2015-11-10 22:07 GMT+08:00 James <lingpanda101 at gmail.com>:> I't appears all versions of Samba 4.2.X allow secure updates. It's >> transitioning to any version of Samba 4.3.X that prevents secure >> updates. Looking at the Wireshark captures of a successful update >> >> https://www.cloudshark.org/captures/79e72c42de44 >> >> I see two transactions concerning the TKEY. I also see the update >> request from the client signed with the TSIG. >> >> Looking at a failed update >> >> https://www.cloudshark.org/captures/44f706b2cc61 >> >> I see three transactions concerning the TKEY. I also am missing >> the TSIG with the update request from the client. I do see a TSIG >> with the TKEY exchange from the DC. >> >> The TSIG as far as I know, should not be sent in the additional >> records section of the TKEY exchange. Secure update process fails >> during the TKEY exchange. This causes the client to repeat the >> whole DNS query exchange. >> >> The client should send the dynamic update request immediately >> after the TKEY exchange has taken place. The lack of the TSIG with >> the client update explains why Samba reports 'Update not allowed >> for unsigned packet' on the second update request. >> >> >> -- -James >> >hi: just upgrade to 4.3.1 and got the same issue. the good part is: after reading your mail, I now understand better how secure dns update is working. thanks a lot for your information. Regards, tbskyd
Thierry Hotelier
2015-Nov-19 14:44 UTC
[Samba] Samba 4.3.0 and DNS entries missing for DCs
hello, we've just upgraded from samba 3.6.6 to samba 4.3.0. We are using INTERNAL as dns backend. We have 1 domain and 6 DCs on 5 different sites. Replication between DCs is ok as we can see with "samba-tool drs showrepl". We configured them like it is described on the wiki and used the RSAT tool "Sites and services" to add sites, subnets, links ... But for the 4 DCs not on our main site, some DNS entries are missing and it is not possible to add them with samba_dnsupdate (part of the result of the command below). As described by other people recently we need to put "allow dns updates = nonsecure" in smb.conf in order to have dynamic DNS to work. Is it correct to think that these DCs are not used by the clients ? And that adding the dns entries missing is sufficient to correct the problem ? I've slightly modified samba_dnsupdate in order to collect the commands send to nsupdate (the temporay files are not deleted). What is the better way to add these entries ? I think of either executing them on the "pdc" or trying executing nsupdate without option -g. Regards, Thierry # samba_dnsupdate --verbose IPs: ['192.168.0.1'] Looking for DNS entry A dc-site1.samdom.example.lan 192.168.0.1 as dc-site1.samdom.example.lan. Looking for DNS entry A samdom.example.lan 192.168.0.1 as samdom.example.lan. Failed to find matching DNS entry A samdom.example.lan 192.168.0.1 Looking for DNS entry SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389 as _ldap._tcp.samdom.example.lan. Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389 Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389 Failed to find matching DNS entry SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389 Looking for DNS entry SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 as _ldap._tcp.dc._msdcs.samdom.example.lan. Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 Failed to find matching DNS entry SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 Looking for DNS entry SRV _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 as _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan. Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 Failed to find matching DNS entry SRV _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 [.....] Calling nsupdate for A samdom.example.lan 192.168.0.1 (add) Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: samdom.example.lan. 900 IN A 192.168.0.1 dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 1 Calling nsupdate for SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389 (add) Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.samdom.example.lan. 900 IN SRV 0 100 389 dc-site1.samdom.example.lan. dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 1 Calling nsupdate for SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 (add) Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.dc._msdcs.samdom.example.lan. 900 IN SRV 0 100 389 dc-site1.samdom.example.lan. dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 1 Calling nsupdate for SRV _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 (add) Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan. 900 IN SRV 0 100 389 dc-site1.samdom.example.lan. [.....] dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 1 Calling nsupdate for SRV _ldap._tcp.SITE1._sites.ForestDnsZones.samdom.example.lan dc-site1.samdom.example.lan 389 (add) Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.SITE1._sites.ForestDnsZones.samdom.example.lan. 900 IN SRV 0 100 389 dc-site1.samdom.example.lan. dns_tkey_negotiategss: TKEY is unacceptable Failed nsupdate: 1 Failed update of 24 entries
On 11/19/2015 9:44 AM, Thierry Hotelier wrote:> hello, > we've just upgraded from samba 3.6.6 to samba 4.3.0. We are using > INTERNAL as dns backend. We have 1 domain and 6 DCs on 5 different > sites. Replication between DCs is ok as we can see with "samba-tool > drs showrepl". We configured them like it is described on the wiki and > used the RSAT tool "Sites and services" to add sites, subnets, links > ... But for the 4 DCs not on our main site, some DNS entries are > missing and it is not possible to add them with samba_dnsupdate (part > of the result of the command below). > As described by other people recently we need to put "allow dns > updates = nonsecure" in smb.conf in order to have dynamic DNS to work. > Is it correct to think that these DCs are not used by the clients ? > And that adding the dns entries missing is sufficient to correct the > problem ? > I've slightly modified samba_dnsupdate in order to collect the > commands send to nsupdate (the temporay files are not deleted). What > is the better way to add these entries ? I think of either executing > them on the "pdc" or trying executing nsupdate without option -g. > > Regards, > Thierry > > # samba_dnsupdate --verbose > IPs: ['192.168.0.1'] > Looking for DNS entry A dc-site1.samdom.example.lan 192.168.0.1 as > dc-site1.samdom.example.lan. > Looking for DNS entry A samdom.example.lan 192.168.0.1 as > samdom.example.lan. > Failed to find matching DNS entry A samdom.example.lan 192.168.0.1 > Looking for DNS entry SRV _ldap._tcp.samdom.example.lan > dc-site1.samdom.example.lan 389 as _ldap._tcp.samdom.example.lan. > Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV > _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389 > Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV > _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389 > Failed to find matching DNS entry SRV _ldap._tcp.samdom.example.lan > dc-site1.samdom.example.lan 389 > Looking for DNS entry SRV _ldap._tcp.dc._msdcs.samdom.example.lan > dc-site1.samdom.example.lan 389 as > _ldap._tcp.dc._msdcs.samdom.example.lan. > Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV > _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 > Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV > _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 > Failed to find matching DNS entry SRV > _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 > Looking for DNS entry SRV > _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan > dc-site1.samdom.example.lan 389 as > _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan. > Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV > _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan > dc-site1.samdom.example.lan 389 > Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV > _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan > dc-site1.samdom.example.lan 389 > Failed to find matching DNS entry SRV > _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan > dc-site1.samdom.example.lan 389 > > [.....] > > Calling nsupdate for A samdom.example.lan 192.168.0.1 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > samdom.example.lan. 900 IN A 192.168.0.1 > > dns_tkey_negotiategss: TKEY is unacceptable > Failed nsupdate: 1 > Calling nsupdate for SRV _ldap._tcp.samdom.example.lan > dc-site1.samdom.example.lan 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.samdom.example.lan. 900 IN SRV 0 100 389 > dc-site1.samdom.example.lan. > > dns_tkey_negotiategss: TKEY is unacceptable > Failed nsupdate: 1 > Calling nsupdate for SRV _ldap._tcp.dc._msdcs.samdom.example.lan > dc-site1.samdom.example.lan 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.dc._msdcs.samdom.example.lan. 900 IN SRV 0 100 389 > dc-site1.samdom.example.lan. > > dns_tkey_negotiategss: TKEY is unacceptable > Failed nsupdate: 1 > Calling nsupdate for SRV > _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan > dc-site1.samdom.example.lan 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan. > 900 IN SRV 0 100 389 dc-site1.samdom.example.lan. > > [.....] > > dns_tkey_negotiategss: TKEY is unacceptable > Failed nsupdate: 1 > Calling nsupdate for SRV > _ldap._tcp.SITE1._sites.ForestDnsZones.samdom.example.lan > dc-site1.samdom.example.lan 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.SITE1._sites.ForestDnsZones.samdom.example.lan. 900 IN SRV > 0 100 389 dc-site1.samdom.example.lan. > > dns_tkey_negotiategss: TKEY is unacceptable > Failed nsupdate: 1 > Failed update of 24 entries > > >*"Is it correct to think that these DCs are not used by the clients ?" *Your clients will not be able to use any DC where SRV records are missing for a requested service. *"And that adding the dns entries missing is sufficient to correct the problem ?" *It should be. You can verify by using nslookup from a client in each site. *"What is the better way to add these entries ?" *I would use the Windows DNS snap in or samba-tool -- -James
Reasonably Related Threads
- Secure dynamic update failure with internal DNS
- Samba 4.3.0 and DNS entries missing for DCs
- Authentication to Secondary Domain Controller initially fails when PDC is offline
- Authentication to Secondary Domain Controller initially fails when PDC is offline
- Authentication to Secondary Domain Controller initially fails when PDC is offline