On Thu, July 2, 2020 14:47:42 UTC, Rowland Penny wrote:
> Looks like you need to recompile nsupdate, you need GSSAPI.
>
> Failing that, try adding:
>
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>
> To your DC's smb.conf
Further investigation has uncovered (for me) the cause of this error:
/usr/local/bin/samba-nsupdate: cannot specify -g or -o, program not linked with GSSAPI Library
The problem with the program is not the absence of the GSSAPI library. The
problem is that FreeBSD ships with a GSSAPI library as part of the BASE system
corresponding to the OpenSSL that also is part of the BASE system (OpenSSL
1.1.1d-freebsd 10 Sep 2019 as of this writing). However, FreeBSD also
provides packaged alternatives to OpenSSL including a couple of OpenSSLs.
On the system I was testing with I installed a package called sslscan. This
package brings with it as a prerequisite the package openssl-unsafe. This is
the source of the trouble. The build options for the samba-nsupdate package
are:
Options :
GSSAPI_BASE : on
GSSAPI_HEIMDAL : off
GSSAPI_MIT : off
IPV6 : on
With an alternative OpenSSL package installed the BASE OpenSSL is overridden in
effect. And that causes samba-nsupdate to report that there is no GSSAPI
library linked to it. The bind-tools package is built with no GSSAPI support
so nsupdate is useless:
Comment : Command line tools from BIND: delv, dig, host, nslookup...
Options :
FIXED_RRSET : off
GSSAPI_BASE : off
GSSAPI_HEIMDAL : off
GSSAPI_MIT : off
GSSAPI_NONE : on
. . .
Which, no doubt, is the reason that the package samba-nsupdate exists on
FreeBSD.
Removing the offending SSL packages (sslscan and openssl-unsafe) and altering
/usr/local/etc/smb4.conf (smb.conf) to hold these settings:
dns update command = /usr/local/bin/samba-nsupdate
nsupdate command = /usr/local/bin/samba-nsupdate -g
thereafter changed the error messages from samba_dnsupdate to this:
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for SMB4-1$@BROCKLEY.HARTE-LYNE.CA will expire in 35998 secs
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as SMB4-1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca.
900 IN SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2
So, where are the dynamic update keys kept, and why is the key signature wrong
(or missing)?
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
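The triage the post walks through by hand (does the nsupdate binary accept -g at all, which GSSAPI backend the package was built with, and whether smb.conf passes -g) can be scripted. The following is an added example, not code from the post or from Samba or FreeBSD; it assumes the FreeBSD paths used in the post (/usr/local/bin/samba-nsupdate, /usr/local/etc/smb4.conf), assumes `pkg info` prints its build options in an "Options :" block of "NAME : on/off" lines as quoted above, and treats "nsupdate command" in smb.conf as a plain `key = value` line (Samba itself also accepts the name without spaces and in any case, which this simplified parser does not handle). The -g probe feeds nsupdate an empty update, so it sends nothing to any server; an nsupdate built without GSSAPI rejects the flag before reading input.

```shell
#!/bin/sh
# Added example (not from the original post): offline triage helpers for the
# "program not linked with GSSAPI Library" failure on a FreeBSD Samba AD DC.

# 1. Does this nsupdate binary accept -g (GSS-TSIG)?  An nsupdate built without
#    GSSAPI refuses the flag before it reads any input, so an empty update on
#    stdin is a safe probe that never contacts a DNS server.
#    Returns 0 if -g is accepted, 1 if refused, 2 if the binary is unusable.
nsupdate_has_gssapi() {
    bin=$1
    [ -x "$bin" ] || { echo "$bin: not found or not executable" >&2; return 2; }
    out=$("$bin" -g </dev/null 2>&1) || true
    case $out in
        *"not linked with GSSAPI"*) return 1 ;;
        *) return 0 ;;
    esac
}

# 2. Which GSSAPI backend was a package built with?  Reads 'pkg info PKG' text
#    on stdin (so it can be tested without pkg) and prints the GSSAPI_* option
#    that is "on"; prints GSSAPI_NONE when no GSSAPI option is enabled, which
#    is what the bind-tools package quoted in the post reports.
pkg_gssapi_backend() {
    awk '
        /^[ \t]*GSSAPI_[A-Z]+[ \t]*:[ \t]*on[ \t]*$/ {
            sub(/[ \t]*:.*$/, ""); sub(/^[ \t]*/, ""); found = $0
        }
        END { print (found == "" ? "GSSAPI_NONE" : found) }
    '
}

# 3. Does smb.conf hand Samba an nsupdate command that passes -g?  Reads the
#    config text on stdin and prints "ok: CMD", "no -g: CMD" or "missing: ...".
#    Simplification (assumption): the parameter is spelled exactly
#    "nsupdate command"; Samba also accepts "nsupdatecommand" in any case.
smbconf_nsupdate_check() {
    cmd=$(awk -F= '
        /^[ \t]*nsupdate command[ \t]*=/ {
            sub(/^[ \t]*/, "", $2); sub(/[ \t]*$/, "", $2); last = $2
        }
        END { print last }
    ')
    case $cmd in
        "")       echo "missing: nsupdate command"; return 1 ;;
        *" -g"*)  echo "ok: $cmd";   return 0 ;;
        *)        echo "no -g: $cmd"; return 1 ;;
    esac
}

# Run all three checks against a live DC.  Paths are the post's FreeBSD ones.
triage() {
    bin=$1 conf=$2
    if nsupdate_has_gssapi "$bin"; then
        echo "$bin accepts -g (GSSAPI linked)"
    else
        echo "$bin refuses -g: reinstall it with GSSAPI and look for a second"
        echo "OpenSSL package shadowing the base libraries (pkg info -x openssl)"
    fi
    if command -v pkg >/dev/null 2>&1; then
        backend=$(pkg info samba-nsupdate 2>/dev/null | pkg_gssapi_backend)
        echo "samba-nsupdate package GSSAPI backend: $backend"
    fi
    smbconf_nsupdate_check <"$conf"
}

# Only run the live checks where the post's binary actually exists.
if [ -x /usr/local/bin/samba-nsupdate ]; then
    triage /usr/local/bin/samba-nsupdate /usr/local/etc/smb4.conf
fi
```

Once both checks pass and the update still fails with NOTAUTH(BADSIG), the problem has moved from the client build to the signature itself: BADSIG is the TSIG error code meaning the server could not verify the signature on the update it received, so the interesting state is on the server side (the key or GSS-TSIG context the DNS server holds for that client), not in nsupdate's linkage.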