Bug 247110

Summary: net/samba410 When starting AD DC with internal DNS the nsupdate program is not found
Product: Ports & Packages Reporter: James B. Byrne <byrnejb>
Component: Individual Port(s)Assignee: Timur I. Bakeyev <timur>
Status: Closed Overcome By Events    
Severity: Affects Only Me CC: vvd
Priority: --- Flags: bugzilla: maintainer-feedback? (timur)
Version: Latest   
Hardware: Any   
OS: Any   

Description James B. Byrne 2020-06-09 13:14:20 UTC
Samba_server logs this in /var/log/samba4/smbd.log.

>> Failed nsupdate: A SMB4-1.brockley.harte-lyne.ca 192.168.216.166 : [Errno 2]
>> No such file or directory: '/usr/bin/nsupdate': '/usr/bin/nsupdate'
>> Failed update of 1 entries

1. The bind-tools package is not a dependency for samba_server and is not installed with samba410.

2. The bind package is not required when the Samba internal DNS service is selected when a domain is provisioned.

3. Installing the bind-tools package does not resolve the issue as the samba port is looking for /usr/bin/nsupdate and not /usr/local/bin/nsupdate.

A work-around is to manually create a symbolic link:

ln -s /usr/local/bin/nsupdate /usr/bin/nsupdate
Comment 1 Timur I. Bakeyev freebsd_committer freebsd_triage 2020-06-29 01:56:33 UTC
Well, man smb4.conf tells us:

    Example: dns update command = /usr/local/sbin/dnsupdate

You have to set the location of nsupdate in the config file yourself.
Comment 2 James B. Byrne 2020-06-29 16:09:05 UTC
I cannot find anything that provides /usr/local/sbin/dnsupdate.  Is this what you meant?


     dns update command = /usr/local/sbin/samba_dnsupdate
Comment 3 James B. Byrne 2020-06-29 16:18:21 UTC
In man 5 smb.conf it states:

       dns update command (G)

           This option sets the command that is called when there are DNS
           updates. It should update the local machines DNS names using
           TSIG-GSS.

           Default: dns update command = ${prefix}/sbin/samba_dnsupdate

As this setting was not previously explicitly configured in smb4.conf why is samba looking for nsupdate and not samba_dnsupdate?
Comment 4 James B. Byrne 2020-06-30 16:14:16 UTC
In any case, substituting nsupdate for dnsupdate proves not to resolve the issue:

[root@smb4-1 ~ (master)]# which nsupdate
/usr/local/bin/nsupdate

[root@smb4-1 ~ (master)]# grep '/usr/local/sbin/nsupdate' /usr/local/etc/smb4.conf
  dns update command = /usr/local/sbin/nsupdate

[root@smb4-1 ~ (master)]# service samba_server onerestart
Performing sanity check on Samba configuration: OK
Stopping samba.
Waiting for PIDS: 90071.
Performing sanity check on Samba configuration: OK
Starting samba.

[root@smb4-1 ~ (master)]# samba_dnsupdate --verbose -d4 --all-names
. . .
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389 (add)
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as SMB4-1$
Failed nsupdate: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389 : [Errno 2] No such file or directory: '/usr/bin/nsupdate': '/usr/bin/nsupdate'
Failed update of 29 entries
Comment 5 James B. Byrne 2020-06-30 16:16:23 UTC
And this still does not address why bind-tools are not listed as a dependency when samba410 is installed to serve as an AD DC.
Comment 6 Vladimir Druzenko freebsd_committer freebsd_triage 2020-07-02 21:05:12 UTC
Samba AD is completely broken on FreeBSD:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239105#c57

nsupdate from bind + samba doesn't work with all kerberos implementations I can find in FreeBSD.
Comment 7 James B. Byrne 2020-07-03 13:15:47 UTC
I have since discovered that bind-tools in FreeBSD is compiled without GSSAPI support of any type.  So, it cannot be used for secure dynamic DNS updates.  samba-nsupdate is evidently nsupdate recompiled with GSSAPI=BASE and renamed.  As long as no SSL implementation other than the OpenSSL that ships with FreeBSD is installed, samba-nsupdate should support secure dynamic updates with a Samba AD DC.  If any other SSL implementation is installed from ports then either bind-tools or samba-nsupdate has to be rebuilt to match the GSSAPI libraries provided by that port.

However, I am unable to find any mention of this anywhere.  As I currently understand things the requirements for dynamic DNS updates of the samba internal DNS service on FreeBSD are:

1. The base OpenSSL must not be replaced/overridden by any port or pkg.

2. The samba-nsupdate package must be installed along with samba.

3. The smb4.conf file may need to be modified to point to the correct locations of samba_dnsupdate and samba-nsupdate as the compiled default locations differ from where the programs are installed on FreeBSD:

[global]
. . .
  # Note diff: sbin vs. bin and _ vs. - and dns vs. ns
  dns update command = /usr/local/sbin/samba_dnsupdate
  nsupdate command = /usr/local/bin/samba-nsupdate -g
. . .

4. The -g switch has to be passed to samba-nsupdate to invoke GSSAPI.

Now GSSAPI, as far as I can discover, is necessary for 'secure' dynamic updates.   The difference between 'Secure Only' and 'Non-Secure and Secure', is that Secure uses Kerberos and with 'Secure Only' the notification source must authenticate before it can update. 

I still have not got this working without error as the signature of the update key is not passing the Samba update check, but at least I now know what is going on beneath the covers.

The error I am getting now is:

update(nsupdate): SRV _ldap._tcp.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for SMB4-1$@BROCKLEY.HARTE-LYNE.CA will expire in 35998 secs
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as SMB4-1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.brockley.harte-lyne.ca. 900 IN SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2
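A check script for the smb4.conf requirements listed in Comment 7, added here as an example and not taken from the bug report or the Samba port; it assumes the FreeBSD ports paths the comment quotes (/usr/local/sbin/samba_dnsupdate, /usr/local/bin/samba-nsupdate) and that the settings live in the [global] section.

```shell
#!/bin/sh
# Added example, not from the bug report: check the two smb4.conf settings that
# Comment 7 identifies as required for secure dynamic DNS updates on FreeBSD.
# The expected paths are the FreeBSD ports locations quoted in the report.
SAMBA_DNSUPDATE=/usr/local/sbin/samba_dnsupdate
SAMBA_NSUPDATE=/usr/local/bin/samba-nsupdate

# conf_value FILE KEY: print the value of KEY in the [global] section,
# matching the key case-insensitively and trimming surrounding whitespace.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# check_dns_update_config FILE: return 0 if both settings match the report's
# working values, otherwise describe each mismatch on stdout and return 1.
check_dns_update_config() {
    rc=0
    dnsupd=$(conf_value "$1" "dns update command")
    nsupd=$(conf_value "$1" "nsupdate command")
    if [ "$dnsupd" != "$SAMBA_DNSUPDATE" ]; then
        echo "dns update command is '${dnsupd:-unset}', expected $SAMBA_DNSUPDATE"
        rc=1
    fi
    case "$nsupd" in
        "$SAMBA_NSUPDATE -g"|"$SAMBA_NSUPDATE -g "*) ;;   # GSSAPI enabled: OK
        "$SAMBA_NSUPDATE"*) echo "nsupdate command lacks -g, so GSSAPI is not used"; rc=1 ;;
        *) echo "nsupdate command is '${nsupd:-unset}', expected $SAMBA_NSUPDATE -g"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs: the broken variant (bind-tools nsupdate, no
# GSSAPI) beside the working variant from the report's Comment 7.
broken=$(mktemp) && printf '[global]\n  nsupdate command = /usr/local/bin/nsupdate\n' > "$broken"
working=$(mktemp) && printf '[global]\n  dns update command = %s\n  nsupdate command = %s -g\n' \
    "$SAMBA_DNSUPDATE" "$SAMBA_NSUPDATE" > "$working"
for f in "$broken" "$working"; do
    if check_dns_update_config "$f"; then echo "$f: OK"; fi
done
rm -f "$broken" "$working"
```

On the DC itself, run check_dns_update_config against /usr/local/etc/smb4.conf and pair it with `[ -x /usr/local/bin/samba-nsupdate ]` to confirm the samba-nsupdate package is actually installed.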
Comment 8 James B. Byrne 2020-07-03 14:42:24 UTC
Running samba-nsupdate with -d results in these errors reported by samba_dnsupdate when run from the command line:

[root@smb4-1 ~ (master)]# samba_dnsupdate --verbose -d8 --all-names
. . .
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for SMB4-1$@BROCKLEY.HARTE-LYNE.CA will expire in 35998 secs
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as SMB4-1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. 900 IN	SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   1151
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. IN SOA

;; AUTHORITY SECTION:
brockley.harte-lyne.ca.	3600	IN	SOA	SMB4-1.brockley.harte-lyne.ca. hostmaster.brockley.harte-lyne.ca. 1 900 600 86400 3600

Found zone name: brockley.harte-lyne.ca
The master is: SMB4-1.brockley.harte-lyne.ca
start_gssrequest
Found realm from ticket: BROCKLEY.HARTE-LYNE.CA
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  13304
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;489873631.sig-SMB4-1.brockley.harte-lyne.ca. ANY TKEY

;; ADDITIONAL SECTION:

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  13304
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;489873631.sig-SMB4-1.brockley.harte-lyne.ca. ANY TKEY

;; ANSWER SECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TKEY	gss-tsig. 1593782418 1593782418 3 NOERROR 186 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB AgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvuDJDPZTRZw4t rumU7CUM54QqUWXZEf6MQ5ZeOQhrzV8cOQAwx0mMTkLIQm+YAu4Bysim Qn+Dfqy1qLL8mPSCes86vUp4l/Sa8a6mKjQ91+FeGqsorgsAEYrLaGXl vSBcP+Qxi+FC1e07Iuv3LXF/ 0

;; TSIG PSEUDOSECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG	gss-tsig. 1593782418 300 28 BAQF//////8AAAAAMRP+/dHMO1zAtXPIT0vu4A== 13304 NOERROR 0 

Sending update to 192.168.18.161#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  38762
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. 900 IN	SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

;; TSIG PSEUDOSECTION:
489873631.sig-smb4-1.brockley.harte-lyne.ca. 0 ANY TSIG	gss-tsig. 1593782418 300 28 BAQE//////8AAAAAJXvohvDbm2q9Fel/zluw/w== 38762 NOERROR 0 

; TSIG error with server: tsig indicates error

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  38762
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;brockley.harte-lyne.ca.		IN	SOA

;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. 900 IN	SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

;; TSIG PSEUDOSECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG	gss-tsig. 1593782418 300 0 38762 BADSIG 0 

Failed nsupdate: 2


AND these errors in /var/log/samba4/smbd.log:

[2020/07/03 09:03:21.429554,  1] ../../auth/kerberos/gssapi_helper.c:391(gssapi_check_packet)
  GSS VerifyMic failed:  A token had an invalid MIC: unknown mech-code 2529638943 for mech 1 2 840 113554 1 2 2
[2020/07/03 09:03:21.429643,  0] ../../source4/auth/gensec/gensec_gssapi.c:1347(gensec_gssapi_check_packet)
  gssapi_check_packet(hdr_signing=0,sig_size=28,data=137,pdu=137) failed: NT_STATUS_ACCESS_DENIED
Comment 9 James B. Byrne 2020-07-03 14:47:19 UTC
What this tells us is that the message integrity code is not matching what is expected. Whether this is a problem specific to FreeBSD or a general problem with samba I cannot tell.  However, if it is with samba I would expect that others on different OSs have run into this and reported it. I cannot find any such reports.