Hi team,

I recently upgraded some servers from v4.3.5 (affected by https://bugzilla.samba.org/show_bug.cgi?id=11520 ) to v4.5.8 (default in Debian Stretch) and was expecting secure DNS updates to be working again, but they are not.

My logs show the same issues reported on bug 11520:

[2017/08/29 15:21:01.990467, 2] ../source4/dns_server/dns_update.c:773(dns_server_process_update)
  Got a dns update request.
[2017/08/29 15:21:01.990841, 2] ../source4/dns_server/dns_update.c:730(dns_update_allowed)
  Update not allowed for unsigned packet.
[2017/08/29 15:21:02.001791, 1] ../source4/dns_server/dns_query.c:880(handle_tkey)
  Tkey handshake completed

DNS records are not updated by Win7 clients and a Wireshark capture shows Samba returns "Refused" to the request (I'm using Samba internal DNS). Setting "allow dns updates = nonsecure" works fine, as before.

Can anyone confirm that this was indeed fixed? What else could be the reason for the failures?

Thanks,

George
On 8/29/2017 3:27 PM, George via samba wrote:
> Hi team,
>
> I recently upgraded some servers from v4.3.5 (affected by
> https://bugzilla.samba.org/show_bug.cgi?id=11520 ) to v4.5.8 (default in
> Debian Stretch) and was expecting secure DNS updates to be working again,
> but they are not.
>
> My logs show the same issues reported on bug 11520:
>
> [2017/08/29 15:21:01.990467, 2]
> ../source4/dns_server/dns_update.c:773(dns_server_process_update)
> Got a dns update request.
> [2017/08/29 15:21:01.990841, 2]
> ../source4/dns_server/dns_update.c:730(dns_update_allowed)
> Update not allowed for unsigned packet.
> [2017/08/29 15:21:02.001791, 1]
> ../source4/dns_server/dns_query.c:880(handle_tkey)
> Tkey handshake completed
>
> DNS records are not updated by Win7 clients and a Wireshark capture shows
> Samba returns "Refused" to the request (I'm using Samba internal DNS).
> Setting "allow dns updates = nonsecure" works fine, as before.
>
> Can anyone confirm that this was indeed fixed? What else could be the
> reason for the failures?
>
> Thanks,
>
> George

I can confirm they work on 4.6.7. I do recall they have worked for several prior versions as well. I can't seem to get PTR records to register though.

The refused request doesn't necessarily mean it's not working. Windows will send an un-secure request first, followed by a secure request if required.

--
--
James
On Tue, Aug 29, 2017 at 6:55 PM, lingpanda101 <lingpanda101 at gmail.com> wrote:
> I can confirm they work on 4.6.7. I do recall they have worked for
> several prior versions as well. I can't seem to get PTR records to
> register though.
>
> The refused request doesn't necessarily mean it's not working. Windows
> will send an un-secure request first, followed by a secure request if
> required.
>
> --
> --
> James

You are right about that; I was looking at the first unauthenticated attempt. Still, the 2nd authenticated attempt fails. Wireshark reports "Server failure" in this case, and the Samba log is as follows:

[2017/08/29 19:25:27.837126, 2] ../source4/dns_server/dns_update.c:773(dns_server_process_update)
  Got a dns update request.
[2017/08/29 19:25:27.837704, 1] ../source4/dns_server/dns_update.c:684(handle_updates)
  update count is 3
[2017/08/29 19:25:27.837734, 2] ../source4/dns_server/dns_update.c:389(handle_one_update)
  Looking at record:
[2017/08/29 19:25:27.837743, 2] ../source4/dns_server/dns_update.c:390(handle_one_update)
[2017/08/29 19:25:27.837748, 1] ../librpc/ndr/ndr.c:413(ndr_print_debug)
  discard_const(update): struct dns_res_rec
      name                     : 'foo.domain.com'
      rr_type                  : DNS_QTYPE_AAAA (0x1C)
      rr_class                 : DNS_QCLASS_ANY (0xFF)
      ttl                      : 0x00000000 (0)
      length                   : 0x0000 (0)
      rdata                    : union dns_rdata(case 0x1C)
      ipv6_record              : (null)
      unexpected               : DATA_BLOB length=0

Any ideas?

--
George
On 8/29/2017 6:54 PM, George via samba wrote:
> On Tue, Aug 29, 2017 at 6:55 PM, lingpanda101 <lingpanda101 at gmail.com>
> wrote:
>
>> I can confirm they work on 4.6.7. I do recall they have worked for
>> several prior versions as well. I can't seem to get PTR records to
>> register though.
>>
>> The refused request doesn't necessarily mean it's not working. Windows
>> will send an un-secure request first, followed by a secure request if
>> required.
>>
>> --
>> --
>> James
>>
> You are right about that; I was looking at the first unauthenticated
> attempt. Still, the 2nd authenticated attempt fails. Wireshark reports
> "Server failure" in this case, and the Samba log is as follows:
>
> [2017/08/29 19:25:27.837126, 2]
> ../source4/dns_server/dns_update.c:773(dns_server_process_update)
> Got a dns update request.
> [2017/08/29 19:25:27.837704, 1]
> ../source4/dns_server/dns_update.c:684(handle_updates)
> update count is 3
> [2017/08/29 19:25:27.837734, 2]
> ../source4/dns_server/dns_update.c:389(handle_one_update)
> Looking at record:
> [2017/08/29 19:25:27.837743, 2]
> ../source4/dns_server/dns_update.c:390(handle_one_update)
> [2017/08/29 19:25:27.837748, 1] ../librpc/ndr/ndr.c:413(ndr_print_debug)
> discard_const(update): struct dns_res_rec
> name : 'foo.domain.com'
> rr_type : DNS_QTYPE_AAAA (0x1C)
> rr_class : DNS_QCLASS_ANY (0xFF)
> ttl : 0x00000000 (0)
> length : 0x0000 (0)
> rdata : union dns_rdata(case 0x1C)
> ipv6_record : (null)
> unexpected : DATA_BLOB length=0
>
>
> Any ideas?
>
> --
> George

What you posted was a response to an IPv6 request (AAAA) record. What type of record are you attempting to register?

--
--
James
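The thread turns on telling the two update attempts apart in Samba's debug log: the unsigned first try that Samba refuses (expected with secure updates), the TKEY handshake that follows it, and the signed retry that reaches handle_updates. The script below is an added example written for this thread, not Samba code and not something either poster ran. It parses the exact log lines quoted above (embedded as a constructed sample, George's two excerpts concatenated), groups them into update requests, and for each record it finds in the ndr_print_debug dump names the operation the update RR requests, using the RFC 2136 section 2.5 rule that CLASS ANY with empty RDATA means "delete this RRset". Two assumptions: a "Tkey handshake completed" line is attributed to the update request logged just before it, and every header line has the "[timestamp, level] file:line(function)" shape shown in the thread.

```python
"""Classify Samba internal-DNS update attempts from its debug log.
Added example for this thread, not Samba code.  Log layout and function names
are copied from the thread; the RR-class-to-operation rule is RFC 2136 s2.5.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Samba debug header "[timestamp, level] file:line(function)" plus any trailing
# text; the message itself continues on the indented lines that follow.
HEADER_RE = re.compile(r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\] \S+\((?P<func>\w+)\)\s*(?P<rest>.*)$")

# Constructed sample: George's two excerpts from the thread, concatenated.
SAMPLE_LOG = """\
[2017/08/29 15:21:01.990467, 2] ../source4/dns_server/dns_update.c:773(dns_server_process_update)
  Got a dns update request.
[2017/08/29 15:21:01.990841, 2] ../source4/dns_server/dns_update.c:730(dns_update_allowed)
  Update not allowed for unsigned packet.
[2017/08/29 15:21:02.001791, 1] ../source4/dns_server/dns_query.c:880(handle_tkey)
  Tkey handshake completed
[2017/08/29 19:25:27.837126, 2] ../source4/dns_server/dns_update.c:773(dns_server_process_update)
  Got a dns update request.
[2017/08/29 19:25:27.837704, 1] ../source4/dns_server/dns_update.c:684(handle_updates)
  update count is 3
[2017/08/29 19:25:27.837748, 1] ../librpc/ndr/ndr.c:413(ndr_print_debug)
  discard_const(update): struct dns_res_rec
      name                     : 'foo.domain.com'
      rr_type                  : DNS_QTYPE_AAAA (0x1C)
      rr_class                 : DNS_QCLASS_ANY (0xFF)
"""

@dataclass
class UpdateRecord:
    name: str
    rr_type: str
    rr_class: str

    def operation(self) -> str:
        """RFC 2136 section 2.5: the CLASS of an update RR selects the operation."""
        cls = self.rr_class.rsplit("_", 1)[-1]   # DNS_QCLASS_ANY -> ANY
        typ = self.rr_type.rsplit("_", 1)[-1]    # DNS_QTYPE_AAAA -> AAAA
        if cls == "ANY":
            return "delete all RRsets" if typ == "ANY" else f"delete {typ} RRset"
        return f"delete one {typ} RR" if cls == "NONE" else f"add {typ} RR"

@dataclass
class UpdateRequest:
    ts: str
    outcome: str = "unknown"          # refused_unsigned | accepted | unknown
    tkey_completed: bool = False      # TKEY handshake logged after this request
    update_count: Optional[int] = None
    records: List[UpdateRecord] = field(default_factory=list)

    def describe(self) -> str:
        if self.outcome == "refused_unsigned":
            tail = "; TKEY followed, expect a signed retry" if self.tkey_completed else ""
            return f"{self.ts}: unsigned update refused (normal first try from Windows){tail}"
        ops = ", ".join(f"{r.operation()} for {r.name}" for r in self.records)
        return f"{self.ts}: {self.outcome}, {self.update_count} update(s): {ops or 'none logged'}"

def parse_events(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, function, message) per header, joining continuation lines."""
    events: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            events.append((m["ts"], m["func"], m["rest"].strip()))
        elif events:
            ts, func, text = events[-1]
            events[-1] = (ts, func, (text + "\n" + line.strip()).strip())
    return events

def parse_record(dump: str) -> UpdateRecord:
    """Pull name/rr_type/rr_class out of an ndr_print_debug dns_res_rec dump."""
    def value(key: str) -> str:
        m = re.search(rf"^{key}\s*:\s*'?([^'\s]+)", dump, re.MULTILINE)
        return m.group(1) if m else ""
    return UpdateRecord(value("name"), value("rr_type"), value("rr_class"))

def analyze(log_text: str) -> List[UpdateRequest]:
    """Group events into update requests and classify each one."""
    requests: List[UpdateRequest] = []
    for ts, func, text in parse_events(log_text):
        if func == "dns_server_process_update":
            requests.append(UpdateRequest(ts=ts))
            continue
        if not requests:
            continue  # noise before the first update request
        cur = requests[-1]
        if func == "dns_update_allowed" and "unsigned" in text:
            # Secure-only updates: the unsigned first try gets REFUSED; Windows
            # then negotiates a TKEY (GSS-TSIG) and retries with a signed packet.
            cur.outcome = "refused_unsigned"
        elif func == "handle_tkey" and "completed" in text:
            cur.tkey_completed = True
        elif func == "handle_updates":  # only reached once dns_update_allowed passed
            m = re.search(r"update count is (\d+)", text)
            cur.update_count = int(m.group(1)) if m else None
            cur.outcome = "accepted"
        elif func == "ndr_print_debug" and "dns_res_rec" in text:
            cur.records.append(parse_record(text))
    return requests
```

On the sample, `analyze(SAMPLE_LOG)` yields two requests: the 15:21 one is classified as the refused unsigned attempt with a TKEY handshake behind it, and the 19:25 one as accepted past dns_update_allowed with three updates, the logged record being a "delete AAAA RRset for foo.domain.com" (CLASS ANY, empty RDATA), i.e. the clean-up step of an AAAA registration rather than the record being added. Because the SERVFAIL George saw in Wireshark is not in the log excerpt, the classifier reports only that the signed packet was accepted for processing; the failure itself must come from a later line or the capture.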