Hello BIND Users,

*Issue Description:*
I'm experiencing an issue with secure Active Directory (AD) updates on an
AlmaLinux 9 system using ISC BIND. Despite following the necessary
configurations, I'm receiving error messages indicating that the requests
from the AD server are not signed and encountering GSSAPI-related errors.
Notably, the exact build and configurations are working without any issues
on CentOS 7.

*Environment:*
- OS: AlmaLinux 9 (using DEFAULT policy for system-wide crypto policies)
- BIND version: 9.18.28
- Active Directory: Windows Server [2016]

*Problem:*
AD updates are being denied. The BIND logs indicate that the requests are
not signed and show GSSAPI errors related to unavailable credentials and
missing files.

*Troubleshooting Steps Taken:*
We tried legacy crypto policy, but it did not work.

*Questions:*
1. What could be causing BIND to reject the AD updates as unsigned, given
that the same configuration works on CentOS 7?
2. How can I resolve the GSSAPI errors regarding unavailable credentials
and missing files?
3. Are there any AlmaLinux 9-specific configurations or steps required to
ensure secure AD updates with BIND?
4. Are there any known issues or incompatibilities between ISC BIND and
AlmaLinux 9 that could be causing this problem?

*Additional Information:*
- The same configuration is working correctly on CentOS 7 without any
issues.
- AlmaLinux 9 is using the DEFAULT policy for system-wide crypto policies.

*Current Setup:*
*# named -V*
BIND 9.18.28 (Extended Support Version) <id:>
running on Linux x86_64 5.14.0-427.18.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC
Tue May 28 06:27:02 EDT 2024
built by make with  '--prefix=/opt/mydir/' '--enable-dependency-tracking'
'--enable-dnstap' '--enable-singletrace' '--enable-querytrace'
'--disable-auto-validation' '--enable-dnsrps-dl' '--enable-dnsrps'
'--enable-full-report' '--with-tuning=large' '--enable-fixed-rrset'
'--with-libidn2' '--with-lmdb' '--with-json-c' '--with-jemalloc=detect'
'--with-maxminddb=yes' '--enable-largefile'
compiled by GCC 11.4.1 20231218 (Red Hat 11.4.1-3)
compiled with OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
linked to OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
compiled with libuv version: 1.42.0
linked to libuv version: 1.42.0
compiled with libnghttp2 version: 1.43.0
linked to libnghttp2 version: 1.43.0
compiled with json-c version: 0.14
linked to json-c version: 0.14
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256
ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384
HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes

default paths:
  named configuration:  /opt/mydir/etc/named.conf
  rndc configuration:   /opt/mydir/etc/rndc.conf
  DNSSEC root key:      /opt/mydir/etc/bind.keys
  nsupdate session key: /opt/mydir/var/run/named/session.key
  named PID file:       /opt/mydir/var/run/named/named.pid
  named lock file:      /opt/mydir/var/run/named/named.lock
  geoip-directory:      /usr/share/GeoIP


*named.conf Snippet:*
options {
        directory "/";
        allow-query {any;};
        allow-transfer {none;};
        blackhole {none;};
        dnssec-validation yes;
        listen-on-v6 {none;};
        rrset-order {
                order cyclic;
        };
        dump-file "/var/named/log/named_dump.db";
        lame-ttl 0;
        max-ncache-ttl 10800;
        minimal-responses yes;
        pid-file "/var/run/named/named.pid";
        recursion no;
        session-keyfile "/var/run/named/session.key";
        statistics-file "/var/named/log/named.stats";
        tcp-clients 150;
        *tkey-gssapi-keytab "/etc/krb5.keytab";*
};

*Zone Section in named.conf:*
zone "_msdcs.example.com" IN {
        type master;
        file "/var/named/zones/masters/db._msdcs.example.com";
        *update-policy { grant * subdomain _msdcs.example.com
<http://msdcs.example.com>. ANY; };*
};
zone "_sites.example.com" IN {
        type master;
        file "/var/named/zones/masters/db._sites.example.com";
        update-policy { grant * subdomain _sites.example.com. ANY; };
};
zone "_tcp.example.com" IN {
        type master;
        file "/var/named/zones/masters/db._tcp.example.com";
        update-policy { grant * subdomain _tcp.example.com. ANY; };
};

*krb5.conf:*
# cat krb5.conf

[libdefaults]

default_realm = EXAMPLE.COM
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 30d
default_keytab_name = FILE:/etc/krb5.keytab

[realms]
EXAMPLE.COM = {
kdc = example.com:88
default_domain = example.com
}


[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

*Specific Error Messages:*
*named.log (with debug level 0):*
update-security: error: client @0x7f01c420f7a8 10.1.10.20#53822: update '_
tcp.example.com/IN' denied
update-security: error: client @0x7f01ac0150a8 10.1.10.20#54527: update '_
sites.example.com/IN' denied
update-security: error: client @0x7f01ac0150a8 10.1.10.20#54470: update '_
msdcs.example.com/IN' denied
update-security: error: client @0x7f01ac0150a8 10.1.10.20#53206: update '_
msdcs.example.com/IN' denied
update-security: error: client @0x7f01c420f7a8 10.1.10.20#49853: update '_
msdcs.example.com/IN' denied
update-security: error: client @0x7f01c420f7a8 10.1.10.20#59529: update '_
msdcs.example.com/IN' denied
update-security: error: client @0x7f01ac0150a8 10.1.10.20#51093: update '_
msdcs.example.com/IN' denied
update-security: error: client @0x7f01c420f7a8 10.1.10.20#58128: update '_
msdcs.example.com/IN' denied
update-security: error: client @0x7f01ac0150a8 10.1.10.20#59368: update '_
msdcs.example.com/IN' denied
update-security: error: client @0x7f01ac0150a8 10.1.10.20#63380: update '_
msdcs.example.com/IN' denied
update-security: error: client @0x7f01ac0150a8 10.1.10.20#57248: update '_
tcp.example.com/IN' denied
update-security: error: client @0x7f01ac0150a8 10.1.10.20#52530: update '_
sites.example.com/IN' denied
update-security: error: client @0x7f01ac0150a8 10.1.10.20#54245: update '_
tcp.example.com/IN' denied
update-security: error: client @0x7f01c420f7a8 10.1.10.20#53890: update '_
sites.example.com/IN' denied
update-security: error: client @0x7f01ac0150a8 10.1.10.20#49508: update '_
tcp.example.com/IN' denied
update-security: error: client @0x7f01ac0150a8 10.1.10.20#56611: update '_
msdcs.example.com/IN' denied
update-security: error: client @0x7f01c420f7a8 10.1.10.20#62785: update '_
msdcs.example.com/IN' denied
update-security: error: client @0x7f01ac0150a8 10.1.10.20#59729: update '_
msdcs.example.com/IN' denied

*named.log (with debug level 10):*
client: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: UDP request
client: debug 5: client @0x7f01ac0150a8 10.1.10.20#64242: using view
'_default'
security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: request is not
signed
security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: recursion not
available (recursion not enabled for view)
update-security: error: client @0x7f01ac0150a8 10.1.10.20#64242: update '_
msdcs.example.com/IN' denied
security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: reset client
client: debug 3: clientmgr @0x7f01c4043e40 attach: 6
client: debug 3: query client=0x7f01c41936c8
thread=0x7f01c8c22640(<unknown-query>): query_reset
security: debug 3: client @0x7f01c41936c8 (no-peer): allocate new client
client: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: TCP request
client: debug 5: client @0x7f01c41936c8 10.1.10.20#58518: using view
'_default'
security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: request is not
signed
security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: recursion not
available (recursion not enabled for view)
client: debug 3: query client=0x7f01c41936c8
thread=0x7f01c8c22640(<unknown-query>): ns_query_start
general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No
credentials were supplied, or the credentials were unavailable or
inaccessible, Minor = No Kerberos credentials available (default cache:
FILE:/tmp/krb5cc_1001).
general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major =
Unspecified GSS failure.  Minor code may provide more information, Minor =
No such file or directory (filename: /var/tmp/krb5_1001.rcache2).
general: debug 4: process_gsstkey(): dns_tsigerror_badkey
security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518
(568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e): reset client
client: debug 3: query client=0x7f01c41936c8
thread=0x7f01c8c22640(568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY):
query_reset
security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: freeing client
client: debug 3: query client=0x7f01c41936c8
thread=0x7f01c8c22640(<unknown-query>): query_reset
client: debug 3: clientmgr @0x7f01c4043e40 detach: 5

client: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: UDP request
client: debug 5: client @0x7f01c420f7a8 10.1.10.20#58577: using view
'_default'
security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: request is not
signed
security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: recursion not
available (recursion not enabled for view)
client: debug 3: query client=0x7f01c420f7a8
thread=0x7f01c8c22640(<unknown-query>): ns_query_start
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): qctx_init
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): client attr:0x20000, query attr:0xF00,
restarts:0, origqname:nameserver.example.com, timer:0, authdb:0, referral:0
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): ns__query_start
security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577 (
nameserver.example.com): query 'nameserver.example.com/A/IN' approved
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): query_lookup
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): query_gotanswer
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): query_checkrpz
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): rpz_rewrite
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): query_prepresponse
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): query_zerottl_refetch
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): query_respond
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): query_getexpire
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): query_addanswer
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): query_addrrset
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): query_setorder
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): query_additional
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): query_addrrset: done
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): query_addnoqnameproof
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): query_addauth
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): ns_query_done
security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577 (
nameserver.example.com): reset client
client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(
nameserver.example.com/A): query_reset
client: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: UDP request
client: debug 5: client @0x7f01c420f7a8 10.1.10.20#62785: using view
'_default'
security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: request is not
signed
security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: recursion not
available (recursion not enabled for view)
update-security: error: client @0x7f01c420f7a8 10.1.10.20#62785: update '_
msdcs.example.com/IN' denied
security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: reset client
client: debug 3: clientmgr @0x7f01c4055fc0 attach: 6
client: debug 3: query client=0x7f01ac0eca18
thread=0x7f01c3fff640(<unknown-query>): query_reset
security: debug 3: client @0x7f01ac0eca18 (no-peer): allocate new client
client: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: TCP request
client: debug 5: client @0x7f01ac0eca18 10.1.10.20#58172: using view
'_default'
security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: request is not
signed
security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: recursion not
available (recursion not enabled for view)
client: debug 3: query client=0x7f01ac0eca18
thread=0x7f01c3fff640(<unknown-query>): ns_query_start
general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No
credentials were supplied, or the credentials were unavailable or
inaccessible, Minor = No Kerberos credentials available (default cache:
FILE:/tmp/krb5cc_1001).
general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major =
Unspecified GSS failure.  Minor code may provide more information, Minor =
No such file or directory (filename: /var/tmp/krb5_1001.rcache2).
general: debug 4: process_gsstkey(): dns_tsigerror_badkey
security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172
(568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e): reset client
client: debug 3: query client=0x7f01ac0eca18
thread=0x7f01c3fff640(568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY):
query_reset

Any insights, suggestions, or further troubleshooting steps to resolve this
issue would be greatly appreciated. Thank you in advance for your
assistance.

Thanks

Nagesh
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to