[Samba] Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update

Johannes Engel jcnengel+samba at gmail.com
Wed Nov 8 08:40:30 UTC 2017


Hi Andreas,

thanks a lot for the explanation, sounds reasonable to me. ;)

But what would be the right way to test DNS updates in this scenario?

Best regards
Johannes


On 08.11.2017 at 09:28, Andreas Schneider wrote:
> On Tuesday, 7 November 2017 21:04:09 CET Marc Muehlfeld wrote:
>> Hi Johannes,
>>
>> On 07.11.2017 at 18:35, Johannes Engel via samba wrote:
>>> a month ago I filed bug #13066 about a Samba 4.7 DC using BIND9_DLZ
>>> as DNS backend failing to run samba_dnsupdate using MIT Kerberos. The
>>> logs show a kerberos error "Request is a replay". Logs attached here:
>>> https://bugzilla.samba.org/show_bug.cgi?id=13066.
>>>
>>> Since I have not received any feedback on the bug report, I am trying
>>> this channel if someone has any idea how to fix this.  Thanks a lot in
>>> advance.
>> A while ago I tested a git branch from Andreas about moving some
>> BIND-related files from the private to a separate directory. During
>> testing I discovered some DNS update problems if the system used MIT
>> Kerberos. He fixed everything in his branch, and updates worked.
>>
>>
>> @Andreas: Do you remember if these fixes are all in master/4.7? I can
>> confirm that dynamic updates fail here on F27 with self-compiled 4.7.1
>> and latest master (both with MIT).
>>
>>
>> # smbd -b | grep HAVE_LIBKADM5SRV_MIT
>>    HAVE_LIBKADM5SRV_MIT
>>
>> # samba_dnsupdate --verbose --all-names
> This command does not work correctly because MIT Kerberos has a replay cache 
> to circumvent attacks.
>
> This command does replay attacks :-)
>
>
> http://web.mit.edu/kerberos/krb5-devel/doc/basic/rcache_def.html
>
> It is not the right command to verify that dynamic dns updates are working!
>
>> ...
>> update failed: REFUSED
>> Failed nsupdate: 2
>> update(nsupdate): SRV
>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
>> DC3.samdom.example.com 389
>> Calling nsupdate for SRV
>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
>> DC3.samdom.example.com 389 (add)
>> Successfully obtained Kerberos ticket to DNS/dc3.samdom.example.com as DC3$
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com.
>> 900 IN SRV	0 100 389 DC3.samdom.example.com.
>>
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Failed update of 29 entries
>>
>>
>>
>> Regards,
>> Marc
>
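Andreas's explanation above hinges on the server-side replay cache: the acceptor of a Kerberos AP-REQ remembers every authenticator it has accepted for as long as the allowed clock skew and rejects a second presentation of the same one with KRB5KRB_AP_ERR_REPEAT, which krb5 prints as "Request is a replay". The following is an added, simplified model of that cache written for this page to make the behaviour concrete; it is not Samba, BIND or MIT krb5 code, and the principal names, the 300 s skew, the timestamps and the authenticator bytes are constructed for the illustration.

```python
"""Minimal model of a Kerberos server-side replay cache (rcache).

Added illustration, not Samba or MIT krb5 code.  It follows the behaviour
described at http://web.mit.edu/kerberos/krb5-devel/doc/basic/rcache_def.html:
the acceptor stores each accepted authenticator for the duration of the
allowable clock skew and rejects a repeated one with KRB5KRB_AP_ERR_REPEAT.
"""
import hashlib
from dataclasses import dataclass

CLOCK_SKEW = 300                        # seconds; assumed default clockskew
ERR_REPEAT = "KRB5KRB_AP_ERR_REPEAT"    # reported by krb5 as "Request is a replay"
ERR_SKEW = "KRB5KRB_AP_ERR_SKEW"


@dataclass(frozen=True)
class Authenticator:
    """Fields an rcache keys on.  `body` stands in for the encrypted
    authenticator bytes; storing a hash of them keeps two distinct
    authenticators with identical timestamps from colliding."""
    client: str   # constructed, e.g. "DC3$@SAMDOM.EXAMPLE.COM"
    server: str   # constructed, e.g. "DNS/dc3.samdom.example.com@SAMDOM.EXAMPLE.COM"
    ctime: int    # client timestamp, seconds
    cusec: int    # client timestamp, microseconds
    body: bytes


class ReplayCache:
    def __init__(self, clockskew=CLOCK_SKEW):
        self.clockskew = clockskew
        self._seen = {}   # rcache key -> ctime of the stored authenticator

    @staticmethod
    def _key(auth):
        return (auth.client, auth.server, auth.ctime, auth.cusec,
                hashlib.sha256(auth.body).hexdigest())

    def _expire(self, now):
        # Entries older than the skew window may be dropped: a replay of
        # them would already fail the timestamp check in accept().
        self._seen = {k: t for k, t in self._seen.items()
                      if now - t <= self.clockskew}

    def accept(self, auth, now):
        """Return "OK" or the krb5 error name the acceptor would raise."""
        self._expire(now)
        if abs(now - auth.ctime) > self.clockskew:
            return ERR_SKEW
        key = self._key(auth)
        if key in self._seen:
            return ERR_REPEAT
        self._seen[key] = auth.ctime
        return "OK"


def run_updates(reuse_authenticator, n_updates, now=1_510_000_000):
    """Model n GSS-authenticated requests to one server, either re-sending
    a single authenticator or building a fresh one (new cusec and body) per
    request.  Returns the per-request verdicts.  Names are constructed."""
    rc = ReplayCache()
    client = "DC3$@SAMDOM.EXAMPLE.COM"
    server = "DNS/dc3.samdom.example.com@SAMDOM.EXAMPLE.COM"
    first = Authenticator(client, server, now, 1, b"apreq-0")
    verdicts = []
    for i in range(n_updates):
        if reuse_authenticator:
            auth = first
        else:
            auth = Authenticator(client, server, now, 1 + i, b"apreq-%d" % i)
        verdicts.append(rc.accept(auth, now))
    return verdicts


def replay_after_skew(now=1_510_000_000):
    """An authenticator replayed after the skew window is rejected by the
    timestamp check, which is why the cache is allowed to forget it."""
    rc = ReplayCache()
    auth = Authenticator("DC3$@SAMDOM.EXAMPLE.COM",
                         "DNS/dc3.samdom.example.com@SAMDOM.EXAMPLE.COM",
                         now, 7, b"apreq-x")
    first = rc.accept(auth, now)
    later = rc.accept(auth, now + CLOCK_SKEW + 1)
    return first, later


if __name__ == "__main__":
    print("reuse one authenticator:", run_updates(True, 3))
    print("fresh authenticator each:", run_updates(False, 3))
    print("replay after skew:", replay_after_skew())
```

The first run shows the failure mode discussed in the thread: only the first presentation of an authenticator is accepted, every repeat is a replay. The second run shows that the same client sending several requests is fine as long as each carries a fresh authenticator, and the last function shows why the cache only has to remember entries for the skew window.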

