From: "Petr Menšík" <pemensik@redhat.com>
Date: Thu, 24 Aug 2017 17:02:00 +0200
Subject: nsupdate: GSSAPI fails to authenticate against AD in bind 9.11
To: bind9-bugs@isc.org

Hello.
A bug was reported on Fedora 26 that nsupdate authenticated by GSSAPI
against an Active Directory 2012-r2 server is getting refused. It affects
all 9.11.x versions I have tried, but works well with 9.10.5. OpenSSL
1.1 and 1.0 give the same results.
The original bug is at [1]. The first attachment [2] shows the output of
9.11.2 nsupdate, which always fails on the update request that follows a
successful GSS-TSIG query. However, the previous version in the second
attachment [3], made by nsupdate 9.10.5, is successful.
New versions report this with -L 10:
24-Aug-2017 10:56:13.904 GSS verify error: GSSAPI error: Major = A token
had an invalid Message Integrity Check (MIC), Minor = Packet was
replayed in wrong direction.
24-Aug-2017 10:56:13.904 tsig key
'1729469141.sig-jetfire.sssdad2012r2.com' (<null>): signature failed to
verify(1)
I have to admit I could not see anything wrong with authentication at
first glance. I tried to find something in the source code changes,
unsuccessfully. Then I used git bisect to find the failure.
According to my bisecting, the first commit that broke authentication was
change 4079 [RT #37442] [4]. Surprisingly, it works again in the master
branch. If my bisecting was correct again, it was fixed (by some
unintentional change, I think) in commit RT #44029 [5].
I would be grateful if some small fix could be backported into the 9.11
branch(es).
Regards,
Petr
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1484451
[2] https://bugzilla.redhat.com/attachment.cgi?id=1317147
[3] https://bugzilla.redhat.com/attachment.cgi?id=1317148
[4] https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=a8da00ef95ba37b9d071c2b8db1a0c967e060106
[5] https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=03be5a6b4e6311b14a12dec5b15a62f55586aaf4
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik@redhat.com PGP: 65C6C973