Bug 13019 - Dynamic DNS updates with the internal DNS are not working
Summary: Dynamic DNS updates with the internal DNS are not working
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS server (internal) (show other bugs)
Version: 4.7.0rc3
Hardware: All All
: P5 major (vote)
Target Milestone: 4.7
Assignee: Kai Blin
QA Contact: Samba QA Contact
Depends on:
Blocks: 13605
  Show dependency treegraph
Reported: 2017-09-06 09:15 UTC by Andreas Schneider
Modified: 2018-09-05 15:07 UTC (History)
9 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Schneider 2017-09-06 09:15:27 UTC
Dynamic DNS updates with the internal DNS are not working in master and 4.7.

[2017/09/06 11:03:50.958794,  1, pid=17121, effective(0, 0), real(0, 0)] ../auth/kerberos/gssapi_helper.c:388(gssapi_check_packet)
  GSS VerifyMic failed: A token had an invalid Message Integrity Check (MIC): Success
[2017/09/06 11:03:50.958805,  0, pid=17121, effective(0, 0), real(0, 0)] ../source4/auth/gensec/gensec_gssapi.c:1344(gensec_gssapi_check_packet)
  gssapi_check_packet(hdr_signing=0,sig_size=28,data=124,pdu=124) failed: NT_STATUS_ACCESS_DENIED

Provision an AD DC with internal DNS
samba_dnsupdate --verbose --all-names
Comment 1 Andrew Bartlett 2017-09-06 09:49:43 UTC
How was this not picked up by the dns_tkey tests, or the samba_dnsupdate tests?

What do we need to extend those tests to do?
Comment 2 Andrew Bartlett 2017-09-06 09:50:24 UTC
Marking as blocking 4.7 until triaged.
Comment 3 Andreas Schneider 2017-09-06 11:44:35 UTC
I dunno. Do we run:

samba_dnsupdate --verbose --all-names

I don't think so because it looks for the current interfaces and ip addresses of it ...
Comment 4 Björn Baumbach 2017-09-06 14:00:58 UTC
I've just tried this on a Debian Stretch with a 4.7.0rc5 build, which uses Samba's Heimdal.

All records were created successfully (besides the tsig verify failures).
Comment 5 Andreas Schneider 2017-09-06 19:18:57 UTC
I also get this with:

HEAD is now at 07bb954d929... VERSION: Bump version up to 4.5.0pre1

Seems like the MIC verification is broken since quite some time or the issue is with nssupdate which we really should get rid of.
Comment 6 Andrew Bartlett 2017-09-06 19:53:09 UTC
BTW, Bug 11520 tracks the previous failure up to 4.5.
Comment 7 Andreas Schneider 2017-09-07 08:23:07 UTC
I've tested the fixes from bug #11520. I guess it is a change in nsupdate or nsupdate is broken?
Comment 8 Andrew Bartlett 2017-09-09 19:05:26 UTC
Removing the regression flag, as this clearly isn't a regression.
Comment 9 (mail address dead) 2017-11-08 15:27:02 UTC
It's also not working in 
- 4.5.14-SerNet-Ubuntu-17.trusty
- 4.6.9-SerNet-Ubuntu-12.trusty