[Samba] Secure dynamic update failure with internal DNS

James lingpanda101 at gmail.com
Mon Nov 9 18:20:48 UTC 2015

It appears all versions of Samba 4.2.X allow secure updates. It's 
transitioning to any version of Samba 4.3.X that prevents secure 
updates. Looking at the Wireshark captures of a successful update


I see two transactions concerning the TKEY. I also see the update 
request from the client signed with the TSIG.

Looking at a failed update


I see three transactions concerning the TKEY. I also am missing the 
TSIG with the update request from the client. I do see a TSIG with the 
TKEY exchange from the DC.

The TSIG, as far as I know, should not be sent in the additional records 
section of the TKEY exchange. Secure update process fails during the 
TKEY exchange. This causes the client to repeat the whole DNS query.

The client should send the dynamic update request immediately after the 
TKEY exchange has taken place. The lack of the TSIG with the client 
update explains why Samba reports 'Update not allowed for unsigned 
packet' on the second update request.
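One way to check, from the raw bytes of a captured packet, whether a dynamic update carries the TSIG the post says is missing, as an added example that is not part of the original message or of Samba. It parses the DNS header counts and walks the sections; the UPDATE message it builds (zone, host, IP and TSIG key name) is constructed sample data, and the TSIG rdata is a placeholder, not a real MAC.

```python
import struct

TYPE_A, TYPE_SOA, TYPE_TKEY, TYPE_TSIG = 1, 6, 249, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE_FLAGS = 0x2800  # QR=0, opcode 5 (UPDATE)

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def skip_name(msg, off):
    # Advance past a wire-format name, handling compression pointers (0xC0xx).
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def record_types(msg):
    """Return the RR types found in the answer, authority and additional
    sections (for UPDATE: prerequisite, update and additional)."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                     # question / zone section
        off = skip_name(msg, off) + 4       # skip type and class
    sections = []
    for count in (an, ns, ar):
        types = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            types.append(rtype)
        sections.append(types)
    return sections

def update_is_signed(msg):
    """A signed request carries exactly one TSIG, as the last additional RR."""
    _prereq, _update, additional = record_types(msg)
    return bool(additional) and additional[-1] == TYPE_TSIG \
        and additional.count(TYPE_TSIG) == 1

def build_update(signed):
    """Constructed UPDATE adding host.example.com A 192.0.2.10 (sample data)."""
    zone = encode_name("example.com") + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    upd = encode_name("host.example.com") \
        + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4) + bytes([192, 0, 2, 10])
    add = b""
    if signed:
        rdata = b"\x00" * 16  # placeholder TSIG rdata, not a computed MAC
        add = encode_name("1234-abcd.sig-ms.example.com") \
            + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    header = struct.pack("!6H", 0x1234, OPCODE_UPDATE_FLAGS, 1, 0, 1, 1 if signed else 0)
    return header + zone + upd + add
```

Applied to the client's update packet from a capture, an unsigned result matches Samba's 'Update not allowed for unsigned packet'; a TKEY RR (type 249) showing up in the update's additional section would instead point at the TKEY exchange the post describes.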

