# samba-4.10.15 AD DC dynamic DNS updates fail



## byrnejb (Jul 3, 2020)

I am trying to discover hold to eliminate this error when running samba_dnsupdate


```
. . .
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  13304
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;489873631.sig-SMB4-1.brockley.harte-lyne.ca. ANY TKEY

;; ANSWER SECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TKEY    gss-tsig. 1593782418
1593782418 3 NOERROR 186
oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB
AgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvuDJDPZTRZw4t
rumU7CUM54QqUWXZEf6MQ5ZeOQhrzV8cOQAwx0mMTkLIQm+YAu4Bysim
Qn+Dfqy1qLL8mPSCes86vUp4l/Sa8a6mKjQ91+FeGqsorgsAEYrLaGXl
vSBcP+Qxi+FC1e07Iuv3LXF/ 0

;; TSIG PSEUDOSECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG    gss-tsig. 1593782418
300 28 BAQF//////8AAAAAMRP+/dHMO1zAtXPIT0vu4A== 13304 NOERROR 0

Sending update to 192.168.18.161#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  38762
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca.
900 IN    SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

;; TSIG PSEUDOSECTION:
489873631.sig-smb4-1.brockley.harte-lyne.ca. 0 ANY TSIG    gss-tsig. 1593782418
300 28 BAQE//////8AAAAAJXvohvDbm2q9Fel/zluw/w== 38762 NOERROR 0

; TSIG error with server: tsig indicates error

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  38762
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;brockley.harte-lyne.ca.        IN    SOA

;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca.
900 IN    SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

;; TSIG PSEUDOSECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG    gss-tsig. 1593782418
300 0 38762 BADSIG 0

Failed nsupdate: 2
```
On the face of it this tells me that the secret key used by samba internal dns service does not match the key used by the updating client, which is the same host.  But I have no idea how this happens with samba's internal dns.  There is no separate`rndc` program and any keys involved are automatically created and managed by samba so how it cannot sign its own keys I am at a loss to explain.  Does secure dynamic updates with samba internal dns simply not work at all?


----------

