Bug 13995 - Dynamic DNS with BIND9_DLZ error : TKEY is unacceptable
Summary: Dynamic DNS with BIND9_DLZ error : TKEY is unacceptable
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.10.4
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
Reported: 2019-06-15 21:07 UTC by FabioSilvero
Modified: 2019-06-15 21:07 UTC

See Also:

Description FabioSilvero 2019-06-15 21:07:37 UTC
OS: Raspbian Stretch
Samba version: 4.10.4
BIND9 version: 9.11.5-P4-5~bpo9+1-Debian (Extended Support Version)

Hi team,

I am unable to perform DNS Updates with the dhcp-dyndns.sh script.

I have the DNS AD account and its keytab with the right content (I recreated them just in case, still happening).

I read that nsupdate only supports HMAC-MD5 encryption, so I modified my krb5.conf file and regenerated a dns.keytab using samba_upgradedns, specifying BIND_DLZ. Still no luck.

I verified permissions, but all seems alright to me.

Any ideas?

Thanks!

#### File Outputs

# tail /var/log/syslog

Jun 15 22:44:20 garuda dhcpd[2133]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jun 15 22:44:20 garuda dhcpd[2133]: execute_statement argv[1] = add
Jun 15 22:44:20 garuda dhcpd[2133]: execute_statement argv[2] = 10.10.10.10
Jun 15 22:44:20 garuda dhcpd[2133]: execute_statement argv[3] = aa:bb:cc:dd:ee:ff
Jun 15 22:44:20 garuda dhcpd[2133]: execute_statement argv[4] = hostname
Jun 15 22:44:20 garuda root: DHCP-DNS Update failed: 11
Jun 15 22:44:20 garuda dhcpd[2133]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Jun 15 22:44:20 garuda dhcpd[2133]: reuse_lease: lease age 412 (secs) under 25% threshold, reply with unaltered, existing lease for 10.10.10.10
Jun 15 22:44:20 garuda dhcpd[2133]: DHCPREQUEST for 10.10.10.10 from aa:bb:cc:dd:ee:ff (hostname) via eth0
Jun 15 22:44:20 garuda dhcpd[2133]: DHCPACK on 10.10.10.10 to aa:bb:cc:dd:ee:ff (hostname) via eth0

# samba_dnsupdate --verbose --all-names

IPs: ['10.10.10.1']
force update: A dc1.example.com 10.10.10.1
force update: NS example.com dc1.example.com
force update: NS _msdcs.example.com dc1.example.com
force update: A example.com 10.10.10.1
force update: SRV _ldap._tcp.example.com dc1.example.com 389
force update: SRV _ldap._tcp.dc._msdcs.example.com dc1.example.com 389
force update: SRV _ldap._tcp.d4e80749-ea98-46e6-9f89-8a14439c2960.domains._msdcs.example.com dc1.example.com 389
force update: SRV _kerberos._tcp.example.com dc1.example.com 88
force update: SRV _kerberos._udp.example.com dc1.example.com 88
force update: SRV _kerberos._tcp.dc._msdcs.example.com dc1.example.com 88
force update: SRV _kpasswd._tcp.example.com dc1.example.com 464
force update: SRV _kpasswd._udp.example.com dc1.example.com 464
force update: CNAME cc6e40c6-3abb-4aa2-976c-f5ac1beee921._msdcs.example.com dc1.example.com
force update: SRV _ldap._tcp.HomeSweetHome._sites.example.com dc1.example.com 389
force update: SRV _ldap._tcp.HomeSweetHome._sites.dc._msdcs.example.com dc1.example.com 389
force update: SRV _kerberos._tcp.HomeSweetHome._sites.example.com dc1.example.com 88
force update: SRV _kerberos._tcp.HomeSweetHome._sites.dc._msdcs.example.com dc1.example.com 88
force update: SRV _ldap._tcp.pdc._msdcs.example.com dc1.example.com 389
force update: A gc._msdcs.example.com 10.10.10.1
force update: SRV _gc._tcp.example.com dc1.example.com 3268
force update: SRV _ldap._tcp.gc._msdcs.example.com dc1.example.com 3268
force update: SRV _gc._tcp.HomeSweetHome._sites.example.com dc1.example.com 3268
force update: SRV _ldap._tcp.HomeSweetHome._sites.gc._msdcs.example.com dc1.example.com 3268
force update: A DomainDnsZones.example.com 10.10.10.1
force update: SRV _ldap._tcp.DomainDnsZones.example.com dc1.example.com 389
force update: SRV _ldap._tcp.HomeSweetHome._sites.DomainDnsZones.example.com dc1.example.com 389
force update: A ForestDnsZones.example.com 10.10.10.1
force update: SRV _ldap._tcp.ForestDnsZones.example.com dc1.example.com 389
force update: SRV _ldap._tcp.HomeSweetHome._sites.ForestDnsZones.example.com dc1.example.com 389
29 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc1.example.com as dc1$
update(nsupdate): A dc1.example.com 10.10.10.1
Calling nsupdate for A dc1.example.com 10.10.10.1 (add)
Successfully obtained Kerberos ticket to DNS/dc1.example.com as dc1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc1.example.com.      900     IN      A       10.10.10.1

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 29 entries

# klist -kte /usr/local/samba/private/dns.keytab

Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (des-cbc-crc)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (des-cbc-crc)
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (des-cbc-md5)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (des-cbc-md5)
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (arcfour-hmac)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (arcfour-hmac)
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 15/06/2019 22:25:25 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 15/06/2019 22:25:25 dns-dc1@EXAMPLE.COM (aes256-cts-hmac-sha1-96)

The LDAP request for the account dns-dc1:

# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-dc1' dn
# record 1
dn: CN=dns-dc1,CN=Users,DC=example,DC=com

# Referral
ref: ldap://example.com/CN=Configuration,DC=example,DC=com

# Referral
ref: ldap://example.com/DC=DomainDnsZones,DC=example,DC=com

# Referral
ref: ldap://example.com/DC=ForestDnsZones,DC=example,DC=com

# returned 4 records
# 1 entries
# 3 referrals


#### Permissions

Permissions for the Samba root folder and its subfolders:

# ls -lat /usr/local/samba/
total 48
drwxr-x---   3 bind bind  4096 juin  15 22:51 bind-dns
drwxr-xr-x+  8 root bind  4096 juin  15 22:29 private
drwxrwsr-x  12 root staff 4096 juin  15 22:28 ..
drwxr-sr-x   3 root staff 4096 juin  15 21:04 etc
drwxr-sr-x   2 root staff 4096 juin  15 20:54 bin
drwxr-sr-x   2 root staff 4096 juin  15 20:54 sbin
drwxr-sr-x  18 root staff 4096 juin  15 20:54 lib
drwxr-sr-x   7 root staff 4096 juin  15 20:39 include
drwxr-sr-x   8 root staff 4096 juil. 21  2018 var
drwxr-sr-x   5 root staff 4096 juil. 21  2018 share
drwxr-xr-x+ 12 root staff 4096 juil. 21  2018 .
drwxr-sr-x   3 root staff 4096 juil. 21  2018 libexec

And private folder perms:
# ls -lat /usr/local/samba/private/
total 11244
drwx--S---   2 root root     4096 juin  15 22:52 msg.sock
-rw-------   1 root root    12288 juin  15 22:34 schannel_store.tdb
drwxr-xr-x+  8 root bind     4096 juin  15 22:29 .
srwxrwxrwx   1 root root        0 juin  15 22:29 ldapi
drwxr-s---   2 root root     4096 juin  15 22:29 ldap_priv
-rw-------   1 root root     4792 juin  15 22:29 netlogon_creds_cli.tdb
drwxr-x---+  2 root bind     4096 juin  15 22:25 sam.ldb.d
-rw-------   1 root root  1286144 juin  15 22:25 secrets.ldb
-rw-r-----   2 root bind      732 juin  15 22:25 dns.keytab
drwxr-x---+  2 root bind     4096 juin  15 19:36 dns
-rw-------   1 root root  1609728 juin  15 16:24 idmap.ldb
drwxr-sr-x   2 root root     4096 juil. 21  2018 tls
-rw-------   1 root root     1717 juil. 21  2018 dns_update_cache
drwxr-sr-x   2 root root     4096 juil. 21  2018 smbd.tmp
-rw-------   1 root root   430080 juil. 21  2018 secrets.tdb
-rw-------   1 root root     1067 juil. 21  2018 secrets.keytab
-rw-r--r--   1 root root     3663 juil. 21  2018 dns_update_list
-rw-r--r--   1 root root      955 juil. 21  2018 spn_update_list
-rw-r--r--   1 root root       91 juil. 21  2018 krb5.conf
-rw-rw----   1 root bind  4247552 juil. 21  2018 sam.ldb
-rw-------   1 root root  1286144 juil. 21  2018 privilege.ldb
-rw-------   1 root root  1286144 juil. 21  2018 hklm.ldb
-rw-------   1 root root  1286144 juil. 21  2018 share.ldb
-rw-------   1 root root       16 juil. 21  2018 encrypted_secrets.key
drwxr-xr-x+ 12 root staff    4096 juil. 21  2018 ..

bind-dns folder permissions:

# ls -lat /usr/local/samba/bind-dns/
total 28
drwxr-x---   3 bind bind  4096 juin  15 23:00 .
-rw-r--r--   1 root root   830 juin  15 22:25 named.conf
-rw-r--r--   1 root root  2096 juin  15 22:25 named.txt
drwxrwx---   3 root bind  4096 juin  15 22:25 dns
-rw-r-----   2 root bind   732 juin  15 22:25 dns.keytab
-r--r--r--   1 root root   219 juin  15 21:05 named.conf.update
-rw-------   1 root root     0 juin  15 21:02 dns.keytabox1mq7g3XXXXXX
-rw-------   1 root root     0 juin  15 21:02 dns.keytabq9z2m444XXXXXX
drwxr-xr-x+ 12 root staff 4096 juil. 21  2018 .

krb5.conf permissions:

# ls -l /etc/krb5.conf
-rw-r--r-- 1 root bind 132 juin  15 22:22 /etc/krb5.conf

#### Configuration Files

# cat /etc/krb5.conf

[libdefaults]
        default_realm = HYRULE.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true
        default_tgs_enctypes = arcfour-hmac-md5

# cat /etc/bind/named.conf.options
options {
    tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
}
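Added diagnostic example (not Samba's or BIND's own code) that parses a `klist -kte` listing and a krb5.conf fragment shaped like the ones above and reports the mismatches worth checking before chasing file permissions: the keytab lacking the exact service principal the ticket was obtained for (the listing shows DNS/dc1.EXAMPLE.COM while the ticket is for DNS/dc1.example.com), an enctype forced in krb5.conf that the keytab holds no key for, and single-DES keys. The sample inputs are constructed from the report; SAMPLE_KLIST, KeytabEntry, parse_klist, tgs_enctypes and check_keytab are names of this example only.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the `klist -kte` listing above (a subset of it).
SAMPLE_KLIST = """\
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (des-cbc-crc)
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (arcfour-hmac)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (arcfour-hmac)
   1 15/06/2019 22:25:25 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""
# Constructed krb5.conf fragment mirroring the report: RC4 forced for TGS requests.
SAMPLE_KRB5_CONF = "[libdefaults]\n    default_tgs_enctypes = arcfour-hmac-md5\n"
# klist prints RC4 as 'arcfour-hmac'; krb5.conf also accepts these aliases for it.
ENCTYPE_ALIASES = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac"}
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+?)@(\S+)\s+\((\S+)\)\s*$")
# principal is the name without the realm, e.g. DNS/dc1.EXAMPLE.COM
KeytabEntry = namedtuple("KeytabEntry", "kvno principal realm enctype")

def parse_klist(text):
    """Parse `klist -kte` output into KeytabEntry records; header lines are skipped."""
    return [KeytabEntry(int(m[1]), m[2], m[3], m[4])
            for m in map(ENTRY_RE.match, text.splitlines()) if m]

def tgs_enctypes(krb5_conf):
    """Return default_tgs_enctypes from krb5.conf, normalised to the names klist uses."""
    m = re.search(r"^\s*default_tgs_enctypes\s*=\s*(.+)$", krb5_conf, re.M)
    return {ENCTYPE_ALIASES.get(e, e) for e in m[1].split()} if m else set()

def check_keytab(entries, service, wanted_enctypes):
    """Findings for the service principal nsupdate obtained its ticket for."""
    findings = []
    # Principal names are compared case-sensitively by the Kerberos library.
    ci = [e for e in entries if e.principal.lower() == service.lower()]
    if not ci:
        findings.append(f"missing: no keytab entry for {service}")
    elif not any(e.principal == service for e in ci):
        findings.append(f"case mismatch: keytab has {ci[0].principal}, ticket is for {service}")
    for enc in sorted(wanted_enctypes - {e.enctype for e in ci}):
        findings.append(f"enctype {enc} from krb5.conf not in keytab for {service}")
    findings += [f"weak enctype {e.enctype} present for {e.principal}"
                 for e in entries if e.enctype in WEAK_ENCTYPES]
    return findings

if __name__ == "__main__":
    print("\n".join(check_keytab(parse_klist(SAMPLE_KLIST), "DNS/dc1.example.com",
                                 tgs_enctypes(SAMPLE_KRB5_CONF))))
```

On a live system, feed it the real `klist -kte` output and the principal named in the "Successfully obtained Kerberos ticket to ..." line of `samba_dnsupdate --verbose`.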