
List:       samba
Subject:    [Samba] DNS update errors after a second DC is added to domain
From:       Roy Eastwood via samba <samba () lists ! samba ! org>
Date:       2018-02-26 21:18:31
Message-ID: 002d01d3af47$5adda3d0$1098eb70$ () gmail ! com

Hi,
I have a test system consisting of two Samba 4.7.5 DCs and a member server based
on Gentoo 4.9.76-gentoo-r1. Both servers are using SAMBA_INTERNAL DNS.

When I added the second DC to the domain, the join went OK with no errors
reported, but the log shows errors relating to DNS updates, and the SRV records
etc. for the new DC have not been created. Running samba_dnsupdate on the new
DC results in "Failed update of 26 entries", all with NOTAUTH(BADSIG) errors
(also TSIG errors, but I understand that's to be expected as the internal DNS
server doesn't support TSIG).

The log on the original DC shows these errors:

[2018/02/26 21:08:10.634806,  1]
../auth/kerberos/gssapi_helper.c:388(gssapi_check_packet)
  GSS VerifyMic failed:  A token had an invalid MIC: unknown mech-code
2529638943 for mech 1 2 840 113554 1 2 2
[2018/02/26 21:08:10.634820,  0]
../source4/auth/gensec/gensec_gssapi.c:1344(gensec_gssapi_check_packet)
  gssapi_check_packet(hdr_signing=0,sig_size=28,data=171,pdu=171) failed:
NT_STATUS_ACCESS_DENIED

Any help trying to resolve this will be appreciated,

Roy

