[Samba] Signed Dynamic DNS Updates with Internal DNS [SEC=UNCLASSIFIED]

mathias dufresne infractory at gmail.com
Thu Jan 28 10:18:47 UTC 2016


Hi,

That's a fact I'm lacking knowledge regarding authentication of DNS update
requests but I was (almost?) never able to make updates working with
internal DNS.

I don't looked into Windows clients pushing update but only played with
samba_dnsupdate which is responsible to push DNS update into Samba DB when
needed.

I should have missed something as for me samba_dnsupdate is working
identically when using internal or bind-dlz dns backend and, still for me,
this can't be.

When using Bind-dlz dns backend an AD user and associated keytab is created
when adding a new DC with DNS service. This user and keytab are used to
authenticate updates. When switching back to internal DNS this user is
deleted, the keytab becomes obviously invalid.

But, if my understanding is correct, samba_dnsupdate still uses gssapi
during update against internal DNS, but as no user is existing, it fails.

This little story is to give you some hint. No more.

Greetings,

mathias

2016-01-28 7:15 GMT+01:00 Thamm, Russell <russell.thamm at dsto.defence.gov.au>
:

> UNCLASSIFIED
> I just installed SAMBA 4 as the PDC on a new standalone Windows network (
> https://wiki.samba.org/index.php/Samba4/HOWTO#Samba_AD_management).
> Everything appears to be working correctly except for signed dynamic
> updates.
>
> Non-secure updates work fine. A, AAAA and PTR records are added to DNS
> when a PC joins the domain or I issue ipconfig /registerdns.
>
> Using wireshark, I see the following when I issue "ipconfig /registerdns"
> (samba configured for signed updates):
>
> An unsigned dynamic update request is rejected.
> An apparently successful Tkey handshake occurs.
> The client fails to request a signed dynamic update.
>
> I interpret this as the client not being happy with the TKEY response.
> However, no errors are reported in the client's event log.
>
> In the samba log I see (log level = 3):
>
> Update not allowed for unsigned packet.
> Tkey handshake completed
> Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED
>
> In the past I used Samba 4 to take over from 2003 server (
> https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC).
> Here I used bind and eventually got signed dynamic updates working.
>
> When I compare the Tkey transaction (internal DNS vs bind), I see that the
> Tkey response packet for internal DNS has an additional RR.
>     Additional records
>         1252-ms-7.1-247ed95d.4c1a5028-c4b1-11e5-f7a4-5065f335d668: type
> TSIG, class ANY
>             Name: 1252-ms-7.1-247ed95d.4c1a5028-c4b1-11e5-f7a4-5065f335d668
>             Type: TSIG (Transaction Signature) (250)
>             Class: ANY (0x00ff)
>             Time to live: 0
>             Data length: 46
>             Algorithm Name: gss-tsig
>             [Expert Info (Warn/Malformed): Trying to fetch an absolute
> time value with length 6]
>                 [Trying to fetch an absolute time value with length 6]
>                 [Severity level: Warn]
>                 [Group: Malformed]
>             Time Signed: Jan  1, 1970 15:39:44.000000000 ACST
>             Fudge: 300
>             MAC Size: 28
>             MAC
>                 [Expert Info (Warn/Undecoded): No dissector for
> algorithm:gss-tsig]
>                     [No dissector for algorithm:gss-tsig]
>                     [Severity level: Warn]
>                     [Group: Undecoded]
>             Original Id: 38945
>             Error: No error (0)
>             Other Len: 0
>
> Could the apparently malformed "Time Signed" field be the problem. This is
> the only whiff of an error that I can detect.
>
> I'd be grateful for any hints
>
> Cheers
> Russell
>
>
>
>
> IMPORTANT: This email remains the property of the Department of Defence
> and is subject to the jurisdiction of section 70 of the Crimes Act 1914. If
> you have received this email in error, you are requested to contact the
> sender and delete the email.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


More information about the samba mailing list