13019 – Dynamic DNS updates with the internal DNS are not working

Bug 13019 - Dynamic DNS updates with the internal DNS are not working

Summary: Dynamic DNS updates with the internal DNS are not working

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	DNS server (internal) (show other bugs)
Version:	4.7.0rc3
Hardware:	All All

Importance:	P5 major (vote)
Target Milestone:	4.7
Assignee:	Kai Blin
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:	13605
	Show dependency tree / graph

Reported:	2017-09-06 09:15 UTC by Andreas Schneider
Modified:	2018-09-05 15:07 UTC (History)
CC List:	9 users (show)

See Also:	11520

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Schneider 2017-09-06 09:15:27 UTC

Dynamic DNS updates with the internal DNS are not working in master and 4.7.

[2017/09/06 11:03:50.958794,  1, pid=17121, effective(0, 0), real(0, 0)] ../auth/kerberos/gssapi_helper.c:388(gssapi_check_packet)
  GSS VerifyMic failed: A token had an invalid Message Integrity Check (MIC): Success
[2017/09/06 11:03:50.958805,  0, pid=17121, effective(0, 0), real(0, 0)] ../source4/auth/gensec/gensec_gssapi.c:1344(gensec_gssapi_check_packet)
  gssapi_check_packet(hdr_signing=0,sig_size=28,data=124,pdu=124) failed: NT_STATUS_ACCESS_DENIED

Reproducer:
Provision an AD DC with internal DNS
samba_dnsupdate --verbose --all-names

Comment 1 Andrew Bartlett 2017-09-06 09:49:43 UTC

How was this not picked up by the dns_tkey tests, or the samba_dnsupdate tests?

What do we need to extend those tests to do?

Comment 2 Andrew Bartlett 2017-09-06 09:50:24 UTC

Marking as blocking 4.7 until triaged.

Comment 3 Andreas Schneider 2017-09-06 11:44:35 UTC

I dunno. Do we run:

samba_dnsupdate --verbose --all-names

I don't think so because it looks for the current interfaces and ip addresses of it ...

Comment 4 Björn Baumbach 2017-09-06 14:00:58 UTC

I've just tried this on a Debian Stretch with a 4.7.0rc5 build, which uses Samba's Heimdal.

All records were created successfully (besides the tsig verify failures).

Comment 5 Andreas Schneider 2017-09-06 19:18:57 UTC

I also get this with:


HEAD is now at 07bb954d929... VERSION: Bump version up to 4.5.0pre1


Seems like the MIC verification is broken since quite some time or the issue is with nssupdate which we really should get rid of.

Comment 6 Andrew Bartlett 2017-09-06 19:53:09 UTC

BTW, Bug 11520 tracks the previous failure up to 4.5.

Comment 7 Andreas Schneider 2017-09-07 08:23:07 UTC

I've tested the fixes from bug #11520. I guess it is a change in nsupdate or nsupdate is broken?

Comment 8 Andrew Bartlett 2017-09-09 19:05:26 UTC

Removing the regression flag, as this clearly isn't a regression.

Comment 9 (mail address dead) 2017-11-08 15:27:02 UTC

It's also not working in 
- 4.5.14-SerNet-Ubuntu-17.trusty
- 4.6.9-SerNet-Ubuntu-12.trusty