[Samba] Signed Dynamic DNS Updates with Internal DNS [SEC=UNCLASSIFIED]
lingpanda101 at gmail.com
Thu Jan 28 12:56:17 UTC 2016
On 1/28/2016 1:15 AM, Thamm, Russell wrote:
> I just installed SAMBA 4 as the PDC on a new standalone Windows network (https://wiki.samba.org/index.php/Samba4/HOWTO#Samba_AD_management).
> Everything appears to be working correctly except for signed dynamic updates.
> Non-secure updates work fine. A, AAAA and PTR records are added to DNS when a PC joins the domain or I issue ipconfig /registerdns.
> Using wireshark, I see the following when I issue "ipconfig /registerdns" (samba configured for signed updates):
> An unsigned dynamic update request is rejected.
> An apparently successful Tkey handshake occurs.
> The client fails to request a signed dynamic update.
> I interpret this as the client not being happy with the TKEY response. However, no errors are reported in the client's event log.
> In the samba log I see (log level = 3):
> Update not allowed for unsigned packet.
> Tkey handshake completed
> Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED
> In the past I used Samba 4 to take over from 2003 server (https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC). Here I used bind and eventually got signed dynamic updates working.
> When I compare the Tkey transaction (internal DNS vs bind), I see that the Tkey response packet for internal DNS has an additional RR.
> Additional records
> 1252-ms-7.1-247ed95d.4c1a5028-c4b1-11e5-f7a4-5065f335d668: type TSIG, class ANY
> Name: 1252-ms-7.1-247ed95d.4c1a5028-c4b1-11e5-f7a4-5065f335d668
> Type: TSIG (Transaction Signature) (250)
> Class: ANY (0x00ff)
> Time to live: 0
> Data length: 46
> Algorithm Name: gss-tsig
> [Expert Info (Warn/Malformed): Trying to fetch an absolute time value with length 6]
> [Trying to fetch an absolute time value with length 6]
> [Severity level: Warn]
> [Group: Malformed]
> Time Signed: Jan 1, 1970 15:39:44.000000000 ACST
> Fudge: 300
> MAC Size: 28
> [Expert Info (Warn/Undecoded): No dissector for algorithm:gss-tsig]
> [No dissector for algorithm:gss-tsig]
> [Severity level: Warn]
> [Group: Undecoded]
> Original Id: 38945
> Error: No error (0)
> Other Len: 0
> Could the apparently malformed "Time Signed" field be the problem? This is the only whiff of an error that I can detect.
> I'd be grateful for any hints.
> IMPORTANT: This email remains the property of the Department of Defence and is subject to the jurisdiction of section 70 of the Crimes Act 1914. If you have received this email in error, you are requested to contact the sender and delete the email.
See https://bugzilla.samba.org/show_bug.cgi?id=11520 for the bug.
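The TSIG record dissected in the capture above follows the RFC 2845 RDATA layout, in which Time Signed is a 48-bit field; a decoder that reads only its first four bytes turns a 2016 timestamp into a value a few hours past the 1970 epoch, which is what the capture displays. The encoder/parser below is an added example, not code from the thread or from Samba, and its sample values (algorithm gss-tsig, a 28-byte MAC, id 38945, a constructed 2016 timestamp) are constructed; it also includes the fudge-window check a TSIG verifier applies before accepting a signed update.

```python
import struct
from datetime import datetime, timezone

# TSIG RDATA layout on the wire (RFC 2845 section 2.3):
#   Algorithm Name (uncompressed domain name) | Time Signed (48-bit, seconds since epoch)
#   Fudge (16) | MAC Size (16) | MAC | Original ID (16) | Error (16) | Other Len (16) | Other Data

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(buf, off):
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def build_tsig_rdata(algorithm, time_signed, fudge, mac, original_id, error=0, other=b""):
    # The 48-bit Time Signed is packed as a 16-bit high part followed by a 32-bit low part.
    rdata = encode_name(algorithm) + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
    rdata += struct.pack("!HH", fudge, len(mac)) + mac
    return rdata + struct.pack("!HHH", original_id, error, len(other)) + other

def parse_tsig_rdata(rdata):
    alg, off = decode_name(rdata, 0)
    hi, lo = struct.unpack_from("!HI", rdata, off); off += 6
    fudge, mac_size = struct.unpack_from("!HH", rdata, off); off += 4
    mac = rdata[off:off + mac_size]; off += mac_size
    original_id, error, other_len = struct.unpack_from("!HHH", rdata, off); off += 6
    return {"algorithm": alg, "time_signed": (hi << 32) | lo, "fudge": fudge, "mac": mac,
            "original_id": original_id, "error": error, "other": rdata[off:off + other_len]}

def time_signed_as_32bit(rdata):
    # Wrong decoding: only the first 4 of the 6 Time Signed bytes are treated as the timestamp.
    _, off = decode_name(rdata, 0)
    return struct.unpack_from("!I", rdata, off)[0]

def utc_iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()

def time_within_fudge(time_signed, fudge, now):
    # RFC 2845 BADTIME rule: the signer's clock must be within +/- fudge seconds of the verifier's.
    return abs(now - time_signed) <= fudge

# Constructed sample record (not taken from the capture): gss-tsig, 28-byte MAC, original id 38945.
SAMPLE = build_tsig_rdata("gss-tsig", 1453880000, 300, bytes(range(28)), 38945)
```

Parsing SAMPLE correctly yields 1453880000 (27 Jan 2016 UTC), while the four-byte misread yields 22184, i.e. 1970-01-01T06:09:44 UTC, which is 15:39:44 ACST as shown in the capture.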