nsupdate and internal DNS

Rowland Penny repenny at f2s.com
Thu Jan 3 04:10:43 MST 2013


On 03/01/13 07:42, Daniele Dario wrote:
> Hi Rowland, list
>
> On Mon, 2012-12-31 at 12:51 +0000, Rowland Penny wrote:
>> On 31/12/12 12:07, Andrew Bartlett wrote:
>>>> OK, for me, the internal DNS server will not update via a script that
>>>> DHCP runs, this script is based on the one at:
>>>> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/.
>>>> OK, it works again.
>>>>
>>>> The original dhcp update script was written to update a windows server,
>>>> so as it will not update the internal DNS server, I think that we can
>>>> infer that the internal DNS server is not working the same as a windows
>>>> server. Not a problem for me, as now I know the limitations of the
>>>> internal dns server, I will stop using it and only use bind9.
>>>>
>>> Rowland,
>>>
>>>   From here, what we need is for someone to look not at DHCP and that
>>> script, but simply why nsupdate -g fails against the internal server.
>>>
>>> This will hit more than DHCP anyway, as samba_dnsupdate is essentially
>>> doing the same thing.
>>>
>>> That BIND's nsupdate -g works against BIND itself is not surprising, but
>>> there may be some small details we are getting wrong in the internal
>>> server.
>>>
>>> So, what I'm suggesting is that someone needs to manually kinit, and
>>> then manually run nsupdate -g commands and show what bits fail, how they
>>> fail and perhaps work out why they fail.
>>>
>>> Thanks,
>>>
>>> Andrew Bartlett
>>>
>> OK, restart Samba 4 using internal DNS server, su to dhcpd user, kinit
>> as dhcpd and then manually run nsupdate with debug turned on
>>
>> service samba4 stop
>> service bind9 stop
>> mv /usr/local/samba /usr/local/samba-bind
>> mv /usr/local/samba-internal /usr/local/samba
>> service samba4 start
>>    * Starting Samba 4 daemons samba
>> smbd                                   [ OK ]
>> su - -s /bin/bash dhcpd
>> kinit -F -k -t /etc/dhcp/dhcpduser.keytab dhcpduser@HOME.LAN
>>
>> klist
>> Ticket cache: FILE:/tmp/krb5cc_107
>> Default principal: dhcpduser@HOME.LAN
>>
>> Valid starting     Expires            Service principal
>> 31/12/12 12:24:27  31/12/12 22:24:27  krbtgt/HOME.LAN@HOME.LAN
>>       renew until 01/01/13 12:24:27
>>
>> dhcpd@adserver:~$ nsupdate -g -d
>>   > server 192.168.0.10
>>   > realm HOME.LAN
>>   > update delete LinPad.home.lan 3600 A
>>   > update add LinPad.home.lan 3600 A 192.168.0.173
>>   > send
>> Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58559
>> ;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;LinPad.home.lan.        IN    SOA
>>
>> Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9390
>> ;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;home.lan.            IN    SOA
>>
>> ;; ANSWER SECTION:
>> home.lan.        3600    IN    SOA    adserver.home.lan.
>> hostmaster.home.lan. 1 900 600 86400 0
>>
>> Found zone name: home.lan
>> The master is: adserver.home.lan
>> start_gssrequest
>> send_gssrequest
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21882
>> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;2488446920.sig-adserver.home.lan. ANY    TKEY
>>
>> ;; ADDITIONAL SECTION:
>> 2488446920.sig-adserver.home.lan. 0 ANY    TKEY    gss-tsig. 1356957453
>> 1356957453 3 NOERROR 1276
>> YIIE+AYGKwYBBQUCoIIE7DCCBOigDTALBgkqhkiG9xIBAgKiggTVBIIE
>> 0WCCBM0GCSqGSIb3EgECAgEAboIEvDCCBLigAwIBBaEDAgEOogcDBQAg
>> AAAAo4IDuGGCA7QwggOwoAMCAQWhChsISE9NRS5MQU6iIzAhoAMCAQGh
>> GjAYGwNETlMbEWFkc2VydmVyLmhvbWUubGFuo4IDdjCCA3KgAwIBF6ED
>> AgEBooIDZASCA2CUZJwxo6TGmT56jA96kbK5NjwOKBF73KppRa12f5Ub
>> md1zpthXjiCHOqwD4/PcE9at9rAzWajUOquYxw0KGguYYcGExAWiU/oO
>> Z3iA4tohc3C0QEghivbAQx4Ktq9ygKMCzmLvzsQaJiaWReXrkN/RgAiR
>> 3WlLnawHtyVL0sBiOThZkJ0Yq3dkx6k65H9Jv/3faPLYYOX9137bRA1f
>> yPDMwGS9Ex4vDSOUSvxoF1e8yd08A628gIPaMV84eZFmAHpoHVyXqeVr
>> GPIaW1ddRSId1bzL7e53+roYBZYDlJ2GOYppMNdn6WWMp3D+ELCoC5Y8
>> dndaTUymHg08fcz8uOykfaltXGyHfsJIiOcpwqwYzYQLfAQROAVcVm2f
>> PWE6tllyWDBfgB+XdHAzqW50vOofwrCaaqxx39kG8UmPBAOHYSob/odW
>> 04ltgDuPEP8M4w0SSkWYz7t1LjNA4P+NaSrXzUClZrDUXwct2o/0gBu1
>> nJs4tG07GZgAIzWVPk9cFZZssNOy4oiS/owJfTm5wOaqzF8P8EMyTkiE
>> nWQwANSQtlhRF64pkwaf2OM+ERG1AQy/xtnesh47xIw6/lSOQ378FO/T
>> IiWH5bbUFVpsvl+1sG1VzWRwVThOq7AwEhgAeVUgHDlrrNdF9P2SHvZw
>> PUSigmg5LBfqDHUGB1x1bjUvXhPHT3+Tc+7fBTnaErDdkDnncMfLkvTF
>> AWeSnDKdDmwNE9FV+KOZMz7aRAWN+NSraoH+BqMXmJjhsb7LlsCtu8FC
>> UodvgPUd10zI4YpM1rE4hqCwCEb7QPBL8orRXKbIfZpxMlzYASYPsJ/6
>> jnabNcwAPDqikZUIuQvxqvAWllRGWBAZeuL+oGDYRwIHNkb7+PaoxObO
>> +hXjlxccWBxadvPEgGMvf+/AgIvADo2nBG3X4WQOskNkb6wfvj/PtvPM
>> WM3IlPk67NdDBhwj3LfEsvlWKFg0b96Q5eAxL9JGZGZPHaVGL22TVtXt
>> W7NNkDmO3zT6WgAeGziPquDIddPPadoQzYesFUQJtWtO2pPvlrC12mnu
>> 2GxSPWchiByrzrVXqnA19eYFeuZ+eVugl7IP2C9BxnPvxhQ2EdBK04tE
>> HO7C8DliYRk5W9+ABPRfmQLDjZMN6iAEmd1suKJe4lTJDImkgeYwgeOg
>> AwIBF6KB2wSB2Bp/RtoPJxksNxijETXrX4+N+LgvgiyPRW7FfkOu0BW2
>> yZh3JARZsVMakpXF0YngJp11zDcMIKz+DfOE9T8dRHaIDH5AQEK7z3+j
>> BJW/mpG+cQOTdgkCzeQA63T6oW3hpja4xByQz8lgzbWJrsK/GGVZm8Xz
>> XeCAr4IKG+CKdNrPJOgF24F8F1s2wUbu9qStwdcaQFSHkRjK/LlN9Ldd
>> dyeoQug2ZvfOMH0jaTDOxAnQb+JnmwNH+0TCJ4HGFQ5a9ykPT9qgIEyR
>> 0zKud4lsg9hA7ZTzU3AArg== 0
>>
>> recvmsg reply from GSS-TSIG query
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21882
>> ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;2488446920.sig-adserver.home.lan. ANY    TKEY
>>
>> ;; ANSWER SECTION:
>> 2488446920.sig-adserver.home.lan. 0 ANY    TKEY    gss-tsig. 1356957453
>> 1356957453 3 NOERROR 182
>> oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB
>> AgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXizTNaaPuOnP
>> rxDuEAq3dvHHBX3sXcA1g/u1UkL14r2aRNj+APOhumDgBjYTasrY/38k
>> nDb06HVOfdtEUNpve3DaC/wjnvb7892uqUtGlTLuknHGm0XMhQGKRcys
>> Ey77eL4UxwIUfyIPmtM= 0
>>
>> ;; TSIG PSEUDOSECTION:
>> 2488446920.sig-adserver.home.lan. 0 ANY    TSIG    gss-tsig. 1356957453
>> 300 28 BAQF//////8AAAAABZ8VZeui8ZjCdztkDnkWiA== 21882 NOERROR 0
>>
>> Sending update to 192.168.0.10#53
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 49222
>> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
>> ;; UPDATE SECTION:
>> LinPad.home.lan.    0    ANY    A
>> LinPad.home.lan.    3600    IN    A    192.168.0.173
>>
>> ;; TSIG PSEUDOSECTION:
>> 2488446920.sig-adserver.home.lan. 0 ANY    TSIG    gss-tsig. 1356957453
>> 300 28 BAQE//////8AAAAACaFb5Ursxrqu/FMMpvKsJg== 49222 NOERROR 0
>>
>> ; TSIG error with server: tsig verify failure
>>
>> Reply from update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 49222
>> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
>> ;; ZONE SECTION:
>> ;home.lan.            IN    SOA
>>
>> ;; UPDATE SECTION:
>> LinPad.home.lan.    0    ANY    A
>> LinPad.home.lan.    3600    IN    A    192.168.0.173
>>
>> ;; TSIG PSEUDOSECTION:
>> 2488446920.sig-adserver.home.lan. 0 ANY    TSIG    gss-tsig. 1356957453
>> 300 28 BAQE//////8AAAAACaFb5Ursxrqu/FMMpvKsJg== 49222 NOERROR 0
>>
>> nsupdate -g -d
>>   > server 192.168.0.10
>>   > realm HOME.LAN
>>   > update delete 173.0.168.192.in-addr.arpa 3600 PTR
>>   > update add 173.0.168.192.in-addr.arpa 3600 PTR LinPad.home.lan
>>   > send
>> Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24941
>> ;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;173.0.168.192.in-addr.arpa.    IN    SOA
>>
>> Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5879
>> ;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;0.168.192.in-addr.arpa.        IN    SOA
>>
>> ;; ANSWER SECTION:
>> 0.168.192.in-addr.arpa.    3600    IN    SOA    adserver.home.lan.
>> hostmaster.home.lan. 2 900 600 86400 3600
>>
>> Found zone name: 0.168.192.in-addr.arpa
>> The master is: adserver.home.lan
>> start_gssrequest
>> send_gssrequest
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9536
>> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;3079738857.sig-adserver.home.lan. ANY    TKEY
>>
>> ;; ADDITIONAL SECTION:
>> 3079738857.sig-adserver.home.lan. 0 ANY    TKEY    gss-tsig. 1356957727
>> 1356957727 3 NOERROR 1276
>> YIIE+AYGKwYBBQUCoIIE7DCCBOigDTALBgkqhkiG9xIBAgKiggTVBIIE
>> 0WCCBM0GCSqGSIb3EgECAgEAboIEvDCCBLigAwIBBaEDAgEOogcDBQAg
>> AAAAo4IDuGGCA7QwggOwoAMCAQWhChsISE9NRS5MQU6iIzAhoAMCAQGh
>> GjAYGwNETlMbEWFkc2VydmVyLmhvbWUubGFuo4IDdjCCA3KgAwIBF6ED
>> AgEBooIDZASCA2CUZJwxo6TGmT56jA96kbK5NjwOKBF73KppRa12f5Ub
>> md1zpthXjiCHOqwD4/PcE9at9rAzWajUOquYxw0KGguYYcGExAWiU/oO
>> Z3iA4tohc3C0QEghivbAQx4Ktq9ygKMCzmLvzsQaJiaWReXrkN/RgAiR
>> 3WlLnawHtyVL0sBiOThZkJ0Yq3dkx6k65H9Jv/3faPLYYOX9137bRA1f
>> yPDMwGS9Ex4vDSOUSvxoF1e8yd08A628gIPaMV84eZFmAHpoHVyXqeVr
>> GPIaW1ddRSId1bzL7e53+roYBZYDlJ2GOYppMNdn6WWMp3D+ELCoC5Y8
>> dndaTUymHg08fcz8uOykfaltXGyHfsJIiOcpwqwYzYQLfAQROAVcVm2f
>> PWE6tllyWDBfgB+XdHAzqW50vOofwrCaaqxx39kG8UmPBAOHYSob/odW
>> 04ltgDuPEP8M4w0SSkWYz7t1LjNA4P+NaSrXzUClZrDUXwct2o/0gBu1
>> nJs4tG07GZgAIzWVPk9cFZZssNOy4oiS/owJfTm5wOaqzF8P8EMyTkiE
>> nWQwANSQtlhRF64pkwaf2OM+ERG1AQy/xtnesh47xIw6/lSOQ378FO/T
>> IiWH5bbUFVpsvl+1sG1VzWRwVThOq7AwEhgAeVUgHDlrrNdF9P2SHvZw
>> PUSigmg5LBfqDHUGB1x1bjUvXhPHT3+Tc+7fBTnaErDdkDnncMfLkvTF
>> AWeSnDKdDmwNE9FV+KOZMz7aRAWN+NSraoH+BqMXmJjhsb7LlsCtu8FC
>> UodvgPUd10zI4YpM1rE4hqCwCEb7QPBL8orRXKbIfZpxMlzYASYPsJ/6
>> jnabNcwAPDqikZUIuQvxqvAWllRGWBAZeuL+oGDYRwIHNkb7+PaoxObO
>> +hXjlxccWBxadvPEgGMvf+/AgIvADo2nBG3X4WQOskNkb6wfvj/PtvPM
>> WM3IlPk67NdDBhwj3LfEsvlWKFg0b96Q5eAxL9JGZGZPHaVGL22TVtXt
>> W7NNkDmO3zT6WgAeGziPquDIddPPadoQzYesFUQJtWtO2pPvlrC12mnu
>> 2GxSPWchiByrzrVXqnA19eYFeuZ+eVugl7IP2C9BxnPvxhQ2EdBK04tE
>> HO7C8DliYRk5W9+ABPRfmQLDjZMN6iAEmd1suKJe4lTJDImkgeYwgeOg
>> AwIBF6KB2wSB2J3nDwMLjElosBgzokR900fIHsOs+cungQDAh5JL36pA
>> KufY/v0flNaZlAJ2vWkACrczHxtiuOjMXzDmdy3xI7TNitZ5Fg7GZCQ1
>> TJ0jW4dBmqU6KNYV/7XuGmpZVshBUSy1ZXtUiWOjdfCPIDSyDNahBin8
>> qnhFVahvwM+QRQhU60Ll2xVhapq/cDieLTtF3T0nfjNIp4WgGX4beE3V
>> i1Tn6AabVxQG1Cp30d4KrgAFIVucF1SRGY5KIcCG5iz+D5DokcZh8MuQ
>> uzZPC9gfMp0Rl+D7ibG20w== 0
>>
>> recvmsg reply from GSS-TSIG query
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9536
>> ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;3079738857.sig-adserver.home.lan. ANY    TKEY
>>
>> ;; ANSWER SECTION:
>> 3079738857.sig-adserver.home.lan. 0 ANY    TKEY    gss-tsig. 1356957727
>> 1356957727 3 NOERROR 182
>> oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB
>> AgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrNwVU+PQGV2Ee
>> aTuPGHZUQyV3zymYbuwosEl1gD/kUNG2KxFkygog/33RBrApPFEECych
>> JEHXiWTrrQdFk1tjKmrBnoccZ2FPNinDOgPWUzM2YPpVl9wrGCCJGgNW
>> IfBe8AROEW0rBo7Z0MI= 0
>>
>> ;; TSIG PSEUDOSECTION:
>> 3079738857.sig-adserver.home.lan. 0 ANY    TSIG    gss-tsig. 1356957727
>> 300 28 BAQF//////8AAAAAHHTCBQzwY3WVCUNfBGd8Kw== 9536 NOERROR 0
>>
>> Sending update to 192.168.0.10#53
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 48728
>> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
>> ;; UPDATE SECTION:
>> 173.0.168.192.in-addr.arpa. 0    ANY    PTR
>> 173.0.168.192.in-addr.arpa. 3600 IN    PTR    LinPad.home.lan.
>>
>> ;; TSIG PSEUDOSECTION:
>> 3079738857.sig-adserver.home.lan. 0 ANY    TSIG    gss-tsig. 1356957727
>> 300 28 BAQE//////8AAAAAPKw4E8zmJIeeotZxLYfxHA== 48728 NOERROR 0
>>
>> ; TSIG error with server: tsig verify failure
>>
>> Reply from update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 48728
>> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
>> ;; ZONE SECTION:
>> ;0.168.192.in-addr.arpa.        IN    SOA
>>
>> ;; UPDATE SECTION:
>> 173.0.168.192.in-addr.arpa. 0    ANY    PTR
>> 173.0.168.192.in-addr.arpa. 3600 IN    PTR    LinPad.home.lan.
>>
>> ;; TSIG PSEUDOSECTION:
>> 3079738857.sig-adserver.home.lan. 0 ANY    TSIG    gss-tsig. 1356957727
>> 300 28 BAQE//////8AAAAAPKw4E8zmJIeeotZxLYfxHA== 48728 NOERROR 0
>>
>> Hope this helps
>>
>> Rowland
>>
>>
> I have the same issue. You can find my logs in the thread "dhcp server
> with samba4 internal dns configuration".
>
> My setup is 2 samba AD DCs (kdc01 and kdc02) configured with internal
> dns on ubuntu 11.04 server. DHCP is running on kdc01.
>
> The dns update script is based on the one posted by Sergey Urushkin to
> Michael Kuron blog.
>
> The domain has been provisioned on kdc02 with one of the latest alpha
> releases, then kdc01 has been joined (same release), and since then I
> upgraded to rc(s) and finally to 4.0.0.
>
> I can add that running the script (which invokes the nsupdate -g
> commands) manually with debug option enabled I see the same messages but
> the records are added (if they are not present) even if the TSIG
> failures are notified. The problem is that it seems that if I run the
> script as root I can get the ticket from kinit while when the script is
> called by dhcpd it fails (even if the ticket is cached). Does it happen
> also for you?
>
> Daniele.
>
>
>
Hi Daniele, I have tried all the scripts that can be found via the 
Michael Kuron blog. I am using his script at the moment, slightly 
modified, and it works against Samba 4.0.0 & Bind 9.9.2. If I 
stop Samba 4.0.0 & Bind9 and move /usr/local/samba out of the way and 
move into place another /usr/local/samba that has been provisioned to 
use the internal dns server, it stops working with the error:
; TSIG error with server: tsig verify failure

When I try to join a linux computer to the domain, it joins, but the dns 
update fails with the following line in /var/log/syslog:
named[8213]: client 192.168.0.5#33093: updating zone 'home.lan/NONE': 
update failed: rejected by secure update (REFUSED)

My thoughts are that for some reason, samba 4.0.0 is not getting a 
kerberos ticket etc and is not being allowed to update the dns database.

If I become an ordinary user and kinit using the keytab that the dhcp 
update script uses, I can, via nsupdate, manually add the computer that 
the domain join couldn't.

Rowland
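Added note and example (not part of the thread, and not code from Samba, BIND or the DHCP update script): two things in the traces above are worth separating before anyone digs into the internal server. First, both TKEY exchanges come back NOERROR, with NOERROR in the TKEY rdata as well, so the Kerberos ticket was accepted and a GSS-TSIG context was negotiated; what fails is the signed UPDATE round trip. Second, the `; TSIG error with server: tsig verify failure` line is printed by nsupdate when its own verification of the TSIG on the server's reply fails; the server's verdict on the update itself is the rcode (SERVFAIL here, whereas Daniele sees the records being added). The detail a practitioner would check is that the MAC in the reply's TSIG (`BAQE//////8AAAAACaFb5Ursxrqu/FMMpvKsJg==`, original id 49222) is byte for byte the MAC nsupdate put on the outgoing UPDATE, and the same holds for the PTR run (id 48728); a reply signed as RFC 2845/3645 require carries a MAC computed over the reply with the request MAC as input, so it will not equal the request MAC. The script below encodes that reading of a `nsupdate -g -d` trace: it parses the debug text in the format shown in this thread (an assumption about the BIND 9.9-era `-d` output; the line prefixes it keys on are the ones visible above) and reports the first stage that did not complete, with the two MACs side by side. The embedded sample is constructed from the A-record run above with the Kerberos token lines and section headers removed.

```python
"""Locate the failing stage in an `nsupdate -g -d` (GSS-TSIG) trace.
Added diagnostic for this thread, not code from Samba, BIND or the DHCP
script under discussion; it only reads the text nsupdate prints with -d."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+)")
# TKEY rdata continuation line: "<expiration> <mode> <error> <keysize>"
TKEY_RE = re.compile(r"^(\d+)\s+(\d+)\s+([A-Z]+)\s+(\d+)$")
# TSIG rdata continuation line: "<fudge> <macsize> <mac> <orig-id> <error> <otherlen>"
TSIG_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+([A-Z]+)\s+(\d+)$")
CLIENT_ERR = "; TSIG error with server: "  # nsupdate's own check of the reply failed
MSG_START = {  # lines with which nsupdate -d introduces each DNS message
    "Outgoing update query:": "outgoing",
    "recvmsg reply from GSS-TSIG query": "tkey_reply",
    "Reply from update query:": "update_reply",
}

@dataclass
class Message:
    kind: str
    opcode: str = ""
    status: str = ""
    lines: List[str] = field(default_factory=list)

    def rdata(self, regex, group: int) -> Optional[str]:
        # capture `group` of the first rdata line matching `regex`
        return next((m.group(group) for m in map(regex.match, self.lines) if m), None)

@dataclass
class Diagnosis:
    tkey_status: Optional[str] = None    # rcode of the TKEY reply
    tkey_error: Optional[str] = None     # error field inside the TKEY rdata
    update_status: Optional[str] = None  # rcode the server gave the UPDATE
    client_tsig_error: Optional[str] = None
    request_mac: Optional[str] = None    # TSIG MAC nsupdate put on the UPDATE
    reply_mac: Optional[str] = None      # TSIG MAC the server put on its reply
    stage: str = "unknown"

def parse_trace(text: str):
    msgs, diag, cur = [], Diagnosis(), None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate mail-quoted (">> ") traces
        if line in MSG_START:
            cur = Message(MSG_START[line])
            msgs.append(cur)
        elif line.startswith(CLIENT_ERR):
            diag.client_tsig_error = line[len(CLIENT_ERR):]
        elif cur is not None:
            m = HEADER_RE.search(line)
            if m:
                cur.opcode, cur.status = m.group(1), m.group(2)
            else:
                cur.lines.append(line)
    return msgs, diag

def diagnose(text: str) -> Diagnosis:
    msgs, d = parse_trace(text)
    tkey = next((m for m in msgs if m.kind == "tkey_reply"), None)
    req = next((m for m in msgs if m.kind == "outgoing" and m.opcode == "UPDATE"), None)
    rep = next((m for m in msgs if m.kind == "update_reply"), None)
    if tkey:
        d.tkey_status, d.tkey_error = tkey.status, tkey.rdata(TKEY_RE, 3)
    if req:
        d.request_mac = req.rdata(TSIG_RE, 3)
    if rep:
        d.update_status, d.reply_mac = rep.status, rep.rdata(TSIG_RE, 3)
    if tkey is None or d.tkey_status != "NOERROR" or d.tkey_error != "NOERROR":
        d.stage = "tkey-negotiation"      # no GSS context, so nothing to sign with
    elif rep is None:
        d.stage = "update-no-reply"
    elif d.client_tsig_error or (d.reply_mac and d.reply_mac == d.request_mac):
        d.stage = "reply-tsig-unverifiable"  # reply MAC is not a fresh signature
    elif d.update_status != "NOERROR":
        d.stage = "update-rejected"       # e.g. REFUSED by the update policy
    else:
        d.stage = "ok"
    return d

# Constructed sample: the A-record run posted in this thread, Kerberos token
# lines and section headers dropped, mail quoting (">> ") left in place.
SAMPLE = """\
>> recvmsg reply from GSS-TSIG query
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21882
>> 2488446920.sig-adserver.home.lan. 0 ANY    TKEY    gss-tsig. 1356957453
>> 1356957453 3 NOERROR 182
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 49222
>> 2488446920.sig-adserver.home.lan. 0 ANY    TSIG    gss-tsig. 1356957453
>> 300 28 BAQE//////8AAAAACaFb5Ursxrqu/FMMpvKsJg== 49222 NOERROR 0
>> ; TSIG error with server: tsig verify failure
>> Reply from update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 49222
>> 2488446920.sig-adserver.home.lan. 0 ANY    TSIG    gss-tsig. 1356957453
>> 300 28 BAQE//////8AAAAACaFb5Ursxrqu/FMMpvKsJg== 49222 NOERROR 0
"""
```

Run `python3 -c 'import trace_diag; print(trace_diag.diagnose(trace_diag.SAMPLE))'` (any module name works) on the sample, or paste a whole `nsupdate -g -d` run, quoted or not, into `diagnose()`. A "tkey-negotiation" result points at kinit, the keytab or the KDC; "reply-tsig-unverifiable" with identical MACs points at how the server signs its reply, which is the case the two traces above fall into.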

