Secure Active Directory Updates Failing on AlmaLinux 9 with ISC BIND 9.18.28

Petr Špaček pspacek at isc.org
Tue Aug 20 09:57:54 UTC 2024


Hi Nagesh,

it's unclear what exactly the log is about. Is that the first start of the 
server? (I guess so.) Or the client's attempt?

You have mentioned that you have two systems, one working and the other one 
failing. I suggest you gather logs from both and compare them line by 
line to find the difference.

Petr Špaček
Internet Systems Consortium


On 20. 08. 24 11:18, Nagesh Thati wrote:
> Hi,
> We have checked all the files related to krb and the keytab; all files and 
> their permissions are good. But updates are still being denied. I am 
> attaching the Krb5 trace output as well, please check and let me know.
> The tkey-gssapi-credential option is also specified in named.conf, but 
> updates are still denied.
> 
> *_KRB5_TRACE Output:_*
> [597869] 1724136604.999060: Getting initial credentials for DNS/example-master.example.com@EXAMPLE.COM
> [597869] 1724136605.002377: Sending unauthenticated request
> [597869] 1724136605.002378: Sending request (194 bytes) to EXAMPLE.COM
> [597869] 1724136605.002379: Resolving hostname example.com
> [597869] 1724136605.002380: Sending initial UDP request to dgram 10.1.8.171:88
> [597869] 1724136605.002381: Received answer (205 bytes) from dgram 10.1.8.171:88
> [597869] 1724136605.002382: Sending DNS URI query for _kerberos.EXAMPLE.COM.
> [597869] 1724136605.002383: No URI records found
> [597869] 1724136605.002384: Sending DNS SRV query for _kerberos-master._udp.EXAMPLE.COM.
> [597869] 1724136605.002385: Sending DNS SRV query for _kerberos-master._tcp.EXAMPLE.COM.
> [597869] 1724136605.002386: No SRV records found
> [597869] 1724136605.002387: Response was not from primary KDC
> [597869] 1724136605.002388: Received error from KDC: -1765328359/Additional pre-authentication required
> [597869] 1724136605.002391: Preauthenticating using KDC method data
> [597869] 1724136605.002392: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
> [597869] 1724136605.002393: Selected etype info: etype aes256-cts, salt "EXAMPLE.COMDNSexample-master.example.com", params ""
> [597869] 1724136605.002394: PKINIT client has no configured identity; giving up
> [597869] 1724136605.002395: Preauth module pkinit (16) (real) returned: -1765328174/No pkinit_anchors supplied
> [597869] 1724136610.500899: AS key obtained for encrypted timestamp: aes256-cts/7523
> [597869] 1724136610.500901: Encrypted timestamp (for 1724136611.194769): plain 301AA011180F32303234303832303036353031315AA105020302F8D1, encrypted 8D719F980037E7626CE2B7B1C8B82E56AD5866596D5041C925C85D032BDA06F6102F5E50952B725E4DA945243897C9F92C13213B136CBBAA
> [597869] 1724136610.500902: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [597869] 1724136610.500903: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
> [597869] 1724136610.500904: Sending request (274 bytes) to EXAMPLE.COM
> [597869] 1724136610.500905: Resolving hostname example.com
> [597869] 1724136610.500906: Sending initial UDP request to dgram 10.1.8.171:88
> [597869] 1724136610.500907: Received answer (94 bytes) from dgram 10.1.8.171:88
> [597869] 1724136610.500908: Sending DNS URI query for _kerberos.EXAMPLE.COM.
> [597869] 1724136610.500909: No URI records found
> [597869] 1724136610.500910: Sending DNS SRV query for _kerberos-master._udp.EXAMPLE.COM.
> [597869] 1724136610.500911: Sending DNS SRV query for _kerberos-master._tcp.EXAMPLE.COM.
> [597869] 1724136610.500912: No SRV records found
> [597869] 1724136610.500913: Response was not from primary KDC
> [597869] 1724136610.500914: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> [597869] 1724136610.500915: Request or response is too big for UDP; retrying with TCP
> [597869] 1724136610.500916: Sending request (274 bytes) to EXAMPLE.COM (tcp only)
> [597869] 1724136610.500917: Resolving hostname example.com
> [597869] 1724136610.500918: Initiating TCP connection to stream 10.1.8.171:88
> [597869] 1724136610.500919: Sending TCP request to stream 10.1.8.171:88
> [597869] 1724136610.500920: Received answer (1737 bytes) from stream 10.1.8.171:88
> [597869] 1724136610.500921: Terminating TCP connection to stream 10.1.8.171:88
> [597869] 1724136610.500922: Sending DNS URI query for _kerberos.EXAMPLE.COM.
> [597869] 1724136610.500923: No URI records found
> [597869] 1724136610.500924: Sending DNS SRV query for _kerberos-master._tcp.EXAMPLE.COM.
> [597869] 1724136610.500925: No SRV records found
> [597869] 1724136610.500926: Response was not from primary KDC
> [597869] 1724136610.500927: Processing preauth types: PA-ETYPE-INFO2 (19)
> [597869] 1724136610.500928: Selected etype info: etype aes256-cts, salt "EXAMPLE.COMDNSexample-master.example.com", params ""
> [597869] 1724136610.500929: Produced preauth for next request: (empty)
> [597869] 1724136610.500930: AS key determined by preauth: aes256-cts/7523
> [597869] 1724136610.500931: Decrypted AS reply; session key is: aes256-cts/9EA3
> [597869] 1724136610.500932: FAST negotiation: unavailable
> [597869] 1724136610.500933: Resolving unique ccache of type MEMORY
> [597869] 1724136610.500934: Initializing MEMORY:ii4Cyzt with default princ DNS/example-master.example.com@EXAMPLE.COM
> [597869] 1724136610.500935: Storing config in MEMORY:ii4Cyzt for krbtgt/EXAMPLE.COM@EXAMPLE.COM: pa_type: 2
> [597869] 1724136610.500936: Storing DNS/example-master.example.com@EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.COM\@EXAMPLE.COM@X-CACHECONF: in MEMORY:ii4Cyzt
> [597869] 1724136610.500937: Storing DNS/example-master.example.com@EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM in MEMORY:ii4Cy
> 
> Thanks,
> Nagesh
> 
> On Thu, Aug 8, 2024 at 6:20 PM Petr Špaček <pspacek at isc.org> wrote:
> 
>     Hello,
> 
>     my first bet is a missing tkey-gssapi-credential configuration statement
>     [1], followed by:
>     - incorrect content of the keytab,
>     - some file permission problem related to /etc/krb5.keytab, /var/tmp,
>     or /tmp,
>     - it's Red Hat, so a SELinux denial might be a problem as well.
> 
>     KRB5_TRACE environment variable might help with debugging, see "man
>     kerberos" and also check other environment variables and config files
>     listed there.
> 
>     Given that you have a working system I suggest you compare all of the
>     above to find out what's the difference.
> 
>     [1]
>     https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-tkey-gssapi-keytab
> 
>     Petr Špaček
>     Internet Systems Consortium
> 
> 
>     On 08. 08. 24 14:23, Nagesh Thati wrote:
>      > Hello Guys,
>      > Any help is much appreciated.
>      > Thanks
>      > Nagesh
>      >
>      > On Tue, Aug 6, 2024 at 7:11 PM Nagesh Thati <tcpnagesh at gmail.com> wrote:
>      >
>      >     Hello BIND Users,
>      >
>      >     *Issue Description:*
>      >     I'm experiencing an issue with secure Active Directory (AD) updates
>      >     on an AlmaLinux 9 system using ISC BIND. Despite following the
>      >     necessary configurations, I'm receiving error messages indicating
>      >     that the requests from the AD server are not signed and encountering
>      >     GSSAPI-related errors. Notably, the exact build and configurations
>      >     are working without any issues on CentOS 7.
>      >
>      >     *Environment:*
>      >     - OS: AlmaLinux 9 (using DEFAULT policy for system-wide crypto policies)
>      >     - BIND version: 9.18.28
>      >     - Active Directory: Windows Server [2016]
>      >
>      >     *Problem:*
>      >     AD updates are being denied. The BIND logs indicate that the
>      >     requests are not signed and show GSSAPI errors related to
>      >     unavailable credentials and missing files.
>      >
>      >     *Troubleshooting Steps Taken:*
>      >     We tried legacy crypto policy, but it did not work.
>      >
>      >     *Questions:*
>      >     1. What could be causing BIND to reject the AD updates as unsigned,
>      >     given that the same configuration works on CentOS 7?
>      >     2. How can I resolve the GSSAPI errors regarding unavailable
>      >     credentials and missing files?
>      >     3. Are there any AlmaLinux 9-specific configurations or steps
>      >     required to ensure secure AD updates with BIND?
>      >     4. Are there any known issues or incompatibilities between ISC BIND
>      >     and AlmaLinux 9 that could be causing this problem?
>      >
>      >     *Additional Information:*
>      >     - The same configuration is working correctly on CentOS 7 without
>      >     any issues.
>      >     - AlmaLinux 9 is using the DEFAULT policy for system-wide crypto
>      >     policies.
>      >
>      >     *_Current Setup:_*
>      >
>      >     *# named -V*
>      >     BIND 9.18.28 (Extended Support Version) <id:>
>      >     running on Linux x86_64 5.14.0-427.18.1.el9_4.x86_64 #1 SMP
>      >     PREEMPT_DYNAMIC Tue May 28 06:27:02 EDT 2024
>      >     built by make with  '--prefix=/opt/mydir/'
>      >     '--enable-dependency-tracking' '--enable-dnstap'
>      >     '--enable-singletrace' '--enable-querytrace'
>      >     '--disable-auto-validation' '--enable-dnsrps-dl' '--enable-dnsrps'
>      >     '--enable-full-report' '--with-tuning=large' '--enable-fixed-rrset'
>      >     '--with-libidn2' '--with-lmdb' '--with-json-c'
>      >     '--with-jemalloc=detect' '--with-maxminddb=yes' '--enable-largefile'
>      >     compiled by GCC 11.4.1 20231218 (Red Hat 11.4.1-3)
>      >     compiled with OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
>      >     linked to OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
>      >     compiled with libuv version: 1.42.0
>      >     linked to libuv version: 1.42.0
>      >     compiled with libnghttp2 version: 1.43.0
>      >     linked to libnghttp2 version: 1.43.0
>      >     compiled with json-c version: 0.14
>      >     linked to json-c version: 0.14
>      >     compiled with zlib version: 1.2.11
>      >     linked to zlib version: 1.2.11
>      >     linked to maxminddb version: 1.5.2
>      >     compiled with protobuf-c version: 1.3.3
>      >     linked to protobuf-c version: 1.3.3
>      >     threads support is enabled
>      >     DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512
>      >     ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
>      >     DS algorithms: SHA-1 SHA-256 SHA-384
>      >     HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256
>      >     HMAC-SHA384 HMAC-SHA512
>      >     TKEY mode 2 support (Diffie-Hellman): yes
>      >     TKEY mode 3 support (GSS-API): yes
>      >
>      >     default paths:
>      >        named configuration:  /opt/mydir/etc/named.conf
>      >        rndc configuration:   /opt/mydir/etc/rndc.conf
>      >        DNSSEC root key:      /opt/mydir/etc/bind.keys
>      >        nsupdate session key: /opt/mydir/var/run/named/session.key
>      >        named PID file:       /opt/mydir/var/run/named/named.pid
>      >        named lock file:      /opt/mydir/var/run/named/named.lock
>      >        geoip-directory:      /usr/share/GeoIP
>      >     *named.conf Snippet:*
>      >     options {
>      >              directory "/";
>      >              allow-query {any;};
>      >              allow-transfer {none;};
>      >              blackhole {none;};
>      >              dnssec-validation yes;
>      >              listen-on-v6 {none;};
>      >              rrset-order {
>      >                      order cyclic;
>      >              };
>      >              dump-file "/var/named/log/named_dump.db";
>      >              lame-ttl 0;
>      >              max-ncache-ttl 10800;
>      >              minimal-responses yes;
>      >              pid-file "/var/run/named/named.pid";
>      >              recursion no;
>      >              session-keyfile "/var/run/named/session.key";
>      >              statistics-file "/var/named/log/named.stats";
>      >              tcp-clients 150;
>      >     *tkey-gssapi-keytab "/etc/krb5.keytab";*
>      >     };
>      >
>      >     *Zone Section in named.conf:*
>      >     zone "_msdcs.example.com" IN {
>      >              type master;
>      >              file "/var/named/zones/masters/db._msdcs.example.com";
>      >     *update-policy { grant * subdomain _msdcs.example.com. ANY; };*
>      >     };
>      >     zone "_sites.example.com" IN {
>      >              type master;
>      >              file "/var/named/zones/masters/db._sites.example.com";
>      >              update-policy { grant * subdomain _sites.example.com. ANY; };
>      >     };
>      >     zone "_tcp.example.com" IN {
>      >              type master;
>      >              file "/var/named/zones/masters/db._tcp.example.com";
>      >              update-policy { grant * subdomain _tcp.example.com. ANY; };
>      >     };
>      >
>      >     *krb5.conf:*
>      >     # cat krb5.conf
>      >
>      >     [libdefaults]
>      >
>      >     default_realm = EXAMPLE.COM
>      >     default_tkt_enctypes = aes256-cts
>      >     default_tgs_enctypes = aes256-cts
>      >     dns_lookup_realm = true
>      >     dns_lookup_kdc = true
>      >     ticket_lifetime = 30d
>      >     default_keytab_name = FILE:/etc/krb5.keytab
>      >
>      >     [realms]
>      >     EXAMPLE.COM = {
>      >     kdc = example.com:88
>      >     default_domain = example.com
>      >     }
>      >
>      >
>      >     [domain_realm]
>      >     .example.com = EXAMPLE.COM
>      >     example.com = EXAMPLE.COM
>      >
>      >     *_Specific Error Messages:_*
>      >     *named.log (with debug level 0):*
>      >     update-security: error: client @0x7f01c420f7a8 10.1.10.20#53822: update '_tcp.example.com/IN' denied
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#54527: update '_sites.example.com/IN' denied
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#54470: update '_msdcs.example.com/IN' denied
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#53206: update '_msdcs.example.com/IN' denied
>      >     update-security: error: client @0x7f01c420f7a8 10.1.10.20#49853: update '_msdcs.example.com/IN' denied
>      >     update-security: error: client @0x7f01c420f7a8 10.1.10.20#59529: update '_msdcs.example.com/IN' denied
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#51093: update '_msdcs.example.com/IN' denied
>      >     update-security: error: client @0x7f01c420f7a8 10.1.10.20#58128: update '_msdcs.example.com/IN' denied
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#59368: update '_msdcs.example.com/IN' denied
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#63380: update '_msdcs.example.com/IN' denied
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#57248: update '_tcp.example.com/IN' denied
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#52530: update '_sites.example.com/IN' denied
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#54245: update '_tcp.example.com/IN' denied
>      >     update-security: error: client @0x7f01c420f7a8 10.1.10.20#53890: update '_sites.example.com/IN' denied
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#49508: update '_tcp.example.com/IN' denied
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#56611: update '_msdcs.example.com/IN' denied
>      >     update-security: error: client @0x7f01c420f7a8 10.1.10.20#62785: update '_msdcs.example.com/IN' denied
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#59729: update '_msdcs.example.com/IN' denied
>      >
>      >     *named.log (with debug level 10):*
>      >     client: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: UDP request
>      >     client: debug 5: client @0x7f01ac0150a8 10.1.10.20#64242: using view '_default'
>      >     security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: request is not signed
>      >     security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: recursion not available (recursion not enabled for view)
>      >     update-security: error: client @0x7f01ac0150a8 10.1.10.20#64242: update '_msdcs.example.com/IN' denied
>      >     security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: reset client
>      >     client: debug 3: clientmgr @0x7f01c4043e40 attach: 6
>      >     client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(<unknown-query>): query_reset
>      >     security: debug 3: client @0x7f01c41936c8 (no-peer): allocate new client
>      >     client: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: TCP request
>      >     client: debug 5: client @0x7f01c41936c8 10.1.10.20#58518: using view '_default'
>      >     security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: request is not signed
>      >     security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: recursion not available (recursion not enabled for view)
>      >     client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(<unknown-query>): ns_query_start
>      >     general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No credentials were supplied, or the credentials were unavailable or inaccessible, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1001).
>      >     general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = No such file or directory (filename: /var/tmp/krb5_1001.rcache2).
>      >     general: debug 4: process_gsstkey(): dns_tsigerror_badkey
>      >     security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518 (568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e): reset client
>      >     client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY): query_reset
>      >     security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: freeing client
>      >     client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(<unknown-query>): query_reset
>      >     client: debug 3: clientmgr @0x7f01c4043e40 detach: 5
>      >
>      >     client: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: UDP request
>      >     client: debug 5: client @0x7f01c420f7a8 10.1.10.20#58577: using view '_default'
>      >     security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: request is not signed
>      >     security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: recursion not available (recursion not enabled for view)
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(<unknown-query>): ns_query_start
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): qctx_init
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): client attr:0x20000, query attr:0xF00, restarts:0, origqname:nameserver.example.com, timer:0, authdb:0, referral:0
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): ns__query_start
>      >     security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577 (nameserver.example.com): query 'nameserver.example.com/A/IN' approved
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_lookup
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_gotanswer
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_checkrpz
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): rpz_rewrite
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_prepresponse
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_zerottl_refetch
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_respond
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_getexpire
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addanswer
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addrrset
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_setorder
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_additional
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addrrset: done
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addnoqnameproof
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addauth
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): ns_query_done
>      >     security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577 (nameserver.example.com): reset client
>      >     client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_reset
>      >     client: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: UDP request
>      >     client: debug 5: client @0x7f01c420f7a8 10.1.10.20#62785: using view '_default'
>      >     security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: request is not signed
>      >     security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: recursion not available (recursion not enabled for view)
>      >     update-security: error: client @0x7f01c420f7a8 10.1.10.20#62785: update '_msdcs.example.com/IN' denied
>      >     security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: reset client
>      >     client: debug 3: clientmgr @0x7f01c4055fc0 attach: 6
>      >     client: debug 3: query client=0x7f01ac0eca18 thread=0x7f01c3fff640(<unknown-query>): query_reset
>      >     security: debug 3: client @0x7f01ac0eca18 (no-peer): allocate new client
>      >     client: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: TCP request
>      >     client: debug 5: client @0x7f01ac0eca18 10.1.10.20#58172: using view '_default'
>      >     security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: request is not signed
>      >     security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: recursion not available (recursion not enabled for view)
>      >     client: debug 3: query client=0x7f01ac0eca18 thread=0x7f01c3fff640(<unknown-query>): ns_query_start
>      >     general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No credentials were supplied, or the credentials were unavailable or inaccessible, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1001).
>      >     general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = No such file or directory (filename: /var/tmp/krb5_1001.rcache2).
>      >     general: debug 4: process_gsstkey(): dns_tsigerror_badkey
>      >     security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172 (568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e): reset client
>      >     client: debug 3: query client=0x7f01ac0eca18 thread=0x7f01c3fff640(568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY): query_reset
>      >
>      >     Any insights, suggestions, or further troubleshooting steps to
>      >     resolve this issue would be greatly appreciated. Thank you in
>      >     advance for your assistance.
>      >
>      >     Thanks
>      >
>      >     Nagesh
>      >
>      >
> 
>     -- 
>     Petr Špaček
> 

-- 
Petr Špaček
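Added example, not part of the thread and not ISC's or the poster's code: a POSIX shell script that turns the named debug-10 log quoted above into the checks Petr lists (keytab content, file permissions on /etc/krb5.keytab, /var/tmp and /tmp, SELinux denials), then exercises the same GSS-TSIG path with nsupdate -g. It assumes that the uid 1001 visible in the log (FILE:/tmp/krb5cc_1001, /var/tmp/krb5_1001.rcache2) is the one named runs as, that the keytab is /etc/krb5.keytab as in the named.conf snippet, and that the service principal is DNS/<fqdn>@EXAMPLE.COM as the KRB5_TRACE shows; the sample log lines are taken from the thread with mail wrapping rejoined. The classifier runs anywhere; the --live part needs root, krb5-workstation and auditd on the failing host.

```sh
#!/bin/sh
# Added example for this thread; not ISC code and not the poster's.
# Assumptions (not stated in the thread): named runs as the uid seen in
# the log (1001), the keytab is /etc/krb5.keytab, and the service
# principal is DNS/<fqdn>@EXAMPLE.COM as the KRB5_TRACE output shows.

# Map one named debug-log line to a short tag. Pure text matching, so it
# runs over a saved log from either the working or the failing machine.
gss_diag() {
    case "$1" in
        *"failed gss_inquire_cred"*"No Kerberos credentials available"*) echo acquire-cred ;;
        *"failed gss_accept_sec_context"*"No such file or directory"*rcache*) echo rcache ;;
        *"dns_tsigerror_badkey"*) echo badkey ;;
        *"request is not signed"*) echo unsigned ;;
        *"update '"*"' denied"*) echo denied ;;
        *) echo other ;;
    esac
}

# The check each tag points at, following the list given in the thread.
gss_advice() {
    case "$1" in
        acquire-cred) echo "named found no usable credentials: tkey-gssapi-keytab must name a keytab the named uid can read that holds DNS/<fqdn>@REALM (klist -kt)" ;;
        rcache) echo "the replay cache file could not be created: the named uid must be able to create files in /var/tmp (and /tmp); look for SELinux AVCs" ;;
        badkey) echo "the GSS-TSIG TKEY exchange failed (BADKEY), so no update from this client can be authenticated" ;;
        unsigned) echo "the TKEY query and the first, unsecured UDP update attempt are unsigned by design; not a fault on its own" ;;
        denied) echo "update-policy rejected an update carrying no valid signature; fix the TKEY failure first" ;;
        *) echo "not GSS-TSIG related" ;;
    esac
}

# Count tags over a whole log read from stdin; prints "tag count" per line.
triage_log() {
    while IFS= read -r line; do
        gss_diag "$line"
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

# Live checks on the failing host (root, krb5-workstation, auditd):
#   sh gss_tsig_check.sh --live example-master.example.com EXAMPLE.COM 1001
live_checks() {
    fqdn=$1; realm=$2; uid=$3; keytab=${4:-/etc/krb5.keytab}
    princ="DNS/$fqdn@$realm"; user=$(id -nu "$uid"); zone=_tcp.${fqdn#*.}
    echo "== $keytab is $(stat -c '%U:%G mode %a' "$keytab"); named runs as $user"
    klist -kt "$keytab"                       # must list $princ with the KVNO AD has
    cc=$(mktemp /tmp/gss_probe_cc.XXXXXX); chown "$user" "$cc"
    echo "== TGT from the keytab as $user (KRB5_TRACE shows KDC and enctype trouble)"
    runuser -u "$user" -- env KRB5_TRACE=/dev/stderr KRB5CCNAME="FILE:$cc" \
        kinit -k -t "$keytab" "$princ"
    echo "== can $user create the replay cache where named puts it?"
    for d in /var/tmp /tmp; do
        runuser -u "$user" -- sh -c "touch $d/.rcache_probe && rm $d/.rcache_probe" \
            && echo "$d writable" || echo "$d NOT writable by $user"
    done
    echo "== SELinux denials for named since boot"
    ausearch -m AVC -c named -ts boot 2>/dev/null || echo "(none, or auditd not running)"
    echo "== GSS-TSIG update against the local server, zone $zone (added, then removed)"
    printf 'server 127.0.0.1\nzone %s\nupdate add _probe.%s 60 TXT "gss-tsig-probe"\nsend\nupdate delete _probe.%s TXT\nsend\n' \
        "$zone" "$zone" "$zone" | runuser -u "$user" -- env KRB5CCNAME="FILE:$cc" nsupdate -g -d
    rm -f "$cc"
}

# Sample input, constructed from the debug-10 log quoted in the thread
# (mail wrapping rejoined): one unsigned UDP update, then the TCP TKEY.
SAMPLE_LOG=$(cat <<'EOF'
security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: request is not signed
update-security: error: client @0x7f01ac0150a8 10.1.10.20#64242: update '_msdcs.example.com/IN' denied
security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: request is not signed
general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No credentials were supplied, or the credentials were unavailable or inaccessible, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1001).
general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = No such file or directory (filename: /var/tmp/krb5_1001.rcache2).
general: debug 4: process_gsstkey(): dns_tsigerror_badkey
security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577 (nameserver.example.com): query 'nameserver.example.com/A/IN' approved
EOF
)

case "${1:-}" in
    --live) shift; live_checks "$@" ;;
    *)
        echo "tag count"
        printf '%s\n' "$SAMPLE_LOG" | triage_log
        printf '%s\n' "$SAMPLE_LOG" | triage_log | while read -r tag n; do
            [ "$tag" = other ] || echo "$tag: $(gss_advice "$tag")"
        done ;;
esac
```

Run it without arguments to triage a pasted log (`sh gss_tsig_check.sh < named.log` works too if you replace the sample with stdin), and with --live on the box that fails; the kinit step is the one to compare first against the CentOS 7 host, since the KRB5_TRACE in the thread shows the keytab key itself is accepted by the KDC. Note that `grant * subdomain _tcp.example.com. ANY` in the quoted zone config accepts any Kerberos identity once the TKEY negotiation succeeds, so the probe above will pass for any principal in the realm, not only the DC.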


