2015-11-10 22:07 GMT+08:00 James <lingpanda101 at gmail.com>:
> It appears all versions of Samba 4.2.X allow secure updates. It's transitioning to any version of Samba 4.3.X that prevents secure updates. Looking at the Wireshark captures of a successful update
>
> https://www.cloudshark.org/captures/79e72c42de44
>
> I see two transactions concerning the TKEY. I also see the update request from the client signed with the TSIG.
>
> Looking at a failed update
>
> https://www.cloudshark.org/captures/44f706b2cc61
>
> I see three transactions concerning the TKEY. I also am missing the TSIG with the update request from the client. I do see a TSIG with the TKEY exchange from the DC.
>
> The TSIG, as far as I know, should not be sent in the additional records section of the TKEY exchange. The secure update process fails during the TKEY exchange. This causes the client to repeat the whole DNS query exchange.
>
> The client should send the dynamic update request immediately after the TKEY exchange has taken place. The lack of the TSIG with the client update explains why Samba reports 'Update not allowed for unsigned packet' on the second update request.
>
> --
> -James

hi:

just upgraded to 4.3.1 and got the same issue. the good part is: after reading your mail, I now understand better how secure DNS update is working. thanks a lot for your information.

Regards,
tbskyd
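The reading of the captures that James describes (count the TKEY transactions, check whether the UPDATE from the client carries a TSIG) can be done with a small wire-format inspector instead of Wireshark. The script below is an added example, not code from the thread or from Samba. Its three sample messages (a TKEY query, an unsigned UPDATE and a TSIG-signed UPDATE) are constructed here; the key name 1234-ms-7.dc-site1.samdom.example.lan, the GSS token bytes and the MAC bytes are placeholders, not values from the cloudshark captures. Feed classify() the raw DNS payload of a packet exported from a capture to see which of the three cases it is.

```python
"""Classify DNS messages by their TKEY/TSIG content (added example; the
sample messages below are constructed, not taken from the captures)."""
import struct

OPCODE_QUERY, OPCODE_UPDATE = 0, 5
TYPE_SOA, TYPE_SRV, TYPE_TKEY, TYPE_TSIG = 6, 33, 249, 250
CLASS_IN, CLASS_ANY = 1, 255


def encode_name(name):
    """Dotted name -> RFC 1035 labels (uncompressed)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(msg, off):
    """Decode a name at msg[off:], following compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def question(name, qtype, qclass=CLASS_IN):
    return encode_name(name) + struct.pack("!HH", qtype, qclass)


def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def message(opcode, questions, answers=(), authority=(), additional=(), ident=0x1234):
    hdr = struct.pack("!HHHHHH", ident, opcode << 11, len(questions),
                      len(answers), len(authority), len(additional))
    return hdr + b"".join([*questions, *answers, *authority, *additional])


def parse(msg):
    """Header, question/zone section and the three RR sections."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, sections = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    if off != len(msg):
        raise ValueError("trailing bytes after the last section")
    return {"id": ident, "opcode": (flags >> 11) & 0xF, "questions": questions,
            "answer": sections[0], "authority": sections[1], "additional": sections[2]}


def classify(msg):
    """'signed-update' only when exactly one TSIG RR closes the additional
    section (RFC 2845); 'unsigned-update' is what Samba rejects with
    'Update not allowed for unsigned packet'."""
    p = parse(msg)
    add_types = [t for _, t, _ in p["additional"]]
    if p["opcode"] == OPCODE_UPDATE:
        if add_types.count(TYPE_TSIG) == 1 and add_types[-1] == TYPE_TSIG:
            return "signed-update"
        return "update-tsig-misplaced" if TYPE_TSIG in add_types else "unsigned-update"
    if any(t == TYPE_TKEY for _, t in p["questions"]):
        return "tkey-negotiation" + ("-signed" if TYPE_TSIG in add_types else "")
    return "other"


# --- constructed samples (placeholder key name, token and MAC bytes) ---
KEY, GSS = "1234-ms-7.dc-site1.samdom.example.lan.", "gss-tsig."
TKEY_RDATA = encode_name(GSS) + struct.pack("!IIHHH", 0, 0, 3, 0, 4) + b"\x60\x00\x00\x00" + b"\x00\x00"
TSIG_RDATA = (encode_name(GSS) + b"\x00\x00\x56\x4a\x00\x00" + struct.pack("!HH", 300, 4)
              + b"\xde\xad\xbe\xef" + struct.pack("!HHH", 0x1234, 0, 0))
SRV_RDATA = struct.pack("!HHH", 0, 100, 389) + encode_name("dc-site1.samdom.example.lan.")
ZONE = [question("samdom.example.lan.", TYPE_SOA)]            # zone section of an UPDATE
UPD = [rr("_ldap._tcp.samdom.example.lan.", TYPE_SRV, CLASS_IN, 900, SRV_RDATA)]

TKEY_QUERY = message(OPCODE_QUERY, [question(KEY, TYPE_TKEY, CLASS_ANY)],
                     additional=[rr(KEY, TYPE_TKEY, CLASS_ANY, 0, TKEY_RDATA)])
UNSIGNED_UPDATE = message(OPCODE_UPDATE, ZONE, authority=UPD)
SIGNED_UPDATE = message(OPCODE_UPDATE, ZONE, authority=UPD,
                        additional=[rr(KEY, TYPE_TSIG, CLASS_ANY, 0, TSIG_RDATA)])

if __name__ == "__main__":
    for label, m in (("TKEY query", TKEY_QUERY), ("unsigned UPDATE", UNSIGNED_UPDATE),
                     ("signed UPDATE", SIGNED_UPDATE)):
        print("%-16s -> %s" % (label, classify(m)))
```

The check is deliberately "exactly one TSIG and it is the last RR of the additional section", not "a TSIG somewhere in the packet": RFC 2845 fixes that position, and a signer that puts it anywhere else produces a message a strict server will not verify. The unsigned case is the one that shows up in the Samba log as 'Update not allowed for unsigned packet'.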
Thierry Hotelier
2015-Nov-19 14:44 UTC
[Samba] Samba 4.3.0 and DNS entries missing for DCs
hello,

we've just upgraded from samba 3.6.6 to samba 4.3.0. We are using INTERNAL as dns backend. We have 1 domain and 6 DCs on 5 different sites. Replication between DCs is ok as we can see with "samba-tool drs showrepl". We configured them like it is described on the wiki and used the RSAT tool "Sites and services" to add sites, subnets, links ... But for the 4 DCs not on our main site, some DNS entries are missing and it is not possible to add them with samba_dnsupdate (part of the result of the command below).

As described by other people recently we need to put "allow dns updates = nonsecure" in smb.conf in order to get dynamic DNS to work.

Is it correct to think that these DCs are not used by the clients ? And that adding the missing dns entries is sufficient to correct the problem ?

I've slightly modified samba_dnsupdate in order to collect the commands sent to nsupdate (the temporary files are not deleted). What is the better way to add these entries ? I think of either executing them on the "pdc" or trying to execute nsupdate without option -g.

Regards,
Thierry

# samba_dnsupdate --verbose
IPs: ['192.168.0.1']
Looking for DNS entry A dc-site1.samdom.example.lan 192.168.0.1 as dc-site1.samdom.example.lan.
Looking for DNS entry A samdom.example.lan 192.168.0.1 as samdom.example.lan.
Failed to find matching DNS entry A samdom.example.lan 192.168.0.1
Looking for DNS entry SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389 as _ldap._tcp.samdom.example.lan.
Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389
Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389
Failed to find matching DNS entry SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 as _ldap._tcp.dc._msdcs.samdom.example.lan.
Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
Failed to find matching DNS entry SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
Looking for DNS entry SRV _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 as _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan.
Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
Failed to find matching DNS entry SRV _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389

[.....]

Calling nsupdate for A samdom.example.lan 192.168.0.1 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
samdom.example.lan.     900     IN      A       192.168.0.1

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.samdom.example.lan.  900     IN      SRV     0 100 389 dc-site1.samdom.example.lan.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.samdom.example.lan.        900     IN      SRV     0 100 389 dc-site1.samdom.example.lan.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan.      900     IN      SRV     0 100 389 dc-site1.samdom.example.lan.

[.....]

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.SITE1._sites.ForestDnsZones.samdom.example.lan dc-site1.samdom.example.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.SITE1._sites.ForestDnsZones.samdom.example.lan.      900     IN      SRV     0 100 389 dc-site1.samdom.example.lan.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 24 entries
On 11/19/2015 9:44 AM, Thierry Hotelier wrote:
> [.....]
> Is it correct to think that these DCs are not used by the clients ?

Your clients will not be able to use any DC where SRV records are missing for a requested service.

> And that adding the dns entries missing is sufficient to correct the problem ?

It should be. You can verify by using nslookup from a client in each site.

> What is the better way to add these entries ?

I would use the Windows DNS snap-in or samba-tool.

--
-James
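James recommends samba-tool, and Thierry already has the list of records that samba_dnsupdate could not add. The script below is an added example (it is not samba_dnsupdate's code and not from the thread) that turns the "Failed to find matching DNS entry ..." lines of samba_dnsupdate --verbose into samba-tool dns add commands, with the equivalent nsupdate input for comparison. The zone list (samdom.example.lan plus a separate _msdcs.samdom.example.lan zone), the target DC dc-princ1 and the user name are assumptions for the illustration; the sample output is constructed from the lines quoted earlier in the thread. Priority 0 and weight 100 are filled in for SRV records because that is what samba_dnsupdate itself compares against in its "Checking 0 100 389 ..." lines.

```python
"""Generate samba-tool / nsupdate commands for the records that
samba_dnsupdate --verbose reported missing.  Added example, not code from
samba_dnsupdate or from the thread."""
import re
import shlex

# Assumptions for the illustration: the zones hosted on the DCs (longest
# suffix wins) and the DC that should receive the RPC update.
ZONES = ["_msdcs.samdom.example.lan", "samdom.example.lan"]
SERVER = "dc-princ1.samdom.example.lan"

# Constructed sample, modelled on the verbose output quoted in the thread.
SAMPLE_OUTPUT = """\
Looking for DNS entry A dc-site1.samdom.example.lan 192.168.0.1 as dc-site1.samdom.example.lan.
Failed to find matching DNS entry A samdom.example.lan 192.168.0.1
Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389
Failed to find matching DNS entry SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389
Failed to find matching DNS entry SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
Failed to find matching DNS entry SRV _ldap._tcp.SITE1._sites.ForestDnsZones.samdom.example.lan dc-site1.samdom.example.lan 389
"""

FAIL_RE = re.compile(r"^Failed to find matching DNS entry (\S+) (\S+)\s+(.+)$")


def parse_failures(text):
    """Return one dict per record samba_dnsupdate could not find.
    SRV lines carry 'target port'; priority 0 / weight 100 are the values
    samba_dnsupdate itself checks against, so they are filled in here."""
    records = []
    for line in text.splitlines():
        m = FAIL_RE.match(line.strip())
        if not m:
            continue
        rtype, name, rest = m.groups()
        fields = rest.split()
        rec = {"type": rtype, "name": name.rstrip(".")}
        if rtype == "SRV":
            rec.update(target=fields[0].rstrip("."), port=int(fields[1]), prio=0, weight=100)
        elif rtype in ("A", "AAAA", "CNAME", "NS"):
            rec["value"] = fields[0]
        else:
            raise ValueError("unhandled record type in line: " + line)
        records.append(rec)
    return records


def split_zone(fqdn, zones=ZONES):
    """Longest-suffix match so that _ldap._tcp.dc._msdcs.samdom.example.lan
    lands in the _msdcs zone and not in samdom.example.lan; '@' is the apex."""
    fqdn = fqdn.rstrip(".")
    for zone in sorted(zones, key=len, reverse=True):
        if fqdn == zone:
            return "@", zone
        if fqdn.endswith("." + zone):
            return fqdn[:-len(zone) - 1], zone
    raise ValueError("no known zone for " + fqdn)


def samba_tool_data(rec):
    # samba-tool dns add takes SRV data as 'target port priority weight'
    if rec["type"] == "SRV":
        return "%s %d %d %d" % (rec["target"], rec["port"], rec["prio"], rec["weight"])
    return rec["value"]


def samba_tool_commands(records, server=SERVER, zones=ZONES, user="administrator"):
    cmds = []
    for rec in records:
        rel, zone = split_zone(rec["name"], zones)
        cmds.append(" ".join(["samba-tool", "dns", "add", server, zone, rel, rec["type"],
                              shlex.quote(samba_tool_data(rec)), "-U", user]))
    return cmds


def nsupdate_script(records, ttl=900):
    """Same records as nsupdate input.  Note the SRV field order here is
    'priority weight port target', the reverse of what samba-tool wants."""
    lines = []
    for rec in records:
        if rec["type"] == "SRV":
            rdata = "%d %d %d %s." % (rec["prio"], rec["weight"], rec["port"], rec["target"])
        else:
            rdata = rec["value"]
        lines.append("update add %s. %d IN %s %s" % (rec["name"], ttl, rec["type"], rdata))
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    recs = parse_failures(text)
    print("\n".join(samba_tool_commands(recs)))
    print("--- nsupdate equivalent ---")
    print(nsupdate_script(recs), end="")
```

Run it on the real output with samba_dnsupdate --verbose 2>&1 | python3 gen_dns_adds.py and review the commands before executing them. Adding the records through an authenticated channel (samba-tool with -U, or nsupdate -g from a host whose Kerberos ticket is accepted) leaves "allow dns updates = secure only", the smb.conf default, untouched; "nonsecure" makes the DC accept unsigned updates to the zone from any host that can reach it, so it is a workaround to revert once the missing records are in place and replicated.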