OARWsz4211kkiXorLDD3Q/cA99dJ3KVNpfjTza9+5jQ9cvygULCqo73Q
70a8Or+USG3q+TAaCzEUuJ/McPpmcly5fXFkY3ES5xtIXv/yp0tJXXsA
ixNl/6pt2FqLT+10SI4= 0

;; TSIG PSEUDOSECTION:
3768628576.sig-hh16.hh3.site. 0    ANY    TSIG    gss-tsig. 1368261704
300 28 BAQF//////8AAAAAFKquCK9Y5B2dtDDIUnGo8g== 3099 NOERROR 0

Sending update to 192.168.1.16#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 49895
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
pinoso.hh3.site.    3600    IN    A    192.168.1.100

;; TSIG PSEUDOSECTION:
3768628576.sig-hh16.hh3.site. 0    ANY    TSIG    gss-tsig. 1368261695
300 28 BAQE//////8AAAAACnjz67DpwRhWZSDZ2gT5HQ== 49895 NOERROR 0

; TSIG error with server: tsig verify failure

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 49895
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;hh3.site.            IN    SOA

;; UPDATE SECTION:
pinoso.hh3.site.    3600    IN    A    192.168.1.100

;; TSIG PSEUDOSECTION:
3768628576.sig-hh16.hh3.site. 0    ANY    TSIG    gss-tsig. 1368261695
300 28 BAQE//////8AAAAACnjz67DpwRhWZSDZ2gT5HQ== 49895 NOERROR 0

Hi Steve, I use a script (run by dhcp) that runs nsupdate and this
works, I can ping clients by name & ip from the server, but I am using
bind9 instead of the internal dns.

Rowland


Hi Rowland
Does your script work with the internal server? I like the idea of the 
latest sssd which does dyndns (using nsupdate) as it takes us one step 
closer toward one-config-file-for everything for Linux clients. I 
wouldn't mind switching to bind if it's the internal server which is the 
problem.
Cheers,
Steve

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba