Thamm, Russell
2016-Jan-28 06:15 UTC
[Samba] Signed Dynamic DNS Updates with Internal DNS [SEC=UNCLASSIFIED]
UNCLASSIFIED

I just installed SAMBA 4 as the PDC on a new standalone Windows network (https://wiki.samba.org/index.php/Samba4/HOWTO#Samba_AD_management). Everything appears to be working correctly except for signed dynamic updates.

Non-secure updates work fine. A, AAAA and PTR records are added to DNS when a PC joins the domain or I issue ipconfig /registerdns.

Using wireshark, I see the following when I issue "ipconfig /registerdns" (samba configured for signed updates):

An unsigned dynamic update request is rejected.
An apparently successful Tkey handshake occurs.
The client fails to request a signed dynamic update.

I interpret this as the client not being happy with the TKEY response. However, no errors are reported in the client's event log.

In the samba log I see (log level = 3):

Update not allowed for unsigned packet.
Tkey handshake completed
Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED

In the past I used Samba 4 to take over from 2003 server (https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC). Here I used bind and eventually got signed dynamic updates working.

When I compare the Tkey transaction (internal DNS vs bind), I see that the Tkey response packet for internal DNS has an additional RR.

Additional records
    1252-ms-7.1-247ed95d.4c1a5028-c4b1-11e5-f7a4-5065f335d668: type TSIG, class ANY
        Name: 1252-ms-7.1-247ed95d.4c1a5028-c4b1-11e5-f7a4-5065f335d668
        Type: TSIG (Transaction Signature) (250)
        Class: ANY (0x00ff)
        Time to live: 0
        Data length: 46
        Algorithm Name: gss-tsig
        [Expert Info (Warn/Malformed): Trying to fetch an absolute time value with length 6]
            [Trying to fetch an absolute time value with length 6]
            [Severity level: Warn]
            [Group: Malformed]
        Time Signed: Jan 1, 1970 15:39:44.000000000 ACST
        Fudge: 300
        MAC Size: 28
        MAC
        [Expert Info (Warn/Undecoded): No dissector for algorithm:gss-tsig]
            [No dissector for algorithm:gss-tsig]
            [Severity level: Warn]
            [Group: Undecoded]
        Original Id: 38945
        Error: No error (0)
        Other Len: 0

Could the apparently malformed "Time Signed" field be the problem? This is the only whiff of an error that I can detect.

I'd be grateful for any hints.

Cheers
Russell

IMPORTANT: This email remains the property of the Department of Defence and is subject to the jurisdiction of section 70 of the Crimes Act 1914. If you have received this email in error, you are requested to contact the sender and delete the email.
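As an added illustration (not part of Russell's post, and not Samba's or Wireshark's code): RFC 2845 defines the TSIG "Time Signed" field as a 48-bit unsigned count of seconds since the Unix epoch, so a 6-byte value is what the specification calls for, and "Fudge" bounds the clock skew a verifier will accept before answering BADTIME. The Python below builds a TSIG RDATA blob of the same shape as the record in the capture (gss-tsig, Fudge 300, a 28-byte MAC, Original Id 38945), parses it back field by field with length checks, and evaluates the time window. The timestamp and MAC bytes are constructed for the example; they are not the bytes from the original packet, and the helper names are this example's own.

```python
import struct
import time

# RFC 2845 TSIG RDATA layout:
#   Algorithm Name (uncompressed domain name)
#   Time Signed    (48-bit unsigned, seconds since the Unix epoch)
#   Fudge          (16-bit, permitted clock skew in seconds)
#   MAC Size       (16-bit) + MAC
#   Original ID    (16-bit)
#   Error          (16-bit; 18 = BADTIME per RFC 2845)
#   Other Len      (16-bit) + Other Data
BADTIME = 18


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Decode an uncompressed wire-format name starting at buf[off]."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not permitted in TSIG RDATA names.
            raise ValueError("compressed label in TSIG algorithm name")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off


def build_tsig_rdata(algorithm, time_signed, fudge, mac, original_id, error=0, other=b""):
    """Serialise TSIG RDATA fields (used here only to construct sample input)."""
    if not 0 <= time_signed < 1 << 48:
        raise ValueError("Time Signed must fit in 48 bits")
    return (encode_name(algorithm)
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HH", fudge, len(mac))
            + mac
            + struct.pack("!HHH", original_id, error, len(other))
            + other)


def parse_tsig_rdata(rdata):
    """Parse TSIG RDATA into a dict, validating every length as we go."""
    algorithm, off = decode_name(rdata, 0)
    if len(rdata) - off < 6 + 2 + 2:
        raise ValueError("truncated TSIG fixed fields")
    time_signed = int.from_bytes(rdata[off:off + 6], "big")   # 6 bytes, not 4 or 8
    off += 6
    fudge, mac_size = struct.unpack_from("!HH", rdata, off)
    off += 4
    mac = rdata[off:off + mac_size]
    if len(mac) != mac_size:
        raise ValueError("MAC shorter than MAC Size")
    off += mac_size
    if len(rdata) - off < 6:
        raise ValueError("truncated TSIG trailer")
    original_id, error, other_len = struct.unpack_from("!HHH", rdata, off)
    off += 6
    other = rdata[off:off + other_len]
    if len(other) != other_len:
        raise ValueError("Other Data shorter than Other Len")
    off += other_len
    if off != len(rdata):
        raise ValueError("trailing bytes after TSIG RDATA")
    return {
        "algorithm": algorithm, "time_signed": time_signed, "fudge": fudge,
        "mac_size": mac_size, "mac": mac, "original_id": original_id,
        "error": error, "other": other,
    }


def check_time_window(tsig, now=None):
    """Return 0 if Time Signed is within Fudge seconds of now, else BADTIME."""
    now = int(time.time()) if now is None else now
    return 0 if abs(now - tsig["time_signed"]) <= tsig["fudge"] else BADTIME


# Constructed sample input shaped like the record in the capture above:
# gss-tsig, Fudge 300, 28-byte MAC, Original Id 38945. The timestamp and the
# MAC bytes are made up for this example, not taken from the real packet.
SAMPLE_TIME = 1453961700          # constructed: 2016-01-28 06:15:00 UTC
SAMPLE_RDATA = build_tsig_rdata(
    "gss-tsig.", SAMPLE_TIME, 300, bytes(range(28)), 38945)

if __name__ == "__main__":
    rec = parse_tsig_rdata(SAMPLE_RDATA)
    print("Data length:", len(SAMPLE_RDATA))
    print("Time Signed:", time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(rec["time_signed"])))
    print("Window check at send time:", check_time_window(rec, now=SAMPLE_TIME))
    print("Window check 10 min later:", check_time_window(rec, now=SAMPLE_TIME + 600))
```

With this sample the encoded RDATA is 54 bytes (10 for the algorithm name, 6 for Time Signed, 2 each for Fudge and MAC Size, 28 of MAC, and 2 each for Original ID, Error and Other Len); a decoder that reads Time Signed as 4 bytes would be off by two bytes for every field that follows, which is the kind of mis-framing that produces an epoch-1970 timestamp display.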
mathias dufresne
2016-Jan-28 10:18 UTC
[Samba] Signed Dynamic DNS Updates with Internal DNS [SEC=UNCLASSIFIED]
Hi,

It's a fact that I'm lacking knowledge regarding authentication of DNS update requests, but I was (almost?) never able to make updates work with internal DNS.

I haven't looked into Windows clients pushing updates, but only played with samba_dnsupdate, which is responsible for pushing DNS updates into the Samba DB when needed.

I must have missed something, as for me samba_dnsupdate works identically when using the internal or bind-dlz DNS backend and, still for me, this can't be.

When using the Bind-dlz DNS backend, an AD user and associated keytab are created when adding a new DC with DNS service. This user and keytab are used to authenticate updates.

When switching back to internal DNS this user is deleted, and the keytab obviously becomes invalid. But, if my understanding is correct, samba_dnsupdate still uses gssapi during updates against internal DNS, but as no user exists, it fails.

This little story is to give you some hints. No more.

Greetings,

mathias

2016-01-28 7:15 GMT+01:00 Thamm, Russell <russell.thamm at dsto.defence.gov.au>:

> UNCLASSIFIED
> I just installed SAMBA 4 as the PDC on a new standalone Windows network (https://wiki.samba.org/index.php/Samba4/HOWTO#Samba_AD_management). Everything appears to be working correctly except for signed dynamic updates.
>
> Non-secure updates work fine. A, AAAA and PTR records are added to DNS when a PC joins the domain or I issue ipconfig /registerdns.
>
> Using wireshark, I see the following when I issue "ipconfig /registerdns" (samba configured for signed updates):
>
> An unsigned dynamic update request is rejected.
> An apparently successful Tkey handshake occurs.
> The client fails to request a signed dynamic update.
>
> I interpret this as the client not being happy with the TKEY response. However, no errors are reported in the client's event log.
>
> In the samba log I see (log level = 3):
>
> Update not allowed for unsigned packet.
> Tkey handshake completed
> Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED
>
> In the past I used Samba 4 to take over from 2003 server (https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC). Here I used bind and eventually got signed dynamic updates working.
>
> When I compare the Tkey transaction (internal DNS vs bind), I see that the Tkey response packet for internal DNS has an additional RR.
>
> Additional records
>     1252-ms-7.1-247ed95d.4c1a5028-c4b1-11e5-f7a4-5065f335d668: type TSIG, class ANY
>         Name: 1252-ms-7.1-247ed95d.4c1a5028-c4b1-11e5-f7a4-5065f335d668
>         Type: TSIG (Transaction Signature) (250)
>         Class: ANY (0x00ff)
>         Time to live: 0
>         Data length: 46
>         Algorithm Name: gss-tsig
>         [Expert Info (Warn/Malformed): Trying to fetch an absolute time value with length 6]
>             [Trying to fetch an absolute time value with length 6]
>             [Severity level: Warn]
>             [Group: Malformed]
>         Time Signed: Jan 1, 1970 15:39:44.000000000 ACST
>         Fudge: 300
>         MAC Size: 28
>         MAC
>         [Expert Info (Warn/Undecoded): No dissector for algorithm:gss-tsig]
>             [No dissector for algorithm:gss-tsig]
>             [Severity level: Warn]
>             [Group: Undecoded]
>         Original Id: 38945
>         Error: No error (0)
>         Other Len: 0
>
> Could the apparently malformed "Time Signed" field be the problem? This is the only whiff of an error that I can detect.
>
> I'd be grateful for any hints.
>
> Cheers
> Russell
>
> IMPORTANT: This email remains the property of the Department of Defence and is subject to the jurisdiction of section 70 of the Crimes Act 1914. If you have received this email in error, you are requested to contact the sender and delete the email.
James
2016-Jan-28 12:56 UTC
[Samba] Signed Dynamic DNS Updates with Internal DNS [SEC=UNCLASSIFIED]
On 1/28/2016 1:15 AM, Thamm, Russell wrote:
> UNCLASSIFIED
> I just installed SAMBA 4 as the PDC on a new standalone Windows network (https://wiki.samba.org/index.php/Samba4/HOWTO#Samba_AD_management). Everything appears to be working correctly except for signed dynamic updates.
>
> Non-secure updates work fine. A, AAAA and PTR records are added to DNS when a PC joins the domain or I issue ipconfig /registerdns.
>
> Using wireshark, I see the following when I issue "ipconfig /registerdns" (samba configured for signed updates):
>
> An unsigned dynamic update request is rejected.
> An apparently successful Tkey handshake occurs.
> The client fails to request a signed dynamic update.
>
> I interpret this as the client not being happy with the TKEY response. However, no errors are reported in the client's event log.
>
> In the samba log I see (log level = 3):
>
> Update not allowed for unsigned packet.
> Tkey handshake completed
> Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED
>
> In the past I used Samba 4 to take over from 2003 server (https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC). Here I used bind and eventually got signed dynamic updates working.
>
> When I compare the Tkey transaction (internal DNS vs bind), I see that the Tkey response packet for internal DNS has an additional RR.
>
> Additional records
>     1252-ms-7.1-247ed95d.4c1a5028-c4b1-11e5-f7a4-5065f335d668: type TSIG, class ANY
>         Name: 1252-ms-7.1-247ed95d.4c1a5028-c4b1-11e5-f7a4-5065f335d668
>         Type: TSIG (Transaction Signature) (250)
>         Class: ANY (0x00ff)
>         Time to live: 0
>         Data length: 46
>         Algorithm Name: gss-tsig
>         [Expert Info (Warn/Malformed): Trying to fetch an absolute time value with length 6]
>             [Trying to fetch an absolute time value with length 6]
>             [Severity level: Warn]
>             [Group: Malformed]
>         Time Signed: Jan 1, 1970 15:39:44.000000000 ACST
>         Fudge: 300
>         MAC Size: 28
>         MAC
>         [Expert Info (Warn/Undecoded): No dissector for algorithm:gss-tsig]
>             [No dissector for algorithm:gss-tsig]
>             [Severity level: Warn]
>             [Group: Undecoded]
>         Original Id: 38945
>         Error: No error (0)
>         Other Len: 0
>
> Could the apparently malformed "Time Signed" field be the problem? This is the only whiff of an error that I can detect.
>
> I'd be grateful for any hints.
>
> Cheers
> Russell
>
> IMPORTANT: This email remains the property of the Department of Defence and is subject to the jurisdiction of section 70 of the Crimes Act 1914. If you have received this email in error, you are requested to contact the sender and delete the email.

See https://bugzilla.samba.org/show_bug.cgi?id=11520 for bug.

--
-James