samba - Sep 2018 - Bind 9.12.x support status

Hi,

I recently noticed that when doing "samba_dns --all-names --verbose"
against Bind-9.12, I can't update dns records. I'm getting these error
messages for each record to update:

.
.
.
update failed: REFUSED
Failed nsupdate: 2
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.com
alpine.samdom.com 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.com
alpine.samdom.com 389 (add)
Successfully obtained Kerberos ticket to DNS/alpine.samdom.com as ALPINE$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.com. 900 IN SRV
0 100 389 alpine.samdom.com.

update failed: REFUSED
Failed nsupdate: 2
Failed update of 34 entrier

-----
This is Bind-9.12 log during operation:

daemon.err [6942]: samba_dlz: spnego update failed
daemon.info [6942]: client @0x562790c4cc40 127.0.0.1#53705/key
ALPINE\$\@samdom.com: updating zone 'samdom.com/NONE': update failed:
rejected by secure update (REFUSED)
daemon.info [6942]: samba_dlz: cancelling transaction on zone samdom.com
daemon.info [6942]: samba_dlz: starting transaction on zone samdom.com
daemon.err [6942]: samba_dlz: spnego update failed
daemon.info [6942]: client @0x562790c45d20 127.0.0.1#43211/key
ALPINE\$\@samdom.com: updating zone 'samdom.com/NONE': update failed:
rejected by secure update (REFUSED)
daemon.info [6942]: samba_dlz: cancelling transaction on zone samdom.com

-----
Same setup works on Bind-9.11. I didn't encounter this problem
earlier because "samba_dnsupdate" runs fine but since it doesn't
force
an update, its behaviour has misled me. When bind service first launch,
dlz module is loading fine:

daemon.info named[7317]: Loading 'AD DNS Zone' using driver dlopen
daemon.info [7317]: samba_dlz: started for DN DC=samdom,DC=som
daemon.info [7317]: samba_dlz: starting configure
daemon.info [7317]: samba_dlz: configured writeable zone 'samdom.com'
daemon.info [7317]: samba_dlz: configured writeable
zone'_msdcs.samdom.com'
daemon.info [7317]: none:103: 'max-cache-size 90%' - setting to 7185MB
(out of 7984MB) alpine
daemon.info [7317]: set up managed keys zone for view _default, file
'managed-keys.bind'

-----
I'm trying to find the cause of the problem. Maybe related to this:

"Previously, update-policy local; accepted updates from any source so
long as they were signed by the locally-generated session key. This has
been further restricted; updates are now only accepted from locally
configured addresses. [RT #45492]"

https://kb.isc.org/article/AA-01554/0/BIND-9.12.0-Release-Notes.html

---
Taner Tas

On Thu, 2018-09-06 at 00:01 +0300, Taner Tas via samba
wrote:
> Hi,
> 
> I recently noticed that when doing "samba_dns --all-names
--verbose"
> against Bind-9.12, I can't update dns records. I'm getting these
error
> messages for each record to update:
> 
I think this is the key (pardon the pun):
> daemon.err [6942]: samba_dlz: spnego update failed
Are you running a build with MIT Kerberos?

There is a replay cache implemented in that codebase that we need to
disable/work around in Samba, because we do a deliberate replay (we
parse/decrypt it a second time to get the PAC) of the Kerberos ticket
here.

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba

On Thu, 06 Sep 2018 09:29:15 +1200
Andrew Bartlett <abartlet at samba.org> wrote:
> On Thu, 2018-09-06 at 00:01 +0300, Taner Tas via samba wrote:
> > Hi,
> > 
> > I recently noticed that when doing "samba_dns --all-names
--verbose"
> > against Bind-9.12, I can't update dns records. I'm getting
these
> > error messages for each record to update:
> >   
> 
> I think this is the key (pardon the pun):
> 
> > daemon.err [6942]: samba_dlz: spnego update failed  
> 
> Are you running a build with MIT Kerberos?
> 
> There is a replay cache implemented in that codebase that we need to
> disable/work around in Samba, because we do a deliberate replay (we
> parse/decrypt it a second time to get the PAC) of the Kerberos ticket
> here.
> 
> Andrew Bartlett

You're spot on about MIT Kerberos. I mistakenly compiled Bind-9.12
against MIT Kerberos. It took me hours to find the cause the problem.
I re-compiled with Heimdal and I confirm that "samba_dns --all-names
--verbose" command runs just fine with Bind-9.12. So, we can assume
that there no issues with the bind-9.12.patch here:

https://github.com/alpinelinux/aports/tree/master/main/samba

I created a PR for Alpine Linux to solve my fault at first place:

https://github.com/alpinelinux/aports/pull/5112

---
Taner Tas