[Samba] Signed Dynamic DNS Updates with Internal DNS [SEC=UNCLASSIFIED]

Thamm, Russell russell.thamm at dsto.defence.gov.au
Thu Jan 28 06:15:04 UTC 2016

I just installed SAMBA 4 as the PDC on a new standalone Windows network (https://wiki.samba.org/index.php/Samba4/HOWTO#Samba_AD_management).
Everything appears to be working correctly except for signed dynamic updates.

Non-secure updates work fine. A, AAAA and PTR records are added to DNS when a PC joins the domain or I issue ipconfig /registerdns.

Using Wireshark, I see the following when I issue "ipconfig /registerdns" (Samba configured for signed updates):

An unsigned dynamic update request is rejected.
An apparently successful Tkey handshake occurs.
The client fails to request a signed dynamic update.

I interpret this as the client not being happy with the TKEY response. However, no errors are reported in the client's event log.

In the Samba log I see (log level = 3):

Update not allowed for unsigned packet.
Tkey handshake completed
Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED

In the past I used Samba 4 to take over from 2003 server (https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC). Here I used bind and eventually got signed dynamic updates working.

When I compare the Tkey transaction (internal DNS vs bind), I see that the Tkey response packet for internal DNS has an additional RR.
    Additional records
        1252-ms-7.1-247ed95d.4c1a5028-c4b1-11e5-f7a4-5065f335d668: type TSIG, class ANY
            Name: 1252-ms-7.1-247ed95d.4c1a5028-c4b1-11e5-f7a4-5065f335d668
            Type: TSIG (Transaction Signature) (250)
            Class: ANY (0x00ff)
            Time to live: 0
            Data length: 46
            Algorithm Name: gss-tsig
            [Expert Info (Warn/Malformed): Trying to fetch an absolute time value with length 6]
                [Trying to fetch an absolute time value with length 6]
                [Severity level: Warn]
                [Group: Malformed]
            Time Signed: Jan  1, 1970 15:39:44.000000000 ACST
            Fudge: 300
            MAC Size: 28
                [Expert Info (Warn/Undecoded): No dissector for algorithm:gss-tsig]
                    [No dissector for algorithm:gss-tsig]
                    [Severity level: Warn]
                    [Group: Undecoded]
            Original Id: 38945
            Error: No error (0)
            Other Len: 0

Could the apparently malformed "Time Signed" field be the problem? This is the only whiff of an error that I can detect.

I'd be grateful for any hints.
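As an added example (not part of the original post or of Samba), the following Python decodes a TSIG RDATA using the RFC 2845 layout and applies the server-side time window check; the sample record is constructed to mirror the field values in the dump above (fudge 300, 28-byte MAC, original ID 38945), with made-up MAC bytes and timestamp.

```python
# Added example: decode TSIG RDATA per RFC 2845 section 2.3 and apply the
# Time Signed / Fudge check a verifier performs (RFC 2845 section 4.5.2).
import struct

def read_name(buf, off):
    """Read an uncompressed DNS name (here, the TSIG algorithm name)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off

def parse_tsig_rdata(rdata):
    """Return the TSIG RDATA fields as a dict."""
    alg, off = read_name(rdata, 0)
    # Time Signed is a 48-bit (6-byte) unsigned seconds-since-epoch value;
    # a dissector that expects a 32- or 64-bit timestamp warns about "length 6".
    time_signed = int.from_bytes(rdata[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", rdata[off + 6:off + 10])
    off += 10
    mac = rdata[off:off + mac_size]
    off += mac_size
    orig_id, error, other_len = struct.unpack("!HHH", rdata[off:off + 6])
    off += 6
    other = rdata[off:off + other_len]
    return {"algorithm": alg, "time_signed": time_signed, "fudge": fudge,
            "mac": mac, "original_id": orig_id, "error": error, "other": other}

def time_signed_ok(fields, now):
    """True unless |now - Time Signed| > Fudge, which yields BADTIME."""
    return abs(now - fields["time_signed"]) <= fields["fudge"]

def build_tsig_rdata(alg, time_signed, fudge, mac, orig_id, error=0, other=b""):
    """Encode TSIG RDATA (uncompressed name); used only to build the sample."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in alg.split(".")) + b"\x00"
    return (name + time_signed.to_bytes(6, "big")
            + struct.pack("!HH", fudge, len(mac)) + mac
            + struct.pack("!HHH", orig_id, error, len(other)) + other)

# Constructed sample: timestamp 2016-01-28T06:15:04Z, MAC bytes are filler.
SAMPLE = build_tsig_rdata("gss-tsig", 1453961704, 300, bytes(range(28)), 38945)
# A near-epoch Time Signed (e.g. 22184, i.e. Jan 1 1970) fails time_signed_ok
# against any current clock, regardless of whether the MAC is valid.
```

With an uncompressed gss-tsig name this layout totals 54 bytes for a 28-byte MAC, whereas the dump reports a data length of 46, which only fits a 2-byte name field (a compression pointer); comparing that against the RFC 2845 wire-format rules is one concrete thing to check.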


