Thank you all for your assistance. The issue has finally been resolved. It turns out I was running BIND in a chroot jail, and the /var/tmp folder was missing within the chroot environment. This was the cause of the AD update denials.
On Tue, Aug 20, 2024 at 3:27 PM Petr Špaček <pspa...@isc.org> wrote:
> Hi Nagesh,
>
> it's unclear what exactly is the log about. Is that first start of the
> server? (I guess so.) Or the client's attempt?
>
> You have mentioned that you have two systems, one working and the other
> one failing. I suggest you gather logs from both and compare them line by
> line to find the difference.
>
> Petr Špaček
> Internet Systems Consortium
>
> On 20. 08. 24 11:18, Nagesh Thati wrote:
> > Hi,
> > We have checked all the files related to krb and keytab, all files and
> > their permissions are good. But still updates are getting denied. I am
> > attaching the Krb5 Trace output also, please check and let me know.
> > tkey-gssapi-credential option also specified in the named.conf, but
> > still updates are denied.
> >
> > *_KRB5_TRACE Output:_*
> > [597869] 1724136604.999060: Getting initial credentials for DNS/example-master.example....@example.com
> > [597869] 1724136605.002377: Sending unauthenticated request
> > [597869] 1724136605.002378: Sending request (194 bytes) to EXAMPLE.COM
> > [597869] 1724136605.002379: Resolving hostname example.com
> > [597869] 1724136605.002380: Sending initial UDP request to dgram 10.1.8.171:88
> > [597869] 1724136605.002381: Received answer (205 bytes) from dgram 10.1.8.171:88
> > [597869] 1724136605.002382: Sending DNS URI query for _kerberos.EXAMPLE.COM.
> > [597869] 1724136605.002383: No URI records found
> > [597869] 1724136605.002384: Sending DNS SRV query for _kerberos-master._udp.EXAMPLE.COM.
> > [597869] 1724136605.002385: Sending DNS SRV query for _kerberos-master._tcp.EXAMPLE.COM.
> > [597869] 1724136605.002386: No SRV records found
> > [597869] 1724136605.002387: Response was not from primary KDC
> > [597869] 1724136605.002388: Received error from KDC: -1765328359/Additional pre-authentication required
> > [597869] 1724136605.002391: Preauthenticating using KDC method data
> > [597869] 1724136605.002392: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
> > [597869] 1724136605.002393: Selected etype info: etype aes256-cts, salt "EXAMPLE.COMDNSexample-master.example.com", params ""
> > [597869] 1724136605.002394: PKINIT client has no configured identity; giving up
> > [597869] 1724136605.002395: Preauth module pkinit (16) (real) returned: -1765328174/No pkinit_anchors supplied
> > [597869] 1724136610.500899: AS key obtained for encrypted timestamp: aes256-cts/7523
> > [597869] 1724136610.500901: Encrypted timestamp (for 1724136611.194769): plain 301AA011180F32303234303832303036353031315AA105020302F8D1, encrypted 8D719F980037E7626CE2B7B1C8B82E56AD5866596D5041C925C85D032BDA06F6102F5E50952B725E4DA945243897C9F92C13213B136CBBAA
> > [597869] 1724136610.500902: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> > [597869] 1724136610.500903: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
> > [597869] 1724136610.500904: Sending request (274 bytes) to EXAMPLE.COM
> > [597869] 1724136610.500905: Resolving hostname example.com
> > [597869] 1724136610.500906: Sending initial UDP request to dgram 10.1.8.171:88
> > [597869] 1724136610.500907: Received answer (94 bytes) from dgram 10.1.8.171:88
> > [597869] 1724136610.500908: Sending DNS URI query for _kerberos.EXAMPLE.COM.
> > [597869] 1724136610.500909: No URI records found
> > [597869] 1724136610.500910: Sending DNS SRV query for _kerberos-master._udp.EXAMPLE.COM.
> > [597869] 1724136610.500911: Sending DNS SRV query for _kerberos-master._tcp.EXAMPLE.COM.
> > [597869] 1724136610.500912: No SRV records found
> > [597869] 1724136610.500913: Response was not from primary KDC
> > [597869] 1724136610.500914: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> > [597869] 1724136610.500915: Request or response is too big for UDP; retrying with TCP
> > [597869] 1724136610.500916: Sending request (274 bytes) to EXAMPLE.COM (tcp only)
> > [597869] 1724136610.500917: Resolving hostname example.com
> > [597869] 1724136610.500918: Initiating TCP connection to stream 10.1.8.171:88
> > [597869] 1724136610.500919: Sending TCP request to stream 10.1.8.171:88
> > [597869] 1724136610.500920: Received answer (1737 bytes) from stream 10.1.8.171:88
> > [597869] 1724136610.500921: Terminating TCP connection to stream 10.1.8.171:88
> > [597869] 1724136610.500922: Sending DNS URI query for _kerberos.EXAMPLE.COM.
> > [597869] 1724136610.500923: No URI records found
> > [597869] 1724136610.500924: Sending DNS SRV query for _kerberos-master._tcp.EXAMPLE.COM.
> > [597869] 1724136610.500925: No SRV records found
> > [597869] 1724136610.500926: Response was not from primary KDC
> > [597869] 1724136610.500927: Processing preauth types: PA-ETYPE-INFO2 (19)
> > [597869] 1724136610.500928: Selected etype info: etype aes256-cts, salt "EXAMPLE.COMDNSexample-master.example.com", params ""
> > [597869] 1724136610.500929: Produced preauth for next request: (empty)
> > [597869] 1724136610.500930: AS key determined by preauth: aes256-cts/7523
> > [597869] 1724136610.500931: Decrypted AS reply; session key is: aes256-cts/9EA3
> > [597869] 1724136610.500932: FAST negotiation: unavailable
> > [597869] 1724136610.500933: Resolving unique ccache of type MEMORY
> > [597869] 1724136610.500934: Initializing MEMORY:ii4Cyzt with default princ DNS/example-master.example....@example.com
> > [597869] 1724136610.500935: Storing config in MEMORY:ii4Cyzt for krbtgt/example....@example.com: pa_type: 2
> > [597869] 1724136610.500936: Storing DNS/example-master.example....@example.com -> krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.COM\@EXAMPLE.COM@X-CACHECONF: in MEMORY:ii4Cyzt
> > [597869] 1724136610.500937: Storing DNS/example-master.example....@example.com -> krbtgt/example....@example.com in MEMORY:ii4Cy
> >
> > Thanks,
> > Nagesh
> >
> > On Thu, Aug 8, 2024 at 6:20 PM Petr Špaček <pspa...@isc.org> wrote:
> > > Hello,
> > >
> > > my first bet is missing tkey-gssapi-credential configuration statement
> > > [1], followed by:
> > > - or incorrect content of keytab,
> > > - some file permission problem related to /etc/krb5.keytab, or /var/tmp,
> > > or /tmp,
> > > - It's Red Hat so a SELinux denial might be a problem as well.
> > >
> > > KRB5_TRACE environment variable might help with debugging, see "man
> > > kerberos" and also check other environment variables and config files
> > > listed there.
> > >
> > > Given that you have a working system I suggest you compare all of the
> > > above to find out what's the difference.
> > >
> > > [1] https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-tkey-gssapi-keytab
> > >
> > > Petr Špaček
> > > Internet Systems Consortium
> > >
> > > On 08. 08. 24 14:23, Nagesh Thati wrote:
> > > > Hello Guys,
> > > > Any help is much appreciated.
> > > > Thanks
> > > > Nagesh
> > > >
> > > > On Tue, Aug 6, 2024 at 7:11 PM Nagesh Thati <tcpnag...@gmail.com> wrote:
> > > > > Hello BIND Users,
> > > > >
> > > > > *Issue Description:*
> > > > > I'm experiencing an issue with secure Active Directory (AD) updates
> > > > > on an AlmaLinux 9 system using ISC BIND. Despite following the
> > > > > necessary configurations, I'm receiving error messages indicating
> > > > > that the requests from the AD server are not signed and encountering
> > > > > GSSAPI-related errors. Notably, the exact build and configurations
> > > > > are working without any issues on CentOS 7.
> > > > >
> > > > > *Environment:*
> > > > > - OS: AlmaLinux 9 (using DEFAULT policy for system-wide crypto policies)
> > > > > - BIND version: 9.18.28
> > > > > - Active Directory: Windows Server [2016]
> > > > >
> > > > > *Problem:*
> > > > > AD updates are being denied. The BIND logs indicate that the
> > > > > requests are not signed and show GSSAPI errors related to
> > > > > unavailable credentials and missing files.
> > > > >
> > > > > *Troubleshooting Steps Taken:*
> > > > > We tried legacy crypto policy, but it did not work.
> > > > >
> > > > > *Questions:*
> > > > > 1. What could be causing BIND to reject the AD updates as unsigned,
> > > > > given that the same configuration works on CentOS 7?
> > > > > 2. How can I resolve the GSSAPI errors regarding unavailable
> > > > > credentials and missing files?
> > > > > 3. Are there any AlmaLinux 9-specific configurations or steps
> > > > > required to ensure secure AD updates with BIND?
> > > > > 4. Are there any known issues or incompatibilities between ISC BIND
> > > > > and AlmaLinux 9 that could be causing this problem?
> > > > >
> > > > > *Additional Information:*
> > > > > - The same configuration is working correctly on CentOS 7 without
> > > > > any issues.
> > > > > - AlmaLinux 9 is using the DEFAULT policy for system-wide crypto
> > > > > policies.
> > > > >
> > > > > *_Current Setup:_*
> > > > >
> > > > > *# named -V*
> > > > > BIND 9.18.28 (Extended Support Version) <id:>
> > > > > running on Linux x86_64 5.14.0-427.18.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Tue May 28 06:27:02 EDT 2024
> > > > > built by make with '--prefix=/opt/mydir/' '--enable-dependency-tracking' '--enable-dnstap' '--enable-singletrace' '--enable-querytrace' '--disable-auto-validation' '--enable-dnsrps-dl' '--enable-dnsrps' '--enable-full-report' '--with-tuning=large' '--enable-fixed-rrset' '--with-libidn2' '--with-lmdb' '--with-json-c' '--with-jemalloc=detect' '--with-maxminddb=yes' '--enable-largefile'
> > > > > compiled by GCC 11.4.1 20231218 (Red Hat 11.4.1-3)
> > > > > compiled with OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
> > > > > linked to OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
> > > > > compiled with libuv version: 1.42.0
> > > > > linked to libuv version: 1.42.0
> > > > > compiled with libnghttp2 version: 1.43.0
> > > > > linked to libnghttp2 version: 1.43.0
> > > > > compiled with json-c version: 0.14
> > > > > linked to json-c version: 0.14
> > > > > compiled with zlib version: 1.2.11
> > > > > linked to zlib version: 1.2.11
> > > > > linked to maxminddb version: 1.5.2
> > > > > compiled with protobuf-c version: 1.3.3
> > > > > linked to protobuf-c version: 1.3.3
> > > > > threads support is enabled
> > > > > DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
> > > > > DS algorithms: SHA-1 SHA-256 SHA-384
> > > > > HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
> > > > > TKEY mode 2 support (Diffie-Hellman): yes
> > > > > TKEY mode 3 support (GSS-API): yes
> > > > >
> > > > > default paths:
> > > > >   named configuration:  /opt/mydir/etc/named.conf
> > > > >   rndc configuration:   /opt/mydir/etc/rndc.conf
> > > > >   DNSSEC root key:      /opt/mydir/etc/bind.keys
> > > > >   nsupdate session key: /opt/mydir/var/run/named/session.key
> > > > >   named PID file:       /opt/mydir/var/run/named/named.pid
> > > > >   named lock file:      /opt/mydir/var/run/named/named.lock
> > > > >   geoip-directory:      /usr/share/GeoIP
> > > > >
> > > > > *named.conf Snippet:*
> > > > > options {
> > > > >         directory "/";
> > > > >         allow-query {any;};
> > > > >         allow-transfer {none;};
> > > > >         blackhole {none;};
> > > > >         dnssec-validation yes;
> > > > >         listen-on-v6 {none;};
> > > > >         rrset-order {
> > > > >                 order cyclic;
> > > > >         };
> > > > >         dump-file "/var/named/log/named_dump.db";
> > > > >         lame-ttl 0;
> > > > >         max-ncache-ttl 10800;
> > > > >         minimal-responses yes;
> > > > >         pid-file "/var/run/named/named.pid";
> > > > >         recursion no;
> > > > >         session-keyfile "/var/run/named/session.key";
> > > > >         statistics-file "/var/named/log/named.stats";
> > > > >         tcp-clients 150;
> > > > >         *tkey-gssapi-keytab "/etc/krb5.keytab";*
> > > > > };
> > > > >
> > > > > *Zone Section in named.conf:*
> > > > > zone "_msdcs.example.com" IN {
> > > > >         type master;
> > > > >         file "/var/named/zones/masters/db._msdcs.example.com";
> > > > >         *update-policy { grant * subdomain _msdcs.example.com. ANY; };*
> > > > > };
> > > > > zone "_sites.example.com" IN {
> > > > >         type master;
> > > > >         file "/var/named/zones/masters/db._sites.example.com";
> > > > >         update-policy { grant * subdomain _sites.example.com. ANY; };
> > > > > };
> > > > > zone "_tcp.example.com" IN {
> > > > >         type master;
> > > > >         file "/var/named/zones/masters/db._tcp.example.com";
> > > > >         update-policy { grant * subdomain _tcp.example.com. ANY; };
> > > > > };
> > > > >
> > > > > *krb5.conf:*
> > > > > # cat krb5.conf
> > > > >
> > > > > [libdefaults]
> > > > >
> > > > > default_realm = EXAMPLE.COM
> > > > > default_tkt_enctypes = aes256-cts
> > > > > default_tgs_enctypes = aes256-cts
> > > > > dns_lookup_realm = true
> > > > > dns_lookup_kdc = true
> > > > > ticket_lifetime = 30d
> > > > > default_keytab_name = FILE:/etc/krb5.keytab
> > > > >
> > > > > [realms]
> > > > > EXAMPLE.COM = {
> > > > >         kdc = example.com:88
> > > > >         default_domain = example.com
> > > > > }
> > > > >
> > > > > [domain_realm]
> > > > > .example.com = EXAMPLE.COM
> > > > > example.com = EXAMPLE.COM
> > > > >
> > > > > *_Specific Error Messages:_*
> > > > > *named.log (with debug level 0):*
> > > > > update-security: error: client @0x7f01c420f7a8 10.1.10.20#53822: update '_tcp.example.com/IN' denied
> > > > > update-security: error: client @0x7f01ac0150a8 10.1.10.20#54527: update '_sites.example.com/IN' denied
> > > > > update-security: error: client @0x7f01ac0150a8 10.1.10.20#54470: update '_msdcs.example.com/IN' denied
> > > > > update-security: error: client @0x7f01ac0150a8 10.1.10.20#53206: update '_msdcs.example.com/IN' denied
> > > > > update-security: error: client @0x7f01c420f7a8 10.1.10.20#49853: update '_msdcs.example.com/IN' denied
> > > > > update-security: error: client @0x7f01c420f7a8 10.1.10.20#59529: update '_msdcs.example.com/IN' denied
> > > > > update-security: error: client @0x7f01ac0150a8 10.1.10.20#51093: update '_msdcs.example.com/IN' denied
> > > > > update-security: error: client @0x7f01c420f7a8 10.1.10.20#58128: update '_msdcs.example.com/IN' denied
> > > > > update-security: error: client @0x7f01ac0150a8 10.1.10.20#59368: update '_msdcs.example.com/IN' denied
> > > > > update-security: error: client @0x7f01ac0150a8 10.1.10.20#63380: update '_msdcs.example.com/IN' denied
> > > > > update-security: error: client @0x7f01ac0150a8 10.1.10.20#57248: update '_tcp.example.com/IN' denied
> > > > > update-security: error: client @0x7f01ac0150a8 10.1.10.20#52530: update '_sites.example.com/IN' denied
> > > > > update-security: error: client @0x7f01ac0150a8 10.1.10.20#54245: update '_tcp.example.com/IN' denied
> > > > > update-security: error: client @0x7f01c420f7a8 10.1.10.20#53890: update '_sites.example.com/IN' denied
> > > > > update-security: error: client @0x7f01ac0150a8 10.1.10.20#49508: update '_tcp.example.com/IN' denied
> > > > > update-security: error: client @0x7f01ac0150a8 10.1.10.20#56611: update '_msdcs.example.com/IN' denied
> > > > > update-security: error: client @0x7f01c420f7a8 10.1.10.20#62785: update '_msdcs.example.com/IN' denied
> > > > > update-security: error: client @0x7f01ac0150a8 10.1.10.20#59729: update '_msdcs.example.com/IN' denied
> > > > >
> > > > > *named.log (with debug level 10):*
> > > > > client: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: UDP request
> > > > > client: debug 5: client @0x7f01ac0150a8 10.1.10.20#64242: using view '_default'
> > > > > security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: request is not signed
> > > > > security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: recursion not available (recursion not enabled for view)
> > > > > update-security: error: client @0x7f01ac0150a8 10.1.10.20#64242: update '_msdcs.example.com/IN' denied
> > > > > security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: reset client
> > > > > client: debug 3: clientmgr @0x7f01c4043e40 attach: 6
> > > > > client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(<unknown-query>): query_reset
> > > > > security: debug 3: client @0x7f01c41936c8 (no-peer): allocate new client
> > > > > client: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: TCP request
> > > > > client: debug 5: client @0x7f01c41936c8 10.1.10.20#58518: using view '_default'
> > > > > security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: request is not signed
> > > > > security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: recursion not available (recursion not enabled for view)
> > > > > client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(<unknown-query>): ns_query_start
> > > > > general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No credentials were supplied, or the credentials were unavailable or inaccessible, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1001).
> > > > > general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = No such file or directory (filename: /var/tmp/krb5_1001.rcache2).
> > > > > general: debug 4: process_gsstkey(): dns_tsigerror_badkey
> > > > > security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518 (568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e): reset client
> > > > > client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY): query_reset
> > > > > security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: freeing client
> > > > > client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(<unknown-query>): query_reset
> > > > > client: debug 3: clientmgr @0x7f01c4043e40 detach: 5
> > > > >
> > > > > client: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: UDP request
> > > > > client: debug 5: client @0x7f01c420f7a8 10.1.10.20#58577: using view '_default'
> > > > > security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: request is not signed
> > > > > security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: recursion not available (recursion not enabled for view)
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(<unknown-query>): ns_query_start
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): qctx_init
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): client attr:0x20000, query attr:0xF00, restarts:0, origqname:nameserver.example.com, timer:0, authdb:0, referral:0
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): ns__query_start
> > > > > security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577 (nameserver.example.com): query 'nameserver.example.com/A/IN' approved
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_lookup
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_gotanswer
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_checkrpz
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): rpz_rewrite
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_prepresponse
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_zerottl_refetch
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_respond
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_getexpire
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addanswer
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addrrset
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_setorder
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_additional
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addrrset: done
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addnoqnameproof
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addauth
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): ns_query_done
> > > > > security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577 (nameserver.example.com): reset client
> > > > > client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_reset
> > > > > client: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: UDP request
> > > > > client: debug 5: client @0x7f01c420f7a8 10.1.10.20#62785: using view '_default'
> > > > > security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: request is not signed
> > > > > security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: recursion not available (recursion not enabled for view)
> > > > > update-security: error: client @0x7f01c420f7a8 10.1.10.20#62785: update '_msdcs.example.com/IN' denied
> > > > > security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: reset client
> > > > > client: debug 3: clientmgr @0x7f01c4055fc0 attach: 6
> > > > > client: debug 3: query client=0x7f01ac0eca18 thread=0x7f01c3fff640(<unknown-query>): query_reset
> > > > > security: debug 3: client @0x7f01ac0eca18 (no-peer): allocate new client
> > > > > client: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: TCP request
> > > > > client: debug 5: client @0x7f01ac0eca18 10.1.10.20#58172: using view '_default'
> > > > > security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: request is not signed
> > > > > security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: recursion not available (recursion not enabled for view)
> > > > > client: debug 3: query client=0x7f01ac0eca18 thread=0x7f01c3fff640(<unknown-query>): ns_query_start
> > > > > general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No credentials were supplied, or the credentials were unavailable or inaccessible, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1001).
> > > > > general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = No such file or directory (filename: /var/tmp/krb5_1001.rcache2).
> > > > > general: debug 4: process_gsstkey(): dns_tsigerror_badkey
> > > > > security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172 (568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e): reset client
> > > > > client: debug 3: query client=0x7f01ac0eca18 thread=0x7f01c3fff640(568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY): query_reset
> > > > >
> > > > > Any insights, suggestions, or further troubleshooting steps to
> > > > > resolve this issue would be greatly appreciated. Thank you in
> > > > > advance for your assistance.
> > > > >
> > > > > Thanks
> > > > >
> > > > > Nagesh
> > >
> > > --
> > > Petr Špaček
>
> --
> Petr Špaček
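The debug-10 log quoted above names the two paths libkrb5 needs at runtime, the credential cache under /tmp and the GSSAPI replay cache under /var/tmp, and the resolution at the top of the thread was a missing /var/tmp inside the chroot. The script below is an added example, not from the thread, from ISC or from MIT Kerberos; it assumes a hypothetical script name check_bind_gss_chroot.sh, takes the chroot directory (the one given to `named -t`) as its first argument and the keytab path from the named.conf snippet as its second, and reports which of those paths are missing, empty, or not mode 1777 inside that tree.

```shell
#!/bin/sh
# check_bind_gss_chroot.sh: added example, not from the thread or from ISC.
# Verifies that a BIND chroot tree contains the paths MIT Kerberos/GSSAPI
# touches when named accepts GSS-TSIG (TKEY mode 3) updates:
#   /tmp      default credential cache  (FILE:/tmp/krb5cc_<uid> in the log)
#   /var/tmp  GSSAPI replay cache       (/var/tmp/krb5_<uid>.rcache2 in the log)
#   /etc/krb5.conf and the keytab named by tkey-gssapi-keytab
# Usage: check_bind_gss_chroot.sh CHROOT_DIR [KEYTAB]
#   CHROOT_DIR is the directory passed to "named -t" (use / when not chrooted);
#   KEYTAB defaults to /etc/krb5.keytab and is relative to the chroot, i.e.
#   the path exactly as it appears in named.conf.

# Print one line per check; return 0 only when every check passes.
check_gss_paths() {
    root="${1:-/}"
    keytab="${2:-/etc/krb5.keytab}"
    root="${root%/}"            # "/" becomes "", so "$root/tmp" never doubles a slash
    failures=0

    # Scratch directories: must exist and be world-writable with the sticky
    # bit (mode 1777), because named has dropped privileges by the time
    # libkrb5 creates its cache files there.
    for d in /tmp /var/tmp; do
        if [ ! -d "$root$d" ]; then
            printf 'MISSING  %s (krb5 cannot create its cache files)\n' "$root$d"
            failures=$((failures + 1))
        elif [ -z "$(find "$root$d" -prune -perm -1777)" ]; then
            printf 'BADMODE  %s (expected mode 1777)\n' "$root$d"
            failures=$((failures + 1))
        else
            printf 'ok       %s\n' "$root$d"
        fi
    done

    # Kerberos client config and the service keytab named uses for GSS-TSIG.
    for f in /etc/krb5.conf "$keytab"; do
        if [ ! -f "$root$f" ]; then
            printf 'MISSING  %s\n' "$root$f"
            failures=$((failures + 1))
        elif [ ! -s "$root$f" ]; then
            printf 'EMPTY    %s\n' "$root$f"
            failures=$((failures + 1))
        else
            printf 'ok       %s\n' "$root$f"
        fi
    done

    [ "$failures" -eq 0 ]
}

# Stand-alone use: only run when a chroot directory was given on the command
# line, so the file can also be sourced for its function alone.
if [ $# -gt 0 ]; then
    # SELinux was on the checklist in the thread; report the mode when the
    # tool is present, purely as context for the path checks below.
    if command -v getenforce >/dev/null 2>&1; then
        printf 'SELinux: %s\n' "$(getenforce)"
    fi
    check_gss_paths "$@"
fi
```

On the thread's failing host, `sh check_bind_gss_chroot.sh /path/to/chroot` would have printed a `MISSING  /path/to/chroot/var/tmp` line, which is the replay-cache directory that `gss_accept_sec_context` reported as "No such file or directory". The function returns non-zero on any finding, so it can be placed in a deployment pipeline before named is (re)started.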
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users