[cifs-protocol] [EXTERNAL] [MS-DNSP] sticky static dns updates - TrackingID#2106070040005009

Jeff McCashland jeffm at microsoft.com
Thu Jun 10 18:08:10 UTC 2021

Hi Douglas,

I added the Keytab file on the Wireshark Preferences page under Protocols -> KRB5, and checked 'Try to decrypt Kerberos blobs', then reloaded the trace. 

The LDAP frames still aren't decrypted. Did I miss a step? 

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: Andrew Bartlett <abartlet at samba.org> 
Sent: Monday, June 7, 2021 5:20 PM
To: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>; Jeff McCashland <jeffm at microsoft.com>; cifs-protocol <cifs-protocol at lists.samba.org>
Cc: Jeff McCashland <jeffm at microsoftsupport.com>
Subject: Re: [cifs-protocol] [EXTERNAL] [MS-DNSP] sticky static dns updates - TrackingID#2106070040005009

On Tue, 2021-06-08 at 10:11 +1200, Douglas Bagnall via cifs-protocol
> hi Jeff,
> The client side is Samba. If you are able to compile and run Samba 
> testcases, I can prepare a git branch or patch that contains this 
> test.
> Attached is a network capture, though the ldap is all encrypted.
> I have not tried with a Windows client.
> Douglas
> On 8/06/21 5:46 am, Jeff McCashland wrote:
> > 
> > -----Original Message-----
> > From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
> > Sent: Sunday, June 6, 2021 11:55 PM
> > To: Interoperability Documentation Help <dochelp at microsoft.com>; 
> > cifs-protocol <cifs-protocol at lists.samba.org>
> > Subject: [EXTERNAL] [MS-DNSP] sticky static dns updates
> > 
> > hi Dochelp,
> > 
> > Another question around DNS nodes and records, based on tests 
> > against 2012r2.
> > 8. A new record D is added using DNS update. This record also gets a 
> > zero timestamp, although there is nothing in the LDAP node object to 
> > tell it that. Record A still has its original timestamp.

> > My questions relate to the behaviour in step 8.
> > 
> > As far as I can see, there is no method in the documented protocols 
> > to determine that a node has the "static bit" set (short of creating 
> > a record). It is not recorded in the ldap objects, and not revealed 
> > over RPC. Is this correct?


I think the issue here may relate to the Windows DNS server being backed onto AD in an odd way; it isn't a live backing like we use, but something more complex, meaning we get these kinds of cache coherency issues.  It might be that the DNS server code pre-dated AD, and the AD backend is synced or such; perhaps MS might be willing to say.

I'm pretty sure we have seen things like this before, even in your earlier step where you had to tickle the server to make it realise that LDAP had changed.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org/
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
