GSS-TSIG updates from Windows clients

John Miller johnmill at brandeis.edu
Fri May 2 23:16:05 UTC 2014


Hi folks,

I'm trying to get our AD domain controllers to update our BIND 9.8.2
servers--specifically for the zone

_msdcs.lab.brandeis.edu.

I've got updates working in general: I can run kinit <username>@REALM (
johnmill-dns-test@lab.brandeis.edu in this case), then successfully run
nsupdate -g from my desktop:

server dns-ext-dev1.lab.brandeis.edu
zone _msdcs.lab.brandeis.edu.
update add yourmom._msdcs.lab.brandeis.edu. 300 IN A 127.0.0.1
send

This works fine--I grab the necessary tickets from our domain controllers,
and BIND accepts my update.

My update-policy {} directive for the zone looks like:

update-policy {
  grant johnmill-dnstest@LAB.BRANDEIS.EDU zonesub ANY;
  grant * zonesub ANY;
}

This is uber-lenient--I don't plan to leave things this way, but the
wildcard should allow anything with a pulse to update.

When I try to use Windows (the domain controller itself) to send updates,
the update first gets sent insecurely (which fails), then Windows attempts
secure authentication (and succeeds), but doesn't actually send a secured
update:

named[13861]: client 129.64.102.112#64501: UDP request
named[13861]: client 129.64.102.112#64501: using view '_default'
named[13861]: client 129.64.102.112#64501: request is not signed
named[13861]: client 129.64.102.112#64501: recursion not available
named[13861]: client 129.64.102.112#64501: update
named[13861]: client 129.64.102.112#64501: update '_msdcs.lab.brandeis.edu/IN' denied
named[13861]: client 129.64.102.112#64501: send
named[13861]: client 129.64.102.112#64501: sendto
named[13861]: client 129.64.102.112#64501: senddone
named[13861]: client 129.64.102.112#64501: next
named[13861]: client 129.64.102.112#64501: endrequest
named[13861]: client @0x7f75640f6980: udprecv
named[13861]: client 129.64.102.112#52448: new TCP connection
named[13861]: client 129.64.102.112#52448: replace
named[13861]: clientmgr @0x7f7564003f98: createclients
named[13861]: clientmgr @0x7f7564003f98: recycle
named[13861]: client 129.64.102.112#52448: read
named[13861]: client 129.64.102.112#52448: TCP request
named[13861]: client 129.64.102.112#52448: using view '_default'
named[13861]: client 129.64.102.112#52448: request is not signed
named[13861]: client 129.64.102.112#52448: recursion not available
named[13861]: client 129.64.102.112#52448: query
named[13861]: failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Success.
named[13861]: gss-api source name (accept) is AD-2K8-DEV1$@LAB.BRANDEIS.EDU
named[13861]: process_gsstkey(): dns_tsigerror_noerror
named[13861]: client 129.64.102.112#52448: send
named[13861]: client 129.64.102.112#52448: sendto
named[13861]: client 129.64.102.112#52448: senddone
named[13861]: client 129.64.102.112#52448: next
named[13861]: client 129.64.102.112#52448: endrequest
named[13861]: client 129.64.102.112#52448: read
named[13861]: client @0x7f7564104b70: accept
named[13861]: client 129.64.102.112#52448: next
named[13861]: client 129.64.102.112#52448: request failed: end of file
named[13861]: client 129.64.102.112#52448: endrequest
named[13861]: client 129.64.102.112#52448: closetcp
named[13861]: client 129.64.102.112#64230: UDP request
named[13861]: client 129.64.102.112#64230: using view '_default'
named[13861]: client 129.64.102.112#64230: request is not signed
named[13861]: client 129.64.102.112#64230: recursion not available
named[13861]: client 129.64.102.112#64230: query
named[13861]: client 129.64.102.112#64230: query '_msdcs.lab.brandeis.edu/SOA/IN' approved
named[13861]: client 129.64.102.112#64230: send
named[13861]: client 129.64.102.112#64230: sendto
named[13861]: client 129.64.102.112#64230: senddone
named[13861]: client 129.64.102.112#64230: next
named[13861]: client 129.64.102.112#64230: endrequest
named[13861]: client @0x7f75640f6980: udprecv
named[13861]: client 129.64.102.112#63381: UDP request
named[13861]: client 129.64.102.112#63381: using view '_default'
named[13861]: client 129.64.102.112#63381: request is not signed
named[13861]: client 129.64.102.112#63381: recursion not available
named[13861]: client 129.64.102.112#63381: query
named[13861]: client 129.64.102.112#63381: query (cache) 'dns-ext-dev1.lab.brandeis.edu/A/IN' denied
named[13861]: client 129.64.102.112#63381: error
named[13861]: client 129.64.102.112#63381: send
named[13861]: client 129.64.102.112#63381: sendto
named[13861]: client 129.64.102.112#63381: senddone
named[13861]: client 129.64.102.112#63381: next
named[13861]: client 129.64.102.112#63381: endrequest
named[13861]: client @0x7f75640f6980: udprecv
named[13861]: client 129.64.99.24#21999: UDP request
named[13861]: client 129.64.99.24#21999: using view '_default'
named[13861]: client 129.64.99.24#21999: request is not signed
named[13861]: client 129.64.99.24#21999: recursion not available
named[13861]: client 129.64.99.24#21999: query
named[13861]: client 129.64.99.24#21999: query '_kerberos._tcp.dc._msdcs.lab.brandeis.edu/SOA/IN' approved
named[13861]: client 129.64.99.24#21999: send
named[13861]: client 129.64.99.24#21999: sendto
named[13861]: client 129.64.99.24#21999: senddone
named[13861]: client 129.64.99.24#21999: next
named[13861]: client 129.64.99.24#21999: endrequest
named[13861]: client @0x7f75640f6980: udprecv
named[13861]: client 129.64.102.112#63504: UDP request
named[13861]: client 129.64.102.112#63504: using view '_default'
named[13861]: client 129.64.102.112#63504: request is not signed
named[13861]: client 129.64.102.112#63504: recursion not available
named[13861]: client 129.64.102.112#63504: update
named[13861]: client 129.64.102.112#63504: update '_msdcs.lab.brandeis.edu/IN' denied
named[13861]: client 129.64.102.112#63504: send
named[13861]: client 129.64.102.112#63504: sendto
named[13861]: client 129.64.102.112#63504: senddone
named[13861]: client 129.64.102.112#63504: next
named[13861]: client 129.64.102.112#63504: endrequest

Contrast this with logs from a successful update (from my desktop):

named[12766]: client 129.64.8.232#56297: UDP request
named[12766]: client 129.64.8.232#56297: using view '_default'
named[12766]: client 129.64.8.232#56297: request is not signed
named[12766]: client 129.64.8.232#56297: recursion not available
named[12766]: client 129.64.8.232#56297: query
named[12766]: client 129.64.8.232#56297: query '_msdcs.lab.brandeis.edu/SOA/IN' approved
named[12766]: client 129.64.8.232#56297: send
named[12766]: client 129.64.8.232#56297: sendto
named[12766]: client 129.64.8.232#56297: senddone
named[12766]: client 129.64.8.232#56297: next
named[12766]: client 129.64.8.232#56297: endrequest
named[12766]: client @0x7f51a80f6980: udprecv
named[12766]: client 129.64.8.232#34226: new TCP connection
named[12766]: client 129.64.8.232#34226: replace
named[12766]: clientmgr @0x7f51a8004f98: createclients
named[12766]: clientmgr @0x7f51a8004f98: recycle
named[12766]: client 129.64.8.232#34226: read
named[12766]: client 129.64.8.232#34226: TCP request
named[12766]: client 129.64.8.232#34226: using view '_default'
named[12766]: client 129.64.8.232#34226: request is not signed
named[12766]: client 129.64.8.232#34226: recursion not available
named[12766]: client 129.64.8.232#34226: query
named[12766]: failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Success.
named[12766]: gss-api source name (accept) is johnmill-dnstest@LAB.BRANDEIS.EDU
named[12766]: process_gsstkey(): dns_tsigerror_noerror
named[12766]: client 129.64.8.232#34226: send
named[12766]: client 129.64.8.232#34226: sendto
named[12766]: client 129.64.8.232#34226: senddone
named[12766]: client 129.64.8.232#34226: next
named[12766]: client 129.64.8.232#34226: endrequest
named[12766]: client 129.64.8.232#34226: read
named[12766]: client @0x7f51a847c120: accept
named[12766]: client 129.64.8.232#34226: next
named[12766]: client 129.64.8.232#34226: request failed: end of file
named[12766]: client 129.64.8.232#34226: endrequest
named[12766]: client 129.64.8.232#34226: closetcp
named[12766]: client 129.64.8.232#49802: new TCP connection
named[12766]: client 129.64.8.232#49802: replace
named[12766]: clientmgr @0x7f51a8004f98: createclients
named[12766]: clientmgr @0x7f51a8004f98: recycle
named[12766]: client 129.64.8.232#49802: read
named[12766]: client 129.64.8.232#49802: TCP request
named[12766]: client 129.64.8.232#49802: using view '_default'
named[12766]: client 129.64.8.232#49802: request has valid signature:
johnmill-dnstest\@LAB.BRANDEIS.EDU
named[12766]: client 129.64.8.232#49802: recursion not available
named[12766]: client 129.64.8.232#49802: update
named[12766]: client @0x7f51a8104b70: accept
named[12766]: client 129.64.8.232#49802: updating zone '_msdcs.lab.brandeis.edu/IN': adding an RR at 'yourmom._msdcs.lab.brandeis.edu' A
named[12766]: client 129.64.8.232#49802: send
named[12766]: client 129.64.8.232#49802: sendto
named[12766]: client 129.64.8.232#49802: senddone
named[12766]: client 129.64.8.232#49802: next

Even though it sends valid TKEY credentials, why doesn't Windows actually
sign its updates or use a TCP connection for them?  Any way to actually get
the Windows side of things to send signed updates?

John

-- 
John Miller
Systems Engineer
Brandeis University
johnmill at brandeis.edu
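The two named debug logs above contrast a client that negotiates a GSS-TSIG key and then never signs an update (the domain controller) with one that negotiates and then sends a signed UPDATE (the desktop). The following script is an added example, not part of the post and not ISC code: it reads named debug lines of the form shown in the post, groups them by client address, and reports for each client which principal was accepted in TKEY, how many updates arrived unsigned, how many arrived signed, and how many records actually changed. The sample log embedded in the script is an excerpt of the lines quoted above (wrapped lines rejoined). The one assumption to be aware of is that the gss-api and process_gsstkey lines carry no client tag, so the script attributes them to the most recently tagged client; that holds for a single-process log read in order but could misattribute in an interleaved log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Lines excerpted from the two named debug logs in the post above
# (wrapped lines rejoined); only the lines the analysis keys on are kept.
SAMPLE_LOG = r"""named[13861]: client 129.64.102.112#64501: request is not signed
named[13861]: client 129.64.102.112#64501: update
named[13861]: client 129.64.102.112#64501: update '_msdcs.lab.brandeis.edu/IN' denied
named[13861]: client 129.64.102.112#52448: request is not signed
named[13861]: client 129.64.102.112#52448: query
named[13861]: gss-api source name (accept) is AD-2K8-DEV1$@LAB.BRANDEIS.EDU
named[13861]: process_gsstkey(): dns_tsigerror_noerror
named[13861]: client 129.64.102.112#63504: request is not signed
named[13861]: client 129.64.102.112#63504: update
named[13861]: client 129.64.102.112#63504: update '_msdcs.lab.brandeis.edu/IN' denied
named[12766]: client 129.64.8.232#34226: request is not signed
named[12766]: client 129.64.8.232#34226: query
named[12766]: gss-api source name (accept) is johnmill-dnstest@LAB.BRANDEIS.EDU
named[12766]: process_gsstkey(): dns_tsigerror_noerror
named[12766]: client 129.64.8.232#49802: request has valid signature: johnmill-dnstest\@LAB.BRANDEIS.EDU
named[12766]: client 129.64.8.232#49802: update
named[12766]: client 129.64.8.232#49802: updating zone '_msdcs.lab.brandeis.edu/IN': adding an RR at 'yourmom._msdcs.lab.brandeis.edu' A
"""

CLIENT_RE = re.compile(r"client (?P<ip>[\d.]+)#(?P<port>\d+): (?P<msg>.*)$")
GSS_NAME_RE = re.compile(r"gss-api source name \(accept\) is (?P<principal>\S+)")
VALID_SIG_RE = re.compile(r"request has valid signature: (?P<signer>\S+)")
TKEY_OK = "process_gsstkey(): dns_tsigerror_noerror"


@dataclass
class ClientState:
    """What one client address did, across all of its UDP/TCP sockets."""
    principals: set = field(default_factory=set)  # names accepted in TKEY
    signers: set = field(default_factory=set)     # names that signed an UPDATE
    tkey_completed: int = 0
    unsigned_updates: int = 0
    signed_updates: int = 0
    updates_denied: int = 0
    records_changed: int = 0


def analyze(log_text):
    """Group named debug lines by client IP and count the GSS-TSIG steps.

    Untagged lines (gss-api / process_gsstkey) are attributed to the most
    recently tagged client: an assumption that holds for a single-process
    log read in order.
    """
    clients = defaultdict(ClientState)
    signer_by_socket = {}  # (ip, port) -> signer name, or None if unsigned
    last_ip = None
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m is None:
            g = GSS_NAME_RE.search(line)
            if g and last_ip:
                clients[last_ip].principals.add(g.group("principal"))
            elif TKEY_OK in line and last_ip:
                clients[last_ip].tkey_completed += 1
            continue
        ip, port, msg = m.group("ip"), m.group("port"), m.group("msg")
        last_ip = ip
        sock = (ip, port)
        st = clients[ip]
        sig = VALID_SIG_RE.match(msg)
        if msg == "request is not signed":
            signer_by_socket[sock] = None
        elif sig:
            # named escapes the '@' in the signer name; undo that for reporting
            signer_by_socket[sock] = sig.group("signer").replace("\\@", "@")
        elif msg == "update":
            signer = signer_by_socket.get(sock)
            if signer is None:
                st.unsigned_updates += 1
            else:
                st.signed_updates += 1
                st.signers.add(signer)
        elif msg.startswith("update '") and msg.endswith(" denied"):
            st.updates_denied += 1
        elif msg.startswith("updating zone "):
            st.records_changed += 1
    return dict(clients)


def diagnose(clients):
    """One verdict per client address, mirroring the contrast in the post."""
    verdicts = {}
    for ip, st in clients.items():
        if st.signed_updates:
            verdicts[ip] = "ok"
        elif st.principals:
            verdicts[ip] = "tkey negotiated but no signed update seen"
        elif st.unsigned_updates:
            verdicts[ip] = "unsigned updates only"
        else:
            verdicts[ip] = "no updates"
    return verdicts


if __name__ == "__main__":
    states = analyze(SAMPLE_LOG)
    for ip, verdict in diagnose(states).items():
        st = states[ip]
        print(f"{ip}: {verdict}; principals={sorted(st.principals)} "
              f"unsigned={st.unsigned_updates} signed={st.signed_updates} "
              f"denied={st.updates_denied} changed={st.records_changed}")
```

Run against the excerpt, the domain controller (129.64.102.112) comes out as "tkey negotiated but no signed update seen" with two unsigned, denied updates and a machine principal accepted in TKEY, while the desktop (129.64.8.232) comes out "ok" with one signed update and one record changed. The same parser can be pointed at a full debug log (feed the file contents to analyze) to find every client that negotiates a key and then never uses it.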
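On the update-policy side, the post's wildcard grant is shown next to a tighter alternative below. This zone stanza is an added illustration, not configuration from the post or from ISC; the zone file path is an assumed placeholder, and the tkey-gssapi keytab settings that make TKEY negotiation work are assumed to already be in place in the options block, since the logs show negotiation succeeding. The ms-subdomain rule in the BIND update-policy matches only Windows machine principals (host$@REALM, like AD-2K8-DEV1$@LAB.BRANDEIS.EDU above), which is exactly what a domain controller presents, so a user principal used for nsupdate testing still needs its own explicit grant.

```conf
zone "_msdcs.lab.brandeis.edu" {
    type master;
    file "dynamic/_msdcs.lab.brandeis.edu.db";   // assumed path

    // Lenient policy from the post: any identity that completes a
    // TSIG or GSS-TSIG negotiation may change any record under the zone.
    // Note that update-policy never admits unsigned updates, so the DC's
    // first unsigned attempt is denied under either policy.
    //
    // update-policy {
    //     grant johnmill-dnstest@LAB.BRANDEIS.EDU zonesub ANY;
    //     grant * zonesub ANY;
    // };

    // Tighter policy: only machine accounts in the LAB.BRANDEIS.EDU realm
    // may update names at or below _msdcs.lab.brandeis.edu. The test user
    // keeps a separate, explicit grant that can be removed after testing.
    update-policy {
        grant LAB.BRANDEIS.EDU ms-subdomain _msdcs.lab.brandeis.edu. ANY;
        grant johnmill-dnstest@LAB.BRANDEIS.EDU zonesub ANY;
    };
};
```

Run named-checkconf after editing, then repeat the nsupdate -g test with the user principal and watch for "request has valid signature" followed by "updating zone" in the debug log; a signed update from a principal that matches no grant is logged as denied rather than applied.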