[Samba] Secure dynamic update failure with internal DNS

James lingpanda101 at gmail.com
Mon Nov 2 20:11:31 UTC 2015


On 10/27/2015 1:51 PM, James wrote:
> Hello,
>
>     At one point secure dynamic updates worked. Now I require 'allow 
> dns updates = nonsecure' for dynamic updates to work. I can't seem to 
> find any trace of updates being performed in the samba logs or 
> Windows. I've hit a wall and can't seem to progress. Since I couldn't 
> pull anything from the logs I decided to run 'nsupdate -g -d -D -L 
> 10'. This was my initial result.
>
> nsupdate -g -d -D -L 10
>
> setup_system()
>
> 27-Oct-2015 13:14:49.420 dns_requestmgr_create
>
> 27-Oct-2015 13:14:49.420 dns_requestmgr_create: 0x7fb3edeaf010
>
> reset_system()
>
> user_interaction()
>
> get_next_command()
>
> > update delete itdept-desktop.domain.local 86400 A 172.16.232.30
>
> evaluate_update()
>
> update_addordelete()
>
> get_next_command()
>
> > send
>
> start_update()
>
> 27-Oct-2015 13:15:15.438 dns_request_createvia
>
> 27-Oct-2015 13:15:15.439 request_render
>
> 27-Oct-2015 13:15:15.439 requestmgr_attach: 0x7fb3edeaf010: eref 1 iref 1
>
> 27-Oct-2015 13:15:15.439 mgr_gethash
>
> 27-Oct-2015 13:15:15.439 req_send: request 0x7fb3edea0eb0
>
> 27-Oct-2015 13:15:15.439 dns_request_createvia: request 0x7fb3edea0eb0
>
> 27-Oct-2015 13:15:15.439 req_senddone: request 0x7fb3edea0eb0
>
> 27-Oct-2015 13:15:15.441 req_response: request 0x7fb3edea0eb0: success
>
> 27-Oct-2015 13:15:15.441 req_cancel: request 0x7fb3edea0eb0
>
> 27-Oct-2015 13:15:15.441 req_sendevent: request 0x7fb3edea0eb0
>
> recvsoa()
>
> About to create rcvmsg
>
> 27-Oct-2015 13:15:15.441 dns_request_getresponse: request 0x7fb3edea0eb0
>
> show_message()
>
> Reply from SOA query:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:64900
>
> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
>
> ;itdept-desktop.domain.local. IN SOA
>
> 27-Oct-2015 13:15:15.441 dns_request_destroy: request 0x7fb3edea0eb0
>
> 27-Oct-2015 13:15:15.441 req_destroy: request 0x7fb3edea0eb0
>
> 27-Oct-2015 13:15:15.441 requestmgr_detach: 0x7fb3edeaf010: eref 1 iref 0
>
> 27-Oct-2015 13:15:15.441 dns_request_createvia
>
> 27-Oct-2015 13:15:15.441 request_render
>
> 27-Oct-2015 13:15:15.441 requestmgr_attach: 0x7fb3edeaf010: eref 1 iref 1
>
> 27-Oct-2015 13:15:15.441 mgr_gethash
>
> 27-Oct-2015 13:15:15.441 req_send: request 0x7fb3edea0eb0
>
> 27-Oct-2015 13:15:15.441 dns_request_createvia: request 0x7fb3edea0eb0
>
> Out of recvsoa
>
> 27-Oct-2015 13:15:15.441 req_senddone: request 0x7fb3edea0eb0
>
> 27-Oct-2015 13:15:15.442 req_response: request 0x7fb3edea0eb0: success
>
> 27-Oct-2015 13:15:15.442 req_cancel: request 0x7fb3edea0eb0
>
> 27-Oct-2015 13:15:15.442 req_sendevent: request 0x7fb3edea0eb0
>
> recvsoa()
>
> About to create rcvmsg
>
> 27-Oct-2015 13:15:15.442 dns_request_getresponse: request 0x7fb3edea0eb0
>
> show_message()
>
> Reply from SOA query:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:54937
>
> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
>
> ;domain.local. IN SOA
>
> ;; ANSWER SECTION:
>
> domain.local. 3600 IN SOA pfdc1.domain.local. hostmaster.domain.local. 432 
> 900 600 86400 3600
>
> Found zone name: domain.local
>
> The master is: pfdc1.domain.local
>
> start_gssrequest
>
> 27-Oct-2015 13:15:15.443 Failure initiating security context: GSSAPI 
> error: Major = Unspecified GSS failure. Minor code may provide more 
> information, Minor = Credentials cache file '/tmp/krb5cc_0' not found.
>
> tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor 
> code may provide more information, Minor = Credentials cache file 
> '/tmp/krb5cc_0' not found.
>
> --------------------------------------------------------------------------------------------------------------------------------------------
>
> I see this section
>
> tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor 
> code may provide more information, Minor = Credentials cache file 
> '/tmp/krb5cc_0' not found.
>
> I thought the cache file was automatically created? Nonetheless, I 
> execute 'kinit' for administrator, which creates the cache file 
> 'krb5cc_0'. I run 'nsupdate -g -d -D -L 10' again. This 
> time I get this result.
>
> nsupdate -g -d -D -L 10
>
> setup_system()
>
> 27-Oct-2015 13:37:38.729 dns_requestmgr_create
>
> 27-Oct-2015 13:37:38.729 dns_requestmgr_create: 0x7f6b29d2c010
>
> reset_system()
>
> user_interaction()
>
> get_next_command()
>
> > update add itdept-desktop.domain.local 86400 A 172.16.232.30
>
> evaluate_update()
>
> update_addordelete()
>
> get_next_command()
>
> > send
>
> start_update()
>
> 27-Oct-2015 13:38:01.507 dns_request_createvia
>
> 27-Oct-2015 13:38:01.507 request_render
>
> 27-Oct-2015 13:38:01.507 requestmgr_attach: 0x7f6b29d2c010: eref 1 iref 1
>
> 27-Oct-2015 13:38:01.507 mgr_gethash
>
> 27-Oct-2015 13:38:01.507 req_send: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.507 dns_request_createvia: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.507 req_senddone: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.509 req_response: request 0x7f6b29d1deb0: success
>
> 27-Oct-2015 13:38:01.509 req_cancel: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.509 req_sendevent: request 0x7f6b29d1deb0
>
> recvsoa()
>
> About to create rcvmsg
>
> 27-Oct-2015 13:38:01.509 dns_request_getresponse: request 0x7f6b29d1deb0
>
> show_message()
>
> Reply from SOA query:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:63949
>
> ;; flags: qr rd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
>
> ;itdept-desktop.domain.local. IN SOA
>
> 27-Oct-2015 13:38:01.509 dns_request_destroy: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.509 req_destroy: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.509 requestmgr_detach: 0x7f6b29d2c010: eref 1 iref 0
>
> 27-Oct-2015 13:38:01.509 dns_request_createvia
>
> 27-Oct-2015 13:38:01.509 request_render
>
> 27-Oct-2015 13:38:01.509 requestmgr_attach: 0x7f6b29d2c010: eref 1 iref 1
>
> 27-Oct-2015 13:38:01.509 mgr_gethash
>
> 27-Oct-2015 13:38:01.509 req_send: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.509 dns_request_createvia: request 0x7f6b29d1deb0
>
> Out of recvsoa
>
> 27-Oct-2015 13:38:01.509 req_senddone: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.511 req_response: request 0x7f6b29d1deb0: success
>
> 27-Oct-2015 13:38:01.511 req_cancel: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.511 req_sendevent: request 0x7f6b29d1deb0
>
> recvsoa()
>
> About to create rcvmsg
>
> 27-Oct-2015 13:38:01.511 dns_request_getresponse: request 0x7f6b29d1deb0
>
> show_message()
>
> Reply from SOA query:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:30700
>
> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
>
> ;domain.local. IN SOA
>
> ;; ANSWER SECTION:
>
> domain.local. 3600 IN SOA pfdc1.domain.local. hostmaster.domain.local. 434 
> 900 600 86400 3600
>
> Found zone name: domain.local
>
> The master is: pfdc1.domain.local
>
> start_gssrequest
>
> Found realm from ticket: DOMAIN.LOCAL
>
> send_gssrequest
>
> 27-Oct-2015 13:38:01.512 dns_request_createvia
>
> 27-Oct-2015 13:38:01.512 request_render
>
> 27-Oct-2015 13:38:01.512 requestmgr_attach: 0x7f6b29d2c010: eref 1 iref 2
>
> 27-Oct-2015 13:38:01.512 mgr_gethash
>
> 27-Oct-2015 13:38:01.512 dns_request_createvia: request 0x7f6b29d36010
>
> show_message()
>
> Outgoing update query:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:38947
>
> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
>
> ;1384447838.sig-pfdc1.domain.local. ANY TKEY
>
> ;; ADDITIONAL SECTION:
>
> 1384447838.sig-pfdc1.domain.local. 0 ANY TKEY gss-tsig. 1445967481 
> 1445967481 3 NOERROR 1361 
> YIIFTQYGKwYBBQUCoIIFQTCCBT2gDTALBgkqhkiG9xIBAgKiggUqBIIF 
> JmCCBSIGCSqGSIb3EgECAgEAboIFETCCBQ2gAwIBBaEDAgEOogcDBQAg 
> AAAAo4IEB2GCBAMwggP/oAMCAQWhDBsKQ0lNRy5MT0NBTKIiMCCgAwIB 
> AaEZMBcbA0ROUxsQcGZkYzEuY2ltZy5sb2NhbKOCA8QwggPAoAMCAReh 
> AwIBAaKCA7IEggOuPGo1wWiP4AIoX/nU3Iu4j0f18968rH7oUciBXVUb 
> XVZvo+nKKmTnR0dC4ugcxJGj2uwBaDWe4PvGmCOsvhcbd8aCS8bBiH8M 
> IF3fgivtxHCMhDQKCID6MTCQapGGddDJBqH6HpBc8sAjfakeGI4kUvjK 
> q4vqfbvUTVoiWGkmHLZD648HFmKL3LKmEp2ou2r9MXspswVHjVloJsOA 
> hJnPu51txYDi1bb0UrXEpHWjyma8Jap4zMIS47dYjYDZ/Ly/jtsR+eu+ 
> I5epBr3L8xq9RO5Ta4qzePxAtnzGb1Fpr9hiu5jkrNGAbxVKETCljxB7 
> pfGw+tB/lxC0RrvFeEyThGP3jnUpXvPFjdkk7Pdax65IMRF36liriSxm 
> tDUTNyE1TYLrqhZnXw2rAMwKESKpv9rOHmocGivZLJIpIW3edLqUY06j 
> RgMs7Sc6vI0kJgeuWEjj8knrzWVdvauxoSFAAafsnZ/gfCII0XWg+nU0 
> w/uQ4HVY6BhhjX288fZeeVkYds0ZQNhNqgs0osJWfEDvqnZh+0Oe9SkQ 
> J13FcT4Smj8I7+caqnsN0kceMbueUi+pyifx1A+qn2Qv6ejOl15DMQAC 
> 0joUmB05R/a5eOVocTParEpWKYO1zstdYvLq5F+dj8n6AgQKHl7YMuCo 
> vPLLnmbFQvAyzo4wpjkdeC6McdPJQASFFknSd4b7z/82XrnGiJbli8Ag 
> IYTjV+AOAfg4NWNnJERAKD3UQmu63r+A/JBtBpetEhyEu/oLnvigWfgo 
> xx8lqpQelsPpMfFr/dVCmvSk77xMANTQ11i/Zb8utOV7TMv3AJ1u9LXk 
> rcezkT+K0eOPs3MkOgZ+WCIMpWD7cLEGzDcYLBaz73hY/qF3xhsdyKnh 
> U04PuT3WE29nUEg1o/9RbcUMsrkQtFQfhwgkCqIVulxjtsWSGwSsi/Je 
> ktQjqikSOMKAhnB1kiT8Sj+njIMXjtWU+m/tOlBM7h4gOCOL0aMdBYDE 
> l6h8LF4c7I9llF1TcmO0wFIEnjsVTKoEI2oSZfe3buM9weXIGeyEtZ5e 
> NLdaWBxzMagq5UNSXiFwRs7OT4WThLr5CkSHpf0EryH0S4EGaAc04L4q 
> wXLTJHIBhxYj/dWECQEkEm4yaikkiYiGHbcXTKlcQl5bn9WMfINmwxr5 
> N6IAq/U2mrjTlu8yQ+TM6NkWnzEbAAhiH0E0BpJMeFMoyIjMcXJQPhxW 
> VZkgnpcPzKDdJCiixuDKHV6TJ30AmaxYgJYC5DeepIHsMIHpoAMCARei 
> geEEgd4fCZLEBK9cTemu0+hDgcmiU0jDQSWI4Y1quCYKfus7nNCPJffR 
> qhQE991bWWHuVYBQLbkPm2+cR5rAuRtzqXu4yX9M3yzhsAnRnlv/zQg2 
> Ahucg0xG6nC6ARV3yoWyV8V1W3/EYowfwUmDfm/pXesFgMxNAO9rygzv 
> NTCm0pzJUU/Tq6nL/oDtZO1R6ol+An3+iZB0ZjtEGv8bzq2kKrCrwYut 
> AvnR37ol9pLG15HBPni/LG4PQnRqxshr2+krab4/HL38/7ynZizN/KG9 
> v0J+EOOiabHrZkAQyHoponA= 0
>
> 27-Oct-2015 13:38:01.512 dns_request_destroy: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.512 req_destroy: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.512 requestmgr_detach: 0x7f6b29d2c010: eref 1 iref 1
>
> Out of recvsoa
>
> 27-Oct-2015 13:38:01.512 req_connected: request 0x7f6b29d36010
>
> 27-Oct-2015 13:38:01.513 req_send: request 0x7f6b29d36010
>
> 27-Oct-2015 13:38:01.513 req_senddone: request 0x7f6b29d36010
>
> 27-Oct-2015 13:38:01.523 req_response: request 0x7f6b29d36010: success
>
> 27-Oct-2015 13:38:01.523 req_cancel: request 0x7f6b29d36010
>
> 27-Oct-2015 13:38:01.523 req_sendevent: request 0x7f6b29d36010
>
> recvgss()
>
> recvgss creating rcvmsg
>
> 27-Oct-2015 13:38:01.523 dns_request_getresponse: request 0x7f6b29d36010
>
> show_message()
>
> recvmsg reply from GSS-TSIG query
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:38947
>
> ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
>
> ;1384447838.sig-pfdc1.domain.local. ANY TKEY
>
> ;; ANSWER SECTION:
>
> 1384447838.sig-pfdc1.domain.local. 0 ANY TKEY gss-tsig. 1445967481 
> 1445967481 3 NOERROR 182 
> oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB 
> AgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRr4rBfZLZEDlMf 
> xEOrOtGsFid2hIWdFfFECDMGt9jmstD2wB1yAE3FiVqv0cZd1F3z22zR 
> hcMtHSWFx1VhvA8ob0TGBpfe8FagJ0Osgt7tV7z9oKi2sE3QnZcKkkl+ 
> LrUyTDMe8fqUdCsL+RM= 0
>
> ;; TSIG PSEUDOSECTION:
>
> 1384447838.sig-pfdc1.domain.local. 0 ANY TSIG gss-tsig. 1445967481 300 
> 28 BAQF//////8AAAAAImyAou7Y6kl8XKcarfaOeQ== 38947 NOERROR 0
>
> send_update()
>
> Sending update to 172.16.232.29#53
>
> 27-Oct-2015 13:38:01.523 dns_request_createvia
>
> 27-Oct-2015 13:38:01.523 request_render
>
> 27-Oct-2015 13:38:01.523 requestmgr_attach: 0x7f6b29d2c010: eref 1 iref 2
>
> 27-Oct-2015 13:38:01.523 mgr_gethash
>
> 27-Oct-2015 13:38:01.523 dns_request_createvia: request 0x7f6b29d1deb0
>
> show_message()
>
> Outgoing update query:
>
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:34024
>
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
>
> ;; UPDATE SECTION:
>
> itdept-desktop.domain.local. 86400 IN A 172.16.232.30
>
> ;; TSIG PSEUDOSECTION:
>
> 1384447838.sig-pfdc1.domain.local. 0 ANY TSIG gss-tsig. 1445967481 300 
> 28 BAQE//////8AAAAAGCwKBRKMONp5I7ZtKq4gJA== 34024 NOERROR 0
>
> 27-Oct-2015 13:38:01.523 dns_request_destroy: request 0x7f6b29d36010
>
> 27-Oct-2015 13:38:01.523 req_destroy: request 0x7f6b29d36010
>
> 27-Oct-2015 13:38:01.523 requestmgr_detach: 0x7f6b29d2c010: eref 1 iref 1
>
> Out of recvgss
>
> 27-Oct-2015 13:38:01.523 req_connected: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.523 req_send: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.524 req_senddone: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.998 req_response: request 0x7f6b29d1deb0: success
>
> 27-Oct-2015 13:38:01.998 req_cancel: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.998 req_sendevent: request 0x7f6b29d1deb0
>
> update_completed()
>
> 27-Oct-2015 13:38:01.998 dns_request_getresponse: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.998 GSS verify error: GSSAPI error: Major = A 
> token had an invalid Message Integrity Check (MIC), Minor = Success.
>
> 27-Oct-2015 13:38:01.998 tsig key '1384447838.sig-pfdc1.domain.local' 
> (<null>): signature failed to verify(1)
>
> ; TSIG error with server: tsig verify failure
>
> show_message()
>
> Reply from update query:
>
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:34024
>
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
>
> ;; ZONE SECTION:
>
> ;domain.local. IN SOA
>
> ;; UPDATE SECTION:
>
> itdept-desktop.domain.local. 86400 IN A 172.16.232.30
>
> ;; TSIG PSEUDOSECTION:
>
> 1384447838.sig-pfdc1.domain.local. 0 ANY TSIG gss-tsig. 1445967481 300 
> 28 BAQF//////8AAAAAImyAo3PobOaGOyFvcHpIfQ== 34024 NOERROR 0
>
> 27-Oct-2015 13:38:01.998 dns_request_destroy: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.998 req_destroy: request 0x7f6b29d1deb0
>
> 27-Oct-2015 13:38:01.998 requestmgr_detach: 0x7f6b29d2c010: eref 1 iref 0
>
> done_update()
>
> reset_system()
>
> user_interaction()
>
> get_next_command()
>
>
> -----------------------------------------------------------------------------------------------------------------------------
>
> This time you can see the update succeeded. The TSIG verify failure 
> has always been an issue with the internal DNS. This never stopped 
> secure dynamic updates before. What does 'samba_dnsupdate' do 
> differently that could cause the updates to fail? I looked through the 
> script but couldn't find anything to help. A packet trace with 
> Wireshark doesn't give me much help either.
>
> Flags: 0xa805 Dynamic update response, Refused CNAME
>
> Any ideas where I need to look next? Relevant system info below.
>
> Ubuntu 12.04 LTS DC
> Samba 4.3.1
>
> [global]
>
> workgroup = DOMAIN
>
> realm = DOMAIN.LOCAL
>
> netbios name = PFDC1
>
> server role = active directory domain controller
>
> dns forwarder = 8.8.8.8
>
> idmap_ldb:use rfc2307 = Yes
>
> log file = /usr/local/samba/var/log.%m
>
> log level = 1
>
> logging = syslog at 1 file
>
> allow dns updates = secure only
>
> #Disable CUPS Printing
>
> load printers = No
>
> printcap name = /dev/null
>
> disable spoolss = Yes
>
> # Add and Update TLS Key
>
> tls enabled = yes
>
> tls keyfile = tls/sambaKey.pem
>
> tls certfile = tls/sambaCert.pem
>
> tls cafile =
>
> #tls crlfile =
>
> #tls dh parms file =
>
> [netlogon]
>
> path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
>
> read only = No
>
> [sysvol]
>
> path = /usr/local/samba/var/locks/sysvol
>
> -- 
> -James
Decided to set up a new test DC on a VM. Installed Ubuntu 12.04 and Samba 
4.3.1. Installed from the wiki:

./configure
make
sudo make install

samba-tool domain provision --use-rfc2307 --interactive

No errors during make and provision.

Joined a Win 7 VM to the domain. Verified no A record was added during the join. 
Increased the log level to 10. Ran 'ipconfig /registerdns' to force an update. 
Still no A record. Enabled nonsecure updates in smb.conf and tried 
again. The Samba DC adds the A record. The Samba log shows, for the failed update:

'Update not allowed for unsigned packet'.

Which is normal, because a nonsecure update is attempted first, followed 
by a secure update. I receive the same response, however, on the second 
attempt, which should be signed.

I can see in Wireshark the TKEY being queried and responded to.
-- 
-James
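Two things in the traces above are worth pinning down mechanically rather than by eye: the Wireshark flags value 0xa805, and which of the hundreds of nsupdate debug lines actually decide the outcome of a GSS-TSIG update. The following is an added example written for this thread, not Samba or BIND code. It decodes the 16-bit DNS header flags word (0xa805 is QR set, opcode 5 UPDATE, RCODE 5 REFUSED: the DC refused that update) and reduces an `nsupdate -g -d -D` trace to the facts that matter: whether a Kerberos credential was found, whether the TKEY negotiation completed, whether the UPDATE was sent, what RCODE came back, and whether the server's signed reply verified on the client. The sample traces are constructed excerpts modelled on the output quoted above, and the field names in the returned dict are this example's own.

```python
"""Triage an `nsupdate -g -d -D` trace and decode raw DNS header flags.
Added example for this thread, not Samba or BIND code. Sample traces below are
constructed excerpts modelled on the output quoted in the thread."""
import re

# Opcode and RCODE names from RFC 1035 / RFC 2136.
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
          5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH",
          10: "NOTZONE"}


def decode_flags(flags):
    """Split the 16-bit DNS header flags word (the value Wireshark shows) into fields."""
    opcode, rcode = (flags >> 11) & 0xF, flags & 0xF
    return {"qr": bool((flags >> 15) & 1), "opcode": OPCODES.get(opcode, str(opcode)),
            "aa": bool((flags >> 10) & 1), "tc": bool((flags >> 9) & 1),
            "rd": bool((flags >> 8) & 1), "ra": bool((flags >> 7) & 1),
            "rcode": RCODES.get(rcode, str(rcode))}


# Trace lines that decide the outcome of a GSS-TSIG update.
_ZONE = re.compile(r"^Found zone name: (\S+)")
_MASTER = re.compile(r"^The master is: (\S+)")
_GSS_FAIL = re.compile(r"(?:Failure initiating security context|tkey query failed): (.*)$")
_TSIG_FAIL = re.compile(r"signature failed to verify")
_SECTION = re.compile(r"^(Reply from SOA query|recvmsg reply from GSS-TSIG query|"
                      r"Outgoing update query|Reply from update query):?$")
_HEADER = re.compile(r"opcode: (\w+), status: (\w+), id:\s*(\d+)")


def triage_trace(text):
    """Reduce a trace to: did TKEY succeed, was the UPDATE sent, what RCODE came
    back, and did the server's signed reply verify on our side."""
    facts = {"zone": None, "master": None, "gss_error": None, "tkey_negotiated": False,
             "update_sent": False, "update_rcode": None, "reply_tsig_verified": None}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if _SECTION.match(line):
            section = _SECTION.match(line).group(1)
        elif _ZONE.match(line):
            facts["zone"] = _ZONE.match(line).group(1)
        elif _MASTER.match(line):
            facts["master"] = _MASTER.match(line).group(1)
        elif _GSS_FAIL.search(line):
            facts["gss_error"] = facts["gss_error"] or _GSS_FAIL.search(line).group(1)
        elif _TSIG_FAIL.search(line):
            facts["reply_tsig_verified"] = False   # client could not verify the reply
        elif _HEADER.search(line):
            opcode, status = _HEADER.search(line).group(1, 2)
            if section == "recvmsg reply from GSS-TSIG query" and status == "NOERROR":
                facts["tkey_negotiated"] = True
            elif section == "Outgoing update query" and opcode == "UPDATE":
                facts["update_sent"] = True
            elif section == "Reply from update query":
                facts["update_rcode"] = status
    if facts["update_rcode"] is not None and facts["reply_tsig_verified"] is None:
        facts["reply_tsig_verified"] = True
    return facts


def diagnose(facts):
    """Turn the facts into the next thing to check."""
    if facts["gss_error"] and "Credentials cache" in facts["gss_error"]:
        return "no Kerberos credentials: kinit first or point KRB5CCNAME at a ticket cache"
    if facts["gss_error"]:
        return "TKEY negotiation failed: " + facts["gss_error"]
    if not facts["update_sent"]:
        return "update never sent: look at the SOA lookup and zone discovery"
    if facts["update_rcode"] == "REFUSED":
        return "server REFUSED the update: unsigned packet or principal not allowed to write"
    if facts["update_rcode"] == "NOERROR" and not facts["reply_tsig_verified"]:
        return "update applied (NOERROR), but the server's reply TSIG/MIC failed to verify"
    return "update rcode %s, signed reply verified" % facts["update_rcode"]


# Constructed excerpts, modelled on the two traces quoted in the thread.
TRACE_NO_CCACHE = """\
Found zone name: domain.local
The master is: pfdc1.domain.local
13:15:15.443 tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Credentials cache file '/tmp/krb5cc_0' not found.
"""
TRACE_MIC_FAIL = """\
Found zone name: domain.local
The master is: pfdc1.domain.local
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:38947
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:34024
13:38:01.998 tsig key '1384447838.sig-pfdc1.domain.local' (<null>): signature failed to verify(1)
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:34024
"""

if __name__ == "__main__":
    print(decode_flags(0xA805))            # the Wireshark flags value from the thread
    for trace in (TRACE_NO_CCACHE, TRACE_MIC_FAIL):
        print(diagnose(triage_trace(trace)))
```

The point of separating `update_rcode` from `reply_tsig_verified` is the distinction the thread turns on: in the second trace the server answered the UPDATE with NOERROR and the record was written, and only the client's check of the server's signed response failed, whereas a REFUSED rcode (what 0xa805 carries) means the server rejected the update itself, which is the path the 'Update not allowed for unsigned packet' log line belongs to.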