[Samba] Secure dynamic update failure with internal DNS
James
lingpanda101 at gmail.com
Mon Nov 9 18:20:48 UTC 2015
It appears all versions of Samba 4.2.X allow secure updates. It's
transitioning to any version of Samba 4.3.X that prevents secure
updates. Looking at the Wireshark captures of a successful update
https://www.cloudshark.org/captures/79e72c42de44
I see two transactions concerning the TKEY. I also see the update
request from the client signed with the TSIG.
Looking at a failed update
https://www.cloudshark.org/captures/44f706b2cc61
I see three transactions concerning the TKEY. I also am missing the
TSIG with the update request from the client. I do see a TSIG with the
TKEY exchange from the DC.
The TSIG, as far as I know, should not be sent in the additional records
section of the TKEY exchange. The secure update process fails during the
TKEY exchange. This causes the client to repeat the whole DNS query
exchange.
The client should send the dynamic update request immediately after the
TKEY exchange has taken place. The lack of the TSIG with the client
update explains why Samba reports 'Update not allowed for unsigned
packet' on the second update request.
--
-James
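As an added diagnostic example (not code from the post, the captures, or Samba): a small Python classifier for raw DNS messages that reports the opcode, whether the message belongs to a TKEY exchange, and whether it is signed, i.e. whether the last RR of the additional section is a TSIG as RFC 2845 requires. This is the check the two captures above are being inspected for. The sample UPDATE messages it builds are constructed here with dummy TSIG rdata and are not taken from the captures.

```python
import struct

# RR type numbers for TKEY (RFC 2930) and TSIG (RFC 2845); UPDATE opcode (RFC 2136)
TKEY, TSIG, OPCODE_UPDATE = 249, 250, 5

def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length

def _rr(buf, off, question=False):
    """Parse one question or RR at off; return (rtype, offset after it)."""
    off = _skip_name(buf, off)
    rtype = struct.unpack_from("!H", buf, off)[0]
    if question:
        return rtype, off + 4          # TYPE, CLASS
    rdlength = struct.unpack_from("!H", buf, off + 8)[0]
    return rtype, off + 10 + rdlength  # TYPE, CLASS, TTL, RDLENGTH, RDATA

def classify(msg):
    """Return (opcode, is_tkey, signed) for one raw DNS message. 'signed' is
    true only when the last RR of the additional section is a TSIG."""
    flags, qd, an, ns, ar = struct.unpack_from("!5H", msg, 2)
    opcode, off, sections = (flags >> 11) & 0xF, 12, []
    for count, is_q in ((qd, True), (an, False), (ns, False), (ar, False)):
        types = []
        for _ in range(count):
            rtype, off = _rr(msg, off, is_q)
            types.append(rtype)
        sections.append(types)
    is_tkey = TKEY in sections[0] or TKEY in sections[1]   # question or answer
    signed = bool(sections[3]) and sections[3][-1] == TSIG
    return opcode, is_tkey, signed

# --- constructed sample messages (assumed layout, not from the captures) ---
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"

def _rr_bytes(name, rtype, rdata, rclass=1):
    return _name(name) + struct.pack("!HHIH", rtype, rclass, 0, len(rdata)) + rdata

def build_update(signed):
    """UPDATE for zone example.com adding host A 10.0.0.1; TSIG optional."""
    hdr = struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 1 if signed else 0)
    q = _name("example.com") + struct.pack("!HH", 6, 1)            # zone SOA
    upd = _rr_bytes("host.example.com", 1, bytes([10, 0, 0, 1]))
    tsig = _rr_bytes("tkey-key", TSIG, b"\0" * 16, 255) if signed else b""  # dummy rdata
    return hdr + q + upd + tsig
```

Run `classify()` over the UPDATE packets extracted from a capture to see immediately which client requests arrive unsigned, which is what Samba's 'Update not allowed for unsigned packet' refers to.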