[Samba] Secure dynamic update failure with internal DNS

d tbsky tbskyd at gmail.com
Mon Nov 16 07:08:24 UTC 2015

2015-11-10 22:07 GMT+08:00 James <lingpanda101 at gmail.com>:

>     I't appears all versions of Samba 4.2.X allow secure updates. It's
>>     transitioning to any version of Samba 4.3.X that prevents secure
>>     updates. Looking at the Wireshark captures of a successful update
>>     https://www.cloudshark.org/captures/79e72c42de44
>>     I see two transactions concerning the TKEY. I also see the update
>>     request from the client signed with the TSIG.
>>     Looking at a failed update
>>     https://www.cloudshark.org/captures/44f706b2cc61
>>     I see three transactions concerning the TKEY. I also am missing
>>     the TSIG  with the update request from the client. I do see a TSIG
>>     with the TKEY exchange from the DC.
>>     The TSIG as far as I know, should not be sent in the additional
>>     records section of the TKEY exchange. Secure update process fails
>>     during the TKEY exchange. This causes the client to repeat the
>>     whole DNS query exchange.
>>     The client should send the dynamic update request immediately
>>     after the TKEY exchange has taken place. The lack of the TSIG with
>>     the client update explains why Samba reports 'Update not allowed
>>     for unsigned packet' on the second update request.
>>     --     -James
    just upgrade to 4.3.1 and got the same issue. the good part is: after
reading your mail, I now understand better how secure dns update is working.
thanks a lot for your information.


More information about the samba mailing list