Univention Bugzilla – Bug 43850
UCS 4.2: nsupdate: update failed: REFUSED
Last modified: 2017-04-04 18:29:59 CEST
Created attachment 8531 [details]
daemon.log -- without SPNEGO error

While looking into Bug 43758 Lukas discovered that nsupdate fails. The strange thing is that the log messages in daemon.log appear in different variations. This error was shown with dns/dlz/debug/level=3:

===========================================================================
Mar 14 17:21:45 master60 named[7884]: samba_dlz: starting transaction on zone c0qxhpzos3.cnrxgshlb9
Mar 14 17:21:45 master60 named[7884]: samba_dlz: GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Checksum type 1 not keyed
Mar 14 17:21:45 master60 named[7884]: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Mar 14 17:21:45 master60 named[7884]: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Mar 14 17:21:45 master60 named[7884]: samba_dlz: spnego update failed
Mar 14 17:21:45 master60 named[7884]: client 10.200.46.60#50129/key Administrator\@LOYEN.INTRANET: updating zone 'c0qxhpzos3.cnrxgshlb9/NONE': update failed: rejected by secure update (REFUSED)
Mar 14 17:21:45 master60 named[7884]: samba_dlz: cancelling transaction on zone c0qxhpzos3.cnrxgshlb9
===========================================================================

And when you run it again it looks like everything is OK, see the attachment with dns/dlz/debug/level=10.

This is basically what we did manually:

===========================================================================
root@master60# kinit Administrator
root@master60# nsupdate -v -g <<%EOF
server master60.loyen.intranet
zone c0qxhpzos3.cnrxgshlb9.
update add c0qxhpzos3.cnrxgshlb9. 1200 IN A 1.149.249.211
send
%EOF
===========================================================================

+++ This bug was initially created as a clone of Bug #43758 +++
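The daemon.log excerpt above interleaves samba_dlz's GSS/SPNEGO messages with named's own "rejected by secure update (REFUSED)" line, and the report says the pattern varies between runs. The following is an added example, not code from the bug report, Univention, Samba or BIND: it groups the lines between "starting transaction on zone X" and the matching "cancelling/committing transaction on zone X" and reports, per transaction, whether the update was refused, by which client and key, and which GSS error samba_dlz logged. The sample log is constructed from the lines in the report plus a hypothetical second attempt that commits; the "committing transaction" wording is assumed.

```python
"""Correlate samba_dlz GSS-TSIG failures with named's REFUSED line per zone.

Added example, not code from the bug report, Univention, Samba or BIND.
"""
import re

# Constructed sample: the failing transaction from the report, followed by a
# hypothetical second attempt on the same zone that commits.
SAMPLE_LOG = """\
Mar 14 17:21:45 master60 named[7884]: samba_dlz: starting transaction on zone c0qxhpzos3.cnrxgshlb9
Mar 14 17:21:45 master60 named[7884]: samba_dlz: GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Checksum type 1 not keyed
Mar 14 17:21:45 master60 named[7884]: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Mar 14 17:21:45 master60 named[7884]: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Mar 14 17:21:45 master60 named[7884]: samba_dlz: spnego update failed
Mar 14 17:21:45 master60 named[7884]: client 10.200.46.60#50129/key Administrator\\@LOYEN.INTRANET: updating zone 'c0qxhpzos3.cnrxgshlb9/NONE': update failed: rejected by secure update (REFUSED)
Mar 14 17:21:45 master60 named[7884]: samba_dlz: cancelling transaction on zone c0qxhpzos3.cnrxgshlb9
Mar 14 17:21:51 master60 named[7884]: samba_dlz: starting transaction on zone c0qxhpzos3.cnrxgshlb9
Mar 14 17:21:51 master60 named[7884]: samba_dlz: committing transaction on zone c0qxhpzos3.cnrxgshlb9
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: (?P<msg>.*)$")
START_RE = re.compile(r"samba_dlz: starting transaction on zone (?P<zone>\S+)")
END_RE = re.compile(r"samba_dlz: (?P<verb>cancelling|committing) transaction on zone (?P<zone>\S+)")
GSS_RE = re.compile(r"samba_dlz: GSS server Update.*?Update failed: (?P<detail>.*)")
SPNEGO_RE = re.compile(r"samba_dlz: SPNEGO.*?failed: (?P<status>NT_STATUS_\w+)")
REFUSED_RE = re.compile(
    r"client (?P<client>\S+)/key (?P<key>\S+): updating zone '(?P<zone>[^/']+)/[^']*': "
    r"update failed: (?P<reason>.*)")


def correlate(log_text):
    """Return one dict per samba_dlz transaction found in log_text, in order."""
    transactions = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a named line
        msg = m.group("msg")
        start = START_RE.search(msg)
        if start:
            current = {"zone": start.group("zone"), "started": m.group("ts"),
                       "gss_errors": [], "spnego_status": None,
                       "refused": None, "outcome": None}
            continue
        if current is None:
            continue  # message outside any transaction
        gss = GSS_RE.search(msg)
        if gss:
            current["gss_errors"].append(gss.group("detail"))
        spnego = SPNEGO_RE.search(msg)
        if spnego and current["spnego_status"] is None:
            current["spnego_status"] = spnego.group("status")  # keep the first one
        refused = REFUSED_RE.search(msg)
        if refused and refused.group("zone") == current["zone"]:
            current["refused"] = {"client": refused.group("client"),
                                  "key": refused.group("key"),
                                  "reason": refused.group("reason")}
        end = END_RE.search(msg)
        if end and end.group("zone") == current["zone"]:
            if end.group("verb") == "committing":
                current["outcome"] = "committed"
            elif current["refused"]:
                current["outcome"] = "refused"
            else:
                current["outcome"] = "cancelled"
            transactions.append(current)
            current = None
    return transactions


def refused_updates(log_text):
    """Only the transactions that named rejected."""
    return [t for t in correlate(log_text) if t["outcome"] == "refused"]


if __name__ == "__main__":
    for t in correlate(SAMPLE_LOG):
        key = t["refused"]["key"] if t["refused"] else "-"
        print(t["started"], t["zone"], t["outcome"], key, "; ".join(t["gss_errors"]))
```

Run it against a real daemon.log with `python3 correlate.py < /var/log/daemon.log` after replacing SAMPLE_LOG with `sys.stdin.read()`; a transaction that ends in "cancelling" without a REFUSED line is reported as "cancelled" so that the two failure shapes the report mentions stay distinguishable.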
The error message "GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):" comes from samba-4.6.0/source4/auth/gensec/gensec_gssapi.c and the detail "Checksum type 1 not keyed" comes from samba-4.6.0/source4/heimdal/lib/krb5/pac.c.
But samba_dnsupdate works:

root@master60:~# samba-tool dns query localhost loyen.intranet \
    _gc._tcp SRV \
    -UAdministrator%univention
  Name=, Records=1, Children=0
    SRV: master60.loyen.intranet. (3268, 0, 100) (flags=f0, serial=1, ttl=900)
root@master60:~# samba-tool dns delete localhost loyen.intranet \
    _gc._tcp SRV "master60.loyen.intranet. 3268 0 100" \
    -UAdministrator%univention
Record deleted successfully
root@master60:~# samba_dnsupdate
root@master60:~# samba-tool dns query localhost loyen.intranet \
    _gc._tcp SRV \
    -UAdministrator%univention
  Name=, Records=1, Children=0
    SRV: master60.loyen.intranet. (3268, 0, 100) (flags=f0, serial=29, ttl=900)
I've adjusted the encryption type lists in the /etc/krb5.conf template in univention-heimdal. We adjusted the default_tkt_enctypes some time ago (Bug 23999) and put des-cbc-md5 before des3-hmac-sha1. In this case nsupdate started to work again when I put arcfour-hmac-md5 before des3-hmac-sha1 in default_tgs_enctypes. Since this grows a bit wild and arbitrary, I've now ordered all three enctype lists in the same way, starting in the same order as samba does internally (function: get_enctypes) and appending the des-cbc-md4 and 3des types that samba doesn't specify:

[libdefaults]
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
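A check for the ordering described in the comment above, as an added example that is not code from Univention or Samba: it parses the [libdefaults] section of a krb5.conf, extracts the three enctype lists and flags (a) des3-hmac-sha1 listed ahead of arcfour-hmac-md5, the ordering that broke nsupdate -g here, (b) a relative order that deviates from the one the comment derives from Samba's get_enctypes(), and (c) three lists that are not identical. The "fixed" sample is the template from the comment; the "broken" sample is a constructed, hypothetical before-state, not the actual earlier UCS template.

```python
"""Check the enctype lists in a krb5.conf [libdefaults] section.

Added example, not code from Univention or Samba.
"""
import re

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# The order from the comment above: Samba's internal order first, then the
# DES-MD4 and 3DES types Samba does not list.
EXPECTED_ORDER = [
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "arcfour-hmac-md5",
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-hmac-sha1", "des3-cbc-sha1",
]

# Constructed sample with the fixed lists from the comment.
FIXED_KRB5_CONF = """\
[libdefaults]
    default_realm = LOYEN.INTRANET
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1

[realms]
    LOYEN.INTRANET = {
        kdc = master60.loyen.intranet
    }
"""

# Constructed, hypothetical before-state (not the actual earlier UCS template):
# des3-hmac-sha1 ahead of arcfour-hmac-md5, and lists that disagree.
BROKEN_KRB5_CONF = """\
[libdefaults]
    default_realm = LOYEN.INTRANET
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
"""


def parse_libdefaults(text):
    """Return {key: [enctype, ...]} for the enctype keys found in [libdefaults]."""
    section = None
    lists = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in ENCTYPE_KEYS:
            lists[key] = value.split()
    return lists


def check_enctypes(text):
    """Return a list of problem strings; an empty list means the lists pass."""
    lists = parse_libdefaults(text)
    problems = [f"{key} missing from [libdefaults]" for key in ENCTYPE_KEYS if key not in lists]
    if problems:
        return problems
    for key in ENCTYPE_KEYS:
        types = lists[key]
        # (a) the ordering that made nsupdate -g fail in this bug
        if ("arcfour-hmac-md5" in types and "des3-hmac-sha1" in types
                and types.index("des3-hmac-sha1") < types.index("arcfour-hmac-md5")):
            problems.append(f"{key}: des3-hmac-sha1 is listed before arcfour-hmac-md5")
        # (b) relative order of the known types must follow EXPECTED_ORDER
        known = [t for t in types if t in EXPECTED_ORDER]
        if known != sorted(known, key=EXPECTED_ORDER.index):
            problems.append(f"{key}: relative order deviates from {' '.join(EXPECTED_ORDER)}")
    # (c) all three lists must be identical
    reference = lists[ENCTYPE_KEYS[0]]
    for key in ENCTYPE_KEYS[1:]:
        if lists[key] != reference:
            problems.append(f"{key} is not identical to {ENCTYPE_KEYS[0]}")
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/krb5.conf"
    with open(path) as fh:
        for line in check_enctypes(fh.read()) or ["ok"]:
            print(line)
```

Run it as `python3 check_enctypes.py /etc/krb5.conf` on the DC; the broken sample yields one (a) and one (b) finding per list plus a mismatch for default_tkt_enctypes, the fixed sample none.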
Changelog adjusted.
Changelog: OK
ucs-test: OK
Manual tests: OK
Code review: OK
UCS 4.2 has been released: https://docs.software-univention.de/release-notes-4.2-0-en.html https://docs.software-univention.de/release-notes-4.2-0-de.html If this error occurs again, please use "Clone This Bug".