nsupdate does not register records to Microsoft DNS using GSSAPI

Bug #1755439 reported by Roger Mårtensson on 2018-03-13
This bug affects 1 person
Affects: bind9 (Ubuntu)
Assigned to: Andreas Hasenack

Bug Description

nsupdate version: 9.11.2-P1-1ubuntu3-Ubuntu

The version that is in the development branch of future 18.04 does not work when registering DNS-records (A-records) in a Secure Only Microsoft DNS zone (2008R2).

When it tries to register, it gets the error "tsig verify failure".

This is a showstopper when you are using SSSD. Especially when using DHCP.

When upgrading to 9.12 (using ISC/PPA) everything works as expected.

Andreas Hasenack (ahasenack) wrote :

Lukas Slebodnik <email address hidden> in the sssd mailing list helpfully pointed at https://bugzilla.redhat.com/show_bug.cgi?id=1484451 which leads to upstream's https://bugs.isc.org/Public/Bug/Display.html?id=45854

no longer affects: bind
Changed in bind9 (Ubuntu):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
importance: Undecided → High

Andreas Hasenack (ahasenack) wrote :

Hello Roger,

I prepared updated packages for bionic and uploaded them to this PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/bind9-nsupdate-gssapi-windows-1755439/

Would you be able to do a quick test with them? I don't have a Windows AD server set up at the moment.

I did a simple nsupdate -g validation with localhost:
ubuntu@bionic-bind9-nsupdate:~$ kinit
Password for ubuntu@LXD:

ubuntu@bionic-bind9-nsupdate:~$ nsupdate -g
> server
> update add xenial.lxd. 120 TXT "Goodbye from kerberos"
> send

ubuntu@bionic-bind9-nsupdate:~$ dig @ -t txt xenial.lxd +short
"Goodbye from kerberos"

ubuntu@bionic-bind9-nsupdate:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu@LXD

Valid starting Expires Service principal
03/14/18 15:02:21 03/15/18 01:02:21 krbtgt/LXD@LXD
        renew until 03/15/18 15:02:20
03/14/18 15:02:45 03/15/18 01:02:21 DNS/lxd@LXD
        renew until 03/15/18 15:02:20
