[Samba] Secure dynamic update failure with internal DNS

Jeffrey Earl jeffearl at gmail.com
Mon Nov 9 20:09:58 UTC 2015


I've experienced the same issue on Samba 4.3.1 compiled against CentOS 6.7.
It appears to be a known issue. There's a recent bug report on bugzilla:
https://bugzilla.samba.org/show_bug.cgi?id=11520

On Mon, Nov 9, 2015 at 1:20 PM, James <lingpanda101 at gmail.com> wrote:

> It appears all versions of Samba 4.2.X allow secure updates. It's
> transitioning to any version of Samba 4.3.X that prevents secure updates.
> Looking at the Wireshark captures of a successful update
>
> https://www.cloudshark.org/captures/79e72c42de44
>
> I see two transactions concerning the TKEY. I also see the update request
> from the client signed with the TSIG.
>
> Looking at a failed update
>
> https://www.cloudshark.org/captures/44f706b2cc61
>
> I see three transactions concerning the TKEY. I also am missing the TSIG
> with the update request from the client. I do see a TSIG with the TKEY
> exchange from the DC.
>
> The TSIG, as far as I know, should not be sent in the additional records
> section of the TKEY exchange. Secure update process fails during the TKEY
> exchange. This causes the client to repeat the whole DNS query exchange.
>
> The client should send the dynamic update request immediately after the
> TKEY exchange has taken place. The lack of the TSIG with the client update
> explains why Samba reports 'Update not allowed for unsigned packet' on the
> second update request.
>
>
> --
> -James
>
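
The symptom described in the quoted message (a dynamic update arriving without a TSIG record) can be checked directly on raw DNS messages exported from a capture. The following is an added example, not part of the original thread or of Samba's code: a minimal wire-format walker that reports the opcode and the record types in the additional section. The function names and the sample messages are assumptions, constructed for illustration and not taken from the linked captures.

```python
import struct

TKEY, TSIG, OPCODE_UPDATE = 249, 250, 5   # RFC 2930, RFC 2845, RFC 2136

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:               # compression pointer ends the name
            return off + 2
        off += 1 + n

def summarize(msg):
    """Return (opcode, record types in the additional section)."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                    # question/zone entries carry no RDATA
        off = skip_name(msg, off) + 4
    additional = []
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if i >= an + ns:
            additional.append(rtype)
    return (flags >> 11) & 0xF, additional

def unsigned_update(msg):
    """True for an UPDATE whose last additional record is not a TSIG."""
    opcode, additional = summarize(msg)
    return opcode == OPCODE_UPDATE and (not additional or additional[-1] != TSIG)

# Constructed sample messages; the TSIG RDATA is a zero-filled placeholder.
def name(s):
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\0"

def rr(owner, rtype, rdata=b"", cls=1):
    return name(owner) + struct.pack("!HHIH", rtype, cls, 0, len(rdata)) + rdata

def update(extra):
    hdr = struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, len(extra))
    zone = name("example.test") + struct.pack("!HH", 6, 1)      # SOA, IN
    upd = rr("host.example.test", 1, bytes([192, 0, 2, 10]))    # A record
    return hdr + zone + upd + b"".join(extra)

SIGNED = update([rr("key.example.test", TSIG, b"\0" * 16, cls=255)])
UNSIGNED = update([])
```

`unsigned_update()` only checks that a TSIG record is present in the expected position; it does not verify the signature itself.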

