nsupdate does not register records to Microsoft DNS using GSSAPI

Bug #1755439 reported by Roger Mårtensson on 2018-03-13
This bug affects 1 person
Affects: bind9 (Ubuntu)
Assigned to: Andreas Hasenack

Bug Description

nsupdate version: 9.11.2-P1-1ubuntu3-Ubuntu

The version that is in the development branch of future 18.04 does not work when registering DNS-records (A-records) in a Secure Only Microsoft DNS zone (2008R2).

When it tries to register, it gets the error "tsig verify failure".

This is a showstopper when you are using SSSD. Especially when using DHCP.

When upgrading to 9.12 (using ISC/PPA) everything works as expected.

Andreas Hasenack (ahasenack) wrote :

Lukas Slebodnik <email address hidden> in the sssd mailing list helpfully pointed at https://bugzilla.redhat.com/show_bug.cgi?id=1484451 which leads to upstream's https://bugs.isc.org/Public/Bug/Display.html?id=45854

no longer affects: bind
Changed in bind9 (Ubuntu):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
importance: Undecided → High
Andreas Hasenack (ahasenack) wrote :

Hello Roger,

I prepared updated packages for bionic and uploaded them to this PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/bind9-nsupdate-gssapi-windows-1755439/

Would you be able to do a quick test with them? I don't have a windows AD server setup at the moment.

I did a simple nsupdate -g validation with localhost:
ubuntu@bionic-bind9-nsupdate:~$ kinit
Password for ubuntu@LXD:

ubuntu@bionic-bind9-nsupdate:~$ nsupdate -g
> server
> update add xenial.lxd. 120 TXT "Goodbye from kerberos"
> send

ubuntu@bionic-bind9-nsupdate:~$ dig @ -t txt xenial.lxd +short
"Goodbye from kerberos"

ubuntu@bionic-bind9-nsupdate:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu@LXD

Valid starting Expires Service principal
03/14/18 15:02:21 03/15/18 01:02:21 krbtgt/LXD@LXD
        renew until 03/15/18 15:02:20
03/14/18 15:02:45 03/15/18 01:02:21 DNS/lxd@LXD
        renew until 03/15/18 15:02:20

Ok.. I hope I tested the right version. :)
Had to do some apt-get magic to get it installed. (a simple upgrade didn't find it)

myclient:~# nsupdate -V
nsupdate 9.11.2-P1-1ubuntu4-Ubuntu

Sending update to a.b.c.d#53
Out of recvgss
; TSIG error with server: tsig verify failure

Still the same problem. :/

Looks like I tested the wrong version. :/

Ok.. Second try with manual install of dependencies for the new dnsutils-package.

root@myclient:~# nsupdate -V
nsupdate 9.11.2-P1-1ubuntu4~ppa1-Ubuntu

The problem is that when I upgraded it also uninstalled krb5-config and krb5-user which made testing a tad bit difficult.

Maybe some dependencies that are missing in your package?

Andreas Hasenack (ahasenack) wrote :

It's probably because in the meantime I uploaded another bind9 fix to the archive, so the ppa one fell behind. Let me update that with a new upload to the ppa. I'll let you know when it's available (should be a couple of hours at most).

Thanks for testing!

Andreas Hasenack (ahasenack) wrote :

The PPA was updated, can you please try upgrading to it again?

The version you want is 1:9.11.2.P1-1ubuntu5~ppa1

root@webext001:/etc/apt/sources.list.d# nsupdate -V
nsupdate 9.11.2-P1-1ubuntu5~ppa1-Ubuntu

Ok.. Just did a test using the version distributed with 18.04 and from your PPA.
I still have problems with TSIG verification problems but the DNS-record got registered with ppa-version but not the "original".

So it is a step forward. :)

Andreas Hasenack (ahasenack) wrote :

So it's still behaving differently from 9.12? Do you still get sssd failures when registering the machine?

I was certain that I didn't get TSIG errors with 9.12 but now I'm not that certain.

Will do some more testing when your fix gets merged.

Andreas Hasenack (ahasenack) wrote :

Maybe also make sure you still have a "pristine" environment, given that you had to do some "apt-get magic" to wedge packages into place. Incorrect versions of library packages could cause weird errors.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bind9 - 1:9.11.2.P1-1ubuntu5

bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium

  * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating
    DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews
    <email address hidden>. (LP: #1755439)

 -- Andreas Hasenack <email address hidden> Fri, 16 Mar 2018 09:38:46 -0300

Changed in bind9 (Ubuntu):
status: In Progress → Fix Released