[Samba] Secure dynamic update failure with internal DNS
James
lingpanda101 at gmail.com
Tue Nov 10 14:07:31 UTC 2015
On 11/9/2015 3:09 PM, Jeffrey Earl wrote:
> I've experienced the same issue on Samba 4.3.1 compiled against Centos
> 6.7. It appears to be a known issue. There's a recent bug report on
> bugzilla: https://bugzilla.samba.org/show_bug.cgi?id=11520
>
> On Mon, Nov 9, 2015 at 1:20 PM, James <lingpanda101 at gmail.com> wrote:
>
> It appears all versions of Samba 4.2.X allow secure updates. It's
> transitioning to any version of Samba 4.3.X that prevents secure
> updates. Looking at the Wireshark captures of a successful update
>
> https://www.cloudshark.org/captures/79e72c42de44
>
> I see two transactions concerning the TKEY. I also see the update
> request from the client signed with the TSIG.
>
> Looking at a failed update
>
> https://www.cloudshark.org/captures/44f706b2cc61
>
> I see three transactions concerning the TKEY. I also am missing
> the TSIG with the update request from the client. I do see a TSIG
> with the TKEY exchange from the DC.
>
> The TSIG as far as I know, should not be sent in the additional
> records section of the TKEY exchange. Secure update process fails
> during the TKEY exchange. This causes the client to repeat the
> whole DNS query exchange.
>
> The client should send the dynamic update request immediately
> after the TKEY exchange has taken place. The lack of the TSIG with
> the client update explains why Samba reports 'Update not allowed
> for unsigned packet' on the second update request.
>
>
> --
> -James
>
Thanks Jeffrey. Added info to the bug report.
--
-James
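
Added example, not part of the original thread and not Samba's code: a minimal DNS wire-format check that reports, for each message in an exchange, whether it carries a TKEY or a TSIG record, and flags UPDATE requests that arrive without a TSIG, which is the condition behind 'Update not allowed for unsigned packet'. The sample messages, their names (example.test) and the placeholder record data are constructed for illustration.

```python
import struct

TKEY, TSIG, OPCODE_UPDATE = 249, 250, 5   # RFC 2930, RFC 2845, RFC 2136

def skip_name(buf, off):
    """Return the offset just past the domain name that starts at off."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:                    # root label ends the name
            return off

def summarize(msg):
    """Report direction, opcode and TKEY/TSIG presence for one DNS message."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, types = 12, []
    for _ in range(qd):                    # question/zone entries: name, type, class
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):          # records of the three remaining sections
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        types.append(rtype)
        off += 10 + rdlen
    return {"response": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "tkey": TKEY in types,
            # a TSIG, when present, is the last record of the additional section
            "tsig": ar > 0 and types[-1] == TSIG}

def unsigned_updates(messages):
    """Indexes of UPDATE requests that arrive without a TSIG."""
    return [i for i, s in enumerate(map(summarize, messages))
            if s["opcode"] == OPCODE_UPDATE and not s["response"] and not s["tsig"]]

# --- constructed sample messages (record data is placeholder bytes) ---
def name(s):
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\0"
def rr(owner, rtype, rdata=b"\0" * 4, cls=255):
    return name(owner) + struct.pack("!HHIH", rtype, cls, 0, len(rdata)) + rdata
def message(opcode, qname, qtype, update=(), additional=()):
    hdr = struct.pack("!6H", 0x1234, opcode << 11, 1, 0, len(update), len(additional))
    body = name(qname) + struct.pack("!HH", qtype, 1)
    return hdr + body + b"".join(update) + b"".join(additional)

A_RECORD = rr("host.example.test", 1, bytes([192, 0, 2, 10]), cls=1)
TKEY_QUERY = message(0, "key.example.test", TKEY, additional=[rr("key.example.test", TKEY)])
SIGNED_UPDATE = message(5, "example.test", 6, [A_RECORD], [rr("key.example.test", TSIG)])
UNSIGNED_UPDATE = message(5, "example.test", 6, [A_RECORD])
```

Feeding `unsigned_updates` the DNS payloads extracted from a capture, in order, gives the positions of the update requests a server enforcing secure updates would refuse.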