Hello BIND Users,

*Issue Description:*

I'm experiencing an issue with secure Active Directory (AD) updates on an AlmaLinux 9 system using ISC BIND. Despite following the necessary configurations, I'm receiving error messages indicating that the requests from the AD server are not signed, and encountering GSSAPI-related errors. Notably, the exact same build and configuration are working without any issues on CentOS 7.

*Environment:*

- OS: AlmaLinux 9 (using the DEFAULT policy for system-wide crypto policies)
- BIND version: 9.18.28
- Active Directory: Windows Server 2016

*Problem:*

AD updates are being denied. The BIND logs indicate that the requests are not signed and show GSSAPI errors related to unavailable credentials and missing files.

*Troubleshooting Steps Taken:*

We tried the legacy crypto policy, but it did not work.

*Questions:*

1. What could be causing BIND to reject the AD updates as unsigned, given that the same configuration works on CentOS 7?
2. How can I resolve the GSSAPI errors regarding unavailable credentials and missing files?
3. Are there any AlmaLinux 9-specific configurations or steps required to ensure secure AD updates with BIND?
4. Are there any known issues or incompatibilities between ISC BIND and AlmaLinux 9 that could be causing this problem?

*Additional Information:*

- The same configuration is working correctly on CentOS 7 without any issues.
- AlmaLinux 9 is using the DEFAULT policy for system-wide crypto policies.

*Current Setup:*

    # named -V
    BIND 9.18.28 (Extended Support Version) <id:>
    running on Linux x86_64 5.14.0-427.18.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Tue May 28 06:27:02 EDT 2024
    built by make with '--prefix=/opt/mydir/' '--enable-dependency-tracking' '--enable-dnstap' '--enable-singletrace' '--enable-querytrace' '--disable-auto-validation' '--enable-dnsrps-dl' '--enable-dnsrps' '--enable-full-report' '--with-tuning=large' '--enable-fixed-rrset' '--with-libidn2' '--with-lmdb' '--with-json-c' '--with-jemalloc=detect' '--with-maxminddb=yes' '--enable-largefile'
    compiled by GCC 11.4.1 20231218 (Red Hat 11.4.1-3)
    compiled with OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
    linked to OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
    compiled with libuv version: 1.42.0
    linked to libuv version: 1.42.0
    compiled with libnghttp2 version: 1.43.0
    linked to libnghttp2 version: 1.43.0
    compiled with json-c version: 0.14
    linked to json-c version: 0.14
    compiled with zlib version: 1.2.11
    linked to zlib version: 1.2.11
    linked to maxminddb version: 1.5.2
    compiled with protobuf-c version: 1.3.3
    linked to protobuf-c version: 1.3.3
    threads support is enabled
    DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
    DS algorithms: SHA-1 SHA-256 SHA-384
    HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
    TKEY mode 2 support (Diffie-Hellman): yes
    TKEY mode 3 support (GSS-API): yes
    default paths:
      named configuration:  /opt/mydir/etc/named.conf
      rndc configuration:   /opt/mydir/etc/rndc.conf
      DNSSEC root key:      /opt/mydir/etc/bind.keys
      nsupdate session key: /opt/mydir/var/run/named/session.key
      named PID file:       /opt/mydir/var/run/named/named.pid
      named lock file:      /opt/mydir/var/run/named/named.lock
      geoip-directory:      /usr/share/GeoIP

*named.conf Snippet:*

    options {
        directory "/";
        allow-query { any; };
        allow-transfer { none; };
        blackhole { none; };
        dnssec-validation yes;
        listen-on-v6 { none; };
        rrset-order { order cyclic; };
        dump-file "/var/named/log/named_dump.db";
        lame-ttl 0;
        max-ncache-ttl 10800;
        minimal-responses yes;
        pid-file "/var/run/named/named.pid";
        recursion no;
        session-keyfile "/var/run/named/session.key";
        statistics-file "/var/named/log/named.stats";
        tcp-clients 150;
        tkey-gssapi-keytab "/etc/krb5.keytab";
    };

*Zone Section in named.conf:*

    zone "_msdcs.example.com" IN {
        type master;
        file "/var/named/zones/masters/db._msdcs.example.com";
        update-policy { grant * subdomain _msdcs.example.com. ANY; };
    };

    zone "_sites.example.com" IN {
        type master;
        file "/var/named/zones/masters/db._sites.example.com";
        update-policy { grant * subdomain _sites.example.com. ANY; };
    };

    zone "_tcp.example.com" IN {
        type master;
        file "/var/named/zones/masters/db._tcp.example.com";
        update-policy { grant * subdomain _tcp.example.com. ANY; };
    };

*krb5.conf:*

    # cat krb5.conf
    [libdefaults]
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = aes256-cts
        default_tgs_enctypes = aes256-cts
        dns_lookup_realm = true
        dns_lookup_kdc = true
        ticket_lifetime = 30d
        default_keytab_name = FILE:/etc/krb5.keytab

    [realms]
        EXAMPLE.COM = {
            kdc = example.com:88
            default_domain = example.com
        }

    [domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

*Specific Error Messages:*

*named.log (with debug level 0):*

    update-security: error: client @0x7f01c420f7a8 10.1.10.20#53822: update '_tcp.example.com/IN' denied
    update-security: error: client @0x7f01ac0150a8 10.1.10.20#54527: update '_sites.example.com/IN' denied
    update-security: error: client @0x7f01ac0150a8 10.1.10.20#54470: update '_msdcs.example.com/IN' denied
    update-security: error: client @0x7f01ac0150a8 10.1.10.20#53206: update '_msdcs.example.com/IN' denied
    update-security: error: client @0x7f01c420f7a8 10.1.10.20#49853: update '_msdcs.example.com/IN' denied
    update-security: error: client @0x7f01c420f7a8 10.1.10.20#59529: update '_msdcs.example.com/IN' denied
    update-security: error: client @0x7f01ac0150a8 10.1.10.20#51093: update '_msdcs.example.com/IN' denied
    update-security: error: client @0x7f01c420f7a8 10.1.10.20#58128: update '_msdcs.example.com/IN' denied
    update-security: error: client @0x7f01ac0150a8 10.1.10.20#59368: update '_msdcs.example.com/IN' denied
    update-security: error: client @0x7f01ac0150a8 10.1.10.20#63380: update '_msdcs.example.com/IN' denied
    update-security: error: client @0x7f01ac0150a8 10.1.10.20#57248: update '_tcp.example.com/IN' denied
    update-security: error: client @0x7f01ac0150a8 10.1.10.20#52530: update '_sites.example.com/IN' denied
    update-security: error: client @0x7f01ac0150a8 10.1.10.20#54245: update '_tcp.example.com/IN' denied
    update-security: error: client @0x7f01c420f7a8 10.1.10.20#53890: update '_sites.example.com/IN' denied
    update-security: error: client @0x7f01ac0150a8 10.1.10.20#49508: update '_tcp.example.com/IN' denied
    update-security: error: client @0x7f01ac0150a8 10.1.10.20#56611: update '_msdcs.example.com/IN' denied
    update-security: error: client @0x7f01c420f7a8 10.1.10.20#62785: update '_msdcs.example.com/IN' denied
    update-security: error: client @0x7f01ac0150a8 10.1.10.20#59729: update '_msdcs.example.com/IN' denied

*named.log (with debug level 10):*

    client: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: UDP request
    client: debug 5: client @0x7f01ac0150a8 10.1.10.20#64242: using view '_default'
    security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: request is not signed
    security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: recursion not available (recursion not enabled for view)
    update-security: error: client @0x7f01ac0150a8 10.1.10.20#64242: update '_msdcs.example.com/IN' denied
    security: debug 3: client @0x7f01ac0150a8 10.1.10.20#64242: reset client
    client: debug 3: clientmgr @0x7f01c4043e40 attach: 6
    client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(<unknown-query>): query_reset
    security: debug 3: client @0x7f01c41936c8 (no-peer): allocate new client
    client: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: TCP request
    client: debug 5: client @0x7f01c41936c8 10.1.10.20#58518: using view '_default'
    security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: request is not signed
    security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: recursion not available (recursion not enabled for view)
    client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(<unknown-query>): ns_query_start
    general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No credentials were supplied, or the credentials were unavailable or inaccessible, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1001).
    general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = No such file or directory (filename: /var/tmp/krb5_1001.rcache2).
    general: debug 4: process_gsstkey(): dns_tsigerror_badkey
    security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518 (568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e): reset client
    client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(568-ms-7.16519-4ead2f01.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY): query_reset
    security: debug 3: client @0x7f01c41936c8 10.1.10.20#58518: freeing client
    client: debug 3: query client=0x7f01c41936c8 thread=0x7f01c8c22640(<unknown-query>): query_reset
    client: debug 3: clientmgr @0x7f01c4043e40 detach: 5
    client: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: UDP request
    client: debug 5: client @0x7f01c420f7a8 10.1.10.20#58577: using view '_default'
    security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: request is not signed
    security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577: recursion not available (recursion not enabled for view)
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(<unknown-query>): ns_query_start
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): qctx_init
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): client attr:0x20000, query attr:0xF00, restarts:0, origqname:nameserver.example.com, timer:0, authdb:0, referral:0
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): ns__query_start
    security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577 (nameserver.example.com): query 'nameserver.example.com/A/IN' approved
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_lookup
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_gotanswer
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_checkrpz
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): rpz_rewrite
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_prepresponse
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_zerottl_refetch
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_respond
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_getexpire
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addanswer
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addrrset
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_setorder
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_additional
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addrrset: done
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addnoqnameproof
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_addauth
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): ns_query_done
    security: debug 3: client @0x7f01c420f7a8 10.1.10.20#58577 (nameserver.example.com): reset client
    client: debug 3: query client=0x7f01c420f7a8 thread=0x7f01c8c22640(nameserver.example.com/A): query_reset
    client: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: UDP request
    client: debug 5: client @0x7f01c420f7a8 10.1.10.20#62785: using view '_default'
    security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: request is not signed
    security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: recursion not available (recursion not enabled for view)
    update-security: error: client @0x7f01c420f7a8 10.1.10.20#62785: update '_msdcs.example.com/IN' denied
    security: debug 3: client @0x7f01c420f7a8 10.1.10.20#62785: reset client
    client: debug 3: clientmgr @0x7f01c4055fc0 attach: 6
    client: debug 3: query client=0x7f01ac0eca18 thread=0x7f01c3fff640(<unknown-query>): query_reset
    security: debug 3: client @0x7f01ac0eca18 (no-peer): allocate new client
    client: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: TCP request
    client: debug 5: client @0x7f01ac0eca18 10.1.10.20#58172: using view '_default'
    security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: request is not signed
    security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172: recursion not available (recursion not enabled for view)
    client: debug 3: query client=0x7f01ac0eca18 thread=0x7f01c3fff640(<unknown-query>): ns_query_start
    general: debug 3: failed gss_inquire_cred: GSSAPI error: Major = No credentials were supplied, or the credentials were unavailable or inaccessible, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1001).
    general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = No such file or directory (filename: /var/tmp/krb5_1001.rcache2).
    general: debug 4: process_gsstkey(): dns_tsigerror_badkey
    security: debug 3: client @0x7f01ac0eca18 10.1.10.20#58172 (568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e): reset client
    client: debug 3: query client=0x7f01ac0eca18 thread=0x7f01c3fff640(568-ms-7.16520-4ead2f11.0e0f8a94-47f4-11ef-b587-0050568f702e/TKEY): query_reset

Any insights, suggestions, or further troubleshooting steps to resolve this issue would be greatly appreciated. Thank you in advance for your assistance.

Thanks,
Nagesh
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users