Aaron C. de Bruyn
2023-Nov-06 18:02 UTC
[Samba] DNS: Update not allowed for unsigned packet
DNS is suddenly not working properly for some machines.

We had a bunch of machines that were joined to the domain, but the computer name was wrong.

To fix this, we unjoined the machines and deleted the computer accounts out of Samba (because renames while joined will leave LDAP attributes with the previous machine name and there will be connectivity problems for some reason), and we deleted them out of DNS (dnsmgmt.msc) so there were no mismatched SIDs.

Then we renamed and restarted the machines (all Windows 11 Pro), then we joined them back to the domain.

Now most of them aren't able to register themselves with DNS (ipconfig /registerdns):

[2023/11/06 09:55:39.585469,  2] ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
  Got a dns update request.
[2023/11/06 09:55:39.585579,  2] ../../source4/dns_server/dns_update.c:781(dns_update_allowed)
  Update not allowed for unsigned packet.
[2023/11/06 09:55:39.585965,  2] ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
  Got a dns update request.
[2023/11/06 09:55:39.586254,  2] ../../source4/dns_server/dns_update.c:397(handle_one_update)
  Looking at record:
[2023/11/06 09:55:39.586268,  1] ../../source4/dns_server/dns_update.c:399(handle_one_update)
  discard_const(update): struct dns_res_rec
      name                     : 'USSIF1DOFC07.--redacted--'
      rr_type                  : DNS_QTYPE_AAAA (0x1C)
      rr_class                 : DNS_QCLASS_ANY (0xFF)
      ttl                      : 0x00000000 (0)
      length                   : 0x0000 (0)
      rdata                    : union dns_rdata(case 0x1C)
      ipv6_record              : (null)
      unexpected               : DATA_BLOB length=0
[2023/11/06 09:55:39.586693,  2] ../../source4/dns_server/dns_update.c:397(handle_one_update)
  Looking at record:
[2023/11/06 09:55:39.586709,  1] ../../source4/dns_server/dns_update.c:399(handle_one_update)
  discard_const(update): struct dns_res_rec
      name                     : 'USSIF1DOFC07.--redacted--'
      rr_type                  : DNS_QTYPE_A (0x1)
      rr_class                 : DNS_QCLASS_ANY (0xFF)
      ttl                      : 0x00000000 (0)
      length                   : 0x0000 (0)
      rdata                    : union dns_rdata(case 0x1)
      ipv4_record              : (null)
      unexpected               : DATA_BLOB length=0
[2023/11/06 09:55:39.587107,  2] ../../source4/dns_server/dns_update.c:397(handle_one_update)
  Looking at record:
[2023/11/06 09:55:39.587130,  1] ../../source4/dns_server/dns_update.c:399(handle_one_update)
  discard_const(update): struct dns_res_rec
      name                     : 'USSIF1DOFC07.--redacted--'
      rr_type                  : DNS_QTYPE_A (0x1)
      rr_class                 : DNS_QCLASS_IN (0x1)
      ttl                      : 0x000004b0 (1200)
      length                   : 0x0004 (4)
      rdata                    : union dns_rdata(case 0x1)
      ipv4_record              : 10.142.14.136
      unexpected               : DATA_BLOB length=0
[2023/11/06 09:55:39.601377,  2] ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
  Got a dns update request.
[2023/11/06 09:55:39.601524,  2] ../../source4/dns_server/dns_update.c:781(dns_update_allowed)
  Update not allowed for unsigned packet.
[2023/11/06 09:55:39.603329,  2] ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
  Got a dns update request.
[2023/11/06 09:55:39.603610,  2] ../../source4/dns_server/dns_update.c:397(handle_one_update)
  Looking at record:

I've been digging around, and all the machines appear to be joined properly and working fine. They can authenticate, connect to shares, etc. nltest /sc_query:domain.tld returns success.

Anyone have thoughts on what I might have missed?

Thanks,

-A
On Mon, 2023-11-06 at 10:02 -0800, Aaron C. de Bruyn via samba wrote:
> DNS is suddenly not working properly for some machines.
>
> We had a bunch of machines that were joined to the domain, but the
> computer name was wrong.
>
> To fix this, we unjoined the machines and deleted the computer accounts
> out of Samba (because renames while joined will leave LDAP attributes
> with the previous machine name and there will be connectivity problems
> for some reason), and we deleted them out of DNS (dnsmgmt.msc) so there
> were no mismatched SIDs.
>
> Then we renamed and restarted the machines (All Windows 11 Pro), then we
> joined them back to the domain.

The unsigned packet is a red herring; all first DNS updates are unsigned, and a signed one comes after the DC disallows it.

The issue is that you deleted accounts, but did not clean out DNS, so the old name is still owned by the old account (now gone), so the update fails due to simple permissions (DNS is secured on a first-to-claim basis).

Clean out your DNS records and it should work.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead                 https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
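As an added example (not from this thread and not part of Samba), a small Python triage helper that groups dns_update.c level-2 debug output into update attempts, so the expected unsigned refusals Andrew describes can be counted separately from the updates that actually reached record handling. The embedded log is a constructed sample in the same shape as the output above; the host and zone names are placeholders.

```python
import re

# Constructed sample modelled on Samba's dns_update.c debug output (log level 2).
SAMPLE_LOG = """\
[2023/11/06 09:55:39.585469,  2] ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
  Got a dns update request.
[2023/11/06 09:55:39.585579,  2] ../../source4/dns_server/dns_update.c:781(dns_update_allowed)
  Update not allowed for unsigned packet.
[2023/11/06 09:55:39.585965,  2] ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
  Got a dns update request.
[2023/11/06 09:55:39.586268,  1] ../../source4/dns_server/dns_update.c:399(handle_one_update)
  discard_const(update): struct dns_res_rec
      name                     : 'HOST01.example.internal'
      rr_type                  : DNS_QTYPE_A (0x1)
      ipv4_record              : 10.0.0.5
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} [\d:.]+),\s*(\d+)\]")
FIELD_RE = re.compile(r"^\s+(name|rr_type|rr_class|ipv4_record|ipv6_record)\s+:\s+(.*)$")

def parse_update_attempts(log_text):
    # One attempt per "Got a dns update request."; later messages attach to it.
    attempts, last_ts = [], None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            last_ts = m.group(1)        # timestamp belongs to the message on the next line
            continue
        msg = line.strip()
        if msg == "Got a dns update request.":
            attempts.append({"started": last_ts, "unsigned_refused": False, "records": []})
        elif not attempts:
            continue                    # message before any request seen; ignore
        elif msg == "Update not allowed for unsigned packet.":
            attempts[-1]["unsigned_refused"] = True   # the expected first, unsigned try
        elif msg.startswith("discard_const(update): struct dns_res_rec"):
            attempts[-1]["records"].append({})        # a record from a processed (signed) update
        else:
            f = FIELD_RE.match(line)
            if f and attempts[-1]["records"]:
                attempts[-1]["records"][-1][f.group(1)] = f.group(2).strip("'")
    return attempts

def triage(log_text):
    # Unsigned refusals are normal; the interesting count is how many updates got further.
    attempts = parse_update_attempts(log_text)
    return {
        "attempts": len(attempts),
        "unsigned_refused": sum(a["unsigned_refused"] for a in attempts),
        "reached_record_handling": sum(bool(a["records"]) for a in attempts),
        "names": sorted({r["name"] for a in attempts for r in a["records"] if "name" in r}),
    }
```

Run it over a DC's log with `log level = 2` set for the dns server: names that show up under "unsigned_refused" only, with no attempt reaching record handling, point at the ownership problem rather than at signing.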