Jeffrey Earl
2015-Nov-09 20:09 UTC
[Samba] Secure dynamic update failure with internal DNS
I've experienced the same issue on Samba 4.3.1 compiled against CentOS 6.7. It appears to be a known issue. There's a recent bug report on bugzilla: https://bugzilla.samba.org/show_bug.cgi?id=11520

On Mon, Nov 9, 2015 at 1:20 PM, James <lingpanda101 at gmail.com> wrote:
> It appears all versions of Samba 4.2.X allow secure updates. It's
> transitioning to any version of Samba 4.3.X that prevents secure updates.
> Looking at the Wireshark captures of a successful update
>
> https://www.cloudshark.org/captures/79e72c42de44
>
> I see two transactions concerning the TKEY. I also see the update request
> from the client signed with the TSIG.
>
> Looking at a failed update
>
> https://www.cloudshark.org/captures/44f706b2cc61
>
> I see three transactions concerning the TKEY. I am also missing the TSIG
> with the update request from the client. I do see a TSIG with the TKEY
> exchange from the DC.
>
> The TSIG, as far as I know, should not be sent in the additional records
> section of the TKEY exchange. The secure update process fails during the
> TKEY exchange. This causes the client to repeat the whole DNS query exchange.
>
> The client should send the dynamic update request immediately after the
> TKEY exchange has taken place. The lack of the TSIG with the client update
> explains why Samba reports 'Update not allowed for unsigned packet' on the
> second update request.
>
> --
> -James
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
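The property the two captures above turn on is whether the client's UPDATE carries a TSIG record as the last RR of its additional section. The following is an added example, not code from the thread, from Samba or from the cloudshark captures: a small Python parser that walks a DNS wire message and reports, for each packet, whether it is part of a TKEY exchange or an UPDATE and whether a well-formed TSIG is present. The three sample packets are constructed inline; the key name, zone, host address, message IDs and the 16 MAC bytes are placeholders (a real client would put a GSS MIC there), so they are assumptions rather than anything taken from the captures.

```python
import struct

# RR types and opcodes involved in GSS-TSIG secure dynamic update
# (TKEY: RFC 2930, TSIG: RFC 2845, UPDATE: RFC 2136).
TYPE_A, TYPE_SOA, TYPE_TKEY, TYPE_TSIG = 1, 6, 249, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_QUERY, OPCODE_UPDATE = 0, 5

def encode_name(name):
    """Wire-encode a dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(buf, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)

def build_message(msg_id, opcode, question, update=(), additional=()):
    """Request with one question; update RRs go in the authority section (RFC 2136)."""
    flags = opcode << 11  # QR=0, opcode in bits 11-14
    msg = struct.pack("!HHHHHH", msg_id, flags, 1, 0, len(update), len(additional))
    qname, qtype, qclass = question
    msg += encode_name(qname) + struct.pack("!HH", qtype, qclass)
    for name, rtype, rclass, ttl, rdata in list(update) + list(additional):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return msg

def build_tsig_rdata(algorithm, time_signed, fudge, mac, original_id):
    """TSIG RDATA layout from RFC 2845 section 2.3 (error 0, no other data)."""
    return (encode_name(algorithm)
            + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
            + mac + struct.pack("!HHH", original_id, 0, 0))

def parse_tsig_rdata(rdata):
    alg, off = decode_name(rdata, 0)
    t_hi, t_lo, fudge, mac_size = struct.unpack("!HIHH", rdata[off:off + 10])
    off += 10
    mac = rdata[off:off + mac_size]
    off += mac_size
    original_id, error, _other_len = struct.unpack("!HHH", rdata[off:off + 6])
    return {"algorithm": alg, "time_signed": (t_hi << 32) | t_lo, "fudge": fudge,
            "mac": mac, "original_id": original_id, "error": error}

def parse_message(buf):
    """Split a DNS message into header fields, questions and the three RR sections."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(buf, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            off += 10
            sections[sec].append((name, rtype, rclass, ttl, buf[off:off + rdlen]))
            off += rdlen
    return {"id": msg_id, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
            "questions": questions, **sections}

def classify(buf):
    """Say what role a packet plays in the secure-update exchange and whether it is TSIG-signed."""
    p = parse_message(buf)
    tsig = [rr for rr in p["additional"] if rr[1] == TYPE_TSIG]
    # RFC 2845: at most one TSIG, and it must be the last RR of the additional section
    if tsig and (len(tsig) > 1 or p["additional"][-1][1] != TYPE_TSIG):
        return "malformed: TSIG is not the single last additional RR"
    signed = bool(tsig)
    if signed and parse_tsig_rdata(tsig[0][4])["original_id"] != p["id"]:
        return "malformed: TSIG original ID does not match the message ID"
    if p["opcode"] == OPCODE_UPDATE:
        if signed:
            return "signed update (%s)" % parse_tsig_rdata(tsig[0][4])["algorithm"]
        return "unsigned update (the case Samba rejects as 'Update not allowed for unsigned packet')"
    if any(q[1] == TYPE_TKEY for q in p["questions"]):
        return "tkey exchange, %s" % ("tsig present" if signed else "no tsig")
    return "other"

# Constructed sample packets; names, IDs and MAC bytes are placeholders, not the thread's captures.
KEY_NAME = "host1-gss-key.example.com."
FAKE_MAC = bytes(range(16))  # stands in for the GSS MIC a real client would compute
A_RR = ("host1.example.com.", TYPE_A, CLASS_IN, 3600, bytes([192, 0, 2, 10]))
TKEY_REQUEST = build_message(0x1001, OPCODE_QUERY, (KEY_NAME, TYPE_TKEY, CLASS_ANY),
                             additional=[(KEY_NAME, TYPE_TKEY, CLASS_ANY, 0, b"\x00" * 16)])
SIGNED_UPDATE = build_message(
    0x1002, OPCODE_UPDATE, ("example.com.", TYPE_SOA, CLASS_IN), update=[A_RR],
    additional=[(KEY_NAME, TYPE_TSIG, CLASS_ANY, 0,
                 build_tsig_rdata("gss-tsig.", 1447099200, 300, FAKE_MAC, 0x1002))])
UNSIGNED_UPDATE = build_message(0x1003, OPCODE_UPDATE, ("example.com.", TYPE_SOA, CLASS_IN), update=[A_RR])

if __name__ == "__main__":
    for label, pkt in (("TKEY request", TKEY_REQUEST), ("signed UPDATE", SIGNED_UPDATE),
                       ("unsigned UPDATE", UNSIGNED_UPDATE)):
        print("%-16s %s" % (label, classify(pkt)))
```

To run this against a real capture, export the raw DNS payload of each packet (the bytes after the UDP header, or after the two-byte length prefix on TCP) and pass them to classify(); an UPDATE from the client that comes back as "unsigned update" is the condition behind the log line James quotes.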
On 11/9/2015 3:09 PM, Jeffrey Earl wrote:
> I've experienced the same issue on Samba 4.3.1 compiled against CentOS
> 6.7. It appears to be a known issue. There's a recent bug report on
> bugzilla: https://bugzilla.samba.org/show_bug.cgi?id=11520
>
> On Mon, Nov 9, 2015 at 1:20 PM, James <lingpanda101 at gmail.com
> <mailto:lingpanda101 at gmail.com>> wrote:
>
>> It appears all versions of Samba 4.2.X allow secure updates. It's
>> transitioning to any version of Samba 4.3.X that prevents secure
>> updates. Looking at the Wireshark captures of a successful update
>>
>> https://www.cloudshark.org/captures/79e72c42de44
>>
>> I see two transactions concerning the TKEY. I also see the update
>> request from the client signed with the TSIG.
>>
>> Looking at a failed update
>>
>> https://www.cloudshark.org/captures/44f706b2cc61
>>
>> I see three transactions concerning the TKEY. I am also missing
>> the TSIG with the update request from the client. I do see a TSIG
>> with the TKEY exchange from the DC.
>>
>> The TSIG, as far as I know, should not be sent in the additional
>> records section of the TKEY exchange. The secure update process fails
>> during the TKEY exchange. This causes the client to repeat the
>> whole DNS query exchange.
>>
>> The client should send the dynamic update request immediately
>> after the TKEY exchange has taken place. The lack of the TSIG with
>> the client update explains why Samba reports 'Update not allowed
>> for unsigned packet' on the second update request.
>>
>> --
>> -James

Thanks Jeffrey. Added info to the bug report.

--
-James
2015-11-10 22:07 GMT+08:00 James <lingpanda101 at gmail.com>:
> It appears all versions of Samba 4.2.X allow secure updates. It's
> transitioning to any version of Samba 4.3.X that prevents secure
> updates. Looking at the Wireshark captures of a successful update
>
> https://www.cloudshark.org/captures/79e72c42de44
>
> I see two transactions concerning the TKEY. I also see the update
> request from the client signed with the TSIG.
>
> Looking at a failed update
>
> https://www.cloudshark.org/captures/44f706b2cc61
>
> I see three transactions concerning the TKEY. I am also missing
> the TSIG with the update request from the client. I do see a TSIG
> with the TKEY exchange from the DC.
>
> The TSIG, as far as I know, should not be sent in the additional
> records section of the TKEY exchange. The secure update process fails
> during the TKEY exchange. This causes the client to repeat the
> whole DNS query exchange.
>
> The client should send the dynamic update request immediately
> after the TKEY exchange has taken place. The lack of the TSIG with
> the client update explains why Samba reports 'Update not allowed
> for unsigned packet' on the second update request.
>
> --
> -James

Hi, I just upgraded to 4.3.1 and got the same issue. The good part is that after reading your mail, I now understand better how secure DNS update works. Thanks a lot for your information.

Regards,
tbskyd