Bug 29677 - IPv4 DynDNS updates from Windows client REFUSED
Status: CLOSED WORKSFORME
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 3.1
All Linux
P5 normal
UCS 3.1-0-errata
Assigned To: Arvid Requate
Stefan Gohmann
Depends on: 24880
Reported: 2012-12-10 12:47 CET by Philipp Hahn
Modified: 2014-05-19 19:09 CEST (History)

Bug group (optional): Troubleshooting
Attachments
Windows7 DDNS Update PCAP (3.43 KB, application/octet-stream)
2012-12-10 13:35 CET, Philipp Hahn
Description Philipp Hahn univentionstaff 2012-12-10 12:47:58 CET
+++ This bug was initially created as a clone of Bug #24880 +++
Analogous to Bug #23161, an IPv4-only Windows 7 client of mine also cannot register successfully in DNS.

 dhcpd: DHCPREQUEST for 192.168.123.12 from 52:54:00:1e:da:89 via eth0
 dhcpd: DHCPACK on 192.168.123.12 to 52:54:00:1e:da:89 via eth0
 dhcpd: DHCPDISCOVER from 00:15:99:8f:5d:60 via eth1: network 10.200.17.0/24: no free leases
 dhcpd: DHCPDISCOVER from 00:15:99:8f:5d:60 via eth1: network 10.200.17.0/24: no free leases
 named[4115]: samba_dlz: starting transaction on zone phahn.pt
 named[4115]: client 192.168.123.12#50508: update 'phahn.pt/IN' denied
 named[4115]: samba_dlz: cancelling transaction on zone phahn.pt
 named[4115]: samba_dlz: starting transaction on zone phahn.pt
 named[4115]: samba_dlz: disallowing update of signer=win7$@PHAHN.PT name=WIN7.phahn.pt type=AAAA error=insufficient access rights
 named[4115]: client 192.168.123.12#65367: updating zone 'phahn.pt/NONE': update failed: rejected by secure update (REFUSED)
 named[4115]: samba_dlz: cancelling transaction on zone phahn.pt

TCP dump is attached.

According to /var/lib/samba/private/named.conf.update and <http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#dynamic_update_policies>, the first entry "ms-self" should actually apply, but it does not seem to.
 update-policy {
   grant PHAHN.PT ms-self * A AAAA;
   grant Administrator@PHAHN.PT wildcard * A AAAA SRV CNAME;
   grant BACKUP$@phahn.pt wildcard * A AAAA SRV CNAME;
   grant MASTER$@phahn.pt wildcard * A AAAA SRV CNAME;
 };

The following works:
 # kinit Administrator
 Administrator@PHAHN.PT's Password:
 # nsupdate -g
 > server 192.168.123.1
 > update add member.phahn.pt. 120 TXT "Hello from Kerberos"
 > send
 > quit

The following does NOT work:
 # kinit --password-file=/etc/machine.secret member$
 # nsupdate -g
 > server 192.168.123.1
 > update add member.phahn.pt. 120 TXT "Hello from Kerberos"
 > send
 update failed: REFUSED
 > quit
Comment 1 Philipp Hahn univentionstaff 2012-12-10 13:35:08 CET
Created attachment 4887
Windows7 DDNS Update PCAP
Comment 2 Stefan Gohmann univentionstaff 2012-12-10 14:00:31 CET
A higher bind9 debug level showed this:

Dec 10 13:56:14 master named[30014]: samba_dlz: disallowing update of signer=win7$@PHAHN.PT name=WIN7.phahn.pt type=AAAA error=insufficient access rights

After renaming it to win7a, the update worked:

root@master:~# host win7a
win7a.phahn.pt has address 192.168.123.12
root@master:~# 

The check should be case-insensitive.
Comment 3 Arvid Requate univentionstaff 2012-12-18 16:25:34 CET
I cannot reproduce this with RC6, after join + reboot with synchronized time:

root@master20:~# host WIN7
WIN7.arucs31i20.qa has address 10.200.8.231

Relevant part of /var/log/syslog:
==============================================================================
Dec 10 14:03:30 master20 named[5344]: samba_dlz: starting transaction on zone arucs31i20.qa
Dec 10 14:03:30 master20 named[5344]: client 10.200.8.231#63732: update 'arucs31i20.qa/IN' denied
Dec 10 14:03:30 master20 named[5344]: samba_dlz: cancelling transaction on zone arucs31i20.qa
Dec 10 14:03:30 master20 named[5344]: samba_dlz: starting transaction on zone arucs31i20.qa
Dec 10 14:03:30 master20 named[5344]: samba_dlz: allowing update of signer=win7$@ARUCS31I20.QA name=WIN7.arucs31i20.qa tcpaddr= type=AAAA key=100-ms-7.1-75ca.469fad60-42d1-11e2-009c-52540006e299/160/0
Dec 10 14:03:30 master20 named[5344]: samba_dlz: allowing update of signer=win7$@ARUCS31I20.QA name=WIN7.arucs31i20.qa tcpaddr= type=A key=100-ms-7.1-75ca.469fad60-42d1-11e2-009c-52540006e299/160/0
Dec 10 14:03:30 master20 named[5344]: samba_dlz: allowing update of signer=win7$@ARUCS31I20.QA name=WIN7.arucs31i20.qa tcpaddr= type=A key=100-ms-7.1-75ca.469fad60-42d1-11e2-009c-52540006e299/160/0
Dec 10 14:03:30 master20 named[5344]: client 10.200.8.231#63143: updating zone 'arucs31i20.qa/NONE': deleting rrset at 'WIN7.arucs31i20.qa' AAAA
Dec 10 14:03:30 master20 named[5344]: client 10.200.8.231#63143: updating zone 'arucs31i20.qa/NONE': deleting rrset at 'WIN7.arucs31i20.qa' A
Dec 10 14:03:30 master20 named[5344]: client 10.200.8.231#63143: updating zone 'arucs31i20.qa/NONE': adding an RR at 'WIN7.arucs31i20.qa' A
Dec 10 14:03:30 master20 named[5344]: samba_dlz: added WIN7.arucs31i20.qa WIN7.arucs31i20.qa.#0111200#011IN#011A#01110.200.8.231
Dec 10 14:03:30 master20 named[5344]: samba_dlz: subtracted rdataset arucs31i20.qa 'arucs31i20.qa.#01110800#011IN#011SOA#011master20.arucs31i20.qa. root.arucs31i20.qa. 70 28800 7200 604800 0'
Dec 10 14:03:30 master20 named[5344]: samba_dlz: added rdataset arucs31i20.qa 'arucs31i20.qa.#01110800#011IN#011SOA#011master20.arucs31i20.qa. root.arucs31i20.qa. 71 28800 7200 604800 0'
Dec 10 14:03:30 master20 named[5344]: samba_dlz: committed transaction on zone arucs31i20.qa
Dec 10 14:03:30 master20 dhcpd: DHCPDISCOVER from 52:54:00:6a:89:f6 via eth0: network 10.200.8.0/24: no free leases
Dec 10 14:03:30 master20 dhcpd: DHCPREQUEST for 10.200.14.51 (10.200.14.50) from 52:54:00:6a:89:f6 via eth0: ignored (not authoritative).
Dec 10 14:03:30 master20 named[5344]: samba_dlz: starting transaction on zone 8.200.10.in-addr.arpa
Dec 10 14:03:30 master20 named[5344]: client 10.200.8.231#57447: update '8.200.10.in-addr.arpa/IN' denied
Dec 10 14:03:30 master20 named[5344]: samba_dlz: cancelling transaction on zone 8.200.10.in-addr.arpa
Dec 10 14:03:30 master20 named[5344]: samba_dlz: starting transaction on zone 8.200.10.in-addr.arpa
Dec 10 14:03:30 master20 named[5344]: samba_dlz: allowing update of signer=win7$@ARUCS31I20.QA name=231.8.200.10.in-addr.arpa tcpaddr= type=PTR key=100-ms-7.1-75ca.469fad60-42d1-11e2-009c-52540006e299/160/0
Dec 10 14:03:30 master20 named[5344]: samba_dlz: allowing update of signer=win7$@ARUCS31I20.QA name=231.8.200.10.in-addr.arpa tcpaddr= type=PTR key=100-ms-7.1-75ca.469fad60-42d1-11e2-009c-52540006e299/160/0
Dec 10 14:03:30 master20 named[5344]: client 10.200.8.231#64976: updating zone '8.200.10.in-addr.arpa/NONE': deleting rrset at '231.8.200.10.in-addr.arpa' PTR
Dec 10 14:03:30 master20 named[5344]: client 10.200.8.231#64976: updating zone '8.200.10.in-addr.arpa/NONE': adding an RR at '231.8.200.10.in-addr.arpa' PTR
Dec 10 14:03:30 master20 named[5344]: samba_dlz: added 231.8.200.10.in-addr.arpa 231.8.200.10.in-addr.arpa.#0111200#011IN#011PTR#011WIN7.arucs31i20.qa.
Dec 10 14:03:30 master20 named[5344]: samba_dlz: subtracted rdataset 8.200.10.in-addr.arpa '8.200.10.in-addr.arpa.#01110800#011IN#011SOA#011master20.arucs31i20.qa. root.arucs31i20.qa. 9 28800 7200 604800 0'
Dec 10 14:03:30 master20 named[5344]: samba_dlz: added rdataset 8.200.10.in-addr.arpa '8.200.10.in-addr.arpa.#01110800#011IN#011SOA#011master20.arucs31i20.qa. root.arucs31i20.qa. 10 28800 7200 604800 0'
Dec 10 14:03:30 master20 named[5344]: samba_dlz: committed transaction on zone 8.200.10.in-addr.arpa
==============================================================================


> The following does NOT work:
>  # kinit --password-file=/etc/machine.secret member$
>  > server 192.168.123.1
>  > update add member.phahn.pt. 120 TXT "Hello from Kerberos"
>  > send
>  update failed: REFUSED
>  > quit

Works for me, as long as the record was not previously created by someone else (and therefore carries ACLs that forbid write access).
Comment 4 Stefan Gohmann univentionstaff 2013-01-29 09:10:05 CET
OK, I can no longer reproduce the problem with the errata version either.
Comment 5 Stefan Gohmann univentionstaff 2013-01-29 20:24:56 CET
Nothing to publish.
Comment 6 Arvid Requate univentionstaff 2014-05-19 19:09:02 CEST
Just for future reference:

Yes, this is regular, documented behaviour for what Microsoft refers to as "secure dynamic updates". See:

* http://technet.microsoft.com/en-us/library/cc959308.aspx#EAAA
* http://technet.microsoft.com/en-us/library/cc961412.aspx#EAAA
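A toy model of the ownership rule behind the REFUSED described in Comment 3 and Comment 6, plus a parser for the samba_dlz log lines quoted above. This is an added example, not Samba or BIND code: the privileged set is taken from the update-policy quoted in the description, and the real server consults the record object's security descriptor in AD rather than this dictionary.

```python
import re
from dataclasses import dataclass, field

# Principals with a 'wildcard' grant in the named.conf.update quoted in the description;
# every other principal is treated like 'ms-self' (may only touch names it created itself).
PRIVILEGED = {"administrator@phahn.pt", "backup$@phahn.pt", "master$@phahn.pt"}

# Matches both the 'disallowing' and the 'allowing' lines shown in the report.
LOG_RE = re.compile(r"samba_dlz: (?P<verdict>allowing|disallowing) update of "
                    r"signer=(?P<signer>\S+) name=(?P<name>\S+)(?: tcpaddr=\S*)? type=(?P<type>\S+)")

def parse_dlz_line(line):
    """Extract verdict/signer/name/type from a samba_dlz log line; None for other lines."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

@dataclass
class SecureZone:
    """Toy zone: the first principal that writes a name via a signed update owns that name."""
    owners: dict = field(default_factory=dict)   # lowercase fqdn -> lowercase owning principal
    log: list = field(default_factory=list)

    def update(self, signer, fqdn, rtype):
        """True = update accepted, False = REFUSED. Names and principals compare case-insensitively."""
        key, who = fqdn.lower().rstrip("."), signer.lower()
        owner = self.owners.get(key)
        if owner is not None and owner != who and who not in PRIVILEGED:
            self.log.append(f"samba_dlz: disallowing update of signer={signer} name={fqdn} "
                            f"type={rtype} error=insufficient access rights")
            return False
        self.owners.setdefault(key, who)   # a new name: the signer becomes its owner
        self.log.append(f"samba_dlz: allowing update of signer={signer} name={fqdn} type={rtype}")
        return True

def replay_bug_report():
    """Replays the report's observations; returns (refused, renamed_ok, privileged_ok)."""
    z = SecureZone()
    z.update("Administrator@PHAHN.PT", "WIN7.phahn.pt", "A")               # pre-created by someone else
    refused = not z.update("win7$@PHAHN.PT", "WIN7.phahn.pt", "AAAA")      # the REFUSED in the log
    renamed_ok = z.update("win7$@PHAHN.PT", "win7a.phahn.pt", "A")        # fresh name works (Comment 2)
    privileged_ok = z.update("MASTER$@phahn.pt", "WIN7.phahn.pt", "A")    # wildcard grant may overwrite
    return refused, renamed_ok, privileged_ok
```

Run over the syslog excerpt, `parse_dlz_line` lets you pair each REFUSED with the signer and name it was refused for, which is the first thing to check before suspecting the policy file.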