D Grealish
2016-Aug-23 12:58 UTC
[Samba] Win 10 Pro /registerdns issue with Samba 4.3.9 / TKEY Refused SOA
Hi,

We have an issue where an existing Win 10 client is already part of the domain, however its DNS entry isn't updated,
Is this bug related? https://bugzilla.samba.org/show_bug.cgi?id=11520

please see details below

Ubuntu: 16.04.01 LTS
Samba: Version 4.3.9-Ubuntu
Samba Internal DNS

'allow dns updates = nonsecure' is not specified

>ipconfig /registerdns

Samba-Log: sudo tail -f /var/log/samba/log.samba
[2016/08/16 14:57:53.551309, 2] ../source4/dns_server/dns_update.c:773(dns_server_process_update)
  Got a dns update request.
[2016/08/16 14:57:53.551714, 2] ../source4/dns_server/dns_update.c:730(dns_update_allowed)
  Update not allowed for unsigned packet.
[2016/08/16 14:57:53.566702, 1] ../source4/dns_server/dns_query.c:523(handle_tkey)
  Tkey handshake completed
[2016/08/16 14:57:53.570610, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/08/16 14:57:53.570808, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

in the wireshark dump we see:

71 4.964295 172.16.10.5 172.20.0.39 DNS 156 Dynamic update response 0x4806 *Refused SOA *testsamba.domain.com CNAME AAAA A A 172.20.0.39

77 4.970157 172.20.0.39 172.16.10.5 DNS 448 Standard query 0x59f6 TKEY 1116-ms-7.90-49f0535.97c7139d-6398-11e6-30bf-a01d48f78dbb TKEY

80 4.978315 172.16.10.5 172.20.0.39 DNS 412 Standard query response 0x59f6 TKEY 1116-ms-7.90-49f0535.97c7139d-6398-11e6-30bf-a01d48f78dbb TKEY TSIG

Refused SOA is interesting above

Thanks in Advance

Grealish
lingpanda101 at gmail.com
2016-Aug-23 14:03 UTC
[Samba] Win 10 Pro /registerdns issue with Samba 4.3.9 / TKEY Refused SOA
On 8/23/2016 8:58 AM, D Grealish via samba wrote:
> Hi,
>
> We have an issue where an existing Win 10 client is already part of the
> domain, however its DNS entry isn't updated,
> Is this bug related? https://bugzilla.samba.org/show_bug.cgi?id=11520
>
> please see details below
>
> Ubuntu: 16.04.01 LTS
> Samba: Version 4.3.9-Ubuntu
> Samba Internal DNS
>
> 'allow dns updates = nonsecure' is not specified
>
>> ipconfig /registerdns
> Samba-Log: sudo tail -f /var/log/samba/log.samba
> [2016/08/16 14:57:53.551309, 2]
> ../source4/dns_server/dns_update.c:773(dns_server_process_update)
> Got a dns update request.
> [2016/08/16 14:57:53.551714, 2]
> ../source4/dns_server/dns_update.c:730(dns_update_allowed)
> Update not allowed for unsigned packet.
> [2016/08/16 14:57:53.566702, 1]
> ../source4/dns_server/dns_query.c:523(handle_tkey)
> Tkey handshake completed
> [2016/08/16 14:57:53.570610, 3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/08/16 14:57:53.570808, 3]
> ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[dns_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED]
>
> in the wireshark dump we see:
>
> 71 4.964295 172.16.10.5 172.20.0.39 DNS 156 Dynamic update response
> 0x4806 *Refused
> SOA *testsamba.domain.com CNAME AAAA A A 172.20.0.39
>
> 77 4.970157 172.20.0.39 172.16.10.5 DNS 448 Standard query 0x59f6 TKEY
> 1116-ms-7.90-49f0535.97c7139d-6398-11e6-30bf-a01d48f78dbb TKEY
>
> 80 4.978315 172.16.10.5 172.20.0.39 DNS 412 Standard query response 0x59f6
> TKEY 1116-ms-7.90-49f0535.97c7139d-6398-11e6-30bf-a01d48f78dbb TKEY TSIG
>
> Refused SOA is interesting above
>
> Thanks in Advance
>
> Grealish

Yes. See https://bugzilla.samba.org/show_bug.cgi?id=11520

--
-James
lingpanda101 at gmail.com
2016-Aug-23 14:13 UTC
[Samba] Win 10 Pro /registerdns issue with Samba 4.3.9 / TKEY Refused SOA
On 8/23/2016 8:58 AM, D Grealish via samba wrote:
> Hi,
>
> We have an issue where an existing Win 10 client is already part of the
> domain, however its DNS entry isn't updated,
> Is this bug related? https://bugzilla.samba.org/show_bug.cgi?id=11520
>
> please see details below
>
> Ubuntu: 16.04.01 LTS
> Samba: Version 4.3.9-Ubuntu
> Samba Internal DNS
>
> 'allow dns updates = nonsecure' is not specified
>
>> ipconfig /registerdns
> Samba-Log: sudo tail -f /var/log/samba/log.samba
> [2016/08/16 14:57:53.551309, 2]
> ../source4/dns_server/dns_update.c:773(dns_server_process_update)
> Got a dns update request.
> [2016/08/16 14:57:53.551714, 2]
> ../source4/dns_server/dns_update.c:730(dns_update_allowed)
> Update not allowed for unsigned packet.
> [2016/08/16 14:57:53.566702, 1]
> ../source4/dns_server/dns_query.c:523(handle_tkey)
> Tkey handshake completed
> [2016/08/16 14:57:53.570610, 3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/08/16 14:57:53.570808, 3]
> ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[dns_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED]
>
> in the wireshark dump we see:
>
> 71 4.964295 172.16.10.5 172.20.0.39 DNS 156 Dynamic update response
> 0x4806 *Refused
> SOA *testsamba.domain.com CNAME AAAA A A 172.20.0.39
>
> 77 4.970157 172.20.0.39 172.16.10.5 DNS 448 Standard query 0x59f6 TKEY
> 1116-ms-7.90-49f0535.97c7139d-6398-11e6-30bf-a01d48f78dbb TKEY
>
> 80 4.978315 172.16.10.5 172.20.0.39 DNS 412 Standard query response 0x59f6
> TKEY 1116-ms-7.90-49f0535.97c7139d-6398-11e6-30bf-a01d48f78dbb TKEY TSIG
>
> Refused SOA is interesting above
>
> Thanks in Advance
>
> Grealish

It's also normal to receive refused requests in Wireshark. Windows will attempt a nonsecure update followed by a secure update by default.

--
-James
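An added example, not part of the thread and not Samba code: a small parser for the log excerpt in the original post that separates the expected refusal of the unsigned update from the case reported here, where the TKEY handshake completes but no further update request is logged before the connection drops. It assumes a signed update would reach `dns_server_process_update` and be logged the same way as the unsigned one; the verdict strings are invented for this example.

```python
import re

# Log excerpt from the original post, re-wrapped as header line + message line.
SAMPLE_LOG = """\
[2016/08/16 14:57:53.551309, 2] ../source4/dns_server/dns_update.c:773(dns_server_process_update)
  Got a dns update request.
[2016/08/16 14:57:53.551714, 2] ../source4/dns_server/dns_update.c:730(dns_update_allowed)
  Update not allowed for unsigned packet.
[2016/08/16 14:57:53.566702, 1] ../source4/dns_server/dns_query.c:523(handle_tkey)
  Tkey handshake completed
[2016/08/16 14:57:53.570610, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
"""

# Header layout: [timestamp, level] source-file:line(function)
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+\S+\((?P<func>\w+)\)\s*$")

def parse_records(text):
    """Yield (timestamp, function, message) for each header/message pair."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m["ts"], m["func"], ""]
        elif current is not None:
            current[2] = (current[2] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def classify(text):
    """Heuristic verdict for one client's update attempt (assumption: see lead-in)."""
    refused_unsigned = tkey_done = update_after_tkey = False
    for _ts, func, msg in parse_records(text):
        if func == "dns_update_allowed" and "unsigned packet" in msg:
            refused_unsigned = True   # normal first step for a Windows client
        elif func == "handle_tkey" and "handshake completed" in msg:
            tkey_done = True          # GSS-TSIG key negotiated
        elif func == "dns_server_process_update" and tkey_done:
            update_after_tkey = True  # an update arrived after the handshake
    if tkey_done and not update_after_tkey:
        return "tkey-ok-no-signed-update"
    if tkey_done:
        return "signed-update-attempted"
    if refused_unsigned:
        return "unsigned-refused-no-tkey"
    return "no-update-seen"
```

Run against the posted excerpt, `classify(SAMPLE_LOG)` returns `tkey-ok-no-signed-update`, which is the pattern worth comparing against the bug report linked in the thread.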
Ralph Böhme
2016-Aug-23 14:56 UTC
[Samba] Win 10 Pro /registerdns issue with Samba 4.3.9 / TKEY Refused SOA
On Tue, Aug 23, 2016 at 02:58:55PM +0200, D Grealish via samba wrote:
> Hi,
>
> We have an issue where an existing Win 10 client is already part of the
> domain, however its DNS entry isn't updated,
> Is this bug related? https://bugzilla.samba.org/show_bug.cgi?id=11520
>
> please see details below
>
> Ubuntu: 16.04.01 LTS
> Samba: Version 4.3.9-Ubuntu
> Samba Internal DNS
>
> 'allow dns updates = nonsecure' is not specified
>
> >ipconfig /registerdns
>
> Samba-Log: sudo tail -f /var/log/samba/log.samba
> [2016/08/16 14:57:53.551309, 2]
> ../source4/dns_server/dns_update.c:773(dns_server_process_update)
> Got a dns update request.
> [2016/08/16 14:57:53.551714, 2]
> ../source4/dns_server/dns_update.c:730(dns_update_allowed)
> Update not allowed for unsigned packet.
> [2016/08/16 14:57:53.566702, 1]
> ../source4/dns_server/dns_query.c:523(handle_tkey)
> Tkey handshake completed
> [2016/08/16 14:57:53.570610, 3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/08/16 14:57:53.570808, 3]
> ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[dns_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED]
>
> in the wireshark dump we see:
>
> 71 4.964295 172.16.10.5 172.20.0.39 DNS 156 Dynamic update response
> 0x4806 *Refused
> SOA *testsamba.domain.com CNAME AAAA A A 172.20.0.39
>
> 77 4.970157 172.20.0.39 172.16.10.5 DNS 448 Standard query 0x59f6 TKEY
> 1116-ms-7.90-49f0535.97c7139d-6398-11e6-30bf-a01d48f78dbb TKEY
>
> 80 4.978315 172.16.10.5 172.20.0.39 DNS 412 Standard query response 0x59f6
> TKEY 1116-ms-7.90-49f0535.97c7139d-6398-11e6-30bf-a01d48f78dbb TKEY TSIG

can you post your full config, a level 10 debug log and a packet capture of the issue please? Thanks!

Cheerio!
-slow
Ralph Böhme
2016-Aug-23 15:06 UTC
[Samba] Win 10 Pro /registerdns issue with Samba 4.3.9 / TKEY Refused SOA
On Tue, Aug 23, 2016 at 04:56:03PM +0200, Ralph Böhme via samba wrote:
> On Tue, Aug 23, 2016 at 02:58:55PM +0200, D Grealish via samba wrote:
> > Hi,
> >
> > We have an issue where an existing Win 10 client is already part of the
> > domain, however its DNS entry isn't updated,
> > Is this bug related? https://bugzilla.samba.org/show_bug.cgi?id=11520
> >
> > please see details below
> >
> > Ubuntu: 16.04.01 LTS
> > Samba: Version 4.3.9-Ubuntu
> > Samba Internal DNS
> >
> > 'allow dns updates = nonsecure' is not specified
> >
> > >ipconfig /registerdns
> >
> > Samba-Log: sudo tail -f /var/log/samba/log.samba
> > [2016/08/16 14:57:53.551309, 2]
> > ../source4/dns_server/dns_update.c:773(dns_server_process_update)
> > Got a dns update request.
> > [2016/08/16 14:57:53.551714, 2]
> > ../source4/dns_server/dns_update.c:730(dns_update_allowed)
> > Update not allowed for unsigned packet.
> > [2016/08/16 14:57:53.566702, 1]
> > ../source4/dns_server/dns_query.c:523(handle_tkey)
> > Tkey handshake completed
> > [2016/08/16 14:57:53.570610, 3]
> > ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> > Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> > [2016/08/16 14:57:53.570808, 3]
> > ../source4/smbd/process_single.c:114(single_terminate)
> > single_terminate: reason[dns_tcp_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED]
> >
> > in the wireshark dump we see:
> >
> > 71 4.964295 172.16.10.5 172.20.0.39 DNS 156 Dynamic update response
> > 0x4806 *Refused
> > SOA *testsamba.domain.com CNAME AAAA A A 172.20.0.39
> >
> > 77 4.970157 172.20.0.39 172.16.10.5 DNS 448 Standard query 0x59f6 TKEY
> > 1116-ms-7.90-49f0535.97c7139d-6398-11e6-30bf-a01d48f78dbb TKEY
> >
> > 80 4.978315 172.16.10.5 172.20.0.39 DNS 412 Standard query response 0x59f6
> > TKEY 1116-ms-7.90-49f0535.97c7139d-6398-11e6-30bf-a01d48f78dbb TKEY TSIG
>
> can you post your full config, a level 10 debug log and a packet
> capture of the issue please? Thanks!

ah, I forgot: the real fix is only available in 4.4 and upwards, but 4.3.11 should ship a hack to make it work there as well. Alas, looks like the release notes for 4.3.11 don't mention this fix.

Cheerio!
-slow