[Samba] Signed Dynamic DNS Updates with Internal DNS [SEC=UNCLASSIFIED]
russell.thamm at dsto.defence.gov.au
Thu Jan 28 06:15:04 UTC 2016
I just installed SAMBA 4 as the PDC on a new standalone Windows network (https://wiki.samba.org/index.php/Samba4/HOWTO#Samba_AD_management).
Everything appears to be working correctly except for signed dynamic updates.
Non-secure updates work fine. A, AAAA and PTR records are added to DNS when a PC joins the domain or I issue ipconfig /registerdns.
Using Wireshark, I see the following when I issue "ipconfig /registerdns" (Samba configured for signed updates):
An unsigned dynamic update request is rejected.
An apparently successful Tkey handshake occurs.
The client fails to request a signed dynamic update.
I interpret this as the client not being happy with the TKEY response. However, no errors are reported in the client's event log.
In the Samba log I see (log level = 3):
Update not allowed for unsigned packet.
Tkey handshake completed
Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED
In the past I used Samba 4 to take over from 2003 server (https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC). Here I used BIND and eventually got signed dynamic updates working.
When I compare the Tkey transaction (internal DNS vs bind), I see that the Tkey response packet for internal DNS has an additional RR.
1252-ms-7.1-247ed95d.4c1a5028-c4b1-11e5-f7a4-5065f335d668: type TSIG, class ANY
Type: TSIG (Transaction Signature) (250)
Class: ANY (0x00ff)
Time to live: 0
Data length: 46
Algorithm Name: gss-tsig
[Expert Info (Warn/Malformed): Trying to fetch an absolute time value with length 6]
[Trying to fetch an absolute time value with length 6]
[Severity level: Warn]
Time Signed: Jan 1, 1970 15:39:44.000000000 ACST
MAC Size: 28
[Expert Info (Warn/Undecoded): No dissector for algorithm:gss-tsig]
[No dissector for algorithm:gss-tsig]
[Severity level: Warn]
Original Id: 38945
Error: No error (0)
Other Len: 0
Could the apparently malformed "Time Signed" field be the problem? This is the only whiff of an error that I can detect.
I'd be grateful for any hints.
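Added example, not code from the post, from Samba or from Wireshark: a small serialiser and parser for TSIG RDATA laid out as RFC 2845 section 2.3 defines it, where Time Signed is a 48-bit (6-byte) field, so a captured record's field lengths and its freshness against the Fudge window can be checked independently of any dissector's decoding. The sample record is constructed here (gss-tsig algorithm, a 28-byte dummy MAC, and the original id 38945 from the capture above).

```python
import struct

def _read_name(buf, off):
    """Decode an uncompressed DNS wire-format name starting at offset off."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # TSIG algorithm names are sent uncompressed (RFC 2845 3.2)
            raise ValueError("compression pointer not allowed in TSIG name")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_tsig_rdata(alg, time_signed, fudge, mac, orig_id, error=0, other=b""):
    """Serialise TSIG RDATA (RFC 2845 2.3); Time Signed is 48 bits, not 32."""
    return (_encode_name(alg) + time_signed.to_bytes(6, "big")
            + struct.pack("!HH", fudge, len(mac)) + mac
            + struct.pack("!HHH", orig_id, error, len(other)) + other)

def parse_tsig_rdata(rdata):
    """Parse TSIG RDATA and verify the declared lengths match the bytes present."""
    alg, off = _read_name(rdata, 0)
    if len(rdata) < off + 10:
        raise ValueError("TSIG RDATA truncated before MAC")
    time_signed = int.from_bytes(rdata[off:off + 6], "big")  # 6-byte field by spec
    fudge, mac_size = struct.unpack_from("!HH", rdata, off + 6)
    off += 10
    mac = rdata[off:off + mac_size]
    off += mac_size
    if len(mac) != mac_size or len(rdata) < off + 6:
        raise ValueError("MAC or trailer shorter than declared")
    orig_id, error, other_len = struct.unpack_from("!HHH", rdata, off)
    off += 6
    other = rdata[off:off + other_len]
    if len(other) != other_len or off + other_len != len(rdata):
        raise ValueError("TSIG RDATA length does not match its field lengths")
    return {"algorithm": alg, "time_signed": time_signed, "fudge": fudge,
            "mac": mac, "original_id": orig_id, "error": error, "other": other}

def time_within_fudge(tsig, now):
    """Freshness check a verifier applies (RFC 2845 4.5.2): |now - Time Signed| <= Fudge."""
    return abs(now - tsig["time_signed"]) <= tsig["fudge"]

# Constructed sample: gss-tsig, dummy 28-byte MAC, original id from the capture above.
SAMPLE = build_tsig_rdata("gss-tsig", 1453961704, 300, bytes(range(28)), 38945)
```

With a 28-byte MAC and no Other Data the RDATA is 54 bytes long, which is the figure to compare against the Data length a capture reports.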