I changed the entries in smb4.conf (smb.conf) to this:

[global]
. . .
        dns update command = /usr/local/sbin/samba_dnsupdate
        nsupdate command = /usr/local/bin/samba-nsupdate -d -g

And this is what results when I run:

samba_dnsupdate --verbose -d8 --all-names
. . .
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for SMB4-1$@BROCKLEY.HARTE-LYNE.CA will expire in 35998 secs
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as SMB4-1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. 900 IN SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1151
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. IN SOA

;; AUTHORITY SECTION:
brockley.harte-lyne.ca. 3600 IN SOA SMB4-1.brockley.harte-lyne.ca. hostmaster.brockley.harte-lyne.ca. 1 900 600 86400 3600

Found zone name: brockley.harte-lyne.ca
The master is: SMB4-1.brockley.harte-lyne.ca
start_gssrequest
Found realm from ticket: BROCKLEY.HARTE-LYNE.CA
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13304
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;489873631.sig-SMB4-1.brockley.harte-lyne.ca. ANY TKEY

;; ADDITIONAL SECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TKEY gss-tsig. 1593782418 1593782418 3 NOERROR 1515 . . . 0

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13304
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;489873631.sig-SMB4-1.brockley.harte-lyne.ca. ANY TKEY

;; ANSWER SECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TKEY gss-tsig. 1593782418 1593782418 3 NOERROR 186
        oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB
        AgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvuDJDPZTRZw4t
        rumU7CUM54QqUWXZEf6MQ5ZeOQhrzV8cOQAwx0mMTkLIQm+YAu4Bysim
        Qn+Dfqy1qLL8mPSCes86vUp4l/Sa8a6mKjQ91+FeGqsorgsAEYrLaGXl
        vSBcP+Qxi+FC1e07Iuv3LXF/ 0

;; TSIG PSEUDOSECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593782418 300 28 BAQF//////8AAAAAMRP+/dHMO1zAtXPIT0vu4A== 13304 NOERROR 0

Sending update to 192.168.18.161#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 38762
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. 900 IN SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

;; TSIG PSEUDOSECTION:
489873631.sig-smb4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593782418 300 28 BAQE//////8AAAAAJXvohvDbm2q9Fel/zluw/w== 38762 NOERROR 0

; TSIG error with server: tsig indicates error

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 38762
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;brockley.harte-lyne.ca. IN SOA

;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. 900 IN SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

;; TSIG PSEUDOSECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593782418 300 0 38762 BADSIG 0

Failed nsupdate: 2
. . .

root at smb4-1 ~ (master)]# netstat -an | grep -i listen | grep 53
. . .
tcp4       0      0 192.168.18.161.53      *.*                    LISTEN
tcp4       0      0 127.0.161.1.53         *.*                    LISTEN

As far as I can determine the secret key and signature are not configured manually. What is causing the bad signature error? How is it fixed?

--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
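
An added example, not part of the original post: a Python triage of the nsupdate debug transcript above that pairs each TSIG record with the DNS header preceding it and reports which message was rejected. The TSIG field order is taken from the lines in the transcript; the function names `triage` and `findings` are illustrative.

```python
import re

# Header and TSIG lines copied from the nsupdate debug transcript in the post.
TRANSCRIPT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13304
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593782418 300 28 BAQF//////8AAAAAMRP+/dHMO1zAtXPIT0vu4A== 13304 NOERROR 0
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 38762
489873631.sig-smb4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593782418 300 28 BAQE//////8AAAAAJXvohvDbm2q9Fel/zluw/w== 38762 NOERROR 0
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 38762
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593782418 300 0 38762 BADSIG 0
"""

HEADER = re.compile(r"opcode: (\w+), status: (\w+), id:\s*(\d+)")
# Field order as seen in the transcript: algorithm, time signed, fudge, MAC size,
# MAC (absent when the size is 0), original ID, error, other-data length.
TSIG = re.compile(
    r"^(?P<key>\S+)\s+\d+\s+ANY\s+TSIG\s+\S+\s+\d+\s+\d+\s+(?P<mac_size>\d+)\s+"
    r"(?:[A-Za-z0-9+/=]+\s+)?(?P<orig_id>\d+)\s+(?P<error>[A-Z]+)\s+\d+$"
)

def triage(text):
    """Return one dict per TSIG record, merged with the header that precedes it."""
    messages, header = [], None
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            header = {"opcode": h[1], "status": h[2], "id": int(h[3])}
            continue
        t = TSIG.match(line.strip())
        if t and header:
            messages.append({**header, "key": t["key"], "mac_size": int(t["mac_size"]),
                             "orig_id": int(t["orig_id"]), "tsig_error": t["error"]})
    return messages

def findings(messages):
    """List TSIG failures and key names that differ only in letter case."""
    out = []
    for m in messages:
        if m["tsig_error"] != "NOERROR":
            out.append(f"{m['opcode']} id {m['id']}: status {m['status']}, "
                       f"TSIG error {m['tsig_error']} (MAC size {m['mac_size']})")
    names = {m["key"] for m in messages}
    # Observation only: the post does not establish whether this is related to BADSIG.
    if len(names) > 1 and len({n.lower() for n in names}) == 1:
        out.append("TSIG key name differs only in letter case: " + ", ".join(sorted(names)))
    return out

if __name__ == "__main__":
    print("\n".join(findings(triage(TRANSCRIPT))))
```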