Hello, Hope everyone is fine on this quarantine timeframe.
So here is the issue: I’ve an Active Directory domain on Windows Server 2019 (upgraded since 2012 R2 days) that uses BIND9 as DNS service. This domain never had Windows DNS Server. Everything works as expected, except for the GSS-TSIG updates, I’m scratching my head trying to solve this but nothing works and the debug messages does not says anything, which is extremely frustrating. The scenario is the following: 192.168.1.2: BIND9 Master (RHEL8) 192.168.1.3: BIND9 Slave #1 (RHEL8) 192.168.1.4: BIND9 Slave #2 (RHEL8) 192.168.1.5: DC #1 (Server 2019) 192.168.1.6: DC #2 (Server 2019) BIND 9 version: bind-9.11.13-3.el8.x86_64 bind-license-9.11.13-3.el8.noarch bind-libs-9.11.13-3.el8.x86_64 bind-export-libs-9.11.13-3.el8.x86_64 bind-utils-9.11.13-3.el8.x86_64 bind-libs-lite-9.11.13-3.el8.x86_64 All machines are configured pointing to 192.168.1.2 and 192.168.1.3 for DNS service. Those slaves are pretty simple, they run just a catalog zone to fetch everything from master: // Catalog Zone zone “catalog.local.example.com<http://catalog.local.example.com>" { type slave; file "slaves/catalog.local.example.com.db"; masters { 192.168.1.2; }; }; On the master, is where anything else is configured: // Options options { … // Recursion and caching disable recursion no; additional-from-auth no; additional-from-cache no; // Keys managed-keys-directory "/var/named/dynamic”; // Signed kerberos updates tkey-gssapi-keytab “/etc/krb5.keytab"; tkey-gssapi-credential “DNS/[email protected]<mailto:DNS/[email protected]>"; tkey-domain "LOCAL.EXAMPLE.COM<http://LOCAL.EXAMPLE.COM>”; // Catalog zones support server-id "authoritative"; allow-new-zones yes; }; // Catalog Zone zone "catalog.local.example.com<http://catalog.local.example.com>" { type master; file "/var/named/static/catalog.local.example.com.db"; also-notify { 192.168.1.3; 192.168.1.4; }; notify explicit; }; // Start of AD authoritative dynamic zones zone "local.example.com" { type master; file "/var/named/dynamic/local.example.com.db"; notify yes; check-names ignore; allow-transfer { intnameservers; }; # allow-update { # domaincontrollers; # }; update-policy { # grant * krb5-subdomain local.example.com. ANY; # grant * ms-subdomain local.example.com. ANY; grant * subdomain local.example.com. ANY; }; }; I’ve tried a lot of combination in update policy, nothing really works: krb5-self, ms-selfsub and etc. The other files and settings on the system appears to be right: [root@ns named]# file /etc/krb5.keytab /etc/krb5.keytab: Kerberos Keytab file, realm=LOCAL.EXAMPLE.COM<http://LOCAL.EXAMPLE.COM>, principal=DNS/ns.local.example.com<http://ns.local.example.com>, type=1, date=Sat May 23 07:40:19 2020, kvno=17 [root@ns named]# klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 17 DNS/[email protected]<mailto:DNS/[email protected]> (aes256-cts-hmac-sha1-96) [root@pallet named]# cat /etc/krb5.conf # To opt out of the system crypto-policies configuration of krb5, remove the # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated. includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt spake_preauth_groups = edwards25519 # default_realm = EXAMPLE.COM<http://EXAMPLE.COM> default_realm = LOCAL.EXAMPLE.COM<http://LOCAL.EXAMPLE.COM> default_ccache_name = KEYRING:persistent:%{uid} [realms] # EXAMPLE.COM<http://EXAMPLE.COM> = { # kdc = kerberos.example.com<http://kerberos.example.com> # admin_server = kerberos.example.com<http://kerberos.example.com> # } [domain_realm] # .example.com<http://example.com> = EXAMPLE.COM<http://EXAMPLE.COM> # example.com<http://example.com> = EXAMPLE.COM<http://EXAMPLE.COM> [root@ns named]# hostname ns.example.com<http://ns.example.com> So that’s is it, on the logs I only get the following, when I try to issue ipconfig /registerdns on a Windows domain-joined machine: 23-May-2020 01:57:03.693 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#62276: updating zone 'local.example.com/IN':<http://local.example.com/IN':> prerequisites are OK 23-May-2020 01:57:03.693 update-security: error: client @0x7fa1100a1ca0 192.168.1.12#62276: update 'local.example.com/IN<http://local.example.com/IN>' denied 23-May-2020 01:57:03.693 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#62276: updating zone 'local.example.com/IN':<http://local.example.com/IN':> rolling back 23-May-2020 01:57:03.700 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#65242: updating zone 'local.example.com/IN':<http://local.example.com/IN':> prerequisites are OK 23-May-2020 01:57:03.700 update-security: error: client @0x7fa1100a1ca0 192.168.1.12#65242: update 'local.example.com/IN<http://local.example.com/IN>' denied 23-May-2020 01:57:03.700 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#65242: updating zone 'local.example.com/IN':<http://local.example.com/IN':> rolling back 23-May-2020 01:57:05.740 update: debug 8: client @0x7fa1100a1ca0 192.168.1.15#49688: updating zone 'local.example.com/IN':<http://local.example.com/IN':> prerequisites are OK 23-May-2020 01:57:05.740 update-security: error: client @0x7fa1100a1ca0 192.168.1.15#49688: update 'local.example.com/IN<http://local.example.com/IN>' denied 23-May-2020 01:57:05.740 update: debug 8: client @0x7fa1100a1ca0 192.168.1.15#49688: updating zone 'local.example.com/IN':<http://local.example.com/IN':> rolling back Any help on how to start debugging it is greatly appreciated. Thanks, PS: My implementation was based on this article: http://ddiguru.com/blog/configuring-gss-tsig-on-bind; except for the +DesOnly option, because it’s deprecated right now. I’ve enabled the AES256 passwords on the BIND9 user account on AD side and set the password after it so the hashes could be generated.
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
