[SAMBA AC DC][DNS ISSUE] secure dns updates problem

Andrew Bartlett abartlet at samba.org
Sun Feb 17 01:20:37 MST 2013


On Sun, 2013-02-17 at 09:37 +0200, Chirana Gheorghita Eugeniu Theodor
wrote:
> Hello,
> Just finished configuring the new Samba DC and there are some errors in the
> logs related to dns updates:
> 
> Got a dns update request.
> Update not allowed for unsigned packet.
> Kerberos: TGS-REQ managementdc$@OFFICE.AVIAMOTORS.RO from ipv4:
> 10.124.112.23:49188 for DNS/
> cerberus.office.aviamotors.ro at OFFICE.AVIAMOTORS.RO [canonicalize,
> renewable, forwardable]
> Kerberos: TGS-REQ authtime: 2013-02-17T09:31:51 starttime:
> 2013-02-17T09:31:57 endtime: 2013-02-17T19:31:51 renew till:
> 2013-02-24T09:31:51
> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED]
> Tkey handshake completed
> Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[dns_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED]
> Got a dns update request.
> update count is 3
> Looking at record:
>      discard_const(update): struct dns_res_rec
>         name                     : 'managementdc.office.aviamotors.ro'
>         rr_type                  : DNS_QTYPE_AAAA (0x1C)
>         rr_class                 : DNS_QCLASS_ANY (0xFF)
>         ttl                      : 0x00000000 (0)
>         length                   : 0x0000 (0)
>         rdata                    : union dns_rdata(case 0x1C)
>         ipv6_record              : (null)
>         unexpected               : DATA_BLOB length=0
> Looking at record:
>      discard_const(update): struct dns_res_rec
>         name                     : 'managementdc.office.aviamotors.ro'
>         rr_type                  : DNS_QTYPE_A (0x1)
>         rr_class                 : DNS_QCLASS_ANY (0xFF)
>         ttl                      : 0x00000000 (0)
>         length                   : 0x0000 (0)
>         rdata                    : union dns_rdata(case 0x1)
>         ipv4_record              : (null)
>         unexpected               : DATA_BLOB length=0
> Looking at record:
>      discard_const(update): struct dns_res_rec
>         name                     : 'managementdc.office.aviamotors.ro'
>         rr_type                  : DNS_QTYPE_A (0x1)
>         rr_class                 : DNS_QCLASS_IN (0x1)
>         ttl                      : 0x000004b0 (1200)
>         length                   : 0x0004 (4)
>         rdata                    : union dns_rdata(case 0x1)
>         ipv4_record              : 10.124.112.23
>         unexpected               : DATA_BLOB length=0
> dreplsrv_notify_schedule(5) scheduled for: Sun Feb 17 09:32:04 2013 EET
> ldb_wrap open of secrets.ldb
> ldb_wrap open of secrets.ldb
> Kerberos: AS-REQ MANAGEMENTDC$@OFFICE.AVIAMOTORS.RO from ipv4:
> 10.124.112.23:50584 for krbtgt/OFFICE.AVIAMOTORS.RO at OFFICE.AVIAMOTORS.RO
> Kerberos: Client sent patypes: encrypted-timestamp, 128
> Kerberos: Looking for PKINIT pa-data -- MANAGEMENTDC$@OFFICE.AVIAMOTORS.RO

I don't see any errors here.  It is normal for a client to attempt an
unsigned update, and then a signed one when we correctly refuse that.

> DNS is the internal Samba DNS server. In samba/private I cannot see the
> dns.keytab or other files related to DNS TSIG. Maybe I can generate these
> files, because it seems that the provision script did not create them.

The dns.keytab is not needed by the internal server, it uses the main
secrets.ldb and secrets.keytab.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
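The sequence Andrew describes (an unsigned update refused, then a TKEY/GSS-TSIG handshake, then the signed update carrying the real changes) can be checked mechanically from the DC log. The script below is an added example written for this page; it is not code from the thread, from Samba, or from either poster. It parses the `Got a dns update request.` / `Looking at record:` lines quoted above, tags each request as refused, signed (a `Tkey handshake completed` preceded it) or unsigned-but-processed, and maps every record in the update section to its RFC 2136 section 2.5 meaning: CLASS=ANY with TTL 0 and empty RDATA deletes an RRset, CLASS=NONE deletes one RR, and the zone class (IN) adds an RR. `SAMPLE_LOG` is constructed from the quoted lines (wrapped lines re-joined, unrelated lines dropped); `UNSIGNED_ACCEPTED_LOG` is hypothetical and only exists so the check has something to flag, as it would if `allow dns updates` were set to `nonsecure` instead of Samba's default `secure only`.

```python
"""Classify Samba internal-DNS dynamic-update log lines by RFC 2136 semantics."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the DC log quoted in the thread, wrapped lines re-joined,
# Kerberos/ldb chatter that does not matter for the state machine removed.
SAMPLE_LOG = """\
Got a dns update request.
Update not allowed for unsigned packet.
Kerberos: TGS-REQ managementdc$@OFFICE.AVIAMOTORS.RO from ipv4: 10.124.112.23:49188 for DNS/cerberus.office.aviamotors.ro at OFFICE.AVIAMOTORS.RO [canonicalize, renewable, forwardable]
Tkey handshake completed
Got a dns update request.
update count is 3
Looking at record:
     discard_const(update): struct dns_res_rec
        name                     : 'managementdc.office.aviamotors.ro'
        rr_type                  : DNS_QTYPE_AAAA (0x1C)
        rr_class                 : DNS_QCLASS_ANY (0xFF)
        ttl                      : 0x00000000 (0)
        length                   : 0x0000 (0)
        rdata                    : union dns_rdata(case 0x1C)
        ipv6_record              : (null)
        unexpected               : DATA_BLOB length=0
Looking at record:
        name                     : 'managementdc.office.aviamotors.ro'
        rr_type                  : DNS_QTYPE_A (0x1)
        rr_class                 : DNS_QCLASS_ANY (0xFF)
        ttl                      : 0x00000000 (0)
        length                   : 0x0000 (0)
Looking at record:
        name                     : 'managementdc.office.aviamotors.ro'
        rr_type                  : DNS_QTYPE_A (0x1)
        rr_class                 : DNS_QCLASS_IN (0x1)
        ttl                      : 0x000004b0 (1200)
        length                   : 0x0004 (4)
        ipv4_record              : 10.124.112.23
dreplsrv_notify_schedule(5) scheduled for: Sun Feb 17 09:32:04 2013 EET
"""

# Hypothetical sample (not from the thread): a request with records that was
# neither refused nor preceded by a TKEY handshake, i.e. what should never
# appear with 'allow dns updates = secure only'.
UNSIGNED_ACCEPTED_LOG = """\
Got a dns update request.
update count is 1
Looking at record:
        name                     : 'rogue.office.aviamotors.ro'
        rr_type                  : DNS_QTYPE_A (0x1)
        rr_class                 : DNS_QCLASS_IN (0x1)
        ttl                      : 0x000004b0 (1200)
        length                   : 0x0004 (4)
        ipv4_record              : 10.124.112.99
"""

FIELD = re.compile(r"^\s+(\w+)\s+:\s*(.*)$")   # indented 'key : value' lines


@dataclass
class Record:
    name: str = ""
    rr_type: str = ""
    rr_class: str = ""
    ttl: int = 0
    length: int = 0
    rdata: Optional[str] = None


@dataclass
class Update:
    signed: bool                # a TKEY (GSS-TSIG) handshake preceded this request
    refused: bool = False       # "Update not allowed for unsigned packet."
    records: List[Record] = field(default_factory=list)


def _paren_int(val: str) -> int:
    return int(val.split("(")[1].rstrip(")"))   # '0x000004b0 (1200)' -> 1200


def parse_updates(log: str) -> List[Update]:
    """Walk the log once; every 'Got a dns update request.' opens a new Update."""
    updates: List[Update] = []
    tkey_done = False
    rec: Optional[Record] = None
    for line in log.splitlines():
        s = line.strip()
        if s == "Got a dns update request.":
            updates.append(Update(signed=tkey_done))
            tkey_done, rec = False, None
        elif s == "Update not allowed for unsigned packet." and updates:
            updates[-1].refused = True
        elif s == "Tkey handshake completed":
            tkey_done = True
        elif s == "Looking at record:" and updates:
            rec = Record()
            updates[-1].records.append(rec)
        elif rec is not None:
            m = FIELD.match(line)       # column-0 lines (Kerberos, dreplsrv) do not match
            if not m:
                continue
            key, val = m.groups()
            if key == "name":
                rec.name = val.strip("'")
            elif key == "rr_type":
                rec.rr_type = val.split()[0].replace("DNS_QTYPE_", "")
            elif key == "rr_class":
                rec.rr_class = val.split()[0].replace("DNS_QCLASS_", "")
            elif key == "ttl":
                rec.ttl = _paren_int(val)
            elif key == "length":
                rec.length = _paren_int(val)
            elif key in ("ipv4_record", "ipv6_record"):
                rec.rdata = None if val == "(null)" else val
    return updates


def classify(rec: Record) -> str:
    """RFC 2136 section 2.5: meaning of one RR in the update section."""
    if rec.rr_class == "ANY" and rec.ttl == 0 and rec.length == 0:
        if rec.rr_type == "ANY":
            return f"delete all RRsets at {rec.name}"
        return f"delete RRset {rec.rr_type} at {rec.name}"
    if rec.rr_class == "NONE" and rec.ttl == 0:
        return f"delete RR {rec.rr_type} {rec.rdata} at {rec.name}"
    if rec.rr_class == "IN":
        return f"add {rec.rr_type} {rec.rdata} ttl {rec.ttl} at {rec.name}"
    return f"unrecognised {rec.rr_type}/{rec.rr_class} at {rec.name}"


def unsigned_accepted(updates: List[Update]) -> List[Update]:
    """Requests that carried records but were neither refused nor TKEY-signed."""
    return [u for u in updates if u.records and not u.refused and not u.signed]


if __name__ == "__main__":
    for i, u in enumerate(parse_updates(SAMPLE_LOG), 1):
        state = "refused" if u.refused else ("signed" if u.signed else "UNSIGNED, processed")
        print(f"update {i}: {state}")
        for r in u.records:
            print("   ", classify(r))
    print("flagged:", len(unsigned_accepted(parse_updates(UNSIGNED_ACCEPTED_LOG))))
```

Run against the quoted log this prints one refused request followed by one signed request that deletes the AAAA and A RRsets for the host and adds the new A record; an empty `unsigned_accepted()` result is the confirmation that the refusal on the first attempt was doing its job.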
