Bug 10718 - TSIG verify failure updating DNS records from domain member
Summary: TSIG verify failure updating DNS records from domain member
Status: RESOLVED DUPLICATE of bug 11520
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS server (internal) (show other bugs)
Version: 4.1.9
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Kai Blin
QA Contact: Samba QA Contact
Depends on:
Reported: 2014-07-16 12:28 UTC by Robin McCorkell
Modified: 2016-05-25 15:24 UTC (History)
4 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Robin McCorkell 2014-07-16 12:28:37 UTC
I've joined a Linux machine (tested with client Samba3 and Samba4) to a Samba4 DC, with the 'kerberos method = system keytab' option set to get a keytab (tested with 'secrets and keytab' as well). I can confirm the keytab is valid, as I can `kinit -k HOSTNAME$` then access shares, GSSAPI HTTP sites etc. However, running `nsupdate -g` fails with 'TSIG error with server: tsig verify failure' then 'update failed: SERVFAIL'.

I can prevent the SERVFAIL by setting 'allow dns updates = nonsecure', but this seems highly insecure since it allows any client to update any DNS record. This options also does not prevent the TSIG error, although the DNS update still succeeds.

This is the nsupdate query being used:

server server.example.com
update delete client in A
update add client 900 in A
Comment 1 Ralph Böhme 2016-05-25 15:24:52 UTC

*** This bug has been marked as a duplicate of bug 11520 ***