Johannes Engel
2017-Nov-07 17:35 UTC
[Samba] Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update
Dear all,

a month ago I have filed bug #13066 about Samba 4.7 DC using BIND9_DLZ as DNS backend failing to run samba_dnsupdate using MIT Kerberos. The logs show a kerberos error "Request is a replay". Logs attached here: https://bugzilla.samba.org/show_bug.cgi?id=13066.

Since I have not received any feedback on the bug report, I am trying this channel if someone has any idea how to fix this. Thanks a lot in advance.

Best regards
Johannes
Marc Muehlfeld
2017-Nov-07 20:04 UTC
[Samba] Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update
Hi Johannes,

On 07.11.2017 at 18:35, Johannes Engel via samba wrote:
> a month ago I have filed bug #13066 about Samba 4.7 DC using BIND9_DLZ
> as DNS backend failing to run samba_dnsupdate using MIT Kerberos. The
> logs show a kerberos error "Request is a replay". Logs attached here:
> https://bugzilla.samba.org/show_bug.cgi?id=13066.
>
> Since I have not received any feedback on the bug report, I am trying
> this channel if someone has any idea how to fix this. Thanks a lot in
> advance.

A while ago I tested a git branch from Andreas' about moving some BIND-related files from the private to a separate directory. During testing I discovered some DNS update problems if the system used MIT Kerberos. He fixed everything in his branch, and updates worked.

@Andreas: Do you remember if these fixes are all in master/4.7? I can confirm that dynamic updates fail here on F27 with self-compiled 4.7.1 and latest master (both with MIT).

# smbd -b | grep HAVE_LIBKADM5SRV_MIT
HAVE_LIBKADM5SRV_MIT

# samba_dnsupdate --verbose --all-names
...
update failed: REFUSED
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com DC3.samdom.example.com 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com DC3.samdom.example.com 389 (add)
Successfully obtained Kerberos ticket to DNS/dc3.samdom.example.com as DC3$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com. 900 IN SRV 0 100 389 DC3.samdom.example.com.

update failed: REFUSED
Failed nsupdate: 2
Failed update of 29 entries

Regards,
Marc
Andreas Schneider
2017-Nov-08 08:28 UTC
[Samba] Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update
On Tuesday, 7 November 2017 21:04:09 CET Marc Muehlfeld wrote:
> Hi Johannes,
>
> On 07.11.2017 at 18:35, Johannes Engel via samba wrote:
> > a month ago I have filed bug #13066 about Samba 4.7 DC using BIND9_DLZ
> > as DNS backend failing to run samba_dnsupdate using MIT Kerberos. The
> > logs show a kerberos error "Request is a replay". Logs attached here:
> > https://bugzilla.samba.org/show_bug.cgi?id=13066.
> >
> > Since I have not received any feedback on the bug report, I am trying
> > this channel if someone has any idea how to fix this. Thanks a lot in
> > advance.
>
> A while ago I tested a git branch from Andreas' about moving some
> BIND-related files from the private to a separate directory. During
> testing I discovered some DNS update problems if the system used MIT
> Kerberos. He fixed everything in his branch, and updates worked.
>
> @Andreas: Do you remember if these fixes are all in master/4.7? I can
> confirm that dynamic updates fail here on F27 with self-compiled 4.7.1
> and latest master (both with MIT).
>
> # smbd -b | grep HAVE_LIBKADM5SRV_MIT
> HAVE_LIBKADM5SRV_MIT
>
> # samba_dnsupdate --verbose --all-names

This command does not work correctly because MIT Kerberos has a replay cache to circumvent attacks. This command does replay attacks :-)

http://web.mit.edu/kerberos/krb5-devel/doc/basic/rcache_def.html

It is not the right command to verify that dynamic dns updates are working!

> ...
> update failed: REFUSED
> Failed nsupdate: 2
> update(nsupdate): SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
> DC3.samdom.example.com 389
> Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
> DC3.samdom.example.com 389 (add)
> Successfully obtained Kerberos ticket to DNS/dc3.samdom.example.com as DC3$
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com.
> 900 IN SRV 0 100 389 DC3.samdom.example.com.
>
> update failed: REFUSED
> Failed nsupdate: 2
> Failed update of 29 entries
>
> Regards,
> Marc
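The replay cache Andreas points to, modelled as an added Python example to show why a client that resends one authenticator gets every request after the first rejected as a replay while fresh authenticators pass. This is constructed for illustration and is not Samba or MIT code; the 300-second skew window, the principal names and the one-update-per-second timing are assumptions.

```python
# Simplified model of a Kerberos replay cache (constructed example, not MIT or
# Samba code). The cache remembers each authenticator it accepts inside the
# clock-skew window and rejects a second copy with KRB_AP_ERR_REPEAT, which
# MIT prints as "Request is a replay".
from dataclasses import dataclass, field
import hashlib
CLOCK_SKEW = 300  # seconds; assumed window, matching the usual krb5 default

@dataclass(frozen=True)
class Authenticator:
    client: str    # client principal, e.g. DC3$@SAMDOM.EXAMPLE.COM
    server: str    # service principal, e.g. DNS/dc3.samdom.example.com
    ctime: int     # client timestamp, seconds
    cusec: int     # client timestamp, microseconds
    digest: bytes  # hash of the encrypted authenticator

    @staticmethod
    def build(client, server, ctime, cusec, nonce):
        raw = f"{client}|{server}|{ctime}|{cusec}|{nonce}".encode()
        return Authenticator(client, server, ctime, cusec, hashlib.sha256(raw).digest())

@dataclass
class ReplayCache:
    seen: dict = field(default_factory=dict)  # authenticator -> its ctime

    def check(self, auth, now):
        """Validate one AP-REQ authenticator at server time `now`."""
        if abs(now - auth.ctime) > CLOCK_SKEW:
            return "KRB_AP_ERR_SKEW"
        # Entries older than the window can be dropped: replaying them would
        # already fail the time check above.
        for old in [a for a, t in self.seen.items() if t < now - CLOCK_SKEW]:
            del self.seen[old]
        if auth in self.seen:
            return "KRB_AP_ERR_REPEAT"
        self.seen[auth] = auth.ctime
        return "OK"

def simulate_updates(n, reuse_authenticator, start=1_000_000):
    """Send n DNS updates as DC3$ to DNS/dc3.samdom.example.com, one per second,
    and return the server's verdict for each. With reuse_authenticator=True the
    client resends one authenticator every time; otherwise each is fresh."""
    cache, verdicts = ReplayCache(), []
    client, server = "DC3$@SAMDOM.EXAMPLE.COM", "DNS/dc3.samdom.example.com"
    first = Authenticator.build(client, server, start, 0, 0)
    for i in range(n):
        now = start + i
        auth = first if reuse_authenticator else Authenticator.build(client, server, now, i, i)
        verdicts.append(cache.check(auth, now))
    return verdicts
```

With 29 updates, as in Marc's run, the reused authenticator yields one OK followed by 28 replay rejections, whereas fresh authenticators are all accepted.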