Bug 247802 - net/samba410 samba_dnsupdate fails running with -g
Summary: net/samba410 samba_dnsupdate fails running with -g
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Only Me
Assignee: Timur I. Bakeyev
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-06 13:46 UTC by James B. Byrne
Modified: 2020-07-06 13:58 UTC
CC: 1 user

See Also:
bugzilla: maintainer-feedback? (timur)


Description James B. Byrne 2020-07-06 13:46:57 UTC
[root@smb4-1 ~ (master)]# freebsd-version
12.1-RELEASE-p6

[root@smb4-1 ~ (master)]# pkg info -x samba
samba-nsupdate-9.14.2_1
samba410-4.10.15


[root@smb4-1 ~ (master)]# cat /usr/local/etc/smb4.conf
[global]
. . .
  # DNS  
  dns forwarder = 192.168.18.161 216.185.71.33
  # Note diff: sbin vs. bin and _ vs. - and dns vs. ns
  dns update command = /usr/local/sbin/samba_dnsupdate
  nsupdate command = /usr/local/bin/samba-nsupdate -d -g
  #allow dns updates = secure only | nonsecure | disabled
  allow dns updates = nonsecure
  rndc command = /usr/bin/true
. . .


[root@smb4-1 ~ (master)]# samba_dnsupdate --verbose
IPs: ['192.168.18.161']
. . .
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389 as _ldap._tcp.Default-First-Site-Name._sites.brockley.harte-lyne.ca.
Traceback (most recent call last):
  File "/usr/local/sbin/samba_dnsupdate", line 320, in check_dns_name
    ans = check_one_dns_name(normalised_name, d.type, d)
  File "/usr/local/sbin/samba_dnsupdate", line 296, in check_one_dns_name
    ans = resolver.query(name, name_type)
  File "/usr/local/lib/python3.7/site-packages/dns/resolver.py", line 992, in query
    timeout = self._compute_timeout(start, lifetime)
  File "/usr/local/lib/python3.7/site-packages/dns/resolver.py", line 799, in _compute_timeout
    raise Timeout(timeout=duration)
dns.exception.Timeout: The DNS operation timed out after 30.00392723083496 seconds

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/sbin/samba_dnsupdate", line 851, in <module>
    elif not check_dns_name(d):
  File "/usr/local/sbin/samba_dnsupdate", line 322, in check_dns_name
    raise Exception("Timeout while waiting to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
Exception: Timeout while waiting to contact a working DNS server while looking for SRV _ldap._tcp.Default-First-Site-Name._sites.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389 as _ldap._tcp.Default-First-Site-Name._sites.brockley.harte-lyne.ca.

If the -g is removed from 'nsupdate command = /usr/local/bin/samba-nsupdate' then the error disappears.

If the -g is retained and smb4.conf contains: 'allow dns updates = secure only' then the following error is encountered instead:

[root@smb4-1 ~ (master)]#  samba_dnsupdate --verbose -d8 --all-names
. . .
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for SMB4-1$@BROCKLEY.HARTE-LYNE.CA will expire in 35998 secs
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as SMB4-1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. 900 IN	SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2
Failed update of 29 entries



Given the difficulties I experience when enabling secure updates as detailed here and elsewhere I need to ask: do secure dns updates actually work with the internal DNS in samba410 on FreeBSD?  Are they supposed to? In other words: is this a feature that is not fully implemented?
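The two failing combinations in this report (samba-nsupdate run with -g while 'allow dns updates' is 'nonsecure', and the same flag with 'secure only') are easy to miss in a hand-edited smb4.conf. The following is an added example, not part of the report or of Samba: it parses the [global] section of an smb4.conf and flags exactly those two combinations, using a constructed sample that mirrors the settings quoted above. The reported outcomes in the messages are taken from this bug; the default of 'secure only' when the parameter is absent is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the [global] settings quoted in the report.
SAMPLE_SMB4_CONF = """\
[global]
  # DNS
  dns forwarder = 192.168.18.161 216.185.71.33
  dns update command = /usr/local/sbin/samba_dnsupdate
  nsupdate command = /usr/local/bin/samba-nsupdate -d -g
  #allow dns updates = secure only | nonsecure | disabled
  allow dns updates = nonsecure
  rndc command = /usr/bin/true
"""


def parse_global(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [global] section, skipping comments."""
    params: Dict[str, str] = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.match(r"\[(.+)\]$", line)
        if section:
            in_global = section.group(1).strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def check_dns_update_settings(params: Dict[str, str]) -> List[str]:
    """Flag the nsupdate/allow-dns-updates combinations this report shows failing.

    An empty list means neither combination is present.
    """
    findings: List[str] = []
    nsupdate_argv = params.get("nsupdate command", "").split()
    # Assumed default when the parameter is not set: "secure only".
    policy = params.get("allow dns updates", "secure only").lower()
    uses_gss = "-g" in nsupdate_argv
    if uses_gss and policy == "nonsecure":
        findings.append("-g with 'allow dns updates = nonsecure': "
                        "samba_dnsupdate timed out in the report")
    elif uses_gss and policy == "secure only":
        findings.append("-g with 'allow dns updates = secure only': "
                        "nsupdate failed with NOTAUTH(BADSIG) in the report")
    return findings
```

Run it against /usr/local/etc/smb4.conf after editing to confirm the combination you intended is the one actually in effect.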
Comment 1 VVD 2020-07-06 13:58:57 UTC
There are a lot of bug reports here about the same issue.
Check here: https://bugs.freebsd.org/bugzilla/buglist.cgi?list_id=364368&query_format=advanced&short_desc=samba&short_desc_type=allwordssubstr