Bug 10718 - TSIG verify failure updating DNS records from domain member
Summary: TSIG verify failure updating DNS records from domain member
Status: RESOLVED DUPLICATE of bug 11520
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS server (internal)
Version: 4.1.9
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Kai Blin
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-16 12:28 UTC by Robin McCorkell
Modified: 2016-05-25 15:24 UTC
Description Robin McCorkell 2014-07-16 12:28:37 UTC
I've joined a Linux machine (tested with client Samba3 and Samba4) to a Samba4 DC, with the 'kerberos method = system keytab' option set to get a keytab (tested with 'secrets and keytab' as well). I can confirm the keytab is valid, as I can `kinit -k HOSTNAME$` then access shares, GSSAPI HTTP sites etc. However, running `nsupdate -g` fails with 'TSIG error with server: tsig verify failure' then 'update failed: SERVFAIL'.

I can prevent the SERVFAIL by setting 'allow dns updates = nonsecure', but this seems highly insecure since it allows any client to update any DNS record. This option also does not prevent the TSIG error, although the DNS update still succeeds.

This is the nsupdate query being used:

server server.example.com
realm EXAMPLE.COM
update delete client in A
update add client 900 in A 192.0.2.2
send
Comment 1 Ralph Böhme 2016-05-25 15:24:52 UTC

*** This bug has been marked as a duplicate of bug 11520 ***