GSS-TSIG updates from Windows clients

Nicholas F Miller nicholas.miller at Colorado.EDU
Tue May 6 14:15:08 UTC 2014


You might try changing your update-policy from:

grant johnmill-dnstest@LAB.BRANDEIS.EDU zonesub ANY;
grant * zonesub ANY;

to

grant johnmill-dnstest@LAB.BRANDEIS.EDU zonesub ANY;
grant LAB.BRANDEIS.EDU zonesub ANY;

I’m not positive this is the proper syntax since we don’t use the zonesub option. We use the ms-subdomain and krb5-subdomain options:

grant LAB.BRANDEIS.EDU ms-subdomain LAB.BRANDEIS.EDU;
grant LAB.BRANDEIS.EDU krb5-subdomain LAB.BRANDEIS.EDU;

_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder




On May 2, 2014, at 5:16 PM, John Miller <johnmill at brandeis.edu> wrote:

> Hi folks,
> 
> I'm trying to get our AD domain controllers to update our BIND 9.8.2 servers--specifically for the zone
> 
> _msdcs.lab.brandeis.edu.
> 
> I've got updates working in general: I can run kinit <username>@REALM (johnmill-dns-test@lab.brandeis.edu in this case), then successfully run nsupdate -g from my desktop:
> 
> server dns-ext-dev1.lab.brandeis.edu
> zone _msdcs.lab.brandeis.edu.
> update add yourmom._msdcs.lab.brandeis.edu. 300 IN A 127.0.0.1
> send
> 
> This works fine--I grab the necessary tickets from our domain controllers, and BIND accepts my update.
> 
> My update-policy {} directive for the zone looks like:
> 
> update-policy {
>   grant johnmill-dnstest@LAB.BRANDEIS.EDU zonesub ANY;
>   grant * zonesub ANY;
> }
> 
> This is uber-lenient--I don't plan to leave things this way, but the wildcard should allow anything with a pulse to update.
> 
> When I try to use Windows (the domain controller itself) to send updates, the update first gets sent insecurely (which fails), then Windows attempts secure authentication (and succeeds), but doesn't actually send a secured update:
> 
> named[13861]: client 129.64.102.112#64501: UDP request
> named[13861]: client 129.64.102.112#64501: using view '_default'
> named[13861]: client 129.64.102.112#64501: request is not signed
> named[13861]: client 129.64.102.112#64501: recursion not available
> named[13861]: client 129.64.102.112#64501: update
> named[13861]: client 129.64.102.112#64501: update '_msdcs.lab.brandeis.edu/IN' denied
> named[13861]: client 129.64.102.112#64501: send
> named[13861]: client 129.64.102.112#64501: sendto
> named[13861]: client 129.64.102.112#64501: senddone
> named[13861]: client 129.64.102.112#64501: next
> named[13861]: client 129.64.102.112#64501: endrequest
> named[13861]: client @0x7f75640f6980: udprecv
> named[13861]: client 129.64.102.112#52448: new TCP connection
> named[13861]: client 129.64.102.112#52448: replace
> named[13861]: clientmgr @0x7f7564003f98: createclients
> named[13861]: clientmgr @0x7f7564003f98: recycle
> named[13861]: client 129.64.102.112#52448: read
> named[13861]: client 129.64.102.112#52448: TCP request
> named[13861]: client 129.64.102.112#52448: using view '_default'
> named[13861]: client 129.64.102.112#52448: request is not signed
> named[13861]: client 129.64.102.112#52448: recursion not available
> named[13861]: client 129.64.102.112#52448: query
> named[13861]: failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Success.
> named[13861]: gss-api source name (accept) is AD-2K8-DEV1$@LAB.BRANDEIS.EDU
> named[13861]: process_gsstkey(): dns_tsigerror_noerror
> named[13861]: client 129.64.102.112#52448: send
> named[13861]: client 129.64.102.112#52448: sendto
> named[13861]: client 129.64.102.112#52448: senddone
> named[13861]: client 129.64.102.112#52448: next
> named[13861]: client 129.64.102.112#52448: endrequest
> named[13861]: client 129.64.102.112#52448: read
> named[13861]: client @0x7f7564104b70: accept
> named[13861]: client 129.64.102.112#52448: next
> named[13861]: client 129.64.102.112#52448: request failed: end of file
> named[13861]: client 129.64.102.112#52448: endrequest
> named[13861]: client 129.64.102.112#52448: closetcp
> named[13861]: client 129.64.102.112#64230: UDP request
> named[13861]: client 129.64.102.112#64230: using view '_default'
> named[13861]: client 129.64.102.112#64230: request is not signed
> named[13861]: client 129.64.102.112#64230: recursion not available
> named[13861]: client 129.64.102.112#64230: query
> named[13861]: client 129.64.102.112#64230: query '_msdcs.lab.brandeis.edu/SOA/IN' approved
> named[13861]: client 129.64.102.112#64230: send
> named[13861]: client 129.64.102.112#64230: sendto
> named[13861]: client 129.64.102.112#64230: senddone
> named[13861]: client 129.64.102.112#64230: next
> named[13861]: client 129.64.102.112#64230: endrequest
> named[13861]: client @0x7f75640f6980: udprecv
> named[13861]: client 129.64.102.112#63381: UDP request
> named[13861]: client 129.64.102.112#63381: using view '_default'
> named[13861]: client 129.64.102.112#63381: request is not signed
> named[13861]: client 129.64.102.112#63381: recursion not available
> named[13861]: client 129.64.102.112#63381: query
> named[13861]: client 129.64.102.112#63381: query (cache) 'dns-ext-dev1.lab.brandeis.edu/A/IN' denied
> named[13861]: client 129.64.102.112#63381: error
> named[13861]: client 129.64.102.112#63381: send
> named[13861]: client 129.64.102.112#63381: sendto
> named[13861]: client 129.64.102.112#63381: senddone
> named[13861]: client 129.64.102.112#63381: next
> named[13861]: client 129.64.102.112#63381: endrequest
> named[13861]: client @0x7f75640f6980: udprecv
> named[13861]: client 129.64.99.24#21999: UDP request
> named[13861]: client 129.64.99.24#21999: using view '_default'
> named[13861]: client 129.64.99.24#21999: request is not signed
> named[13861]: client 129.64.99.24#21999: recursion not available
> named[13861]: client 129.64.99.24#21999: query
> named[13861]: client 129.64.99.24#21999: query '_kerberos._tcp.dc._msdcs.lab.brandeis.edu/SOA/IN' approved
> named[13861]: client 129.64.99.24#21999: send
> named[13861]: client 129.64.99.24#21999: sendto
> named[13861]: client 129.64.99.24#21999: senddone
> named[13861]: client 129.64.99.24#21999: next
> named[13861]: client 129.64.99.24#21999: endrequest
> named[13861]: client @0x7f75640f6980: udprecv
> named[13861]: client 129.64.102.112#63504: UDP request
> named[13861]: client 129.64.102.112#63504: using view '_default'
> named[13861]: client 129.64.102.112#63504: request is not signed
> named[13861]: client 129.64.102.112#63504: recursion not available
> named[13861]: client 129.64.102.112#63504: update
> named[13861]: client 129.64.102.112#63504: update '_msdcs.lab.brandeis.edu/IN' denied
> named[13861]: client 129.64.102.112#63504: send
> named[13861]: client 129.64.102.112#63504: sendto
> named[13861]: client 129.64.102.112#63504: senddone
> named[13861]: client 129.64.102.112#63504: next
> named[13861]: client 129.64.102.112#63504: endrequest
> 
> Contrast this with logs from a successful update (from my desktop):
> 
> named[12766]: client 129.64.8.232#56297: UDP request
> named[12766]: client 129.64.8.232#56297: using view '_default'
> named[12766]: client 129.64.8.232#56297: request is not signed
> named[12766]: client 129.64.8.232#56297: recursion not available
> named[12766]: client 129.64.8.232#56297: query
> named[12766]: client 129.64.8.232#56297: query '_msdcs.lab.brandeis.edu/SOA/IN' approved
> named[12766]: client 129.64.8.232#56297: send
> named[12766]: client 129.64.8.232#56297: sendto
> named[12766]: client 129.64.8.232#56297: senddone
> named[12766]: client 129.64.8.232#56297: next
> named[12766]: client 129.64.8.232#56297: endrequest
> named[12766]: client @0x7f51a80f6980: udprecv
> named[12766]: client 129.64.8.232#34226: new TCP connection
> named[12766]: client 129.64.8.232#34226: replace
> named[12766]: clientmgr @0x7f51a8004f98: createclients
> named[12766]: clientmgr @0x7f51a8004f98: recycle
> named[12766]: client 129.64.8.232#34226: read
> named[12766]: client 129.64.8.232#34226: TCP request
> named[12766]: client 129.64.8.232#34226: using view '_default'
> named[12766]: client 129.64.8.232#34226: request is not signed
> named[12766]: client 129.64.8.232#34226: recursion not available
> named[12766]: client 129.64.8.232#34226: query
> named[12766]: failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Success.
> named[12766]: gss-api source name (accept) is johnmill-dnstest@LAB.BRANDEIS.EDU
> named[12766]: process_gsstkey(): dns_tsigerror_noerror
> named[12766]: client 129.64.8.232#34226: send
> named[12766]: client 129.64.8.232#34226: sendto
> named[12766]: client 129.64.8.232#34226: senddone
> named[12766]: client 129.64.8.232#34226: next
> named[12766]: client 129.64.8.232#34226: endrequest
> named[12766]: client 129.64.8.232#34226: read
> named[12766]: client @0x7f51a847c120: accept
> named[12766]: client 129.64.8.232#34226: next
> named[12766]: client 129.64.8.232#34226: request failed: end of file
> named[12766]: client 129.64.8.232#34226: endrequest
> named[12766]: client 129.64.8.232#34226: closetcp
> named[12766]: client 129.64.8.232#49802: new TCP connection
> named[12766]: client 129.64.8.232#49802: replace
> named[12766]: clientmgr @0x7f51a8004f98: createclients
> named[12766]: clientmgr @0x7f51a8004f98: recycle
> named[12766]: client 129.64.8.232#49802: read
> named[12766]: client 129.64.8.232#49802: TCP request
> named[12766]: client 129.64.8.232#49802: using view '_default'
> named[12766]: client 129.64.8.232#49802: request has valid signature: johnmill-dnstest\@LAB.BRANDEIS.EDU
> named[12766]: client 129.64.8.232#49802: recursion not available
> named[12766]: client 129.64.8.232#49802: update
> named[12766]: client @0x7f51a8104b70: accept
> named[12766]: client 129.64.8.232#49802: updating zone '_msdcs.lab.brandeis.edu/IN': adding an RR at 'yourmom._msdcs.lab.brandeis.edu' A
> named[12766]: client 129.64.8.232#49802: send
> named[12766]: client 129.64.8.232#49802: sendto
> named[12766]: client 129.64.8.232#49802: senddone
> named[12766]: client 129.64.8.232#49802: next
> 
> Even though it sends valid TKEY credentials, why doesn't Windows actually sign its updates or use a TCP connection for them?  Any way to actually get the Windows side of things to send signed updates?
> 
> John
> 
> -- 
> John Miller
> Systems Engineer
> Brandeis University
> johnmill at brandeis.edu
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
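The two debug traces above differ in one line: the desktop's second TCP request arrives with "request has valid signature: ...", while the domain controller negotiates TKEY and then sends its next UPDATE unsigned again. The following script is an added example (not from either poster, and not part of BIND) that correlates named debug-log lines per client socket and flags exactly that pattern: a GSS name accepted via TKEY with no signed UPDATE following from the same client. The sample log embedded in it is constructed to mimic the quoted message formats; the PID, addresses, ports, realm and names in it are made up.

```python
"""Correlate BIND named debug-log lines into per-client GSS-TSIG update attempts.

Added example; not code from the original thread or from BIND. SAMPLE_LOG is a
constructed excerpt that mimics the quoted named debug output (same message
formats, made-up PID, addresses, ports, realm and names).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Message formats as they appear in the quoted named debug log.
CLIENT_RE = re.compile(r"named\[\d+\]: client (?P<ip>[\d.]+)#(?P<port>\d+): (?P<msg>.*)$")
TKEY_RE = re.compile(r"named\[\d+\]: gss-api source name \(accept\) is (?P<principal>\S+)$")
SIG_RE = re.compile(r"^request has valid signature: (?P<signer>\S+)$")
DENIED_RE = re.compile(r"^update '(?P<zone>[^']+)' denied$")
UPDATED_RE = re.compile(r"^updating zone '(?P<zone>[^']+)': (?P<change>.+)$")


@dataclass
class ClientSummary:
    unsigned_updates_denied: list = field(default_factory=list)  # zones refused
    tkey_principals: list = field(default_factory=list)          # GSS names accepted
    signed_updates: list = field(default_factory=list)           # (signer, zone, change)


def correlate(lines):
    """Return {client_ip: ClientSummary} built from named debug-log lines."""
    summaries = defaultdict(ClientSummary)
    signer_by_socket = {}  # (ip, port) -> signer of the request in flight, or None
    last_ip = None         # gss-api lines carry no client tag; attribute them to the
                           # most recent client line (the TCP TKEY query before them)
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            ip, port, msg = m.group("ip"), m.group("port"), m.group("msg")
            sock = (ip, port)
            last_ip = ip
            if msg == "request is not signed":
                signer_by_socket[sock] = None
            elif (s := SIG_RE.match(msg)):
                # named escapes the '@' in the signer name; normalise it
                signer_by_socket[sock] = s.group("signer").replace("\\@", "@")
            elif (d := DENIED_RE.match(msg)):
                if signer_by_socket.get(sock) is None:
                    summaries[ip].unsigned_updates_denied.append(d.group("zone"))
            elif (u := UPDATED_RE.match(msg)):
                summaries[ip].signed_updates.append(
                    (signer_by_socket.get(sock), u.group("zone"), u.group("change")))
            continue
        t = TKEY_RE.search(line)
        if t and last_ip is not None:
            summaries[last_ip].tkey_principals.append(t.group("principal"))
    return dict(summaries)


def negotiated_but_never_signed(summaries):
    """Clients that completed TKEY (a GSS name was accepted) but never sent a signed UPDATE."""
    return sorted(ip for ip, s in summaries.items()
                  if s.tkey_principals and not s.signed_updates)


# Constructed sample: a DC-style client (192.0.2.10) and a desktop-style client (192.0.2.20).
SAMPLE_LOG = """\
named[100]: client 192.0.2.10#64501: UDP request
named[100]: client 192.0.2.10#64501: request is not signed
named[100]: client 192.0.2.10#64501: update
named[100]: client 192.0.2.10#64501: update '_msdcs.example.test/IN' denied
named[100]: client 192.0.2.10#52448: TCP request
named[100]: client 192.0.2.10#52448: request is not signed
named[100]: client 192.0.2.10#52448: query
named[100]: gss-api source name (accept) is DC1$@EXAMPLE.TEST
named[100]: process_gsstkey(): dns_tsigerror_noerror
named[100]: client 192.0.2.10#63504: UDP request
named[100]: client 192.0.2.10#63504: request is not signed
named[100]: client 192.0.2.10#63504: update '_msdcs.example.test/IN' denied
named[100]: client 192.0.2.20#34226: TCP request
named[100]: client 192.0.2.20#34226: request is not signed
named[100]: client 192.0.2.20#34226: query
named[100]: gss-api source name (accept) is alice@EXAMPLE.TEST
named[100]: process_gsstkey(): dns_tsigerror_noerror
named[100]: client 192.0.2.20#49802: TCP request
named[100]: client 192.0.2.20#49802: request has valid signature: alice\\@EXAMPLE.TEST
named[100]: client 192.0.2.20#49802: update
named[100]: client 192.0.2.20#49802: updating zone '_msdcs.example.test/IN': adding an RR at 'test._msdcs.example.test' A
"""


def report(summaries):
    for ip, s in sorted(summaries.items()):
        print(f"{ip}: unsigned updates denied={len(s.unsigned_updates_denied)} "
              f"TKEY principals={s.tkey_principals} signed updates={len(s.signed_updates)}")
    for ip in negotiated_but_never_signed(summaries):
        print(f"  {ip}: TKEY succeeded but no signed UPDATE followed")


if __name__ == "__main__":
    report(correlate(SAMPLE_LOG.splitlines()))
```

Run it against a real trace with `correlate(open("named.log").read().splitlines())`; the script only needs the "client IP#port:" lines and the "gss-api source name (accept)" lines, so a grep of those from the debug log is enough. Because the gss-api line is not tagged with a client, attribution relies on it following the TKEY query from the same client, which holds for a sequential debug log but can misattribute under heavy concurrent load.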
