Bug 43850 - UCS 4.2: nsupdate: update failed: REFUSED
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2
Assigned To: Arvid Requate
Stefan Gohmann
: interim-3
Depends on:
Blocks: 43758
Reported: 2017-03-14 19:17 CET by Arvid Requate
Modified: 2017-04-04 18:29 CEST (History)

What kind of report is it?: Development Internal


Attachments
daemon.log -- without SPNEGO error (18.20 KB, text/x-log)
2017-03-14 19:17 CET, Arvid Requate

Description Arvid Requate univentionstaff 2017-03-14 19:17:56 CET
Created attachment 8531
daemon.log -- without SPNEGO error

While looking into Bug 43758 Lukas discovered that nsupdate fails. The strange thing is that the log messages in daemon.log appear in different variations. This error was shown with dns/dlz/debug/level=3:

===========================================================================
Mar 14 17:21:45 master60 named[7884]: samba_dlz: starting transaction on zone c0qxhpzos3.cnrxgshlb9
Mar 14 17:21:45 master60 named[7884]: samba_dlz: GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Checksum type 1 not keyed
Mar 14 17:21:45 master60 named[7884]: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Mar 14 17:21:45 master60 named[7884]: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Mar 14 17:21:45 master60 named[7884]: samba_dlz: spnego update failed
Mar 14 17:21:45 master60 named[7884]: client 10.200.46.60#50129/key Administrator\@LOYEN.INTRANET: updating zone 'c0qxhpzos3.cnrxgshlb9/NONE': update failed: rejected by secure update (REFUSED)
Mar 14 17:21:45 master60 named[7884]: samba_dlz: cancelling transaction on zone c0qxhpzos3.cnrxgshlb9
===========================================================================

And when you run it again it looks like everything is ok, see attachment with dns/dlz/debug/level=10. This is basically what we did manually:

===========================================================================
root@master60# kinit Administrator
root@master60# nsupdate -v -g <<%EOF
server master60.loyen.intranet
zone c0qxhpzos3.cnrxgshlb9.
update add c0qxhpzos3.cnrxgshlb9. 1200 IN A 1.149.249.211
send
%EOF
===========================================================================

+++ This bug was initially created as a clone of Bug #43758 +++
Comment 1 Arvid Requate univentionstaff 2017-03-14 19:19:57 CET
The error message

GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): 

comes from samba-4.6.0/source4/auth/gensec/gensec_gssapi.c and the detail

Checksum type 1 not keyed

comes from samba-4.6.0/source4/heimdal/lib/krb5/pac.c
Comment 2 Arvid Requate univentionstaff 2017-03-14 19:28:08 CET
But samba_dnsupdate works:

root@master60:~# samba-tool dns query localhost loyen.intranet \
  _gc._tcp SRV \
  -UAdministrator%univention 
  Name=, Records=1, Children=0
    SRV: master60.loyen.intranet. (3268, 0, 100) (flags=f0, serial=1, ttl=900)

root@master60:~# samba-tool dns delete localhost loyen.intranet \
  _gc._tcp SRV "master60.loyen.intranet. 3268 0 100" \
  -UAdministrator%univention
Record deleted successfully

root@master60:~# samba_dnsupdate 
root@master60:~# samba-tool dns query localhost loyen.intranet \
  _gc._tcp SRV \
  -UAdministrator%univention
  Name=, Records=1, Children=0
    SRV: master60.loyen.intranet. (3268, 0, 100) (flags=f0, serial=29, ttl=900)
Comment 3 Arvid Requate univentionstaff 2017-03-15 20:36:48 CET
I've adjusted the encryption types lists in the /etc/krb5.conf template in univention-heimdal.

We adjusted the default_tkt_enctypes some time ago (Bug 23999) and put des-cbc-md5 before des3-hmac-sha1. In this case the nsupdate started to work again when I put arcfour-hmac-md5 before des3-hmac-sha1 in default_tgs_enctypes.
Since this grows a bit wild and arbitrary, I've now ordered all three enctypes lists in the same way, starting in the same order as samba does internally (function: get_enctypes) and appending the des-cbc-md4 and 3des types that samba doesn't specify:

[libdefaults]
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
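As an added check (not part of UCS, Samba, or the fix in this bug), the following script parses the three enctype lists in a krb5.conf [libdefaults] section and reports when they are ordered differently from each other, when the Samba-known types are not in the order comment 3 attributes to get_enctypes, or when the appended 3des/des-cbc-md4 types precede Samba's own; it also lists the weak types still permitted. The sample configuration is constructed from the block above, and SAMBA_ORDER is an assumption taken from that comment rather than read from Samba's source.

```python
import re

# Constructed sample (not a real file): the [libdefaults] block from comment 3 plus a realm line.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = LOYEN.INTRANET
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
[realms]
"""

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
# Assumed internal Samba preference order (get_enctypes), as described in comment 3.
SAMBA_ORDER = ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
               "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5")
# Legacy types a defender will want to retire once no client or DC still needs them.
WEAK_TYPES = {"arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
              "des3-hmac-sha1", "des3-cbc-sha1"}


def parse_libdefaults(text):
    """Return {key: [enctype, ...]} for the enctype lists found in [libdefaults]."""
    lists, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() in ENCTYPE_KEYS:
                lists[key.strip()] = value.split()
    return lists


def check_enctypes(text):
    """Return findings; an empty list means all three lists agree and follow Samba's order."""
    lists = parse_libdefaults(text)
    findings = ["missing %s" % k for k in ENCTYPE_KEYS if k not in lists]
    if len({tuple(v) for v in lists.values()}) > 1:
        findings.append("enctype lists are ordered differently")
    for key, enctypes in lists.items():
        known = [e for e in enctypes if e in SAMBA_ORDER]
        if known != [e for e in SAMBA_ORDER if e in enctypes]:
            findings.append("%s: Samba-known types not in Samba's order" % key)
        first_extra = next((i for i, e in enumerate(enctypes) if e not in SAMBA_ORDER), len(enctypes))
        last_known = max((i for i, e in enumerate(enctypes) if e in SAMBA_ORDER), default=-1)
        if last_known > first_extra:
            findings.append("%s: extra types (3des/des-cbc-md4) listed before Samba's own" % key)
    return findings


def weak_types_enabled(text):
    """Weak types still present in permitted_enctypes, in list order."""
    return [e for e in parse_libdefaults(text).get("permitted_enctypes", []) if e in WEAK_TYPES]
```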
Comment 4 Arvid Requate univentionstaff 2017-03-15 20:41:21 CET
Changelog adjusted.
Comment 5 Stefan Gohmann univentionstaff 2017-03-16 19:44:07 CET
Changelog: OK

ucs-test: OK

Manual tests: OK

Code review: OK
Comment 6 Stefan Gohmann univentionstaff 2017-04-04 18:29:59 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".