[Samba] samab-4.10 nsupdate

James B. Byrne byrnejb at harte-lyne.ca
Thu Jul 2 19:48:11 UTC 2020

On Thu, July 2, 2020 14:47:42 UTC, Rowland penny wrote:
> Looks like you need to recompile nsupdate, you need GSSAPI.
> Failing that, try adding:
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
> To your DC's smb.conf

Further investigation has uncovered (for me) the cause of this error:

/usr/local/bin/samba-nsupdate: cannot specify -g or -o, program not linked with
GSSAPI Library

The problem with the program is not the absence of the GSSAPI library.  The
problem is that FreeBSD ships with a GSSAPI library as part of the BASE system
corresponding to the OpenSSL that also is part of the BASE system (OpenSSL
1.1.1d-freebsd  10 Sep 2019 as of this writing).  However, FreeBSD also
provides packaged alternatives to OpenSSL including a couple of OpenSSLs.

On the system I was testing with I installed a package called sslscan.  This
package brings with it as a prerequisite the package openssl-unsafe.  This is
the source of the trouble.  The build options for the samba-nsupdate package

Options        :
	GSSAPI_BASE    : on
	GSSAPI_MIT     : off
	IPV6           : on

With an alternative OpenSSL package installed the BASE OpenSSL is overridden in
effect.  And that causes samba-nsupdate to report that there is no GSSAPI
library linked to it.  The bind-tools package is built with no GSSAPI support
so nsupdate is useless:

Comment        : Command line tools from BIND: delv, dig, host, nslookup...
Options        :
	FIXED_RRSET    : off
	GSSAPI_BASE    : off
	GSSAPI_MIT     : off
	GSSAPI_NONE    : on
. . .

Which, no doubt, is the reason that the package samba-nsupdate exists on FreeBSD.

Removing the offending ssl packages (sslscn and openssl-unsafe) and altering
/usr/local/etc/smb4.conf (smb.conf) to hold these settings:

  dns update command = /usr/local/bin/samba-nsupdate
  nsupdate command = /usr/local/bin/samba-nsupdate -g

Thereafter changes the error messages in samba-dnsupdate to this:

update(nsupdate): SRV
SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV
SMB4-1.brockley.harte-lyne.ca 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for SMB4-1$@BROCKLEY.HARTE-LYNE.CA will expire in 35998 secs
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
900 IN	SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2

So, where are the dynamic update keys kept and why is the key signature wrong,
or missing)?

***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

More information about the samba mailing list