[Samba] Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update
Andreas Schneider
asn at samba.org
Wed Nov 8 08:28:41 UTC 2017
On Tuesday, 7 November 2017 21:04:09 CET Marc Muehlfeld wrote:
> Hi Johannes,
>
> Am 07.11.2017 um 18:35 schrieb Johannes Engel via samba:
> > a month ago I have filed bug #13066 about Samba 4.7 DC using BIND9_DLZ
> > as DNS backend failing to run samba_dnsupdate using MIT Kerberos. The
> > logs show a kerberos error "Request is a replay". Logs attached here:
> > https://bugzilla.samba.org/show_bug.cgi?id=13066.
> >
> > Since I have not received any feedback on the bug report, I am trying
> > this channel if someone has any idea how to fix this. Thanks a lot in
> > advance.
>
> A while ago I tested a git branch from Andreas' about moving some
> BIND-related files from the private to a separate directory. During
> testing I discovered some DNS update problems if the system used MIT
> Kerberos. He fixed everything in his branch, and updates worked.
>
>
> @Andreas: Do you remember if these fixes are all in master/4.7? I can
> confirm that dynamic updates fail here on F27 with self-compiled 4.7.1
> and latest master (both with MIT).
>
>
> # smbd -b | grep HAVE_LIBKADM5SRV_MIT
> HAVE_LIBKADM5SRV_MIT
>
> # samba_dnsupdate --verbose --all-names
This command does not work correctly because MIT Kerberos has a replay cache
to circumvent attacks.
This command does replay attacks :-)
http://web.mit.edu/kerberos/krb5-devel/doc/basic/rcache_def.html
It is not the right command to verify that dynamic dns updates are working!
> ...
> update failed: REFUSED
> Failed nsupdate: 2
> update(nsupdate): SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
> DC3.samdom.example.com 389
> Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
> DC3.samdom.example.com 389 (add)
> Successfully obtained Kerberos ticket to DNS/dc3.samdom.example.com as DC3$
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com.
> 900 IN SRV 0 100 389 DC3.samdom.example.com.
>
> update failed: REFUSED
> Failed nsupdate: 2
> Failed update of 29 entries
>
>
>
> Regards,
> Marc
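The "Request is a replay" error Andreas refers to comes from the MIT Kerberos replay cache described at the linked rcache page: the KDC-issued ticket is fine, but an application server remembers each authenticator it accepts (client, server, timestamp, microseconds and, in newer releases, a hash of the authenticator) for the allowable clock-skew window and rejects any authenticator it has already seen. The following toy model is an added illustration of that mechanism and is neither Samba nor MIT code; the principal names reuse the hostnames from the log above, the realm `SAMDOM.EXAMPLE.COM`, the 300-second skew and the two client behaviours are assumptions made for the example.

```python
"""Toy model of a Kerberos replay cache (added example, not Samba/MIT code).

Mirrors the behaviour documented for MIT's rcache: an authenticator is
identified by (client, server, ctime, cusec, hash of authenticator body),
entries are kept for the clock-skew window, and a second presentation of
the same authenticator inside that window is a replay.
"""
import hashlib
from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds; assumed default allowable clock skew


@dataclass(frozen=True)
class Authenticator:
    client: str   # client principal, e.g. "DC3$@SAMDOM.EXAMPLE.COM" (assumed realm)
    server: str   # service principal the ticket was obtained for
    ctime: int    # client time, seconds
    cusec: int    # client time, microseconds
    body: bytes   # rest of the authenticator (constructed placeholder)


class ReplayCache:
    """Server-side cache of recently accepted authenticators."""

    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self._seen = {}  # cache key -> ctime at which it was accepted

    @staticmethod
    def _key(auth):
        digest = hashlib.sha256(auth.body).hexdigest()
        return (auth.client, auth.server, auth.ctime, auth.cusec, digest)

    def check(self, auth, now):
        """Return "OK", "KRB_AP_ERR_SKEW" or "KRB_AP_ERR_REPEAT" for one AP-REQ."""
        # Entries older than the skew window can never match a valid request
        # again (the time check below rejects it first), so drop them.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.skew}
        if abs(now - auth.ctime) > self.skew:
            return "KRB_AP_ERR_SKEW"
        key = self._key(auth)
        if key in self._seen:
            return "KRB_AP_ERR_REPEAT"   # the "Request is a replay" case
        self._seen[key] = auth.ctime
        return "OK"


def run_updates(reuse_authenticator, n=3, now=1_510_000_000):
    """Simulate n successive GSS-authenticated requests to the DNS service.

    reuse_authenticator=True re-presents the very same authenticator each
    time (the pattern a replay cache exists to catch); False builds a fresh
    authenticator per request, as a well-behaved client does.
    """
    rc = ReplayCache()
    client = "DC3$@SAMDOM.EXAMPLE.COM"
    server = "DNS/dc3.samdom.example.com@SAMDOM.EXAMPLE.COM"
    auth = Authenticator(client, server, now, 0, b"constructed-authenticator-1")
    results = []
    for i in range(n):
        if not reuse_authenticator:
            auth = Authenticator(client, server, now + i, i * 17,
                                 f"constructed-authenticator-{i + 1}".encode())
        results.append(rc.check(auth, now + i))
    return results


if __name__ == "__main__":
    print("same authenticator reused:", run_updates(True))
    print("fresh authenticator each time:", run_updates(False))
```

Only the first presentation of a reused authenticator is accepted; every later one is answered with `KRB_AP_ERR_REPEAT`, which is why a tool that resends identical authenticated requests looks like a failure even though the Kerberos ticket itself was obtained successfully, exactly as in the log above.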