[SAMBA AC DC][DNS ISSUE] secure dns updates problem
Chirana Gheorghita Eugeniu Theodor
office at adaptcom.ro
Sun Feb 17 01:32:33 MST 2013
Aha, ok.
I am just paranoid about errors.
On Sun, Feb 17, 2013 at 10:20 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sun, 2013-02-17 at 09:37 +0200, Chirana Gheorghita Eugeniu Theodor
> wrote:
> > Hello,
> > Just finished configuring the new Samba DC and there are some errors in
> > the logs related to dns updates:
> >
> > Got a dns update request.
> > Update not allowed for unsigned packet.
> > Kerberos: TGS-REQ managementdc$@OFFICE.AVIAMOTORS.RO from ipv4:
> > 10.124.112.23:49188 for DNS/
> > cerberus.office.aviamotors.ro at OFFICE.AVIAMOTORS.RO [canonicalize,
> > renewable, forwardable]
> > Kerberos: TGS-REQ authtime: 2013-02-17T09:31:51 starttime:
> > 2013-02-17T09:31:57 endtime: 2013-02-17T19:31:51 renew till:
> > 2013-02-24T09:31:51
> > Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> > single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> > Tkey handshake completed
> > Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> > single_terminate: reason[dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> > Got a dns update request.
> > update count is 3
> > Looking at record:
> > discard_const(update): struct dns_res_rec
> > name : 'managementdc.office.aviamotors.ro'
> > rr_type : DNS_QTYPE_AAAA (0x1C)
> > rr_class : DNS_QCLASS_ANY (0xFF)
> > ttl : 0x00000000 (0)
> > length : 0x0000 (0)
> > rdata : union dns_rdata(case 0x1C)
> > ipv6_record : (null)
> > unexpected : DATA_BLOB length=0
> > Looking at record:
> > discard_const(update): struct dns_res_rec
> > name : 'managementdc.office.aviamotors.ro'
> > rr_type : DNS_QTYPE_A (0x1)
> > rr_class : DNS_QCLASS_ANY (0xFF)
> > ttl : 0x00000000 (0)
> > length : 0x0000 (0)
> > rdata : union dns_rdata(case 0x1)
> > ipv4_record : (null)
> > unexpected : DATA_BLOB length=0
> > Looking at record:
> > discard_const(update): struct dns_res_rec
> > name : 'managementdc.office.aviamotors.ro'
> > rr_type : DNS_QTYPE_A (0x1)
> > rr_class : DNS_QCLASS_IN (0x1)
> > ttl : 0x000004b0 (1200)
> > length : 0x0004 (4)
> > rdata : union dns_rdata(case 0x1)
> > ipv4_record : 10.124.112.23
> > unexpected : DATA_BLOB length=0
> > dreplsrv_notify_schedule(5) scheduled for: Sun Feb 17 09:32:04 2013 EET
> > ldb_wrap open of secrets.ldb
> > ldb_wrap open of secrets.ldb
> > Kerberos: AS-REQ MANAGEMENTDC$@OFFICE.AVIAMOTORS.RO from ipv4:
> > 10.124.112.23:50584 for krbtgt/OFFICE.AVIAMOTORS.RO at OFFICE.AVIAMOTORS.RO
> > Kerberos: Client sent patypes: encrypted-timestamp, 128
> > Kerberos: Looking for PKINIT pa-data -- MANAGEMENTDC$@OFFICE.AVIAMOTORS.RO
>
> I don't see any errors here. It is normal for a client to attempt an
> unsigned update, and then a signed one when we correctly refuse that.
>
> > DNS is the internal Samba DNS server. In samba/private I cannot see the
> > dns.keytab or other files related to DNS TSIG. Maybe I can generate these
> > files, because it seems that the provision script did not create them.
>
> The dns.keytab is not needed by the internal server, it uses the main
> secrets.ldb and secrets.keytab.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
>
>
>
--
________________________________________
Cu stima/Best regards/Mit freundlichen Grüßen,
Chirana-Gheorghita Eugeniu-Theodor
Bucharest, Romania
e-mail : office at adaptcom.ro
mobile: 0743 698721
0747 447675
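
The sequence described in the reply above (an unsigned update is refused, the client completes a TKEY handshake, then a signed update is processed) can be checked mechanically. The following is an added example, not part of the original thread and not Samba code; it matches only the message strings quoted in this thread, and the function name, the sample lists, and the assumption that the log covers a single client are constructed for illustration.

```python
import re

# Message strings exactly as they appear in the log quoted in this thread.
REFUSED = "Update not allowed for unsigned packet."
TKEY_DONE = "Tkey handshake completed"
COUNT = re.compile(r"^update count is (\d+)$")

def summarize_dns_updates(lines):
    """Walk the log in order and pair each refused unsigned update with the
    signed retry (TKEY handshake, then a processed update) that should follow.
    Assumption: the lines come from one client, since these DNS messages
    carry no client address."""
    summary = {"refused_unsigned": 0, "processed": 0, "records": 0, "retried": 0}
    pending_refusals = 0   # refusals still waiting for a signed retry
    tkey_seen = False      # a handshake completed since the last refusal
    for raw in lines:
        line = raw.lstrip("> \t").strip()   # tolerate mail-quoted logs
        if line == REFUSED:
            summary["refused_unsigned"] += 1
            pending_refusals += 1
            tkey_seen = False
        elif line == TKEY_DONE:
            tkey_seen = True
        elif (m := COUNT.match(line)):
            summary["processed"] += 1
            summary["records"] += int(m.group(1))
            if pending_refusals and tkey_seen:
                summary["retried"] += 1
                pending_refusals -= 1
                tkey_seen = False
    # Refusals never followed by a signed update are the ones worth a look.
    summary["unanswered_refusals"] = pending_refusals
    return summary

# Constructed sample: the normal pattern from this thread.
SAMPLE_NORMAL = [
    "Got a dns update request.",
    "Update not allowed for unsigned packet.",
    "Tkey handshake completed",
    "Got a dns update request.",
    "update count is 3",
]
# Constructed sample: a client that keeps retrying unsigned (mail-quoted).
SAMPLE_STUCK = [
    "> > Got a dns update request.",
    "> > Update not allowed for unsigned packet.",
    "> > Got a dns update request.",
    "> > Update not allowed for unsigned packet.",
]

if __name__ == "__main__":
    print(summarize_dns_updates(SAMPLE_NORMAL))
    print(summarize_dns_updates(SAMPLE_STUCK))
```

A non-zero `unanswered_refusals` means a client was refused and never came back with a signed update, which is the case to investigate; the pattern in this thread yields zero.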