Dynamic DNS updates with the internal DNS are not working in master and 4.7.

[2017/09/06 11:03:50.958794, 1, pid=17121, effective(0, 0), real(0, 0)] ../auth/kerberos/gssapi_helper.c:388(gssapi_check_packet)
  GSS VerifyMic failed: A token had an invalid Message Integrity Check (MIC): Success
[2017/09/06 11:03:50.958805, 0, pid=17121, effective(0, 0), real(0, 0)] ../source4/auth/gensec/gensec_gssapi.c:1344(gensec_gssapi_check_packet)
  gssapi_check_packet(hdr_signing=0,sig_size=28,data=124,pdu=124) failed: NT_STATUS_ACCESS_DENIED

Reproducer:
Provision an AD DC with internal DNS
samba_dnsupdate --verbose --all-names
How was this not picked up by the dns_tkey tests, or the samba_dnsupdate tests? What do we need to extend those tests to do?
Marking as blocking 4.7 until triaged.
I dunno. Do we run:
samba_dnsupdate --verbose --all-names
I don't think so because it looks for the current interfaces and IP addresses of it ...
I've just tried this on a Debian Stretch with a 4.7.0rc5 build, which uses Samba's Heimdal. All records were created successfully (besides the tsig verify failures).
I also get this with:
HEAD is now at 07bb954d929... VERSION: Bump version up to 4.5.0pre1
Seems like the MIC verification has been broken for quite some time, or the issue is with nsupdate, which we really should get rid of.
BTW, Bug 11520 tracks the previous failure up to 4.5.
I've tested the fixes from bug #11520. I guess it is a change in nsupdate or nsupdate is broken?
Removing the regression flag, as this clearly isn't a regression.
It's also not working in
- 4.5.14-SerNet-Ubuntu-17.trusty
- 4.6.9-SerNet-Ubuntu-12.trusty