[Bug 1094236] New: TSIG error on dynamic DNS updates with GSS-TSIG
http://bugzilla.suse.com/show_bug.cgi?id=1094236

            Bug ID: 1094236
           Summary: TSIG error on dynamic DNS updates with GSS-TSIG
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.0
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Network
          Assignee: bnc-team-screening@forge.provo.novell.com
          Reporter: scabrero@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Dynamic DNS updates with GSS-TSIG against Microsoft or samba DNS servers are not working and fail with the following error:

    ; TSIG error with server: tsig verify failure
    update failed: REFUSED

Steps to reproduce:

* Samba domain controller with internal DNS server or Windows domain controller

* Get Kerberos ticket

    $> kinit Administrator@SAMBA1.AD
    Password for Administrator@SAMBA1.AD:
    $> klist
    Ticket cache: DIR::/run/user/1000/krb5cc/tkt
    Default principal: Administrator@SAMBA1.AD

    Valid starting     Expires            Service principal
    22/05/18 18:17:22  23/05/18 04:17:22  krbtgt/SAMBA1.AD@SAMBA1.AD
            renew until 23/05/18 18:17:20

* Try to update the zone

    $ > nsupdate -g
    server win2k12r2-1.samba1.ad
    zone samba1.ad
    update add foo.samba1.ad. 86400 A 10.10.10.1
    send
    ; TSIG error with server: tsig verify failure
    update failed: REFUSED

When running nsupdate against samba's internal DNS server, the following error is logged on samba:

    [2018/05/22 13:50:20.458433, 1] ../auth/kerberos/gssapi_helper.c:388(gssapi_check_packet)
      GSS VerifyMic failed: A token had an invalid Message Integrity Check (MIC): Success
    [2018/05/22 13:50:20.458499, 0] ../source4/auth/gensec/gensec_gssapi.c:1344(gensec_gssapi_check_packet)
      gssapi_check_packet(hdr_signing=0,sig_size=28,data=112,pdu=112) failed: NT_STATUS_ACCESS_DENIED

Checking newer bind9 releases, it is fixed in bind 9.11.3:

    4697. [bug] Restore workaround for Microsoft Windows TSIG hash
          computation bug. [RT #45854]

After backporting the patch for 9.11.2:

    $> ./bin/nsupdate/nsupdate -g
    server win2k12r2-1.samba1.ad
    zone samba1.ad
    update add foo.samba1.ad. 86400 A 10.10.10.1
    send
    quit