Skip Menu |
Report information
The Basics
Id: 45854
Status: resolved
Priority: 50/50
Queue: bind9-public
People
Owner: Nobody in particular
Requestors: Petr Menšík <pemensik@redhat.com>
Cc:
AdminCc:
Bug Information
Version Fixed: 9.11.3, 9.12.0
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: (no value)
Priority: P2 Normal
Severity: S2 Normal
CVSS Score: (no value)
CVE ID: (no value)
Component: (no value)
Area: bug
Dates
Created:Thu, 24 Aug 2017 11:02:36 -0400
Updated:Thu, 31 Aug 2017 21:26:32 -0400
Closed:Thu, 31 Aug 2017 21:26:32 -0400

This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

History Show full headers
# Thu, 24 Aug 2017 11:02:37 -0400 Petr Menšík <pemensik@redhat.com> - Ticket created [Reply] [Comment]
From: "Petr Menšík" <pemensik@redhat.com>
Date: Thu, 24 Aug 2017 17:02:00 +0200
Subject: nsupdate: GSSAPI fails to authenticate against AD in bind 9.11
To: bind9-bugs@isc.org
Download (untitled) / with headers
text/plain 1.8KiB
Hello. Bug was reported on Fedora 26, that nsupdate authenticated by GSSAPI against Active Directory 2012-r2 server is getting refused. It affects all 9.11.x versions I have tried. But works well with 9.10.5. OpenSSL 1.1 and 1.0 gives the same results. Original bug is at [1]. First attachment [2] shows output of 9.11.2 nsupdate, which always fail on update request, that follows successful GSS-TSIG query. However previous version in second attachment [3] made by nsupdate 9.10.5 is successful. New versions report this with -L 10: 24-Aug-2017 10:56:13.904 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Packet was replayed in wrong direction. 24-Aug-2017 10:56:13.904 tsig key '1729469141.sig-jetfire.sssdad2012r2.com' (<null>): signature failed to verify(1) I have to admit I could not see anything wrong with authentication at first glance. I tried to find something in source code changes unsucessfully. Then used git bisect to find the failure. According to my bisecting, first commit that broke authentication was change 4079 [RT #37442] [4]. Surprising was it works again in master branch. If my bisecting was correct again, it was fixed (by some unintentional change I think) in commit RT #44029 [5]. I would be grateful if some small fix could be backported into 9.11 branch(es) Regards, Petr [1] https://bugzilla.redhat.com/show_bug.cgi?id=1484451 [2] https://bugzilla.redhat.com/attachment.cgi?id=1317147 [3] https://bugzilla.redhat.com/attachment.cgi?id=1317148 [4] https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=a8da00ef95ba37b9d071c2b8db1a0c967e060106 [5] https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=03be5a6b4e6311b14a12dec5b15a62f55586aaf4 -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemensik@redhat.com PGP: 65C6C973
# Fri, 25 Aug 2017 01:10:57 -0400 Mark Andrews <marka@isc.org> - Correspondence added [Reply] [Comment]
Date: Fri, 25 Aug 2017 15:10:46 +1000
Subject: Re: [ISC-Bugs #45854] nsupdate: GSSAPI fails to authenticate against AD in bind 9.11
From: "Mark Andrews" <marka@isc.org>
To: bind9-confidential@isc.org
Download (untitled) / with headers
text/plain 1004B
I suspect this is really a Windows TSIG bug where it doesn't handle compressed TSIG owner names correctly. The change resulted in the workaround for this Windows bug being lost (preventing the TSIG owner name being compressed). The following preserves the DNS_NAMEATTR_NOCOMPRESS attribute when setting case. Mark diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c index 5b88f20a98..a168588683 100644 --- a/lib/dns/rdataset.c +++ b/lib/dns/rdataset.c @@ -465,6 +465,9 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name, dns_name_copy(owner_name, name, NULL); dns_rdataset_getownercase(rdataset, name); + if ((owner_name->attributes & DNS_NAMEATTR_NOCOMPRESS) != 0) + name->attributes |= DNS_NAMEATTR_NOCOMPRESS; + do { /* * Copy out the name, type, class, ttl. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
# Fri, 25 Aug 2017 01:10:59 -0400 The RT System itself - Status changed from 'new' to 'open'
# Fri, 25 Aug 2017 01:37:13 -0400 Mark Andrews <marka@isc.org> - Correspondence added [Reply] [Comment]
Download (untitled) / with headers
text/plain 16B
ready for review
# Fri, 25 Aug 2017 01:43:15 -0400 Mark Andrews <marka@isc.org> - Status changed from 'open' to 'review'
# Fri, 25 Aug 2017 01:43:26 -0400 Mark Andrews <marka@isc.org> - Area bug added
# Fri, 25 Aug 2017 01:43:26 -0400 Mark Andrews <marka@isc.org> - Priority P2 Normal added
# Fri, 25 Aug 2017 01:43:26 -0400 Mark Andrews <marka@isc.org> - Severity S2 Normal added
# Mon, 28 Aug 2017 12:24:24 -0400 Vicky Risk <vicky@isc.org> - Queue changed from #6 to bind9-public
# Thu, 31 Aug 2017 09:48:27 -0400 Francis Dupont <Francis_Dupont@isc.org> - Taken
# Thu, 31 Aug 2017 10:18:55 -0400 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added [Reply] [Comment]
Download (untitled) / with headers
text/plain 74B
On Fri Aug 25 05:37:13 2017, marka wrote: > ready for review => code OK.
# Thu, 31 Aug 2017 10:18:56 -0400 Francis Dupont <Francis_Dupont@isc.org> - Given to Mark Andrews <marka@isc.org>
# Thu, 31 Aug 2017 21:26:29 -0400 Mark Andrews <marka@isc.org> - Version Fixed 9.11.3, 9.12.0 added
# Thu, 31 Aug 2017 21:26:30 -0400 Mark Andrews <marka@isc.org> - Correspondence added [Reply] [Comment]
Download (untitled) / with headers
text/plain 128B
4697. [bug] Restore workaround for Microsoft Windows TSIG hash computation bug. [RT #45854]
# Thu, 31 Aug 2017 21:26:32 -0400 Mark Andrews <marka@isc.org> - Status changed from 'review' to 'resolved'
# Thu, 31 Aug 2017 21:26:32 -0400 Mark Andrews <marka@isc.org> - Untaken