Hello,

At one point secure dynamic updates worked. Now I require 'allow dns updates = nonsecure' for dynamic updates to work. I can't seem to find any trace of updates being performed in the samba logs or Windows. I've hit a wall and can't seem to progress. Since I couldn't pull anything from the logs I decided to run 'nsupdate -g -d -D -L 10'. This was my initial result.

nsupdate -g -d -D -L 10
setup_system()
27-Oct-2015 13:14:49.420 dns_requestmgr_create
27-Oct-2015 13:14:49.420 dns_requestmgr_create: 0x7fb3edeaf010
reset_system()
user_interaction()
get_next_command()
> update delete itdept-desktop.domain.local 86400 A 172.16.232.30
evaluate_update()
update_addordelete()
get_next_command()
> send
start_update()
27-Oct-2015 13:15:15.438 dns_request_createvia
27-Oct-2015 13:15:15.439 request_render
27-Oct-2015 13:15:15.439 requestmgr_attach: 0x7fb3edeaf010: eref 1 iref 1
27-Oct-2015 13:15:15.439 mgr_gethash
27-Oct-2015 13:15:15.439 req_send: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.439 dns_request_createvia: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.439 req_senddone: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.441 req_response: request 0x7fb3edea0eb0: success
27-Oct-2015 13:15:15.441 req_cancel: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.441 req_sendevent: request 0x7fb3edea0eb0
recvsoa()
About to create rcvmsg
27-Oct-2015 13:15:15.441 dns_request_getresponse: request 0x7fb3edea0eb0
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:64900
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;itdept-desktop.domain.local. IN SOA
27-Oct-2015 13:15:15.441 dns_request_destroy: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.441 req_destroy: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.441 requestmgr_detach: 0x7fb3edeaf010: eref 1 iref 0
27-Oct-2015 13:15:15.441 dns_request_createvia
27-Oct-2015 13:15:15.441 request_render
27-Oct-2015 13:15:15.441 requestmgr_attach: 0x7fb3edeaf010: eref 1 iref 1
27-Oct-2015 13:15:15.441 mgr_gethash
27-Oct-2015 13:15:15.441 req_send: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.441 dns_request_createvia: request 0x7fb3edea0eb0
Out of recvsoa
27-Oct-2015 13:15:15.441 req_senddone: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.442 req_response: request 0x7fb3edea0eb0: success
27-Oct-2015 13:15:15.442 req_cancel: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.442 req_sendevent: request 0x7fb3edea0eb0
recvsoa()
About to create rcvmsg
27-Oct-2015 13:15:15.442 dns_request_getresponse: request 0x7fb3edea0eb0
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:54937
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;domain.local. IN SOA
;; ANSWER SECTION:
domain.local. 3600 IN SOA pfdc1.domain.local. hostmaster.domain.local. 432 900 600 86400 3600
Found zone name: domain.local
The master is: pfdc1.domain.local
start_gssrequest
27-Oct-2015 13:15:15.443 Failure initiating security context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Credentials cache file '/tmp/krb5cc_0' not found.
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Credentials cache file '/tmp/krb5cc_0' not found.

--------------------------------------------------------------------------------

I see this section

tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Credentials cache file '/tmp/krb5cc_0' not found.

I thought the cache file was automatically created? None the less I execute 'kinit' for administrator which creates the cache file 'krb5cc_0'. I run the following again 'nsupdate -g -d -D -L 10'. This time I get this result.
nsupdate -g -d -D -L 10
setup_system()
27-Oct-2015 13:37:38.729 dns_requestmgr_create
27-Oct-2015 13:37:38.729 dns_requestmgr_create: 0x7f6b29d2c010
reset_system()
user_interaction()
get_next_command()
> update add itdept-desktop.domain.local 86400 A 172.16.232.30
evaluate_update()
update_addordelete()
get_next_command()
> send
start_update()
27-Oct-2015 13:38:01.507 dns_request_createvia
27-Oct-2015 13:38:01.507 request_render
27-Oct-2015 13:38:01.507 requestmgr_attach: 0x7f6b29d2c010: eref 1 iref 1
27-Oct-2015 13:38:01.507 mgr_gethash
27-Oct-2015 13:38:01.507 req_send: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.507 dns_request_createvia: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.507 req_senddone: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.509 req_response: request 0x7f6b29d1deb0: success
27-Oct-2015 13:38:01.509 req_cancel: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.509 req_sendevent: request 0x7f6b29d1deb0
recvsoa()
About to create rcvmsg
27-Oct-2015 13:38:01.509 dns_request_getresponse: request 0x7f6b29d1deb0
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:63949
;; flags: qr rd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;itdept-desktop.domain.local. IN SOA
27-Oct-2015 13:38:01.509 dns_request_destroy: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.509 req_destroy: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.509 requestmgr_detach: 0x7f6b29d2c010: eref 1 iref 0
27-Oct-2015 13:38:01.509 dns_request_createvia
27-Oct-2015 13:38:01.509 request_render
27-Oct-2015 13:38:01.509 requestmgr_attach: 0x7f6b29d2c010: eref 1 iref 1
27-Oct-2015 13:38:01.509 mgr_gethash
27-Oct-2015 13:38:01.509 req_send: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.509 dns_request_createvia: request 0x7f6b29d1deb0
Out of recvsoa
27-Oct-2015 13:38:01.509 req_senddone: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.511 req_response: request 0x7f6b29d1deb0: success
27-Oct-2015 13:38:01.511 req_cancel: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.511 req_sendevent: request 0x7f6b29d1deb0
recvsoa()
About to create rcvmsg
27-Oct-2015 13:38:01.511 dns_request_getresponse: request 0x7f6b29d1deb0
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:30700
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;domain.local. IN SOA
;; ANSWER SECTION:
domain.local. 3600 IN SOA pfdc1.domain.local. hostmaster.domain.local. 434 900 600 86400 3600
Found zone name: domain.local
The master is: pfdc1.domain.local
start_gssrequest
Found realm from ticket: DOMAIN.LOCAL
send_gssrequest
27-Oct-2015 13:38:01.512 dns_request_createvia
27-Oct-2015 13:38:01.512 request_render
27-Oct-2015 13:38:01.512 requestmgr_attach: 0x7f6b29d2c010: eref 1 iref 2
27-Oct-2015 13:38:01.512 mgr_gethash
27-Oct-2015 13:38:01.512 dns_request_createvia: request 0x7f6b29d36010
show_message()
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:38947
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;1384447838.sig-pfdc1.domain.local. ANY TKEY
;; ADDITIONAL SECTION:
1384447838.sig-pfdc1.domain.local. 0 ANY TKEY gss-tsig.
1445967481 1445967481 3 NOERROR 1361 [base64 GSS-API token omitted] 0
27-Oct-2015 13:38:01.512 dns_request_destroy: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.512 req_destroy:
request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.512 requestmgr_detach: 0x7f6b29d2c010: eref 1 iref 1
Out of recvsoa
27-Oct-2015 13:38:01.512 req_connected: request 0x7f6b29d36010
27-Oct-2015 13:38:01.513 req_send: request 0x7f6b29d36010
27-Oct-2015 13:38:01.513 req_senddone: request 0x7f6b29d36010
27-Oct-2015 13:38:01.523 req_response: request 0x7f6b29d36010: success
27-Oct-2015 13:38:01.523 req_cancel: request 0x7f6b29d36010
27-Oct-2015 13:38:01.523 req_sendevent: request 0x7f6b29d36010
recvgss()
recvgss creating rcvmsg
27-Oct-2015 13:38:01.523 dns_request_getresponse: request 0x7f6b29d36010
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:38947
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;1384447838.sig-pfdc1.domain.local. ANY TKEY
;; ANSWER SECTION:
1384447838.sig-pfdc1.domain.local. 0 ANY TKEY gss-tsig. 1445967481 1445967481 3 NOERROR 182
oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB
AgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRr4rBfZLZEDlMf
xEOrOtGsFid2hIWdFfFECDMGt9jmstD2wB1yAE3FiVqv0cZd1F3z22zR
hcMtHSWFx1VhvA8ob0TGBpfe8FagJ0Osgt7tV7z9oKi2sE3QnZcKkkl+
LrUyTDMe8fqUdCsL+RM= 0
;; TSIG PSEUDOSECTION:
1384447838.sig-pfdc1.domain.local. 0 ANY TSIG gss-tsig. 1445967481 300 28 BAQF//////8AAAAAImyAou7Y6kl8XKcarfaOeQ== 38947 NOERROR 0
send_update()
Sending update to 172.16.232.29#53
27-Oct-2015 13:38:01.523 dns_request_createvia
27-Oct-2015 13:38:01.523 request_render
27-Oct-2015 13:38:01.523 requestmgr_attach: 0x7f6b29d2c010: eref 1 iref 2
27-Oct-2015 13:38:01.523 mgr_gethash
27-Oct-2015 13:38:01.523 dns_request_createvia: request 0x7f6b29d1deb0
show_message()
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:34024
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
itdept-desktop.domain.local. 86400 IN A 172.16.232.30
;; TSIG PSEUDOSECTION:
1384447838.sig-pfdc1.domain.local. 0 ANY TSIG gss-tsig.
1445967481 300 28 BAQE//////8AAAAAGCwKBRKMONp5I7ZtKq4gJA== 34024 NOERROR 0
27-Oct-2015 13:38:01.523 dns_request_destroy: request 0x7f6b29d36010
27-Oct-2015 13:38:01.523 req_destroy: request 0x7f6b29d36010
27-Oct-2015 13:38:01.523 requestmgr_detach: 0x7f6b29d2c010: eref 1 iref 1
Out of recvgss
27-Oct-2015 13:38:01.523 req_connected: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.523 req_send: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.524 req_senddone: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.998 req_response: request 0x7f6b29d1deb0: success
27-Oct-2015 13:38:01.998 req_cancel: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.998 req_sendevent: request 0x7f6b29d1deb0
update_completed()
27-Oct-2015 13:38:01.998 dns_request_getresponse: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.998 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Success.
27-Oct-2015 13:38:01.998 tsig key '1384447838.sig-pfdc1.domain.local' (<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
show_message()
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:34024
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;domain.local. IN SOA
;; UPDATE SECTION:
itdept-desktop.domain.local. 86400 IN A 172.16.232.30
;; TSIG PSEUDOSECTION:
1384447838.sig-pfdc1.domain.local. 0 ANY TSIG gss-tsig. 1445967481 300 28 BAQF//////8AAAAAImyAo3PobOaGOyFvcHpIfQ== 34024 NOERROR 0
27-Oct-2015 13:38:01.998 dns_request_destroy: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.998 req_destroy: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.998 requestmgr_detach: 0x7f6b29d2c010: eref 1 iref 0
done_update()
reset_system()
user_interaction()
get_next_command()

--------------------------------------------------------------------------------

This time you can see the update succeeded. The TSIG verify failure has always been an issue with the internal DNS. This never stopped secure dynamic updates before. What does 'samba_dnsupdate' do differently that could cause the updates to fail? I looked through the script but couldn't find anything to help. A packet trace with Wireshark doesn't give me much help either.

Flags: 0xa805 Dynamic update response, Refused CNAME

Any ideas where I need to look next? Relevant system info below.

Ubuntu 12.04 LTS DC
Samba 4.3.1

[global]
        workgroup = DOMAIN
        realm = DOMAIN.LOCAL
        netbios name = PFDC1
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = Yes
        log file = /usr/local/samba/var/log.%m
        log level = 1
        logging = syslog@1 file
        allow dns updates = secure only

        #Disable CUPS Printing
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes

        # Add and Update TLS Key
        tls enabled = yes
        tls keyfile = tls/sambaKey.pem
        tls certfile = tls/sambaCert.pem
        tls cafile
        #tls crlfile
        #tls dh parms file

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol

-- 
-James
On 10/27/2015 1:51 PM, James wrote:
> [...]

Decided to set up a new test DC on a VM. Installed Ubuntu 12.04 and Samba 4.3.1. Installed from wiki:

./configure
make
sudo make install
samba-tool domain provision --use-rfc2307 --interactive

No errors during make and provision. Joined Win 7 VM to Domain. Verified no A record added during join. Increased log level to 10. Ran 'ipconfig /registerdns' to force update. Still no A record. Enabled nonsecure updates in smb.conf and tried again. Samba DC adds the A record. Samba log shows for failed update 'Update not allowed for unsigned packet'. Which is normal because a nonsecure update is attempted first followed by a secure update. I receive the same response however on the second attempt which should be signed. I can see in Wireshark the TKEY being queried and responded to.

-- 
-James
It appears all versions of Samba 4.2.X allow secure updates. It's transitioning to any version of Samba 4.3.X that prevents secure updates.

Looking at the Wireshark captures of a successful update

https://www.cloudshark.org/captures/79e72c42de44

I see two transactions concerning the TKEY. I also see the update request from the client signed with the TSIG.

Looking at a failed update

https://www.cloudshark.org/captures/44f706b2cc61

I see three transactions concerning the TKEY. I also am missing the TSIG with the update request from the client. I do see a TSIG with the TKEY exchange from the DC.

The TSIG, as far as I know, should not be sent in the additional records section of the TKEY exchange. Secure update process fails during the TKEY exchange. This causes the client to repeat the whole DNS query exchange.

The client should send the dynamic update request immediately after the TKEY exchange has taken place. The lack of the TSIG with the client update explains why Samba reports 'Update not allowed for unsigned packet' on the second update request.

-- 
-James
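The observation in the post above, a TSIG present on the TKEY exchange but missing from the client's UPDATE, can be checked mechanically on captured packets. The following is an added example and not Samba, BIND or nsupdate code: a minimal DNS wire-format parser that reports whether an UPDATE message carries exactly one TSIG RR as its last additional record (the structural condition a GSS-TSIG server checks before it can verify anything), run over UPDATE messages constructed inline with a placeholder MAC, so only structure is checked, never a real signature.

```python
"""Check whether a DNS UPDATE carries the TSIG record GSS-TSIG requires.
Added example (not Samba/BIND/nsupdate code); messages are constructed
inline with a placeholder MAC, so only structure is checked, not the MAC."""
import struct

TYPE_A, TYPE_SOA, TYPE_TKEY, TYPE_TSIG = 1, 6, 249, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2                    # resume after the pointer
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels) + ".", (off if end is None else end)


def parse_rr(msg, off):
    """Parse one resource record; return (rr dict, offset after it)."""
    name, off = decode_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
            "rdata": msg[off:off + rdlen]}, off + rdlen


def inspect_message(msg):
    """Walk all sections; summarise what matters for TSIG/TKEY handling."""
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype))
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            sections[sec].append(rr)
    add = sections["additional"]
    return {
        "id": msg_id,
        "opcode": (flags >> 11) & 0xF,
        "questions": questions,
        "update_rrs": len(sections["authority"]),   # UPDATE section in opcode 5
        "tsig_count": sum(r["type"] == TYPE_TSIG for r in add),
        "tsig_last": bool(add) and add[-1]["type"] == TYPE_TSIG,
        "tkey_in_additional": any(r["type"] == TYPE_TKEY for r in add),
    }


def classify_update(msg):
    """What a GSS-TSIG server sees before MAC verification even starts."""
    info = inspect_message(msg)
    if info["opcode"] != OPCODE_UPDATE:
        return "not-an-update"
    if info["tsig_count"] == 0:
        return "unsigned"          # Samba logs 'Update not allowed for unsigned packet'
    if info["tsig_count"] > 1 or not info["tsig_last"]:
        return "malformed-tsig"    # RFC 2845: exactly one TSIG, last RR in the message
    return "signed"


def build_update(zone, host, addr, msg_id=34024, tsig_key=None, trailing_rr=False):
    """Constructed UPDATE: one A record; optional TSIG with a placeholder MAC."""
    zone_q = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    a_rr = (encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 86400, 4)
            + bytes(int(o) for o in addr.split(".")))
    additional, arcount = b"", 0
    if tsig_key:
        mac = b"\x00" * 28                         # placeholder, not a real GSS MIC
        rdata = (encode_name("gss-tsig.") + struct.pack("!HIHH", 0, 1445967481, 300, len(mac))
                 + mac + struct.pack("!HHH", msg_id, 0, 0))
        additional += (encode_name(tsig_key)
                       + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata)
        arcount += 1
    if trailing_rr:                                # an RR after the TSIG: invalid placement
        additional += a_rr
        arcount += 1
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, arcount)
    return header + zone_q + a_rr + additional
```

On a real capture, feed each UDP/TCP payload from the update exchange to classify_update to see which client messages were actually signed; the hypothetical key name and addresses used in the test are the ones from this thread.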
Jeffrey Earl
2015-Nov-09 20:09 UTC
[Samba] Secure dynamic update failure with internal DNS
I've experienced the same issue on Samba 4.3.1 compiled against Centos 6.7. It appears to be a known issue. There's a recent bug report on bugzilla: https://bugzilla.samba.org/show_bug.cgi?id=11520

On Mon, Nov 9, 2015 at 1:20 PM, James <lingpanda101 at gmail.com> wrote:
> [...]