[Samba] Secure dynamic update failure with internal DNS
jeffearl at gmail.com
Mon Nov 9 20:09:58 UTC 2015
I've experienced the same issue on Samba 4.3.1 compiled against CentOS 6.7.
It appears to be a known issue. There's a recent bug report on bugzilla:
On Mon, Nov 9, 2015 at 1:20 PM, James <lingpanda101 at gmail.com> wrote:
> It appears all versions of Samba 4.2.X allow secure updates. It's
> transitioning to any version of Samba 4.3.X that prevents secure updates.
> Looking at the Wireshark captures of a successful update
> I see two transactions concerning the TKEY. I also see the update request
> from the client signed with the TSIG.
> Looking at a failed update
> I see three transactions concerning the TKEY. I also am missing the TSIG
> with the update request from the client. I do see a TSIG with the TKEY
> exchange from the DC.
> The TSIG, as far as I know, should not be sent in the additional records
> section of the TKEY exchange. Secure update process fails during the TKEY
> exchange. This causes the client to repeat the whole DNS query exchange.
> The client should send the dynamic update request immediately after the
> TKEY exchange has taken place. The lack of the TSIG with the client update
> explains why Samba reports 'Update not allowed for unsigned packet' on the
> second update request.