Yet another GSS-TSIG thread for BIND9 with AD

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Yet another GSS-TSIG thread for BIND9 with AD

Bind-Users forum mailing list
Hello,

Hope everyone is fine on this quarantine timeframe.

So here is the issue: I’ve an Active Directory domain on Windows Server 2019 (upgraded since 2012 R2 days) that uses BIND9 as DNS service. This domain never had Windows DNS Server.

Everything works as expected, except for the GSS-TSIG updates, I’m scratching my head trying to solve this but nothing works and the debug messages does not says anything, which is extremely frustrating.

The scenario is the following:

192.168.1.2: BIND9 Master (RHEL8)
192.168.1.3: BIND9 Slave #1 (RHEL8)
192.168.1.4: BIND9 Slave #2 (RHEL8)
192.168.1.5: DC #1 (Server 2019)
192.168.1.6: DC #2 (Server 2019)

BIND 9 version:
bind-9.11.13-3.el8.x86_64
bind-license-9.11.13-3.el8.noarch
bind-libs-9.11.13-3.el8.x86_64
bind-export-libs-9.11.13-3.el8.x86_64
bind-utils-9.11.13-3.el8.x86_64
bind-libs-lite-9.11.13-3.el8.x86_64

All machines are configured pointing to 192.168.1.2 and 192.168.1.3 for DNS service. Those slaves are pretty simple, they run just a catalog zone to fetch everything from master:

// Catalog Zone
zone “catalog.local.example.com" {
type slave;
file "slaves/catalog.local.example.com.db";
masters { 192.168.1.2; };
};

On the master, is where anything else is configured:

// Options
options {
// Recursion and caching disable
        recursion no;
        additional-from-auth no;
        additional-from-cache no;

// Keys
        managed-keys-directory "/var/named/dynamic”;

// Signed kerberos updates
        tkey-gssapi-keytab “/etc/krb5.keytab";
        tkey-gssapi-credential “[hidden email]";
        tkey-domain "LOCAL.EXAMPLE.COM”;

// Catalog zones support
        server-id "authoritative";
        allow-new-zones yes;
};

// Catalog Zone
zone "catalog.local.example.com" {
        type master;
        file "/var/named/static/catalog.local.example.com.db";
        also-notify { 192.168.1.3; 192.168.1.4; };
        notify explicit;
};

// Start of AD authoritative dynamic zones

zone "local.example.com" {
        type master;
        file "/var/named/dynamic/local.example.com.db";
        notify yes;
        check-names ignore;
        allow-transfer { intnameservers; };
#       allow-update {
#               domaincontrollers;
#       };
        update-policy {
#               grant * krb5-subdomain local.example.com. ANY;
#               grant * ms-subdomain local.example.com. ANY;
                grant * subdomain local.example.com. ANY;
        };
};

I’ve tried a lot of combination in update policy, nothing really works: krb5-self, ms-selfsub and etc.

The other files and settings on the system appears to be right:

[root@ns named]# file /etc/krb5.keytab 
/etc/krb5.keytab: Kerberos Keytab file, realm=LOCAL.EXAMPLE.COM, principal=DNS/ns.local.example.com, type=1, date=Sat May 23 07:40:19 2020, kvno=17

[root@ns named]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  17 [hidden email] (aes256-cts-hmac-sha1-96) 

[root@pallet named]# cat /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
#    default_realm = EXAMPLE.COM
    default_realm = LOCAL.EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#     kdc = kerberos.example.com
#     admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

[root@ns named]# hostname
ns.example.com

So that’s is it, on the logs I only get the following, when I try to issue ipconfig /registerdns on a Windows domain-joined machine:

23-May-2020 01:57:03.693 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#62276: updating zone 'local.example.com/IN': prerequisites are OK
23-May-2020 01:57:03.693 update-security: error: client @0x7fa1100a1ca0 192.168.1.12#62276: update 'local.example.com/IN' denied
23-May-2020 01:57:03.693 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#62276: updating zone 'local.example.com/IN': rolling back
23-May-2020 01:57:03.700 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#65242: updating zone 'local.example.com/IN': prerequisites are OK
23-May-2020 01:57:03.700 update-security: error: client @0x7fa1100a1ca0 192.168.1.12#65242: update 'local.example.com/IN' denied
23-May-2020 01:57:03.700 update: debug 8: client @0x7fa1100a1ca0 192.168.1.12#65242: updating zone 'local.example.com/IN': rolling back
23-May-2020 01:57:05.740 update: debug 8: client @0x7fa1100a1ca0 192.168.1.15#49688: updating zone 'local.example.com/IN': prerequisites are OK
23-May-2020 01:57:05.740 update-security: error: client @0x7fa1100a1ca0 192.168.1.15#49688: update 'local.example.com/IN' denied
23-May-2020 01:57:05.740 update: debug 8: client @0x7fa1100a1ca0 192.168.1.15#49688: updating zone 'local.example.com/IN': rolling back 

Any help on how to start debugging it is greatly appreciated.

Thanks,

PS: My implementation was based on this article: http://ddiguru.com/blog/configuring-gss-tsig-on-bind; except for the +DesOnly option, because it’s deprecated right now. I’ve enabled the AES256 passwords on the BIND9 user account on AD side and set the password after it so the hashes could be generated.


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Yet another GSS-TSIG thread for BIND9 with AD

Tim Maestas


On Sat, May 23, 2020 at 12:19 PM Vinícius Ferrão via bind-users <[hidden email]> wrote:

                grant * subdomain local.example.com. ANY;
        };
};



I use:
grant LOCAL.EXAMPLE.COM ms-self .;
...for my domain joined members and
grant HOSTNAME$@LOCAL.EXAMPLE.COM subdomain local.example.com ANY;
....for my domain controllers.


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Yet another GSS-TSIG thread for BIND9 with AD

Bind-Users forum mailing list
Hi Tim, sorry foi the delayed answer, but the message was gone to the spam folder.

I tried with your settings but the results were the same:

==> /var/log/named/update.log <==
12-Jun-2020 23:14:42.767 client @0x7f2c580a1ca0 192.0.2.11#55332: updating zone 'local.example.com/IN': prerequisites are OK
12-Jun-2020 23:14:42.767 client @0x7f2c580a1ca0 192.0.2.11#55332: updating zone 'local.example.com/IN': rolling back

==> /var/log/named/default.log <==
12-Jun-2020 23:14:42.767 client @0x7f2c580a1ca0 192.0.2.11#55332: update 'local.example.com/IN’ denied


On 24 May 2020, at 02:39, Tim Maestas <[hidden email]> wrote:



On Sat, May 23, 2020 at 12:19 PM Vinícius Ferrão via bind-users <[hidden email]> wrote:

                grant * subdomain local.example.com. ANY;
        };
};



I use:
grant LOCAL.EXAMPLE.COM ms-self .;
...for my domain joined members and
grant HOSTNAME$@LOCAL.EXAMPLE.COM subdomain local.example.com ANY;
....for my domain controllers.



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users