[Samba] Unable to create GPO with rc3 and a few authentication problems

Dmitry Khromov
Oct 29, 2012, 7:10:01 PM
Hello.

I had encountered a few problems with 2 Samba 4 rc3 DCs serving a domain migrated from Windows 2003 R2. I post them all together, since they look related.

1. Unable to create or delete GPOs.
# bin/samba-tool gpo create somegpo
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com> <>
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run
self.samdb.add(m)

I'm not sure if this is a schema or authentication problem. Could someone suggest how that should be investigated?

2. Some hosts fail to update records via Samba internal DNS (Andrew, sorry for duplicating, but this is updated).
It looks like this on debug level = 5:
[2012/10/30 02:23:38, 1] ../source4/dns_server/dns_server.c:150(dns_process_send)
Failed to verify TSIG!
Hosts are Windows XP, Windows 7, Samba 3 on Linux. Some do update successfully, some can succeed some time (say, 5 hours) later, or may still fail. This is weird.
I should mention that we had some problem with the Windows 2k3 demotion - during the process it had rewritten the SOA on the (at that moment only) Samba DC and put its own hostname in the SOA's "primary NS" field. We had to fix that manually by replacing the SOA record in the corresponding LDB.
Maybe we had just missed something? Any ideas on what's wrong?

3. Some hosts may suddenly reject valid tickets for RPC calls.
Somewhat like the previous one. For example, on some non-DC host I do:
$ kinit
$ #Got a ticket for some admin user, btw MIT is used here
$ net rpc shutdown -S somehost -f -k # Samba 3's "net" command
It may succeed for some hosts, but fail with NT_LOGON_FAILURE a few hours later, before the ticket expires (and the DCs still accept this ticket for e.g. samba-tool drs showrepl). Or it may later succeed for a host it was failing for. Renewing the ticket doesn't change anything.
So, something strange for me, too. I had tried to reset some machine accounts and to rejoin some hosts. No luck.

4. Unrelated to the previous ones. Well, I'm sorry, I hadn't read the source to see if this is supposed to happen. But I'd better say that before I forget, just in case.
Try renaming some host using the Windows GUI (My Computer -> Properties) and check if CN, sAMAccountName and member for the corresponding groups are changed correctly. In my experience, only sAMAccountName is changed.
Once again, sorry if this is OK.


Thanks in advance.

--
Best regards,
Dmitry Khromov
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

fe...@epepm.cupet.cu
Oct 30, 2012, 8:20:02 AM
Something similar happens to me. But I noticed that I can create a new GPO
only with the first user the system had: administrator. None of the new
admin users I created worked, only administrator.

Best regards,
Felix.

Dmitry Khromov
Oct 30, 2012, 7:40:01 PM
> I had encountered a few problems with 2 Samba 4 rc3 DCs serving domain migrated from Windows 2003 R2. I post them altogether, since they look related.
>
> 1. Unable to create or delete GPOs.
> # bin/samba-tool gpo create somegpo
> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com> <>
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> return self.run(*args, **kwargs)
> File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run
> self.samdb.add(m)
>
> I'm not sure if this is a schema or authentication problem. Could someone suggest how should that be investigated?

It looks like in the default Windows schema only members of Domain Admins can modify cn=Policies. If one allows the "Domain Controllers" group to have rw access too, the LDAP-related error disappears. However, a sysvol FS access error is raised instead (due to the fact that machine accounts do not have write permissions on sysvol/fqdn/Policies after samba-tool ntacl sysvolreset).
So, should samba-tool really use the machine account for GPO operations?

Andrew Bartlett
Oct 30, 2012, 7:40:02 PM
On Wed, 2012-10-31 at 03:33 +0400, Dmitry Khromov wrote:
> > I had encountered a few problems with 2 Samba 4 rc3 DCs serving domain migrated from Windows 2003 R2. I post them altogether, since they look related.
> >
> > 1. Unable to create or delete GPOs.
> > # bin/samba-tool gpo create somegpo
> > ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com> <>
> > File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> > return self.run(*args, **kwargs)
> > File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run
> > self.samdb.add(m)
> >
> > I'm not sure if this is a schema or authentication problem. Could someone suggest how should that be investigated?
>
> It looks like in the default Windows schema only members of Domain Admins can modify cn=Policies. If one allows the "Domain Controllers" group to have rw access too, the LDAP-related error disappears. However, a sysvol FS access error is raised instead (due to the fact that machine accounts do not have write permissions on sysvol/fqdn/Policies after samba-tool ntacl sysvolreset).
> So, should samba-tool really use the machine account for GPO operations?

Probably not for write operations.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Dmitry Khromov
Oct 30, 2012, 7:50:02 PM
And it actually doesn't. Sorry, I'm an idiot. I forgot the -k switch, so it was falling back to machine account. Now it says NT_STATUS_INVALID_OWNER in conn.set_acl, but that's a different story.

--
Best regards,
Dmitry Khromov

Andrew Bartlett
Oct 30, 2012, 8:00:02 PM
Is this an upgrade from a Samba3 domain?

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org


Dmitry Khromov
Oct 31, 2012, 5:30:02 PM
Hello.

Samba 4 rc 3.
I had noticed a strange behavior. If a host creates a record, it won't be further updated until the record gets deleted manually. What could cause this?

Another question: how could the TTL of dynamically added records be enforced? For example, we have user-based VLAN assignment in our networks. When a Windows host boots, it authenticates with the machine account and goes to one of the "parking" VLANs. Later, when a user logs in, he gets a different VLAN and a different IP address. So, we really want other DNS servers not to cache these records for too long.
Normally, this is done by modifying the SOA record (and, as I recall, Samba's internal DNS respects TTLs in the SOA). But samba-tool can't edit SOA records, and the MMC DNS snap-in fails to do it too.

Thanks.

Kai Blin
Nov 1, 2012, 4:10:02 AM

On 2012-10-31 22:25, Dmitry Khromov wrote:

> Samba 4 rc 3. I had noticed a strange behavior. If host creates a
> record, it won't be further updated until the record gets deleted
> manually. What could cause this?

What updates are you expecting?

> Another question: how could the dynamically added record's TTL be
> enforced? For example, we have a user-based VLAN assignment in our
> networks. When Windows host boots, it authenticates with machine
> account and goes to the one of "parking" VLANs. Later, when user
> logs in, he gets a different VLAN and different IP address. So, we
> really want other DNS servers to not cache this records for too
> long. Normally, this is done by modifying SOA record (and, as I
> recall, Samba's internal DNS respects TTLs in SOA). But samba-tool
> can't edit SOA records, MMC DNS snap-in fails to do it too.

The TTL only affects caching decisions on the resolver side, so the
internal DNS actually doesn't do anything with the TTLs apart from
serving them out with the record.

Now, if your clients register their DNS records, they get to pick the
TTL of the entry themselves. This can probably be affected with a GPO
somehow, but I don't know the AD stuff enough to know where to look.

I don't think the TTL of the SOA record should affect anything apart
from how long resolvers cache the SOA record.

Cheers,
Kai
--
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/

Dmitry Khromov
Nov 1, 2012, 4:50:02 AM
Hello!
> > Samba 4 rc 3. I had noticed a strange behavior. If host creates a
> > record, it won't be further updated until the record gets deleted
> > manually. What could cause this?
>
> What updates are you expecting?

When a Windows DHCP client receives a lease or when you manually issue the ipconfig /renew command, Windows sends out DNS messages (unsigned, then signed if needed) with the UPDATE opcode towards the NS specified in the NS field of the SOA, with a new IP address for the record. I expected Samba to behave like the MS DNS server and replace the old record with a new one.

> > Another question: how could the dynamically added record's TTL be
> > enforced? For example, we have a user-based VLAN assignment in our
> > networks. When Windows host boots, it authenticates with machine
> > account and goes to the one of "parking" VLANs. Later, when user
> > logs in, he gets a different VLAN and different IP address. So, we
> > really want other DNS servers to not cache this records for too
> > long. Normally, this is done by modifying SOA record (and, as I
> > recall, Samba's internal DNS respects TTLs in SOA). But samba-tool
> > can't edit SOA records, MMC DNS snap-in fails to do it too.
>
> The TTL only affects caching decisions on the resolver side so the
> internal DNS actually doesn't do anything with the TTLs apart from
> serving them out with the record.

That's true. But you may specify an expire for the whole zone in the SOA to force other DNS servers that provide clients with cached recursion to query the upstream NS again after the zone has expired, no matter what the TTL of individual records is. That is what I need.

> Now, if your clients register their DNS records, they get to pick the
> TTL of the entry themselves. This can probably be affected with a GPO
> somehow, but I don't know the AD stuff enough to know where to look.

When I googled last time, I had seen some Microsoft guys saying it's hardcoded. I'm not sure if that's true, but it looks like it, given the fact that Windows just creates a record with a TTL of 1200 seconds, even if the DHCP server gives a 10-second lease.

> I don't think the TTL of the SOA record should affect anything apart
> from how long resolvers cache the SOA record.

And that is what I need.


As a last resort one could modify the SOA record directly via LDAP (e.g. using ldbmodify). This is the method we currently use. One needs to change the dnsRecord attribute of DC=@ for the domain in question. add: in the LDIF should appear before delete:, or Samba may become inoperable. Or just pkill samba and use ldbmodify on the .ldb directly.
http://msdn.microsoft.com/en-us/library/ee898781(prot.20).aspx describes the dnsRecord attribute data format
http://msdn.microsoft.com/en-us/library/cc448905(v=prot.20).aspx describes the SOA record format


Thank you!

--
Best regards,
Dmitry Khromov
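A worked example of the LDB route described in the message above, added here as an editor's illustration; it is not part of the original post and not Samba's own code. It decodes the dnsRecord blob of a zone's DC=@ object, rewrites the SOA expire and minimum-TTL fields, bumps the serial, and emits the LDIF for ldbmodify with the add: change before the delete:, as the post advises. The byte layout follows my reading of the two MSDN pages linked above and of Samba's dnsp.idl (a DNS_RPC_RECORD header whose TTL is the one network-byte-order field, then five network-order SOA counters and two DNS_COUNT_NAMEs); the zone DN, the host names and the sample blob are constructed for the example, not taken from the poster's domain, and the DN assumes the zone lives in the DomainDnsZones partition.

```python
"""Decode / re-encode a SOA stored in the AD dnsRecord attribute (MS-DNSP
DNS_RPC_RECORD) so that zone expire and minimum TTL can be changed via ldbmodify.
Field layout per MS-DNSP and Samba's dnsp.idl as I read them; verify on a blob
dumped from your own zone before writing anything back."""
import base64
import struct

DNS_TYPE_SOA = 6
DNS_RANK_ZONE = 0xF0          # record is authoritative data of the zone
RECORD_VERSION = 5
HEADER = "<HHBBHI"            # wDataLength, wType, version, rank, flags, dwSerial
# dwTtlSeconds (offset 12) is big-endian in the otherwise little-endian header
TRAILER = "<II"               # dwReserved, dwTimeStamp (0 = static record)


def encode_count_name(name):
    """DNS_COUNT_NAME: Length, LabelCount, then length-prefixed labels and a 0 byte."""
    labels = name.rstrip(".").split(".")
    raw = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def decode_count_name(buf, off):
    length, count = buf[off], buf[off + 1]
    off += 2
    end = off + length
    labels = []
    for _ in range(count):
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    if buf[off] != 0 or off + 1 != end:
        raise ValueError("DNS_COUNT_NAME does not match the assumed layout")
    return ".".join(labels) + ".", end


def encode_soa(soa):
    """soa: dict with serial, refresh, retry, expire, minimum, mname, rname, ttl."""
    data = struct.pack(">IIIII", soa["serial"], soa["refresh"], soa["retry"],
                       soa["expire"], soa["minimum"])
    data += encode_count_name(soa["mname"]) + encode_count_name(soa["rname"])
    head = struct.pack(HEADER, len(data), DNS_TYPE_SOA, RECORD_VERSION,
                       DNS_RANK_ZONE, 0, soa["serial"])
    return head + struct.pack(">I", soa["ttl"]) + struct.pack(TRAILER, 0, 0) + data


def decode_soa(blob):
    dlen, rtype, version, rank, flags, serial = struct.unpack_from(HEADER, blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)
    if rtype != DNS_TYPE_SOA or len(blob) != 24 + dlen:
        raise ValueError("not a SOA dnsRecord, or length mismatch")
    fields = struct.unpack_from(">IIIII", blob, 24)
    mname, off = decode_count_name(blob, 44)
    rname, _ = decode_count_name(blob, off)
    keys = ("serial", "refresh", "retry", "expire", "minimum")
    return dict(zip(keys, fields), mname=mname, rname=rname, ttl=ttl)


def rewrite_soa(blob, **changes):
    """Return a new blob with the given SOA fields replaced and the serial bumped,
    since secondaries and caches only react to a serial change."""
    soa = decode_soa(blob)
    soa.update(changes)
    soa["serial"] += 1
    return encode_soa(soa)


def ldif_for(zone_dn, old_blob, new_blob):
    """LDIF for ldbmodify; the add: change goes before the delete:, as in the post."""
    def b64(b):
        return base64.b64encode(b).decode("ascii")
    return (f"dn: {zone_dn}\nchangetype: modify\n"
            f"add: dnsRecord\ndnsRecord:: {b64(new_blob)}\n-\n"
            f"delete: dnsRecord\ndnsRecord:: {b64(old_blob)}\n-\n")


# Constructed sample, not a blob from the poster's domain; the DN assumes the
# zone is stored in the DomainDnsZones partition.
ZONE_DN = ("DC=@,DC=klin.kifato-mk.com,CN=MicrosoftDNS,DC=DomainDnsZones,"
           "DC=klin,DC=kifato-mk,DC=com")
SAMPLE_SOA = dict(serial=2012110101, refresh=900, retry=600, expire=86400,
                  minimum=3600, mname="dc1.klin.kifato-mk.com.",
                  rname="hostmaster.klin.kifato-mk.com.", ttl=3600)
SAMPLE_BLOB = encode_soa(SAMPLE_SOA)

if __name__ == "__main__":
    NEW_BLOB = rewrite_soa(SAMPLE_BLOB, expire=1800, minimum=300, ttl=300)
    print(decode_soa(NEW_BLOB))
    print(ldif_for(ZONE_DN, SAMPLE_BLOB, NEW_BLOB))
```

Before trusting the encoder on a live zone, fetch the real value (assuming the post's /usr/local/samba prefix: ldbsearch -H /usr/local/samba/private/sam.ldb -b "<zone DN>" -s base '(objectClass=dnsNode)' dnsRecord), base64-decode it and check that decode_soa reproduces the SOA shown in the MMC snap-in; the decoder raises rather than guessing if the name layout differs. Stop samba and back up the partition file before applying the LDIF, as the post itself recommends.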

Dmitry Khromov
Nov 1, 2012, 5:00:01 AM
By the way, maybe an option should be added to the Samba internal DNS server that would allow forcing the TTL of individual records, since it's not tunable in Windows?
This is a feature I have missed much in the MS DNS server. In my opinion, the network administrator, not the MS DNS client alone, should have control of record TTLs.

P.S.
> When Windows DHCP client receives a lease or when you manually issue ipconfig /renew command
Sorry, not /renew, I meant /registerdns.

Thanks.

Kai Blin
Nov 1, 2012, 5:10:01 AM

On 2012-11-01 09:40, Dmitry Khromov wrote:

Hi,

> When Windows DHCP client receives a lease or when you manually
> issue ipconfig /renew command, Windows sends out DNS messages
> (unsigned, then signed if needed) with UPDATE opcode towards a NS
> specified in NS field of SOA with a new IP address for the record.
> I expected Samba to behave like MS DNS server and replace the old
> record with a new one.

Yes, that should work. If it doesn't work for you, you need to tell us
some more details about your smb.conf and maybe provide a network
capture of the failing DNS update.

> That's true. But you may specify expire for the whole zone in SOA
> to force other DNS servers that provide clients with cached
> recursion to query upstream NS again after the zone is expired, no
> matter what the TTL for individual records is - that is what I
> need.

Fair enough. Again, we probably need a network capture to see what's
going on with the DNS MMC failing to update the SOA record.

Cheers,
Kai

--
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/

Dmitry Khromov
Nov 1, 2012, 7:00:01 AM
> > I expected Samba to behave like MS DNS server and replace the old
> > record with a new one.
>
> Yes, that should work. If it doesn't work for you, you need to tell us
> some more details about your smb.conf and maybe provide a network
> capture of the failing DNS update.

# cat etc/smb.conf
# Global parameters
[global]
workgroup = MK_KLIN
realm = klin.kifato-mk.com
netbios name = DC1
interfaces = 192.168.1.24, 127.0.0.1
bind interfaces only = Yes
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
debug level = 1
wins server = 192.168.1.31
allow dns updates = secure only

[netlogon]
path = /usr/local/samba/var/locks/sysvol/klin.kifato-mk.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

A PCAP-formatted dump is attached. According to the dump, Windows just doesn't try to send a signed update after receiving TKEY. However, this host had succeeded at least once today. Rebooted it; now no updates happen, but Samba started to say:
[2012/11/01 14:32:30, 1] ../source4/dns_server/dns_server.c:150(dns_process_send)
Failed to verify TSIG!
Some background: we already had the same symptoms this week for most of our Windows hosts (and some Samba 3 based ones, too). Yesterday we had to delete the zone (it was somewhat dirty after years on Windows, e.g. MMC DNS said "Server couldn't load the zone" when you opened it on the Samba server) and rebuild it from scratch. As a side effect those TSIG-related messages had gone and records had started to update (one time, until deletion). Now it looks like nothing had actually changed.

> Again, we probably need a network capture to see what's
> going on with the DNS MMC failing to update the SOA record.

Attached (PCAP-formatted).

Thanks in advance.
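To make the exchange in these captures concrete, here is an added example (an editor's illustration, not Samba's code and not from any post in this thread) that serves both the description of the client's UPDATE earlier in the thread and the TKEY/TSIG failures discussed here. It builds the RFC 2136 UPDATE a Windows client sends for its A record (delete every A RR for the name, then add one with the client-chosen 1200 s TTL the thread mentions), signs it with a TSIG RR and then verifies it the way a server does, distinguishing an unsigned message from BADKEY, BADSIG and BADTIME. Windows actually uses GSS-TSIG (RFC 3645): the message layout and the bytes covered by the MAC are the same, but the MAC is a Kerberos GSS_GetMIC under a context set up by the TKEY exchange visible in the capture; the example uses a static hmac-sha256 key so it runs offline. The key name, host name, address and timestamp are constructed.

```python
"""RFC 2136 UPDATE + TSIG (RFC 8945) sign/verify, stdlib only. Windows uses
GSS-TSIG (RFC 3645): same layout and digest input, but the MAC is a Kerberos
GSS_GetMIC under a key negotiated by TKEY. HMAC here so it runs offline."""
import hashlib
import hmac
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
ALG = "hmac-sha256."


def encode_name(name):
    """Uncompressed, lowercased wire-format name (TSIG canonical form)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.lower().rstrip(".").split("."))
    return out + b"\x00"


def read_name(msg, off):
    """Return (name, offset past the name in place); follows compression pointers."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                     # pointer: name continues elsewhere
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif n == 0:
            return ".".join(labels) + ".", (end if end is not None else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
            off += 1 + n


def build_update(msg_id, zone, host, ip, ttl=1200):
    """Zone section, no prerequisites, two update RRs: delete every A RR of
    host (CLASS ANY, TTL 0, empty RDATA), then add the new A RR with the TTL
    the client chose (Windows: 1200 s, whatever the DHCP lease length)."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    delete = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    add = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + zone_sec + delete + add


def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC together with the unsigned message."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALG)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)


def sign(msg, keyname, key, time_signed, fudge=300):
    """Append the TSIG RR to the additional section and bump ARCOUNT."""
    mac = hmac.new(key, msg + tsig_variables(keyname, time_signed, fudge),
                   hashlib.sha256).digest()
    rdata = (encode_name(ALG)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))
    rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def verify(signed, keys, now):
    """Server side: (ok, rcode). keys maps lowercase key name (trailing dot)
    to secret. The MAC is checked before the time window, as RFC 8945 orders it."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False, "no TSIG"          # the unsigned first try; REFUSED under secure-only
    off = 12
    for _ in range(qd):                  # zone entries: name, type, class
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):    # prereq, update and additional RRs before the TSIG
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    keyname, p = read_name(signed, off)
    if struct.unpack("!H", signed[p:p + 2])[0] != TYPE_TSIG:
        return False, "last RR is not TSIG"
    alg, p = read_name(signed, p + 10)
    hi, lo, fudge, maclen = struct.unpack("!HIHH", signed[p:p + 10])
    mac = signed[p + 10:p + 10 + maclen]
    orig_id, error, otherlen = struct.unpack("!HHH", signed[p + 10 + maclen:p + 16 + maclen])
    other = signed[p + 16 + maclen:p + 16 + maclen + otherlen]
    key = keys.get(keyname)
    if key is None or alg != ALG:
        return False, "BADKEY"
    # Message as it was before signing: original ID, ARCOUNT - 1, TSIG RR removed.
    unsigned = (struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1)
                + signed[12:tsig_start])
    time_signed = (hi << 32) | lo
    expected = hmac.new(key, unsigned + tsig_variables(keyname, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


# Constructed demo data, not taken from the captures discussed in the thread.
KEYNAME = "ws01-update-key.klin.kifato-mk.com."
KEY = b"constructed-secret-not-a-real-key"
NOW = 1351728000                         # 2012-11-01 00:00:00 UTC
UPDATE = build_update(0x1234, "klin.kifato-mk.com", "ws01.klin.kifato-mk.com", "192.168.5.10")
SIGNED = sign(UPDATE, KEYNAME, KEY, NOW)
```

Two things the example makes visible that the log line alone does not: a server that prints "Failed to verify TSIG!" has already located the TSIG RR and a key, so it is on the BADSIG path (wrong key material or a message that was altered between signing and verification), not on the "no TSIG" path the unsigned first attempt takes; and the whole update before the TSIG RR, including the delete-then-add pair and the 1200 s TTL, is covered by the MAC, so nothing in it can be changed in transit without a new signature.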

Dmitry Khromov
Nov 1, 2012, 4:20:03 PM
> According to the dump, Windows just doesn't try to send a signed update after receiving TKEY. However, this host had succeeded at least once today. Rebooted it; now no updates happen, but Samba started to say:
> [2012/11/01 14:32:30, 1] ../source4/dns_server/dns_server.c:150(dns_process_send)
> Failed to verify TSIG!

Things get even more interesting. It looks like in fact there are two problems.
I have another two dumps, illustrating the original issue I was talking about. In dump 1 the host has just booted and the record from the previous boot exists. As you can see, Samba says SERVFAIL. debug level = 1 says:
[2012/11/01 23:59:44, 1] ../source4/dns_server/dns_query.c:501(handle_tkey)
Tkey handshake completed
[2012/11/01 23:59:48, 1] ../source4/dns_server/dns_update.c:672(handle_updates)
update count is 3
[2012/11/01 23:59:48, 1] ../source4/dns_server/dns_update.c:672(handle_updates)
update count is 3
[2012/11/01 23:59:48, 1] ../source4/dns_server/dns_update.c:672(handle_updates)
update count is 3
[2012/11/01 23:59:48, 1] ../source4/dns_server/dns_update.c:672(handle_updates)
update count is 3

In dump 2 I have just deleted the record. As you can see, only the first update succeeds, then SERVFAIL again.

P.S. Just in case you're surprised by the update frequency: it's what we really have in production on "parking" subnets, as a workaround for the Windows 7 DHCPINFORM on non-authoritative subnets problem.