Secure Active Directory Updates Failing on AlmaLinux 9 with ISC BIND 9.18.28
Petr Špaček
pspacek at isc.org
Thu Aug 8 12:50:16 UTC 2024
Hello,
my first bet is missing tkey-gssapi-credential configuration statement
[1], followed by:
- or incorrect content of keytab,
- some file permission problem related to /etc/krb5.keytab, or /var/tmp,
or /tmp,
- It's Red Hat so a SELinux denial might be a problem as well.
KRB5_TRACE environment variable might help with debugging, see "man
kerberos" and also check other environment variables and config files
listed there.
Given that you have a working system I suggest you compare all of the
above to find out what's the difference.
[1]
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-tkey-gssapi-keytab
Petr Špaček
Internet Systems Consortium
On 08. 08. 24 14:23, Nagesh Thati wrote:
> Hello Guys,
> Any help is much appreciated.
> Thanks
> Nagesh
>
> On Tue, Aug 6, 2024 at 7:11 PM Nagesh Thati <tcpnagesh at gmail.com
> <mailto:tcpnagesh at gmail.com>> wrote:
>
> Hello BIND Users,
>
> *Issue Description:*
> I'm experiencing an issue with secure Active Directory (AD) updates
> on an AlmaLinux 9 system using ISC BIND. Despite following the
> necessary configurations, I'm receiving error messages indicating
> that the requests from the AD server are not signed and encountering
> GSSAPI-related errors. Notably, the exact build and configurations
> are working without any issues on CentOS 7.
>
> *Environment:*
> - OS: AlmaLinux 9 (using DEFAULT policy for system-wide crypto policies)
> - BIND version: 9.18.28
> - Active Directory: Windows Server [2016]
>
> *Problem:*
> AD updates are being denied. The BIND logs indicate that the
> requests are not signed and show GSSAPI errors related to
> unavailable credentials and missing files.
>
> *Troubleshooting Steps Taken:*
> We tried legacy crypto policy, but it did not work.
>
> *Questions:*
> 1. What could be causing BIND to reject the AD updates as unsigned,
> given that the same configuration works on CentOS 7?
> 2. How can I resolve the GSSAPI errors regarding unavailable
> credentials and missing files?
> 3. Are there any AlmaLinux 9-specific configurations or steps
> required to ensure secure AD updates with BIND?
> 4. Are there any known issues or incompatibilities between ISC BIND
> and AlmaLinux 9 that could be causing this problem?
>
> *Additional Information:*
> - The same configuration is working correctly on CentOS 7 without
> any issues.
> - AlmaLinux 9 is using the DEFAULT policy for system-wide crypto
> policies.
>
> *_Current Setup:_*
>
> *# named -V*
> BIND 9.18.28 (Extended Support Version) <id:>
> running on Linux x86_64 5.14.0-427.18.1.el9_4.x86_64 #1 SMP
> PREEMPT_DYNAMIC Tue May 28 06:27:02 EDT 2024
> built by make with '--prefix=/opt/mydir/'
> '--enable-dependency-tracking' '--enable-dnstap'
> '--enable-singletrace' '--enable-querytrace'
> '--disable-auto-validation' '--enable-dnsrps-dl' '--enable-dnsrps'
> '--enable-full-report' '--with-tuning=large' '--enable-fixed-rrset'
> '--with-libidn2' '--with-lmdb' '--with-json-c'
> '--with-jemalloc=detect' '--with-maxminddb=yes' '--enable-largefile'
> compiled by GCC 11.4.1 20231218 (Red Hat 11.4.1-3)
> compiled with OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
> linked to OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
> compiled with libuv version: 1.42.0
> linked to libuv version: 1.42.0
> compiled with libnghttp2 version: 1.43.0
> linked to libnghttp2 version: 1.43.0
> compiled with json-c version: 0.14
> linked to json-c version: 0.14
> compiled with zlib version: 1.2.11
> linked to zlib version: 1.2.11
> linked to maxminddb version: 1.5.2
> compiled with protobuf-c version: 1.3.3
> linked to protobuf-c version: 1.3.3
> threads support is enabled
> DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512
> ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
> DS algorithms: SHA-1 SHA-256 SHA-384
> HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256
> HMAC-SHA384 HMAC-SHA512
> TKEY mode 2 support (Diffie-Hellman): yes
> TKEY mode 3 support (GSS-API): yes
>
> default paths:
> named configuration: /opt/mydir/etc/named.conf
> rndc configuration: /opt/mydir/etc/rndc.conf
> DNSSEC root key: /opt/mydir/etc/bind.keys
> nsupdate session key: /opt/mydir/var/run/named/session.key
> named PID file: /opt/mydir/var/run/named/named.pid
> named lock file: /opt/mydir/var/run/named/named.lock
> geoip-directory: /usr/share/GeoIP
> *named.conf Snippet:*
> options {
> directory "/";
> allow-query {any;};
> allow-transfer {none;};
> blackhole {none;};
> dnssec-validation yes;
> listen-on-v6 {none;};
> rrset-order {
> order cyclic;
> };
> dump-file "/var/named/log/named_dump.db";
> lame-ttl 0;
> max-ncache-ttl 10800;
> minimal-responses yes;
> pid-file "/var/run/named/named.pid";
> recursion no;
> session-keyfile "/var/run/named/session.key";
> statistics-file "/var/named/log/named.stats";
> tcp-clients 150;
> *tkey-gssapi-keytab "/etc/krb5.keytab";*
> };
>
> *Zone Section in named.conf:*
> zone "_msdcs.example.com <http://msdcs.example.com>" IN {
> type master;
> file "/var/named/zones/masters/db._msdcs.example.com
> <http://msdcs.example.com>";
> *update-policy { grant * subdomain _msdcs.example.com
> <http://msdcs.example.com>. ANY; };*
> };
> zone "_sites.example.com <http://sites.example.com>" IN {
> type master;
> file "/var/named/zones/masters/db._sites.example.com
> <http://sites.example.com>";
> update-policy { grant * subdomain _sites.example.com
> <http://sites.example.com>. ANY; };
> };
> zone "_tcp.example.com <http://tcp.example.com>" IN {
> type master;
> file "/var/named/zones/masters/db._tcp.example.com
> <http://tcp.example.com>";
> update-policy { grant * subdomain _tcp.example.com
> <http://tcp.example.com>. ANY; };
> };
>
> *krb5.conf:*
> # cat krb5.conf
>
> [libdefaults]
>
> default_realm = EXAMPLE.COM <http://EXAMPLE.COM>
> default_tkt_enctypes = aes256-cts
> default_tgs_enctypes = aes256-cts
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 30d
> default_keytab_name = FILE:/etc/krb5.keytab
>
> [realms]
> EXAMPLE.COM <http://EXAMPLE.COM> = {
> kdc = example.com:88 <http://example.com:88>
> default_domain = example.com <http://example.com>
> }
>
>
> [domain_realm]
> .example.com <http://example.com> = EXAMPLE.COM <http://EXAMPLE.COM>
> example.com <http://example.com> = EXAMPLE.COM <http://EXAMPLE.COM>
>
> *_Specific Error Messages:_*
> *named.log (with debug level 0):*
> update-security: error: client @0x7f01c420f7a8 10.1.10.20#53822:
> update '_tcp.example.com/IN <http://tcp.example.com/IN>' denied
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#54527:
> update '_sites.example.com/IN <http://sites.example.com/IN>' denied
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#54470:
> update '_msdcs.example.com/IN <http://msdcs.example.com/IN>' denied
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#53206:
> update '_msdcs.example.com/IN <http://msdcs.example.com/IN>' denied
> update-security: error: client @0x7f01c420f7a8 10.1.10.20#49853:
> update '_msdcs.example.com/IN <http://msdcs.example.com/IN>' denied
> update-security: error: client @0x7f01c420f7a8 10.1.10.20#59529:
> update '_msdcs.example.com/IN <http://msdcs.example.com/IN>' denied
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#51093:
> update '_msdcs.example.com/IN <http://msdcs.example.com/IN>' denied
> update-security: error: client @0x7f01c420f7a8 10.1.10.20#58128:
> update '_msdcs.example.com/IN <http://msdcs.example.com/IN>' denied
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#59368:
> update '_msdcs.example.com/IN <http://msdcs.example.com/IN>' denied
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#63380:
> update '_msdcs.example.com/IN <http://msdcs.example.com/IN>' denied
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#57248:
> update '_tcp.example.com/IN <http://tcp.example.com/IN>' denied
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#52530:
> update '_sites.example.com/IN <http://sites.example.com/IN>' denied
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#54245:
> update '_tcp.example.com/IN <http://tcp.example.com/IN>' denied
> update-security: error: client @0x7f01c420f7a8 10.1.10.20#53890:
> update '_sites.example.com/IN <http://sites.example.com/IN>' denied
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#49508:
> update '_tcp.example.com/IN <http://tcp.example.com/IN>' denied
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#56611:
> update '_msdcs.example.com/IN <http://msdcs.example.com/IN>' denied
> update-security: error: client @0x7f01c420f7a8 10.1.10.20#62785:
> update '_msdcs.example.com/IN <http://msdcs.example.com/IN>' denied
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#59729:
> update '_msdcs.example.com/IN <http://msdcs.example.com/IN>' denied
>
> *named.log (with debug level 10):*
> client: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: UDP request
> client: debug 5: client @0x7f01ac0150a8 10.1.10.20#64242: using view
> '_default'
> security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: request
> is not signed
> security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242:
> recursion not available (recursion not enabled for view)
> update-security: error: client @0x7f01ac0150a8 10.1.10.20#64242:
> update '_msdcs.example.com/IN <http://msdcs.example.com/IN>' denied
> security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: reset client
> client: debug 3: clientmgr @0x7f01c4043e40 attach: 6
> client: debug 3: query client=0x7f01c41936c8
> thread=0x7f01c8c22640(<unknown-query>): query_reset
> security: debug 3: client @0x7f01c41936c8 (no-peer): allocate new client
> client: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: TCP request
> client: debug 5: client @0x7f01c41936c8 10.1.10.20#58518: using view
> '_default'
> security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: request
> is not signed
> security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518:
> recursion not available (recursion not enabled for view)
> client: debug 3: query client=0x7f01c41936c8
> thread=0x7f01c8c22640(<unknown-query>): ns_query_start
> general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No
> credentials were supplied, or the credentials were unavailable or
> inaccessible, Minor = No Kerberos credentials available (default
> cache: FILE:/tmp/krb5cc_1001).
> general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major
> = Unspecified GSS failure. Minor code may provide more information,
> Minor = No such file or directory (filename:
> /var/tmp/krb5_1001.rcache2).
> general: debug 4: process_gsstkey(): dns_tsigerror_badkey
> security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518
> (568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e):
> reset client
> client: debug 3: query client=0x7f01c41936c8
> thread=0x7f01c8c22640(568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY): query_reset
> security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: freeing
> client
> client: debug 3: query client=0x7f01c41936c8
> thread=0x7f01c8c22640(<unknown-query>): query_reset
> client: debug 3: clientmgr @0x7f01c4043e40 detach: 5
>
> client: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: UDP request
> client: debug 5: client @0x7f01c420f7a8 10.1.10.20#58577: using view
> '_default'
> security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: request
> is not signed
> security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577:
> recursion not available (recursion not enabled for view)
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(<unknown-query>): ns_query_start
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): qctx_init
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): client attr:0x20000, query
> attr:0xF00, restarts:0, origqname:nameserver.example.com
> <http://nameserver.example.com>, timer:0, authdb:0, referral:0
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): ns__query_start
> security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577
> (nameserver.example.com <http://nameserver.example.com>): query
> 'nameserver.example.com/A/IN <http://nameserver.example.com/A/IN>'
> approved
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): query_lookup
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): query_gotanswer
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): query_checkrpz
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): rpz_rewrite
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): query_prepresponse
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): query_zerottl_refetch
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): query_respond
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): query_getexpire
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): query_addanswer
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): query_addrrset
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): query_setorder
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): query_additional
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): query_addrrset: done
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): query_addnoqnameproof
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): query_addauth
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): ns_query_done
> security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577
> (nameserver.example.com <http://nameserver.example.com>): reset client
> client: debug 3: query client=0x7f01c420f7a8
> thread=0x7f01c8c22640(nameserver.example.com/A
> <http://nameserver.example.com/A>): query_reset
> client: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: UDP request
> client: debug 5: client @0x7f01c420f7a8 10.1.10.20#62785: using view
> '_default'
> security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: request
> is not signed
> security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785:
> recursion not available (recursion not enabled for view)
> update-security: error: client @0x7f01c420f7a8 10.1.10.20#62785:
> update '_msdcs.example.com/IN <http://msdcs.example.com/IN>' denied
> security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: reset client
> client: debug 3: clientmgr @0x7f01c4055fc0 attach: 6
> client: debug 3: query client=0x7f01ac0eca18
> thread=0x7f01c3fff640(<unknown-query>): query_reset
> security: debug 3: client @0x7f01ac0eca18 (no-peer): allocate new client
> client: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: TCP request
> client: debug 5: client @0x7f01ac0eca18 10.1.10.20#58172: using view
> '_default'
> security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: request
> is not signed
> security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172:
> recursion not available (recursion not enabled for view)
> client: debug 3: query client=0x7f01ac0eca18
> thread=0x7f01c3fff640(<unknown-query>): ns_query_start
> general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No
> credentials were supplied, or the credentials were unavailable or
> inaccessible, Minor = No Kerberos credentials available (default
> cache: FILE:/tmp/krb5cc_1001).
> general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major
> = Unspecified GSS failure. Minor code may provide more information,
> Minor = No such file or directory (filename:
> /var/tmp/krb5_1001.rcache2).
> general: debug 4: process_gsstkey(): dns_tsigerror_badkey
> security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172
> (568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e):
> reset client
> client: debug 3: query client=0x7f01ac0eca18
> thread=0x7f01c3fff640(568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY): query_reset
>
> Any insights, suggestions, or further troubleshooting steps to
> resolve this issue would be greatly appreciated. Thank you in
> advance for your assistance.
>
> Thanks
>
> Nagesh
>
>
--
Petr Špaček
More information about the bind-users
mailing list