| Summary: | net/samba410 When starting AD DC with internal DNS the nsupdate program is not found | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | James B. Byrne <byrnejb> |
| Component: | Individual Port(s) | Assignee: | Timur I. Bakeyev <timur> |
| Status: | Closed Overcome By Events | | |
| Severity: | Affects Only Me | CC: | vvd |
| Priority: | --- | Flags: | bugzilla: maintainer-feedback? (timur) |
| Version: | Latest | | |
| Hardware: | Any | | |
| OS: | Any | | |
Well, man smb4.conf tells us:

```
Example: dns update command = /usr/local/sbin/dnsupdate
```

You have to set the location of nsupdate in the config file yourself.

I cannot find anything that provides /usr/local/sbin/dnsupdate. Is this what you meant?

```
dns update command = /usr/local/sbin/samba_dnsupdate
```

In man 5 smb.conf it states:

> dns update command (G)
>
> This option sets the command that is called when there are DNS updates. It should update the local machines DNS names using TSIG-GSS.
>
> Default: dns update command = ${prefix}/sbin/samba_dnsupdate

As this setting was not previously explicitly configured in smb4.conf, why is samba looking for nsupdate and not samba_dnsupdate?

In any case, substituting nsupdate for dnsupdate proves not to resolve the issue:

```
[root@smb4-1 ~ (master)]# which nsupdate
/usr/local/bin/nsupdate
[root@smb4-1 ~ (master)]# grep '/usr/local/sbin/nsupdate' /usr/local/etc/smb4.conf
dns update command = /usr/local/sbin/nsupdate
[root@smb4-1 ~ (master)]# service samba_server onerestart
Performing sanity check on Samba configuration: OK
Stopping samba.
Waiting for PIDS: 90071.
Performing sanity check on Samba configuration: OK
Starting samba.
[root@smb4-1 ~ (master)]# samba_dnsupdate --verbose -d4 --all-names
. . .
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389 (add)
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as SMB4-1$
Failed nsupdate: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389 : [Errno 2] No such file or directory: '/usr/bin/nsupdate': '/usr/bin/nsupdate'
Failed update of 29 entries
```

And this still does not address why bind-tools is not listed as a dependency when samba410 is installed to serve as an AD DC.
Samba AD is completely broken on FreeBSD: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239105#c57

nsupdate from bind + samba doesn't work with all kerberos implementations I can find in FreeBSD.

I have since discovered that bind-tools in FreeBSD is compiled without GSSAPI support of any type. So, it cannot be used for secure dynamic DNS updates. samba-nsupdate is evidently nsupdate recompiled with GSSAPI=BASE and renamed. As long as no SSL implementation other than the OpenSSL that ships with FreeBSD is installed, samba-nsupdate should support secure dynamic updates with a Samba AD DC. If any other SSL implementation is installed from ports then either bind-tools or samba-nsupdate has to be rebuilt to match the GSSAPI libraries provided by that port. However, I am unable to find any mention of this anywhere.

As I currently understand things, the requirements for dynamic DNS updates of the samba internal DNS service on FreeBSD are:

1. The base OpenSSL must not be replaced/overridden by any port or pkg.
2. The samba-nsupdate package must be installed along with samba.
3. The smb4.conf file may need to be modified to point to the correct locations of samba_dnsupdate and samba-nsupdate, as the compiled default locations differ from where the programs are installed on FreeBSD:

   ```
   [global]
   . . .
   # Note diff: sbin vs. bin and _ vs. - and dns vs. ns
   dns update command = /usr/local/sbin/samba_dnsupdate
   nsupdate command = /usr/local/bin/samba-nsupdate -g
   . . .
   ```

4. The -g switch has to be passed to samba-nsupdate to invoke GSSAPI.

Now GSSAPI, as far as I can discover, is necessary for 'secure' dynamic updates. The difference between 'Secure Only' and 'Non-Secure and Secure' is that Secure uses Kerberos, and with 'Secure Only' the notification source must authenticate before it can update.
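A configuration check for the requirements listed above, written as an added example for this report (not the reporter's, the port's or Samba's own code). It assumes parameter names are spelled exactly as in the snippet above and that, with `nsupdate command` unset, Samba falls back to the /usr/bin/nsupdate path shown in the log; the sample config at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or the Samba port: a consistency
# check for the dynamic-DNS settings in smb4.conf. It reports the mismatches
# discussed above: 'dns update command' not running samba_dnsupdate,
# 'nsupdate command' unset (the log shows Samba then trying /usr/bin/nsupdate),
# an nsupdate that is not samba-nsupdate, a missing -g switch, and a
# configured binary that does not exist.

# Print the value of one parameter from an smb.conf-style file (first match).
# Assumes the parameter name is spelled as given, e.g. "nsupdate command".
smbconf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Emit one finding; callers count lines that start with "FINDING:".
finding() { printf 'FINDING: %s\n' "$1"; }

# Check the dynamic-DNS settings in the smb.conf file given as $1.
check_dns_update_conf() {
    dnsupd=$(smbconf_value "$1" "dns update command")
    nsupd=$(smbconf_value "$1" "nsupdate command")
    dnsbin=${dnsupd%% *}; nsbin=${nsupd%% *}
    case "$dnsbin" in
        ""|samba_dnsupdate|*/samba_dnsupdate) ;;
        *) finding "dns update command runs '$dnsbin', expected samba_dnsupdate" ;;
    esac
    if [ -z "$nsupd" ]; then
        finding "nsupdate command not set; Samba falls back to /usr/bin/nsupdate"
    else
        case "$nsbin" in
            samba-nsupdate|*/samba-nsupdate) ;;
            *) finding "nsupdate command runs '$nsbin', expected samba-nsupdate (GSSAPI build)" ;;
        esac
        case " $nsupd " in
            *" -g "*) ;;
            *) finding "nsupdate command lacks the -g switch that enables GSS-TSIG" ;;
        esac
    fi
    for bin in "$dnsbin" "$nsbin"; do
        [ -n "$bin" ] && [ ! -x "$bin" ] && finding "configured binary '$bin' is missing or not executable"
    done
    return 0
}

# Constructed sample: the reporter's first attempt, with no nsupdate command.
demo=$(mktemp)
printf '[global]\n    dns update command = /usr/local/sbin/nsupdate\n' > "$demo"
check_dns_update_conf "$demo"
rm -f "$demo"
```

Run it against /usr/local/etc/smb4.conf after editing; an empty report means the three path pitfalls and the -g switch are in order, but it says nothing about the TSIG signature check that the later comments describe.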
I still have not got this working without error, as the signature of the update key is not passing the Samba update check, but at least I now know what is going on beneath the covers. The error I am getting now is:

```
update(nsupdate): SRV _ldap._tcp.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for SMB4-1$@BROCKLEY.HARTE-LYNE.CA will expire in 35998 secs
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as SMB4-1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.brockley.harte-lyne.ca. 900 IN SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2
```

Running samba-nsupdate with -d results in these errors reported by samba_dnsupdate when run from the command line:

```
[root@smb4-1 ~ (master)]# samba_dnsupdate --verbose -d8 --all-names
. . .
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for SMB4-1$@BROCKLEY.HARTE-LYNE.CA will expire in 35998 secs
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as SMB4-1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. 900 IN SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1151
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. IN SOA
;; AUTHORITY SECTION:
brockley.harte-lyne.ca. 3600 IN SOA SMB4-1.brockley.harte-lyne.ca. hostmaster.brockley.harte-lyne.ca. 1 900 600 86400 3600

Found zone name: brockley.harte-lyne.ca
The master is: SMB4-1.brockley.harte-lyne.ca
start_gssrequest
Found realm from ticket: BROCKLEY.HARTE-LYNE.CA
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13304
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;489873631.sig-SMB4-1.brockley.harte-lyne.ca. ANY TKEY
;; ADDITIONAL SECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TKEY gss-tsig. 1593782418 1593782418 3 NOERROR 1515
    YIIF5wYGKwYBBQUCoIIF2zCCBdegDTALBgkqhkiG9xIBAgKiggXEBIIF
    wGCCBbwGCSqGSIb3EgECAgEAboIFqzCCBaegAwIBBaEDAgEOogcDBQAg
    AAAAo4IEgmGCBH4wggR6oAMCAQWhGBsWQlJPQ0tMRVkuSEFSVEUtTFlO
    RS5DQaIvMC2gAwIBAaEmMCQbA0ROUxsdU01CNC0xLmJyb2NrbGV5Lmhh
    cnRlLWx5bmUuY2GjggQmMIIEIqADAgESoQMCAQGiggQUBIIEEPKZxwM3
    nlYxG19pmsozHjqDZmkRoogbsckJAOKM3wPAupRfZJk8nsmqppFalVBV
    fpvjV2U2otzwV9FbIivz3U3vjjZ1k9jmda1iBQ4pPEwLy/QXmrUdmWAA
    A48xYE35w6TBdfd13XxKbKAKYD4w7gJ5D1u7PxSakmmelko5fs9UPZ0v
    bJG+tQcwn+qAWc9TQMOmIl/zWxp7sZdhQLaC66frd0liUFz15lmbbE5m
    IKF+i+cfHxsfe0TLzZ7lCOmaZjHacHq+pF94VYQ1y/9FmSL/qs7+Vz3B
    GcPF1I+KfRsQyE3C5cecVMVRJVUlyFYYDB9j+4wkiQOgSMPajxl7G1TB
    +7esXerD5u+JBYQHU0ArEZvTNIea00ArA16HWlgqpku8GK+y3Gfs5q5e
    WPyADUIqctMiO0T34pUUxmeNgt1UdVyH8ayQikN17xATkqHkek2jzemI
    VaPWOlZRJt0UKTPUCoufChdPwxD3b4NHpRpbxxof9MkcUU+ZZcV5nocB
    X75yOZmK6YdHFGITzIv8zpx1Vp9sqtzXsk7QH7rTfLnosiM9DbPXZPbx
    W92JRCUdc6IrVWq4/qVk1IC5uZ2fq4aCJgAMAlKMyTmXljqecXIxQ6J2
    J0LK34otl3XAzxGJHBD/95P2uk2NeCPE+0Cpgm0CeDO0DDNAYcAYCFJb
    UVovHAAqetLrxYRcgNegici7CNV7jjSz0KGKq4S+hq+6onOe7lu10Qkg
    enkAsKy269M3kkexFiJqr6zKGRdoDHDUxzmGzFMsLgp8Ib16dJHQ3mTX
    PUrYQMnUwh98VxpUnRl83Tg7MQalZon7ZjcJ2+VnL/sUcM4KuUo1hW7O
    8nydXR2F2Kjh7ACySsUBmpVVwn5t0LihMrQm6VwPih+eKw0iTGKY12Uz
    VnV2/fDWtmYzM26a3z5fKkavbkTlJNIwebRI4zz1taOIyCqNUDFcxnTx
    7/2aGbnXLskQirvx47RSgNyVAcKPneudt3UePS/Vp/2ntAXIB/ZnmBPi
    rvkuz/uVqLqxW/ytC5hLUINP0su9pRXLlXWjYSwuu47sDEOQQCToZAuc
    BodLA9tkut/Wx3vpiLKmTNYPOU735BBy1OrpCXJEJzzahA73x0TNpQi9
    8j7dH6dlQqzcds69EzQ6NfW2YwXDXTvM8hg+r/BvarvHGYDuLj/Zm96o
    vUr9vNoY4uCvFxym7jnbp0tW0A4Lh2jYMoi7BicJ9tQRHrVi10inhPkU
    z835kJjL5HfYXYFRsKcHBVu3RjVUW6KH+9jWmxqdIfbgEbMw/KhEH5z4
    WdsTfSX1fXpasF+R3e/4fuLmqy/sY3u6r8vus1dqRMGsFQfxp3HGH15b
    BPID9ZlvCL6kFqOP9ZObYgi4HyBp5WRfVuRUpIIBCjCCAQagAwIBEqKB
    /gSB+yqrzpMkt6mBL8datfhCA8QkVoxhRkR9p8cEpb4wu9cbVrXkQAkq
    jq6endFOstiWEHM9Yv6da4M3HmVgoQr+yeECguvqL9TKBA87E5yUbAEO
    R090LciiZnRpU8g+vUDZ7cvF7Nx/doshmy82l/pxPUUyBXEJcDm+a6R5
    fF5JYpSy/AI0GsoDh6brHBg8AcyNC8SDL/bOybQS/6KiskoZwrBsmumX
    UVudMMpbGyd2113i5jgccxE2UfUoJp5DU8LBekIux4KKXh8QE8ctewkX
    j1uT7BIv8CJ64BKsyR5qfk3AWdqM1+Ma0ejtOEGtuLhPKQXf8YnBW5zv
    4EzB 0

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13304
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;489873631.sig-SMB4-1.brockley.harte-lyne.ca. ANY TKEY
;; ANSWER SECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TKEY gss-tsig. 1593782418 1593782418 3 NOERROR 186
    oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB
    AgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvuDJDPZTRZw4t
    rumU7CUM54QqUWXZEf6MQ5ZeOQhrzV8cOQAwx0mMTkLIQm+YAu4Bysim
    Qn+Dfqy1qLL8mPSCes86vUp4l/Sa8a6mKjQ91+FeGqsorgsAEYrLaGXl
    vSBcP+Qxi+FC1e07Iuv3LXF/ 0
;; TSIG PSEUDOSECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593782418 300 28 BAQF//////8AAAAAMRP+/dHMO1zAtXPIT0vu4A== 13304 NOERROR 0

Sending update to 192.168.18.161#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 38762
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. 900 IN SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.
;; TSIG PSEUDOSECTION:
489873631.sig-smb4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593782418 300 28 BAQE//////8AAAAAJXvohvDbm2q9Fel/zluw/w== 38762 NOERROR 0

; TSIG error with server: tsig indicates error
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 38762
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;brockley.harte-lyne.ca. IN SOA
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. 900 IN SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.
;; TSIG PSEUDOSECTION:
489873631.sig-SMB4-1.brockley.harte-lyne.ca. 0 ANY TSIG gss-tsig. 1593782418 300 0 38762 BADSIG 0

Failed nsupdate: 2
```

AND these errors in /var/log/samba4/smbd.log:

```
[2020/07/03 09:03:21.429554, 1] ../../auth/kerberos/gssapi_helper.c:391(gssapi_check_packet)
  GSS VerifyMic failed: A token had an invalid MIC: unknown mech-code 2529638943 for mech 1 2 840 113554 1 2 2
[2020/07/03 09:03:21.429643, 0] ../../source4/auth/gensec/gensec_gssapi.c:1347(gensec_gssapi_check_packet)
  gssapi_check_packet(hdr_signing=0,sig_size=28,data=137,pdu=137) failed: NT_STATUS_ACCESS_DENIED
```

What this tells us is that the message integrity code is not matching what is expected. Whether this is a problem specific to FreeBSD or a general problem with samba I cannot tell. However, if it is with samba I would expect that others on different OSs have run into this and reported it. I cannot find any such reports.
Samba_server logs this in /var/log/samba4/smbd.log:

```
Failed nsupdate: A SMB4-1.brockley.harte-lyne.ca 192.168.216.166 : [Errno 2]
No such file or directory: '/usr/bin/nsupdate': '/usr/bin/nsupdate'
Failed update of 1 entries
```

1. The bind-tools package is not a dependency for samba_server and is not installed with samba410.
2. The bind package is not required when the Samba internal DNS service is selected when a domain is provisioned.
3. Installing the bind-tools package does not resolve the issue, as the samba port is looking for /usr/bin/nsupdate and not /usr/local/bin/nsupdate.

A work-around is to manually create a symbolic link:

```
ln -s /usr/local/bin/nsupdate /usr/bin/nsupdate
```