Bug 13019 - Dynamic DNS updates with the internal DNS are not working
Summary: Dynamic DNS updates with the internal DNS are not working
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS server (internal) (show other bugs)
Version: 4.7.0rc3
Hardware: All All
: P5 major (vote)
Target Milestone: 4.7
Assignee: Kai Blin
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 13605
  Show dependency treegraph
 
Reported: 2017-09-06 09:15 UTC by Andreas Schneider
Modified: 2024-06-06 20:45 UTC (History)
9 users (show)

See Also:


Attachments
Patches for v4-20-test (79.78 KB, text/plain)
2024-06-06 10:02 UTC, Stefan Metzmacher
abartlet: review+
metze: review? (slow)
Details
Patches for v4-19-test (79.80 KB, text/plain)
2024-06-06 10:03 UTC, Stefan Metzmacher
abartlet: review+
metze: review? (slow)
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Schneider 2017-09-06 09:15:27 UTC
Dynamic DNS updates with the internal DNS are not working in master and 4.7.

[2017/09/06 11:03:50.958794,  1, pid=17121, effective(0, 0), real(0, 0)] ../auth/kerberos/gssapi_helper.c:388(gssapi_check_packet)
  GSS VerifyMic failed: A token had an invalid Message Integrity Check (MIC): Success
[2017/09/06 11:03:50.958805,  0, pid=17121, effective(0, 0), real(0, 0)] ../source4/auth/gensec/gensec_gssapi.c:1344(gensec_gssapi_check_packet)
  gssapi_check_packet(hdr_signing=0,sig_size=28,data=124,pdu=124) failed: NT_STATUS_ACCESS_DENIED

Reproducer:
Provision an AD DC with internal DNS
samba_dnsupdate --verbose --all-names
Comment 1 Andrew Bartlett 2017-09-06 09:49:43 UTC
How was this not picked up by the dns_tkey tests, or the samba_dnsupdate tests?

What do we need to extend those tests to do?
Comment 2 Andrew Bartlett 2017-09-06 09:50:24 UTC
Marking as blocking 4.7 until triaged.
Comment 3 Andreas Schneider 2017-09-06 11:44:35 UTC
I dunno. Do we run:

samba_dnsupdate --verbose --all-names

I don't think so because it looks for the current interfaces and ip addresses of it ...
Comment 4 Björn Baumbach 2017-09-06 14:00:58 UTC
I've just tried this on a Debian Stretch with a 4.7.0rc5 build, which uses Samba's Heimdal.

All records were created successfully (besides the tsig verify failures).
Comment 5 Andreas Schneider 2017-09-06 19:18:57 UTC
I also get this with:


HEAD is now at 07bb954d929... VERSION: Bump version up to 4.5.0pre1


Seems like the MIC verification is broken since quite some time or the issue is with nssupdate which we really should get rid of.
Comment 6 Andrew Bartlett 2017-09-06 19:53:09 UTC
BTW, Bug 11520 tracks the previous failure up to 4.5.
Comment 7 Andreas Schneider 2017-09-07 08:23:07 UTC
I've tested the fixes from bug #11520. I guess it is a change in nsupdate or nsupdate is broken?
Comment 8 Andrew Bartlett 2017-09-09 19:05:26 UTC
Removing the regression flag, as this clearly isn't a regression.
Comment 9 (mail address dead) 2017-11-08 15:27:02 UTC
It's also not working in 
- 4.5.14-SerNet-Ubuntu-17.trusty
- 4.6.9-SerNet-Ubuntu-12.trusty
Comment 10 Samba QA Contact 2024-06-06 03:19:06 UTC
This bug was referenced in samba master:

ae23d512a724650ae2de1178ac43deff8266aa56
c594cbad4af97031bb7b5b0eb2fb228b00acf646
c741d0f3969abe821e8ee2a10f848159eb2749fe
ce591464cb12ab00a5d5752a7cea5f909c3c3f1b
6e997f93d53ac45af79aec030bad73f51bdc5629
f8dfa9b33bdedffbe2e3b6e229ffae4beb3c712e
cd747307d845f3cff723a7916aeeb31458f19202
27d92fa808c6617353c36fdb230504e880f4925b
1b1e7e06cf6ebd283de73c351267d53b42663d2f
b0af60e7850e656ef98edeac657c66b853080dab
740bda87a80b97816d892e8f7aae28759f6916ec
3c7cb85eaf8371be55a371601cc354440dab7a94
b9b03ca503c43c7ee06df6c331839bd47f9eac8c
de4ed363d378f2065a4634f94af80ea0e3965c96
8324d0739dfdd0a081c403e298a9038ee7df681f
848318338b2972f331e067bf1c8d6c7dac0748c8
88457da00d4110b419f7a7ccabcd542fa77e463f
753428a3b6c488c4aacea04d2ddb9ea73244695a
708a6fae6978e1462e1a53f4ee08f11b51a5637a
a56627b0d125ef7b456bebe307087f324f1f0422
fa0f23e69eaf4f475bc9dc9aa0e23c7bd5208250
3467d1491490830d61d16cb6278051daf48466fc
bd0235cd515d5602ed9501bfc810a2487364ea10
ae7538af04435658d2ba6dcab109beecb6c5f13e
5906ed94f2c5c68e83c63e7c201534eeb323cfe7
db350bc573b378fb0615bdd8592cc9c62f6db146
76fec2668e73b9d15447abee551d5c04148aaf27
ed61c57e02309b738e73fb12877a0a565b627724
Comment 11 Stefan Metzmacher 2024-06-06 10:02:52 UTC
Created attachment 18329 [details]
Patches for v4-20-test
Comment 12 Stefan Metzmacher 2024-06-06 10:03:17 UTC
Created attachment 18330 [details]
Patches for v4-19-test