Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update

Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update

Samba - General mailing list
Dear all,

a month ago I filed bug #13066 about a Samba 4.7 DC using BIND9_DLZ
as DNS backend failing to run samba_dnsupdate using MIT Kerberos. The
logs show a Kerberos error "Request is a replay". Logs are attached here:
https://bugzilla.samba.org/show_bug.cgi?id=13066.

Since I have not received any feedback on the bug report, I am trying
this channel if someone has any idea how to fix this.  Thanks a lot in
advance.

Best regards
Johannes



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update

Hi Johannes,

On 07.11.2017 at 18:35, Johannes Engel via samba wrote:
> a month ago I filed bug #13066 about a Samba 4.7 DC using BIND9_DLZ
> as DNS backend failing to run samba_dnsupdate using MIT Kerberos. The
> logs show a Kerberos error "Request is a replay". Logs are attached here:
> https://bugzilla.samba.org/show_bug.cgi?id=13066.
>
> Since I have not received any feedback on the bug report, I am trying
> this channel if someone has any idea how to fix this.  Thanks a lot in
> advance.


A while ago I tested a git branch of Andreas' about moving some
BIND-related files from the private directory to a separate one. During
testing I discovered some DNS update problems if the system used MIT
Kerberos. He fixed everything in his branch, and updates worked.


@Andreas: Do you remember if these fixes are all in master/4.7? I can
confirm that dynamic updates fail here on F27 with self-compiled 4.7.1
and latest master (both with MIT).


# smbd -b | grep HAVE_LIBKADM5SRV_MIT
   HAVE_LIBKADM5SRV_MIT

# samba_dnsupdate --verbose --all-names
...
update failed: REFUSED
Failed nsupdate: 2
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
DC3.samdom.example.com 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
DC3.samdom.example.com 389 (add)
Successfully obtained Kerberos ticket to DNS/dc3.samdom.example.com as DC3$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com.
900 IN SRV 0 100 389 DC3.samdom.example.com.

update failed: REFUSED
Failed nsupdate: 2
Failed update of 29 entries



Regards,
Marc


Re: Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update

On Tuesday, 7 November 2017 21:04:09 CET Marc Muehlfeld wrote:

> Hi Johannes,
>
> On 07.11.2017 at 18:35, Johannes Engel via samba wrote:
> > a month ago I filed bug #13066 about a Samba 4.7 DC using BIND9_DLZ
> > as DNS backend failing to run samba_dnsupdate using MIT Kerberos. The
> > logs show a Kerberos error "Request is a replay". Logs are attached here:
> > https://bugzilla.samba.org/show_bug.cgi?id=13066.
> >
> > Since I have not received any feedback on the bug report, I am trying
> > this channel if someone has any idea how to fix this.  Thanks a lot in
> > advance.
>
> A while ago I tested a git branch of Andreas' about moving some
> BIND-related files from the private directory to a separate one. During
> testing I discovered some DNS update problems if the system used MIT
> Kerberos. He fixed everything in his branch, and updates worked.
>
>
> @Andreas: Do you remember if these fixes are all in master/4.7? I can
> confirm that dynamic updates fail here on F27 with self-compiled 4.7.1
> and latest master (both with MIT).
>
>
> # smbd -b | grep HAVE_LIBKADM5SRV_MIT
>    HAVE_LIBKADM5SRV_MIT
>
> # samba_dnsupdate --verbose --all-names

This command does not work correctly because MIT Kerberos has a replay cache
to circumvent attacks.

This command does replay attacks :-)


http://web.mit.edu/kerberos/krb5-devel/doc/basic/rcache_def.html

It is not the right command to verify that dynamic dns updates are working!

> ...
> update failed: REFUSED
> Failed nsupdate: 2
> update(nsupdate): SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
> DC3.samdom.example.com 389
> Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
> DC3.samdom.example.com 389 (add)
> Successfully obtained Kerberos ticket to DNS/dc3.samdom.example.com as DC3$
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com.
> 900 IN SRV 0 100 389 DC3.samdom.example.com.
>
> update failed: REFUSED
> Failed nsupdate: 2
> Failed update of 29 entries
>
>
>
> Regards,
> Marc



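The replay-cache behaviour Andreas points to, as a small model added here (it is not MIT krb5 or Samba code): the server records every authenticator it accepts and refuses any it sees again while the entry is still inside the clock-skew window, which the client reports as "Request is a replay". The model keys entries on a hash of the authenticator bytes and uses a 300-second skew; the authenticator() helper, the principal names and the simulate_updates() driver are constructed stand-ins, and the model says nothing about how samba_dnsupdate itself comes to re-present an authenticator, only what the cache does with one.

```python
"""Model of a Kerberos server-side replay cache (constructed example; not MIT
or Samba code). An AP-REQ whose authenticator matches an entry still inside the
clock-skew window is refused with KRB_AP_ERR_REPEAT, which the client reports
as "Request is a replay"."""
import hashlib

CLOCK_SKEW = 300  # seconds; the skew window used by this model


class ReplayCache:
    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self.entries = {}  # authenticator digest -> time it was accepted

    def _expire(self, now):
        # An authenticator older than the skew window fails the timestamp
        # check anyway, so its entry no longer needs to be remembered.
        for key, seen in list(self.entries.items()):
            if now - seen > self.skew:
                del self.entries[key]

    def check(self, authenticator, now):
        """Return "OK" and record the authenticator, or "KRB_AP_ERR_REPEAT"
        if the same authenticator was already accepted inside the window."""
        self._expire(now)
        key = hashlib.sha256(authenticator).hexdigest()
        if key in self.entries:
            return "KRB_AP_ERR_REPEAT"
        self.entries[key] = now
        return "OK"


def authenticator(client, server, ctime, cusec):
    """Stand-in for the encrypted authenticator of an AP-REQ. Only the bytes
    matter to the cache, so a textual encoding of the fields is enough here."""
    return f"{client}|{server}|{ctime}|{cusec}".encode()


def simulate_updates(n_records, fresh_authenticators, now=1_510_000_000.0):
    """Present one AP-REQ per DNS record to the same server, either with a
    fresh authenticator each time (distinct cusec) or with the same bytes."""
    rc = ReplayCache()
    client = "DC3$@SAMDOM.EXAMPLE.COM"      # hypothetical principal names
    server = "DNS/dc3.samdom.example.com"
    first = authenticator(client, server, int(now), 0)
    results = []
    for i in range(n_records):
        if fresh_authenticators:
            auth = authenticator(client, server, int(now), i)
        else:
            auth = first
        results.append(rc.check(auth, now + i * 0.01))
    return results


if __name__ == "__main__":
    print("fresh authenticators :", simulate_updates(3, True))
    print("reused authenticator :", simulate_updates(3, False))
```

The second run is the failure mode in the thread: after the first AP-REQ is accepted, every later presentation of the same authenticator is refused until the skew window has passed, and the DNS update behind it is never attempted.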

Re: Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update

Hi Andreas,

thanks a lot for the explanation, sounds reasonable to me. ;)

But what would be the right way to test DNS updates in this scenario?

Best regards
Johannes




Re: Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update

On Wednesday, 8 November 2017 09:40:30 CET Johannes Engel via samba wrote:
> Hi Andreas,
>
> thanks a lot for the explanation, sounds reasonable to me. ;)
>
> But what would be the right way to test DNS updates in this scenario?

Use a joined workstation and run 'net ads dns register'? Or disable the
replay cache on the server side ...

The tool should be fixed; it is enough to authenticate only once. However, I
don't have time for that, but feel free to open a bug.


        Andreas

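Andreas' remark that authenticating once should be enough, as an added example (not samba_dnsupdate's own code): it takes record lines in the "TYPE name target [port]" shape that samba_dnsupdate prints in its verbose output, groups them by zone (an UPDATE message covers a single zone), and emits one nsupdate batch in which `gsstsig` negotiates the GSS-TSIG key for the session and each zone gets one `send`, instead of a separate nsupdate process per record. The zone list, the sample records, the server name, the TTL and the run_nsupdate() wrapper are assumptions made for the example; run it with a ticket for the DC's machine account in the credential cache.

```python
"""Build one GSS-TSIG nsupdate batch for a set of DC records (constructed
example; not samba_dnsupdate's code). The records, zones, server name and
TTL below are assumptions for the example."""
import subprocess
from collections import OrderedDict

# Zones served by the DC; longest suffix match picks the zone for a name.
ZONES = (
    "samdom.example.com",
    "_msdcs.samdom.example.com",
    "ForestDnsZones.samdom.example.com",
    "DomainDnsZones.samdom.example.com",
)
TTL = 900  # the TTL seen in the samba_dnsupdate output in this thread

# Constructed sample in the shape samba_dnsupdate prints in verbose mode:
# "update(nsupdate): SRV <name> <host> <port>", here without the prefix.
SAMPLE_RECORDS = """\
A dc3.samdom.example.com 192.0.2.13
SRV _ldap._tcp.samdom.example.com dc3.samdom.example.com 389
SRV _kerberos._udp.samdom.example.com dc3.samdom.example.com 88
SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com dc3.samdom.example.com 389
"""


def parse_records(text):
    """Turn "TYPE name target [port]" lines into (type, name, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        rtype, name, target = parts[0], parts[1], parts[2]
        if rtype == "SRV":
            if len(parts) != 4:
                raise ValueError(f"SRV needs a port: {line!r}")
            records.append((rtype, name, f"0 100 {parts[3]} {target}."))
        elif rtype in ("A", "AAAA"):
            records.append((rtype, name, target))
        elif rtype in ("CNAME", "NS"):
            records.append((rtype, name, target + "."))
        else:
            raise ValueError(f"unsupported record type: {rtype}")
    return records


def zone_for(name, zones=ZONES):
    """Longest-suffix match of a record name against the served zones."""
    name = name.rstrip(".").lower()
    best = None
    for zone in zones:
        z = zone.lower()
        if name == z or name.endswith("." + z):
            if best is None or len(zone) > len(best):
                best = zone
    if best is None:
        raise ValueError(f"no served zone for {name}")
    return best


def build_nsupdate_batch(records, server, ttl=TTL, zones=ZONES):
    """One nsupdate session: 'gsstsig' negotiates the GSS-TSIG key once,
    then every zone gets a single UPDATE carrying all of its records."""
    groups = OrderedDict()
    for rtype, name, rdata in records:
        groups.setdefault(zone_for(name, zones), []).append((rtype, name, rdata))
    lines = [f"server {server}", "gsstsig"]
    for zone, recs in groups.items():
        lines.append(f"zone {zone}")
        for rtype, name, rdata in recs:
            lines.append(f"update add {name}. {ttl} IN {rtype} {rdata}")
        lines.append("send")
    return "\n".join(lines) + "\n"


def run_nsupdate(batch, nsupdate="nsupdate", timeout=60):
    """Feed the batch to a single nsupdate process, which signs with the
    ticket in the caller's credential cache. Needs a reachable DC; not
    exercised offline."""
    proc = subprocess.run([nsupdate], input=batch, text=True,
                          capture_output=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr


if __name__ == "__main__":
    print(build_nsupdate_batch(parse_records(SAMPLE_RECORDS),
                               "dc3.samdom.example.com"), end="")
```

With the sample input the batch contains one `gsstsig` line and two `send` lines (one for samdom.example.com, one for ForestDnsZones.samdom.example.com); pipe it into nsupdate from a shell holding the DC's machine-account ticket and check the records afterwards with a normal query.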