Andreas Schneider
2017-Nov-08 08:28 UTC
[Samba] Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update
On Tuesday, 7 November 2017 21:04:09 CET Marc Muehlfeld wrote:
> Hi Johannes,
>
> Am 07.11.2017 um 18:35 schrieb Johannes Engel via samba:
> > a month ago I have filed bug #13066 about Samba 4.7 DC using BIND9_DLZ
> > as DNS backend failing to run samba_dnsupdate using MIT Kerberos. The
> > logs show a Kerberos error "Request is a replay". Logs attached here:
> > https://bugzilla.samba.org/show_bug.cgi?id=13066.
> >
> > Since I have not received any feedback on the bug report, I am trying
> > this channel if someone has any idea how to fix this. Thanks a lot in
> > advance.
>
> A while ago I tested a git branch from Andreas' about moving some
> BIND-related files from the private to a separate directory. During
> testing I discovered some DNS update problems if the system used MIT
> Kerberos. He fixed everything in his branch, and updates worked.
>
> @Andreas: Do you remember if these fixes are all in master/4.7? I can
> confirm that dynamic updates fail here on F27 with self-compiled 4.7.1
> and latest master (both with MIT).
>
> # smbd -b | grep HAVE_LIBKADM5SRV_MIT
> HAVE_LIBKADM5SRV_MIT
>
> # samba_dnsupdate --verbose --all-names

This command does not work correctly because MIT Kerberos has a replay cache
to circumvent attacks.

This command does replay attacks :-)

http://web.mit.edu/kerberos/krb5-devel/doc/basic/rcache_def.html

It is not the right command to verify that dynamic DNS updates are working!

> ...
> update failed: REFUSED
> Failed nsupdate: 2
> update(nsupdate): SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
> DC3.samdom.example.com 389
> Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
> DC3.samdom.example.com 389 (add)
> Successfully obtained Kerberos ticket to DNS/dc3.samdom.example.com as DC3$
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com.
> 900 IN SRV 0 100 389 DC3.samdom.example.com.
>
> update failed: REFUSED
> Failed nsupdate: 2
> Failed update of 29 entries
>
> Regards,
> Marc
Johannes Engel
2017-Nov-08 08:40 UTC
[Samba] Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update
Hi Andreas,

thanks a lot for the explanation, sounds reasonable to me. ;)

But what would be the right way to test DNS updates in this scenario?

Best regards
Johannes

Am 08.11.2017 um 09:28 schrieb Andreas Schneider:
> On Tuesday, 7 November 2017 21:04:09 CET Marc Muehlfeld wrote:
>> Hi Johannes,
>>
>> Am 07.11.2017 um 18:35 schrieb Johannes Engel via samba:
>>> a month ago I have filed bug #13066 about Samba 4.7 DC using BIND9_DLZ
>>> as DNS backend failing to run samba_dnsupdate using MIT Kerberos. The
>>> logs show a Kerberos error "Request is a replay". Logs attached here:
>>> https://bugzilla.samba.org/show_bug.cgi?id=13066.
>>>
>>> Since I have not received any feedback on the bug report, I am trying
>>> this channel if someone has any idea how to fix this. Thanks a lot in
>>> advance.
>> A while ago I tested a git branch from Andreas' about moving some
>> BIND-related files from the private to a separate directory. During
>> testing I discovered some DNS update problems if the system used MIT
>> Kerberos. He fixed everything in his branch, and updates worked.
>>
>> @Andreas: Do you remember if these fixes are all in master/4.7? I can
>> confirm that dynamic updates fail here on F27 with self-compiled 4.7.1
>> and latest master (both with MIT).
>>
>> # smbd -b | grep HAVE_LIBKADM5SRV_MIT
>> HAVE_LIBKADM5SRV_MIT
>>
>> # samba_dnsupdate --verbose --all-names
> This command does not work correctly because MIT Kerberos has a replay cache
> to circumvent attacks.
>
> This command does replay attacks :-)
>
> http://web.mit.edu/kerberos/krb5-devel/doc/basic/rcache_def.html
>
> It is not the right command to verify that dynamic DNS updates are working!
>
>> ...
>> update failed: REFUSED
>> Failed nsupdate: 2
>> update(nsupdate): SRV
>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
>> DC3.samdom.example.com 389
>> Calling nsupdate for SRV
>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
>> DC3.samdom.example.com 389 (add)
>> Successfully obtained Kerberos ticket to DNS/dc3.samdom.example.com as DC3$
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com.
>> 900 IN SRV 0 100 389 DC3.samdom.example.com.
>>
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Failed update of 29 entries
>>
>> Regards,
>> Marc
Andreas Schneider
2017-Nov-08 16:46 UTC
[Samba] Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update
On Wednesday, 8 November 2017 09:40:30 CET Johannes Engel via samba wrote:
> Hi Andreas,
>
> thanks a lot for the explanation, sounds reasonable to me. ;)
>
> But what would be the right way to test DNS updates in this scenario?

Use a joined workstation and run 'net ads dns register'?

Or you disable the replay cache on the server side ...

The tool should be fixed, it is enough to only authenticate once. However I
don't have time for that, but feel free to open a bug.

Andreas
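The replay-cache behaviour the thread turns on, as an added toy model rather than Samba or MIT krb5 code: the server remembers every authenticator it has accepted for the length of its clock-skew window and rejects a repeat, so a client that re-presents the same authenticator for each of its records gets one success and then only "Request is a replay", while a client that authenticates once and sends all records over that session is unaffected. The principal names and DNS records are constructed to mirror the log above; the 300-second window and the assumption that the per-record path reuses the same authenticator are assumptions of this model, not facts established on the page.

```python
"""Toy model of a Kerberos server-side replay cache (added example).

Not Samba or MIT krb5 code. It follows the rule in the MIT rcache
documentation linked in the thread: accepted authenticators are kept for
the clock-skew window and a repeat within that window is rejected.
"""
from dataclasses import dataclass, field
import hashlib

CLOCK_SKEW = 300  # seconds the server tolerates; assumed value for the model

CLIENT = "DC3$@SAMDOM.EXAMPLE.COM"      # constructed, mirrors the log
SERVER = "DNS/dc3.samdom.example.com"   # constructed, mirrors the log
RECORDS = [                             # constructed sample of the 29 entries
    "_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com."
    " 900 IN SRV 0 100 389 DC3.samdom.example.com.",
    "_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 DC3.samdom.example.com.",
    "_kerberos._tcp.samdom.example.com. 900 IN SRV 0 100 88 DC3.samdom.example.com.",
]


@dataclass(frozen=True)
class Authenticator:
    """The fields a replay cache keys on: who, to whom, and the client timestamp."""
    client: str
    server: str
    ctime: int   # client time in seconds
    cusec: int   # microsecond part

    def key(self) -> str:
        raw = f"{self.client}|{self.server}|{self.ctime}|{self.cusec}".encode()
        return hashlib.sha256(raw).hexdigest()


@dataclass
class ReplayCache:
    """Server-side cache: authenticator key -> ctime at which it was accepted."""
    seen: dict = field(default_factory=dict)

    def accept(self, auth: Authenticator, now: int) -> str:
        # Entries older than the skew window cannot be replayed any more; drop them.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= CLOCK_SKEW}
        if abs(now - auth.ctime) > CLOCK_SKEW:
            return "KRB_AP_ERR_SKEW"      # outside the window: rejected regardless
        key = auth.key()
        if key in self.seen:
            return "KRB_AP_ERR_REPEAT"    # what the log shows as "Request is a replay"
        self.seen[key] = auth.ctime
        return "OK"


def update_per_record(cache: ReplayCache, now: int, records: list) -> list:
    """One authenticated exchange per record, re-presenting the same authenticator.

    Only the first exchange is accepted; every later one is a replay.
    """
    auth = Authenticator(CLIENT, SERVER, now, 123456)
    return [cache.accept(auth, now) for _ in records]


def update_single_session(cache: ReplayCache, now: int, records: list) -> tuple:
    """Authenticate once, then send every record over that one session.

    Returns (status of the single authentication, number of records sent).
    """
    auth = Authenticator(CLIENT, SERVER, now, 123456)
    status = cache.accept(auth, now)
    return status, (len(records) if status == "OK" else 0)


if __name__ == "__main__":
    now = 1_510_130_000
    print("per record:    ", update_per_record(ReplayCache(), now, RECORDS))
    print("single session:", update_single_session(ReplayCache(), now, RECORDS))
```

The model also shows why "disable the replay cache" is the blunt option: a fresh authenticator with a different `cusec` is accepted, and an old one past the skew window is rejected on time alone, so the cache only ever blocks exact repeats inside the window, which is precisely what a tool that authenticates once never produces.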