Secure Active Directory Updates Failing on AlmaLinux 9 with ISC BIND 9.18.28
Nagesh Thati
tcpnagesh at gmail.com
Thu Sep 5 14:01:30 UTC 2024
Thank you all for your assistance.
The issue has finally been resolved. It turns out I was running BIND in a
chroot jail, and the /var/tmp folder was missing within the chroot
environment. This was the cause of the AD update denials.
On Tue, Aug 20, 2024 at 3:27 PM Petr Špaček <pspacek at isc.org> wrote:
> Hi Nagesh,
>
> it's unclear what exactly is the log about. Is that first start of the
> server? (I guess so.) Or the client's attempt?
>
> You have mentioned that you have two systems, one working and other one
> failing. I suggest you gather logs from both and compare them line by
> line to find the difference.
>
> Petr Špaček
> Internet Systems Consortium
>
>
> On 20. 08. 24 11:18, Nagesh Thati wrote:
> > Hi,
> > We have checked all the files related to krb and keytab, all files and
> > their permissions are good. But still updates are getting denied. I am
> > attaching the Krb5 Trace output also, please check and let me know.
> > tkey-gssapi-credential option also specified in the named.conf, but
> > still updated are denied.
> >
> > *_KRB5_TRACE Output:_*
> > /[597869] 1724136604.999060: Getting initial credentials for
> > DNS/example-master.example.com at EXAMPLE.COM
> > <mailto:example-master.example.com at EXAMPLE.COM>
> > [597869] 1724136605.002377: Sending unauthenticated request
> > [597869] 1724136605.002378: Sending request (194 bytes) to EXAMPLE.COM
> > <http://EXAMPLE.COM>
> > [597869] 1724136605.002379: Resolving hostname example.com
> > <http://example.com>
> > [597869] 1724136605.002380: Sending initial UDP request to dgram
> > 10.1.8.171:88 <http://10.1.8.171:88>
> > [597869] 1724136605.002381: Received answer (205 bytes) from dgram
> > 10.1.8.171:88 <http://10.1.8.171:88>
> > [597869] 1724136605.002382: Sending DNS URI query for
> > _kerberos.EXAMPLE.COM <http://kerberos.EXAMPLE.COM>.
> > [597869] 1724136605.002383: No URI records found
> > [597869] 1724136605.002384: Sending DNS SRV query for
> > _kerberos-master._udp.EXAMPLE.COM <http://udp.EXAMPLE.COM>.
> > [597869] 1724136605.002385: Sending DNS SRV query for
> > _kerberos-master._tcp.EXAMPLE.COM <http://tcp.EXAMPLE.COM>.
> > [597869] 1724136605.002386: No SRV records found
> > [597869] 1724136605.002387: Response was not from primary KDC
> > [597869] 1724136605.002388: Received error from KDC:
> > -1765328359/Additional pre-authentication required
> > [597869] 1724136605.002391: Preauthenticating using KDC method data
> > [597869] 1724136605.002392: Processing preauth types: PA-PK-AS-REQ (16),
> > PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
> > [597869] 1724136605.002393: Selected etype info: etype aes256-cts, salt
> > "EXAMPLE.COMDNSexample-master.example.com
> > <http://EXAMPLE.COMDNSexample-master.example.com>", params ""
> > [597869] 1724136605.002394: PKINIT client has no configured identity;
> > giving up
> > [597869] 1724136605.002395: Preauth module pkinit (16) (real) returned:
> > -1765328174/No pkinit_anchors supplied
> > [597869] 1724136610.500899: AS key obtained for encrypted timestamp:
> > aes256-cts/7523
> > [597869] 1724136610.500901: Encrypted timestamp (for 1724136611.194769):
> > plain 301AA011180F32303234303832303036353031315AA105020302F8D1,
> > encrypted
> >
> 8D719F980037E7626CE2B7B1C8B82E56AD5866596D5041C925C85D032BDA06F6102F5E50952B725E4DA945243897C9F92C13213B136CBBAA
> > [597869] 1724136610.500902: Preauth module encrypted_timestamp (2)
> > (real) returned: 0/Success
> > [597869] 1724136610.500903: Produced preauth for next request:
> > PA-ENC-TIMESTAMP (2)
> > [597869] 1724136610.500904: Sending request (274 bytes) to EXAMPLE.COM
> > <http://EXAMPLE.COM>
> > [597869] 1724136610.500905: Resolving hostname example.com
> > <http://example.com>
> > [597869] 1724136610.500906: Sending initial UDP request to dgram
> > 10.1.8.171:88 <http://10.1.8.171:88>
> > [597869] 1724136610.500907: Received answer (94 bytes) from dgram
> > 10.1.8.171:88 <http://10.1.8.171:88>
> > [597869] 1724136610.500908: Sending DNS URI query for
> > _kerberos.EXAMPLE.COM <http://kerberos.EXAMPLE.COM>.
> > [597869] 1724136610.500909: No URI records found
> > [597869] 1724136610.500910: Sending DNS SRV query for
> > _kerberos-master._udp.EXAMPLE.COM <http://udp.EXAMPLE.COM>.
> > [597869] 1724136610.500911: Sending DNS SRV query for
> > _kerberos-master._tcp.EXAMPLE.COM <http://tcp.EXAMPLE.COM>.
> > [597869] 1724136610.500912: No SRV records found
> > [597869] 1724136610.500913: Response was not from primary KDC
> > [597869] 1724136610.500914: Received error from KDC:
> > -1765328332/Response too big for UDP, retry with TCP
> > [597869] 1724136610.500915: Request or response is too big for UDP;
> > retrying with TCP
> > [597869] 1724136610.500916: Sending request (274 bytes) to EXAMPLE.COM
> > <http://EXAMPLE.COM> (tcp only)
> > [597869] 1724136610.500917: Resolving hostname example.com
> > <http://example.com>
> > [597869] 1724136610.500918: Initiating TCP connection to stream
> > 10.1.8.171:88 <http://10.1.8.171:88>
> > [597869] 1724136610.500919: Sending TCP request to stream 10.1.8.171:88
> > <http://10.1.8.171:88>
> > [597869] 1724136610.500920: Received answer (1737 bytes) from stream
> > 10.1.8.171:88 <http://10.1.8.171:88>
> > [597869] 1724136610.500921: Terminating TCP connection to stream
> > 10.1.8.171:88 <http://10.1.8.171:88>
> > [597869] 1724136610.500922: Sending DNS URI query for
> > _kerberos.EXAMPLE.COM <http://kerberos.EXAMPLE.COM>.
> > [597869] 1724136610.500923: No URI records found
> > [597869] 1724136610.500924: Sending DNS SRV query for
> > _kerberos-master._tcp.EXAMPLE.COM <http://tcp.EXAMPLE.COM>.
> > [597869] 1724136610.500925: No SRV records found
> > [597869] 1724136610.500926: Response was not from primary KDC
> > [597869] 1724136610.500927: Processing preauth types: PA-ETYPE-INFO2 (19)
> > [597869] 1724136610.500928: Selected etype info: etype aes256-cts, salt
> > "EXAMPLE.COMDNSexample-master.example.com
> > <http://EXAMPLE.COMDNSexample-master.example.com>", params ""
> > [597869] 1724136610.500929: Produced preauth for next request: (empty)
> > [597869] 1724136610.500930: AS key determined by preauth: aes256-cts/7523
> > [597869] 1724136610.500931: Decrypted AS reply; session key is:
> > aes256-cts/9EA3
> > [597869] 1724136610.500932: FAST negotiation: unavailable
> > [597869] 1724136610.500933: Resolving unique ccache of type MEMORY
> > [597869] 1724136610.500934: Initializing MEMORY:ii4Cyzt with default
> > princ DNS/example-master.example.com at EXAMPLE.COM
> > <mailto:example-master.example.com at EXAMPLE.COM>
> > [597869] 1724136610.500935: Storing config in MEMORY:ii4Cyzt for
> > krbtgt/EXAMPLE.COM at EXAMPLE.COM <mailto:EXAMPLE.COM at EXAMPLE.COM>:
> pa_type: 2
> > [597869] 1724136610.500936: Storing
> > DNS/example-master.example.com at EXAMPLE.COM
> > <mailto:example-master.example.com at EXAMPLE.COM> ->
> > krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.COM
> > <http://EXAMPLE.COM>\@EXAMPLE.COM at X-CACHECONF: in MEMORY:ii4Cyzt
> > [597869] 1724136610.500937: Storing
> > DNS/example-master.example.com at EXAMPLE.COM
> > <mailto:example-master.example.com at EXAMPLE.COM> ->
> > krbtgt/EXAMPLE.COM at EXAMPLE.COM <mailto:EXAMPLE.COM at EXAMPLE.COM> in
> > MEMORY:ii4Cy/
> > /
> > /
> > /
> > /
> > /Thanks,/
> > /Nagesh/
> >
> > On Thu, Aug 8, 2024 at 6:20 PM Petr Špaček <pspacek at isc.org
> > <mailto:pspacek at isc.org>> wrote:
> >
> > Hello,
> >
> > my first bet is missing tkey-gssapi-credential configuration
> statement
> > [1], followed by:
> > - or incorrect content of keytab,
> > - some file permission problem related to /etc/krb5.keytab, or
> > /var/tmp,
> > or /tmp,
> > - It's Red Hat so a SELinux denial might be a problem as well.
> >
> > KRB5_TRACE environment variable might help with debugging, see "man
> > kerberos" and also check other environment variables and config files
> > listed there.
> >
> > Given that you have a working system I suggest you compare all of the
> > above to find out what's the difference.
> >
> > [1]
> >
> https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-tkey-gssapi-keytab
> <
> https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-tkey-gssapi-keytab
> >
> >
> > Petr Špaček
> > Internet Systems Consortium
> >
> >
> > On 08. 08. 24 14:23, Nagesh Thati wrote:
> > > Hello Guys,
> > > Any help is much appreciated.
> > > Thanks
> > > Nagesh
> > >
> > > On Tue, Aug 6, 2024 at 7:11 PM Nagesh Thati <tcpnagesh at gmail.com
> > <mailto:tcpnagesh at gmail.com>
> > > <mailto:tcpnagesh at gmail.com <mailto:tcpnagesh at gmail.com>>> wrote:
> > >
> > > Hello BIND Users,
> > >
> > > *Issue Description:*
> > > I'm experiencing an issue with secure Active Directory (AD)
> > updates
> > > on an AlmaLinux 9 system using ISC BIND. Despite following the
> > > necessary configurations, I'm receiving error messages
> indicating
> > > that the requests from the AD server are not signed and
> > encountering
> > > GSSAPI-related errors. Notably, the exact build and
> > configurations
> > > are working without any issues on CentOS 7.
> > >
> > > *Environment:*
> > > - OS: AlmaLinux 9 (using DEFAULT policy for system-wide
> > crypto policies)
> > > - BIND version: 9.18.28
> > > - Active Directory: Windows Server [2016]
> > >
> > > *Problem:*
> > > AD updates are being denied. The BIND logs indicate that the
> > > requests are not signed and show GSSAPI errors related to
> > > unavailable credentials and missing files.
> > >
> > > *Troubleshooting Steps Taken:*
> > > We tried legacy crypto policy, but it did not work.
> > >
> > > *Questions:*
> > > 1. What could be causing BIND to reject the AD updates as
> > unsigned,
> > > given that the same configuration works on CentOS 7?
> > > 2. How can I resolve the GSSAPI errors regarding unavailable
> > > credentials and missing files?
> > > 3. Are there any AlmaLinux 9-specific configurations or steps
> > > required to ensure secure AD updates with BIND?
> > > 4. Are there any known issues or incompatibilities between
> > ISC BIND
> > > and AlmaLinux 9 that could be causing this problem?
> > >
> > > *Additional Information:*
> > > - The same configuration is working correctly on CentOS 7
> without
> > > any issues.
> > > - AlmaLinux 9 is using the DEFAULT policy for system-wide
> crypto
> > > policies.
> > >
> > > *_Current Setup:_*
> > >
> > > *# named -V*
> > > BIND 9.18.28 (Extended Support Version) <id:>
> > > running on Linux x86_64 5.14.0-427.18.1.el9_4.x86_64 #1 SMP
> > > PREEMPT_DYNAMIC Tue May 28 06:27:02 EDT 2024
> > > built by make with '--prefix=/opt/mydir/'
> > > '--enable-dependency-tracking' '--enable-dnstap'
> > > '--enable-singletrace' '--enable-querytrace'
> > > '--disable-auto-validation' '--enable-dnsrps-dl'
> > '--enable-dnsrps'
> > > '--enable-full-report' '--with-tuning=large'
> > '--enable-fixed-rrset'
> > > '--with-libidn2' '--with-lmdb' '--with-json-c'
> > > '--with-jemalloc=detect' '--with-maxminddb=yes'
> > '--enable-largefile'
> > > compiled by GCC 11.4.1 20231218 (Red Hat 11.4.1-3)
> > > compiled with OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
> > > linked to OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
> > > compiled with libuv version: 1.42.0
> > > linked to libuv version: 1.42.0
> > > compiled with libnghttp2 version: 1.43.0
> > > linked to libnghttp2 version: 1.43.0
> > > compiled with json-c version: 0.14
> > > linked to json-c version: 0.14
> > > compiled with zlib version: 1.2.11
> > > linked to zlib version: 1.2.11
> > > linked to maxminddb version: 1.5.2
> > > compiled with protobuf-c version: 1.3.3
> > > linked to protobuf-c version: 1.3.3
> > > threads support is enabled
> > > DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512
> > > ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
> > > DS algorithms: SHA-1 SHA-256 SHA-384
> > > HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256
> > > HMAC-SHA384 HMAC-SHA512
> > > TKEY mode 2 support (Diffie-Hellman): yes
> > > TKEY mode 3 support (GSS-API): yes
> > >
> > > default paths:
> > > named configuration: /opt/mydir/etc/named.conf
> > > rndc configuration: /opt/mydir/etc/rndc.conf
> > > DNSSEC root key: /opt/mydir/etc/bind.keys
> > > nsupdate session key: /opt/mydir/var/run/named/session.key
> > > named PID file: /opt/mydir/var/run/named/named.pid
> > > named lock file: /opt/mydir/var/run/named/named.lock
> > > geoip-directory: /usr/share/GeoIP
> > > *named.conf Snippet:*
> > > options {
> > > directory "/";
> > > allow-query {any;};
> > > allow-transfer {none;};
> > > blackhole {none;};
> > > dnssec-validation yes;
> > > listen-on-v6 {none;};
> > > rrset-order {
> > > order cyclic;
> > > };
> > > dump-file "/var/named/log/named_dump.db";
> > > lame-ttl 0;
> > > max-ncache-ttl 10800;
> > > minimal-responses yes;
> > > pid-file "/var/run/named/named.pid";
> > > recursion no;
> > > session-keyfile "/var/run/named/session.key";
> > > statistics-file "/var/named/log/named.stats";
> > > tcp-clients 150;
> > > *tkey-gssapi-keytab "/etc/krb5.keytab";*
> > > };
> > >
> > > *Zone Section in named.conf:*
> > > zone "_msdcs.example.com <http://msdcs.example.com>
> > <http://msdcs.example.com <http://msdcs.example.com>>" IN {
> > > type master;
> > > file "/var/named/zones/masters/db._msdcs.example.com
> > <http://msdcs.example.com>
> > > <http://msdcs.example.com <http://msdcs.example.com>>";
> > > *update-policy { grant * subdomain _msdcs.example.com
> > <http://msdcs.example.com>
> > > <http://msdcs.example.com <http://msdcs.example.com>>. ANY;
> };*
> > > };
> > > zone "_sites.example.com <http://sites.example.com>
> > <http://sites.example.com <http://sites.example.com>>" IN {
> > > type master;
> > > file "/var/named/zones/masters/db._sites.example.com
> > <http://sites.example.com>
> > > <http://sites.example.com <http://sites.example.com>>";
> > > update-policy { grant * subdomain _sites.example.com
> > <http://sites.example.com>
> > > <http://sites.example.com <http://sites.example.com>>. ANY;
> };
> > > };
> > > zone "_tcp.example.com <http://tcp.example.com>
> > <http://tcp.example.com <http://tcp.example.com>>" IN {
> > > type master;
> > > file "/var/named/zones/masters/db._tcp.example.com
> > <http://tcp.example.com>
> > > <http://tcp.example.com <http://tcp.example.com>>";
> > > update-policy { grant * subdomain _tcp.example.com
> > <http://tcp.example.com>
> > > <http://tcp.example.com <http://tcp.example.com>>. ANY; };
> > > };
> > >
> > > *krb5.conf:*
> > > # cat krb5.conf
> > >
> > > [libdefaults]
> > >
> > > default_realm = EXAMPLE.COM <http://EXAMPLE.COM>
> > <http://EXAMPLE.COM <http://EXAMPLE.COM>>
> > > default_tkt_enctypes = aes256-cts
> > > default_tgs_enctypes = aes256-cts
> > > dns_lookup_realm = true
> > > dns_lookup_kdc = true
> > > ticket_lifetime = 30d
> > > default_keytab_name = FILE:/etc/krb5.keytab
> > >
> > > [realms]
> > > EXAMPLE.COM <http://EXAMPLE.COM> <http://EXAMPLE.COM
> > <http://EXAMPLE.COM>> = {
> > > kdc = example.com:88 <http://example.com:88>
> > <http://example.com:88 <http://example.com:88>>
> > > default_domain = example.com <http://example.com>
> > <http://example.com <http://example.com>>
> > > }
> > >
> > >
> > > [domain_realm]
> > > .example.com <http://example.com> <http://example.com
> > <http://example.com>> = EXAMPLE.COM <http://EXAMPLE.COM>
> > <http://EXAMPLE.COM <http://EXAMPLE.COM>>
> > > example.com <http://example.com> <http://example.com
> > <http://example.com>> = EXAMPLE.COM <http://EXAMPLE.COM>
> > <http://EXAMPLE.COM <http://EXAMPLE.COM>>
> > >
> > > *_Specific Error Messages:_*
> > > *named.log (with debug level 0):*
> > > update-security: error: client @0x7f01c420f7a8
> 10.1.10.20#53822:
> > > update '_tcp.example.com/IN <http://tcp.example.com/IN>
> > <http://tcp.example.com/IN <http://tcp.example.com/IN>>' denied
> > > update-security: error: client @0x7f01ac0150a8
> 10.1.10.20#54527:
> > > update '_sites.example.com/IN <http://sites.example.com/IN>
> > <http://sites.example.com/IN <http://sites.example.com/IN>>' denied
> > > update-security: error: client @0x7f01ac0150a8
> 10.1.10.20#54470:
> > > update '_msdcs.example.com/IN <http://msdcs.example.com/IN>
> > <http://msdcs.example.com/IN <http://msdcs.example.com/IN>>' denied
> > > update-security: error: client @0x7f01ac0150a8
> 10.1.10.20#53206:
> > > update '_msdcs.example.com/IN <http://msdcs.example.com/IN>
> > <http://msdcs.example.com/IN <http://msdcs.example.com/IN>>' denied
> > > update-security: error: client @0x7f01c420f7a8
> 10.1.10.20#49853:
> > > update '_msdcs.example.com/IN <http://msdcs.example.com/IN>
> > <http://msdcs.example.com/IN <http://msdcs.example.com/IN>>' denied
> > > update-security: error: client @0x7f01c420f7a8
> 10.1.10.20#59529:
> > > update '_msdcs.example.com/IN <http://msdcs.example.com/IN>
> > <http://msdcs.example.com/IN <http://msdcs.example.com/IN>>' denied
> > > update-security: error: client @0x7f01ac0150a8
> 10.1.10.20#51093:
> > > update '_msdcs.example.com/IN <http://msdcs.example.com/IN>
> > <http://msdcs.example.com/IN <http://msdcs.example.com/IN>>' denied
> > > update-security: error: client @0x7f01c420f7a8
> 10.1.10.20#58128:
> > > update '_msdcs.example.com/IN <http://msdcs.example.com/IN>
> > <http://msdcs.example.com/IN <http://msdcs.example.com/IN>>' denied
> > > update-security: error: client @0x7f01ac0150a8
> 10.1.10.20#59368:
> > > update '_msdcs.example.com/IN <http://msdcs.example.com/IN>
> > <http://msdcs.example.com/IN <http://msdcs.example.com/IN>>' denied
> > > update-security: error: client @0x7f01ac0150a8
> 10.1.10.20#63380:
> > > update '_msdcs.example.com/IN <http://msdcs.example.com/IN>
> > <http://msdcs.example.com/IN <http://msdcs.example.com/IN>>' denied
> > > update-security: error: client @0x7f01ac0150a8
> 10.1.10.20#57248:
> > > update '_tcp.example.com/IN <http://tcp.example.com/IN>
> > <http://tcp.example.com/IN <http://tcp.example.com/IN>>' denied
> > > update-security: error: client @0x7f01ac0150a8
> 10.1.10.20#52530:
> > > update '_sites.example.com/IN <http://sites.example.com/IN>
> > <http://sites.example.com/IN <http://sites.example.com/IN>>' denied
> > > update-security: error: client @0x7f01ac0150a8
> 10.1.10.20#54245:
> > > update '_tcp.example.com/IN <http://tcp.example.com/IN>
> > <http://tcp.example.com/IN <http://tcp.example.com/IN>>' denied
> > > update-security: error: client @0x7f01c420f7a8
> 10.1.10.20#53890:
> > > update '_sites.example.com/IN <http://sites.example.com/IN>
> > <http://sites.example.com/IN <http://sites.example.com/IN>>' denied
> > > update-security: error: client @0x7f01ac0150a8
> 10.1.10.20#49508:
> > > update '_tcp.example.com/IN <http://tcp.example.com/IN>
> > <http://tcp.example.com/IN <http://tcp.example.com/IN>>' denied
> > > update-security: error: client @0x7f01ac0150a8
> 10.1.10.20#56611:
> > > update '_msdcs.example.com/IN <http://msdcs.example.com/IN>
> > <http://msdcs.example.com/IN <http://msdcs.example.com/IN>>' denied
> > > update-security: error: client @0x7f01c420f7a8
> 10.1.10.20#62785:
> > > update '_msdcs.example.com/IN <http://msdcs.example.com/IN>
> > <http://msdcs.example.com/IN <http://msdcs.example.com/IN>>' denied
> > > update-security: error: client @0x7f01ac0150a8
> 10.1.10.20#59729:
> > > update '_msdcs.example.com/IN <http://msdcs.example.com/IN>
> > <http://msdcs.example.com/IN <http://msdcs.example.com/IN>>' denied
> > >
> > > *named.log (with debug level 10):*
> > > client: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: UDP
> > request
> > > client: debug 5: client @0x7f01ac0150a8 10.1.10.20#64242:
> > using view
> > > '_default'
> > > security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242:
> > request
> > > is not signed
> > > security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242:
> > > recursion not available (recursion not enabled for view)
> > > update-security: error: client @0x7f01ac0150a8
> 10.1.10.20#64242:
> > > update '_msdcs.example.com/IN <http://msdcs.example.com/IN>
> > <http://msdcs.example.com/IN <http://msdcs.example.com/IN>>' denied
> > > security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242:
> > reset client
> > > client: debug 3: clientmgr @0x7f01c4043e40 attach: 6
> > > client: debug 3: query client=0x7f01c41936c8
> > > thread=0x7f01c8c22640(<unknown-query>): query_reset
> > > security: debug 3: client @0x7f01c41936c8 (no-peer): allocate
> > new client
> > > client: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: TCP
> > request
> > > client: debug 5: client @0x7f01c41936c8 10.1.10.20#58518:
> > using view
> > > '_default'
> > > security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518:
> > request
> > > is not signed
> > > security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518:
> > > recursion not available (recursion not enabled for view)
> > > client: debug 3: query client=0x7f01c41936c8
> > > thread=0x7f01c8c22640(<unknown-query>): ns_query_start
> > > general: debug 3: failed gss_inquire_cred: GSSAPI error:
> > Major = No
> > > credentials were supplied, or the credentials were
> unavailable or
> > > inaccessible, Minor = No Kerberos credentials available
> (default
> > > cache: FILE:/tmp/krb5cc_1001).
> > > general: debug 3: failed gss_accept_sec_context: GSSAPI
> > error: Major
> > > = Unspecified GSS failure. Minor code may provide more
> > information,
> > > Minor = No such file or directory (filename:
> > > /var/tmp/krb5_1001.rcache2).
> > > general: debug 4: process_gsstkey(): dns_tsigerror_badkey
> > > security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518
> > >
> (568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e):
> > > reset client
> > > client: debug 3: query client=0x7f01c41936c8
> > >
> >
> thread=0x7f01c8c22640(568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY):
> query_reset
> > > security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518:
> > freeing
> > > client
> > > client: debug 3: query client=0x7f01c41936c8
> > > thread=0x7f01c8c22640(<unknown-query>): query_reset
> > > client: debug 3: clientmgr @0x7f01c4043e40 detach: 5
> > >
> > > client: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: UDP
> > request
> > > client: debug 5: client @0x7f01c420f7a8 10.1.10.20#58577:
> > using view
> > > '_default'
> > > security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577:
> > request
> > > is not signed
> > > security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577:
> > > recursion not available (recursion not enabled for view)
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(<unknown-query>): ns_query_start
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): qctx_init
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): client attr:0x20000, query
> > > attr:0xF00, restarts:0, origqname:nameserver.example.com
> > <http://nameserver.example.com>
> > > <http://nameserver.example.com
> > <http://nameserver.example.com>>, timer:0, authdb:0, referral:0
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): ns__query_start
> > > security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577
> > > (nameserver.example.com <http://nameserver.example.com>
> > <http://nameserver.example.com <http://nameserver.example.com>>):
> query
> > > 'nameserver.example.com/A/IN
> > <http://nameserver.example.com/A/IN>
> > <http://nameserver.example.com/A/IN
> > <http://nameserver.example.com/A/IN>>'
> > > approved
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): query_lookup
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): query_gotanswer
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): query_checkrpz
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): rpz_rewrite
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): query_prepresponse
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): query_zerottl_refetch
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): query_respond
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): query_getexpire
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): query_addanswer
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): query_addrrset
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): query_setorder
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): query_additional
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): query_addrrset: done
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): query_addnoqnameproof
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): query_addauth
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): ns_query_done
> > > security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577
> > > (nameserver.example.com <http://nameserver.example.com>
> > <http://nameserver.example.com <http://nameserver.example.com>>):
> > reset client
> > > client: debug 3: query client=0x7f01c420f7a8
> > > thread=0x7f01c8c22640(nameserver.example.com/A
> > <http://nameserver.example.com/A>
> > > <http://nameserver.example.com/A
> > <http://nameserver.example.com/A>>): query_reset
> > > client: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: UDP
> > request
> > > client: debug 5: client @0x7f01c420f7a8 10.1.10.20#62785:
> > using view
> > > '_default'
> > > security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785:
> > request
> > > is not signed
> > > security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785:
> > > recursion not available (recursion not enabled for view)
> > > update-security: error: client @0x7f01c420f7a8
> 10.1.10.20#62785:
> > > update '_msdcs.example.com/IN <http://msdcs.example.com/IN>
> > <http://msdcs.example.com/IN <http://msdcs.example.com/IN>>' denied
> > > security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785:
> > reset client
> > > client: debug 3: clientmgr @0x7f01c4055fc0 attach: 6
> > > client: debug 3: query client=0x7f01ac0eca18
> > > thread=0x7f01c3fff640(<unknown-query>): query_reset
> > > security: debug 3: client @0x7f01ac0eca18 (no-peer): allocate
> > new client
> > > client: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: TCP
> > request
> > > client: debug 5: client @0x7f01ac0eca18 10.1.10.20#58172:
> > using view
> > > '_default'
> > > security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172:
> > request
> > > is not signed
> > > security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172:
> > > recursion not available (recursion not enabled for view)
> > > client: debug 3: query client=0x7f01ac0eca18
> > > thread=0x7f01c3fff640(<unknown-query>): ns_query_start
> > > general: debug 3: failed gss_inquire_cred: GSSAPI error:
> > Major = No
> > > credentials were supplied, or the credentials were
> unavailable or
> > > inaccessible, Minor = No Kerberos credentials available
> (default
> > > cache: FILE:/tmp/krb5cc_1001).
> > > general: debug 3: failed gss_accept_sec_context: GSSAPI
> > error: Major
> > > = Unspecified GSS failure. Minor code may provide more
> > information,
> > > Minor = No such file or directory (filename:
> > > /var/tmp/krb5_1001.rcache2).
> > > general: debug 4: process_gsstkey(): dns_tsigerror_badkey
> > > security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172
> > >
> (568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e):
> > > reset client
> > > client: debug 3: query client=0x7f01ac0eca18
> > >
> >
> thread=0x7f01c3fff640(568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY):
> query_reset
> > >
> > > Any insights, suggestions, or further troubleshooting steps to
> > > resolve this issue would be greatly appreciated. Thank you in
> > > advance for your assistance.
> > >
> > > Thanks
> > >
> > > Nagesh
> > >
> > >
> >
> > --
> > Petr Špaček
> >
>
> --
> Petr Špaček
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20240905/0e76d220/attachment-0001.htm>
More information about the bind-users
mailing list