Univention Bugzilla – Bug 29677
IPv4 DynDNS Updates vom Windows Client REFUSED
Last modified: 2014-05-19 19:09:02 CEST
+++ This bug was initially created as a clone of Bug #24880 +++

As with Bug #23161, an IPv4-only Windows 7 client is also unable to register itself successfully in DNS on my system.

dhcpd: DHCPREQUEST for 192.168.123.12 from 52:54:00:1e:da:89 via eth0
dhcpd: DHCPACK on 192.168.123.12 to 52:54:00:1e:da:89 via eth0
dhcpd: DHCPDISCOVER from 00:15:99:8f:5d:60 via eth1: network 10.200.17.0/24: no free leases
dhcpd: DHCPDISCOVER from 00:15:99:8f:5d:60 via eth1: network 10.200.17.0/24: no free leases
named[4115]: samba_dlz: starting transaction on zone phahn.pt
named[4115]: client 192.168.123.12#50508: update 'phahn.pt/IN' denied
named[4115]: samba_dlz: cancelling transaction on zone phahn.pt
named[4115]: samba_dlz: starting transaction on zone phahn.pt
named[4115]: samba_dlz: disallowing update of signer=win7\$\@PHAHN.PT name=WIN7.phahn.pt type=AAAA error=insufficient access rights
named[4115]: client 192.168.123.12#65367: updating zone 'phahn.pt/NONE': update failed: rejected by secure update (REFUSED)
named[4115]: samba_dlz: cancelling transaction on zone phahn.pt

A TCP dump is attached.

According to /var/lib/samba/private/named.conf.update and <http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#dynamic_update_policies>, the first entry, "ms-self", should actually match, but it apparently does not.

update-policy {
	grant PHAHN.PT ms-self * A AAAA;
	grant Administrator@PHAHN.PT wildcard * A AAAA SRV CNAME;
	grant BACKUP$@phahn.pt wildcard * A AAAA SRV CNAME;
	grant MASTER$@phahn.pt wildcard * A AAAA SRV CNAME;
};

The following works:

# kinit Administrator
Administrator@PHAHN.PT's Password:
# nsupdate -g
> server 192.168.123.1
> update add member.phahn.pt. 120 TXT "Hello from Kerberos"
> send
> quit

The following does NOT work:

# kinit --password-file=/etc/machine.secret member$
> server 192.168.123.1
> update add member.phahn.pt. 120 TXT "Hello from Kerberos"
> send
update failed: REFUSED
> quit
Created attachment 4887: Windows7 DDNS Update PCAP
A higher bind9 debug level showed this:

Dec 10 13:56:14 master named[30014]: samba_dlz: disallowing update of signer=win7\$\@PHAHN.PT name=WIN7.phahn.pt type=AAAA error=insufficient access rights

After renaming the host to win7a, the update worked:

root@master:~# host win7a
win7a.phahn.pt has address 192.168.123.12
root@master:~#

The check should be case-insensitive.
I cannot reproduce this with RC6; after join + reboot with synchronized time:

root@master20:~# host WIN7
WIN7.arucs31i20.qa has address 10.200.8.231

Relevant part of /var/log/syslog:
==============================================================================
Dec 10 14:03:30 master20 named[5344]: samba_dlz: starting transaction on zone arucs31i20.qa
Dec 10 14:03:30 master20 named[5344]: client 10.200.8.231#63732: update 'arucs31i20.qa/IN' denied
Dec 10 14:03:30 master20 named[5344]: samba_dlz: cancelling transaction on zone arucs31i20.qa
Dec 10 14:03:30 master20 named[5344]: samba_dlz: starting transaction on zone arucs31i20.qa
Dec 10 14:03:30 master20 named[5344]: samba_dlz: allowing update of signer=win7\$\@ARUCS31I20.QA name=WIN7.arucs31i20.qa tcpaddr= type=AAAA key=100-ms-7.1-75ca.469fad60-42d1-11e2-009c-52540006e299/160/0
Dec 10 14:03:30 master20 named[5344]: samba_dlz: allowing update of signer=win7\$\@ARUCS31I20.QA name=WIN7.arucs31i20.qa tcpaddr= type=A key=100-ms-7.1-75ca.469fad60-42d1-11e2-009c-52540006e299/160/0
Dec 10 14:03:30 master20 named[5344]: samba_dlz: allowing update of signer=win7\$\@ARUCS31I20.QA name=WIN7.arucs31i20.qa tcpaddr= type=A key=100-ms-7.1-75ca.469fad60-42d1-11e2-009c-52540006e299/160/0
Dec 10 14:03:30 master20 named[5344]: client 10.200.8.231#63143: updating zone 'arucs31i20.qa/NONE': deleting rrset at 'WIN7.arucs31i20.qa' AAAA
Dec 10 14:03:30 master20 named[5344]: client 10.200.8.231#63143: updating zone 'arucs31i20.qa/NONE': deleting rrset at 'WIN7.arucs31i20.qa' A
Dec 10 14:03:30 master20 named[5344]: client 10.200.8.231#63143: updating zone 'arucs31i20.qa/NONE': adding an RR at 'WIN7.arucs31i20.qa' A
Dec 10 14:03:30 master20 named[5344]: samba_dlz: added WIN7.arucs31i20.qa WIN7.arucs31i20.qa.#0111200#011IN#011A#01110.200.8.231
Dec 10 14:03:30 master20 named[5344]: samba_dlz: subtracted rdataset arucs31i20.qa 'arucs31i20.qa.#01110800#011IN#011SOA#011master20.arucs31i20.qa. root.arucs31i20.qa. 70 28800 7200 604800 0'
Dec 10 14:03:30 master20 named[5344]: samba_dlz: added rdataset arucs31i20.qa 'arucs31i20.qa.#01110800#011IN#011SOA#011master20.arucs31i20.qa. root.arucs31i20.qa. 71 28800 7200 604800 0'
Dec 10 14:03:30 master20 named[5344]: samba_dlz: committed transaction on zone arucs31i20.qa
Dec 10 14:03:30 master20 dhcpd: DHCPDISCOVER from 52:54:00:6a:89:f6 via eth0: network 10.200.8.0/24: no free leases
Dec 10 14:03:30 master20 dhcpd: DHCPREQUEST for 10.200.14.51 (10.200.14.50) from 52:54:00:6a:89:f6 via eth0: ignored (not authoritative).
Dec 10 14:03:30 master20 named[5344]: samba_dlz: starting transaction on zone 8.200.10.in-addr.arpa
Dec 10 14:03:30 master20 named[5344]: client 10.200.8.231#57447: update '8.200.10.in-addr.arpa/IN' denied
Dec 10 14:03:30 master20 named[5344]: samba_dlz: cancelling transaction on zone 8.200.10.in-addr.arpa
Dec 10 14:03:30 master20 named[5344]: samba_dlz: starting transaction on zone 8.200.10.in-addr.arpa
Dec 10 14:03:30 master20 named[5344]: samba_dlz: allowing update of signer=win7\$\@ARUCS31I20.QA name=231.8.200.10.in-addr.arpa tcpaddr= type=PTR key=100-ms-7.1-75ca.469fad60-42d1-11e2-009c-52540006e299/160/0
Dec 10 14:03:30 master20 named[5344]: samba_dlz: allowing update of signer=win7\$\@ARUCS31I20.QA name=231.8.200.10.in-addr.arpa tcpaddr= type=PTR key=100-ms-7.1-75ca.469fad60-42d1-11e2-009c-52540006e299/160/0
Dec 10 14:03:30 master20 named[5344]: client 10.200.8.231#64976: updating zone '8.200.10.in-addr.arpa/NONE': deleting rrset at '231.8.200.10.in-addr.arpa' PTR
Dec 10 14:03:30 master20 named[5344]: client 10.200.8.231#64976: updating zone '8.200.10.in-addr.arpa/NONE': adding an RR at '231.8.200.10.in-addr.arpa' PTR
Dec 10 14:03:30 master20 named[5344]: samba_dlz: added 231.8.200.10.in-addr.arpa 231.8.200.10.in-addr.arpa.#0111200#011IN#011PTR#011WIN7.arucs31i20.qa.
Dec 10 14:03:30 master20 named[5344]: samba_dlz: subtracted rdataset 8.200.10.in-addr.arpa '8.200.10.in-addr.arpa.#01110800#011IN#011SOA#011master20.arucs31i20.qa. root.arucs31i20.qa. 9 28800 7200 604800 0'
Dec 10 14:03:30 master20 named[5344]: samba_dlz: added rdataset 8.200.10.in-addr.arpa '8.200.10.in-addr.arpa.#01110800#011IN#011SOA#011master20.arucs31i20.qa. root.arucs31i20.qa. 10 28800 7200 604800 0'
Dec 10 14:03:30 master20 named[5344]: samba_dlz: committed transaction on zone 8.200.10.in-addr.arpa
==============================================================================

> The following does NOT work:
> # kinit --password-file=/etc/machine.secret member$
> > server 192.168.123.1
> > update add member.phahn.pt. 120 TXT "Hello from Kerberos"
> > send
> update failed: REFUSED
> > quit

Works for me, as long as the record was not created earlier by someone else (and therefore carries ACLs that forbid write access).
OK, I can no longer reproduce the problem with the errata version either.
Nothing to publish.
Just for future reference: yes, this is regular documented behaviour for what Microsoft refers to as "secure dynamic updates". See:
* http://technet.microsoft.com/en-us/library/cc959308.aspx#EAAA
* http://technet.microsoft.com/en-us/library/cc961412.aspx#EAAA
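As an added illustration (not code from Univention, Samba or BIND), the following Python model evaluates a signed update the way the two explanations in this bug describe it. It covers the "grant PHAHN.PT ms-self * A AAAA" rule from the named.conf.update quoted in the report (a machine principal of the form machine$@REALM may update the name machine.realm, compared case-insensitively, which is why win7$@PHAHN.PT is expected to match WIN7.phahn.pt) and the ownership rule from the last two comments (under Microsoft-style secure dynamic updates, a record created by one account is not writable by another). The names MsSelfRule, SecureZone, split_principal and replay_thread_scenario, the owner table, and every principal and record name in the demo are constructed for this example; the real Samba DLZ backend enforces ownership through directory ACLs, and this model does not reproduce that mechanism.

```python
"""Model of BIND's ``ms-self`` update-policy rule plus a record-owner check.

Added illustration only; not Univention, Samba or BIND code. The owner table
is a constructed stand-in for the per-record ACLs the bug comments refer to.
"""
from dataclasses import dataclass, field


@dataclass
class MsSelfRule:
    """One ``grant <REALM> ms-self * <types>;`` statement (constructed model)."""
    realm: str
    types: frozenset = frozenset({"A", "AAAA"})


def split_principal(signer: str):
    """Split ``win7$@PHAHN.PT`` into (machine, realm).

    Accepts the backslash-escaped form BIND prints in its log lines
    (``win7\\$\\@PHAHN.PT``). Returns None for non-machine principals.
    """
    signer = signer.replace("\\", "")
    if "@" not in signer:
        return None
    name, realm = signer.rsplit("@", 1)
    if not name.endswith("$"):
        return None
    return name[:-1], realm


def ms_self_allows(rule: MsSelfRule, signer: str, record_name: str, rtype: str) -> bool:
    """True if the signer's machine principal owns ``record_name`` under ms-self.

    DNS names are compared case-insensitively, so win7$@PHAHN.PT matches both
    WIN7.phahn.pt and win7.phahn.pt. The realm must equal the rule's identity.
    """
    parts = split_principal(signer)
    if parts is None:
        return False
    machine, realm = parts
    if realm.lower() != rule.realm.lower():
        return False
    expected = f"{machine}.{realm}".lower()
    if record_name.rstrip(".").lower() != expected:
        return False
    return rtype.upper() in rule.types


@dataclass
class SecureZone:
    """Zone guarded by an ms-self rule and a record-owner table (constructed)."""
    rule: MsSelfRule
    owners: dict = field(default_factory=dict)  # lowercased name -> creating principal

    def update(self, signer: str, record_name: str, rtype: str) -> str:
        """Return 'NOERROR' or a 'REFUSED: ...' string naming the reason."""
        key = record_name.rstrip(".").lower()
        if not ms_self_allows(self.rule, signer, record_name, rtype):
            return "REFUSED: policy does not grant this signer the name"
        owner = self.owners.get(key)
        if owner is not None and owner.lower() != signer.replace("\\", "").lower():
            # The "works for me unless someone else created the record first" case.
            return "REFUSED: record owned by another principal"
        # First writer becomes the owner; later writes by the same account keep it.
        self.owners.setdefault(key, signer.replace("\\", ""))
        return "NOERROR"


def replay_thread_scenario() -> dict:
    """Replay the cases discussed in the bug with constructed sample data."""
    rule = MsSelfRule("PHAHN.PT")
    results = {}
    # Report: machine principal (as logged by BIND) vs. upper-case host name.
    results["win7_self_aaaa"] = ms_self_allows(rule, "win7\\$\\@PHAHN.PT", "WIN7.phahn.pt", "AAAA")
    # A different host name is not the principal's own name.
    results["win7_other_name"] = ms_self_allows(rule, "win7$@PHAHN.PT", "win7a.phahn.pt", "A")
    # Record created earlier by another account: refused by the owner check.
    owned = SecureZone(rule, owners={"win7.phahn.pt": "Administrator@PHAHN.PT"})
    results["owned_by_other"] = owned.update("win7$@PHAHN.PT", "WIN7.phahn.pt", "A")
    # Fresh zone: the machine account creates and then refreshes its own record.
    fresh = SecureZone(rule)
    results["fresh_create"] = fresh.update("win7$@PHAHN.PT", "WIN7.phahn.pt", "A")
    results["fresh_refresh"] = fresh.update("WIN7$@phahn.pt", "win7.phahn.pt", "AAAA")
    results["fresh_owner"] = fresh.owners["win7.phahn.pt"]
    return results


if __name__ == "__main__":
    for case, outcome in replay_thread_scenario().items():
        print(f"{case}: {outcome}")
```

The first REFUSED path corresponds to BIND's own policy evaluation; the second corresponds to the ownership behaviour the later comments describe, where a correctly matching ms-self principal is still turned away because another account created the record first.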