[Freeipa-users] dns_tkey_negotiategss: failure GSSAPI error [...] Message stream modified.
Petr Spacek
pspacek at redhat.com
Thu Oct 27 06:36:56 UTC 2016
On 27.10.2016 04:43, Tyrell Jentink wrote:
>> 2016-10-26T23:30:40Z DEBUG Writing nsupdate commands to
>> > /etc/ipa/.dns_update.txt:
>> > 2016-10-26T23:30:40Z DEBUG debug
>> >
>> > update delete trainmaster.ipa.rxrhouse.net. IN A
>> > show
>> > send
>> >
>> > update delete trainmaster.ipa.rxrhouse.net. IN AAAA
>> > show
>> > send
>> >
>> > update add trainmaster.ipa.rxrhouse.net. 1200 IN A 10.42.0.100
>> > show
>> > send
>> >
>> > 2016-10-26T23:30:40Z DEBUG Starting external process
>> > 2016-10-26T23:30:40Z DEBUG args=/usr/bin/nsupdate -g
>> > /etc/ipa/.dns_update.txt
>> > 2016-10-26T23:30:40Z DEBUG Process finished, return code=1
>> > 2016-10-26T23:30:40Z DEBUG stdout=Outgoing update query:
>> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> > ;; UPDATE SECTION:
>> > trainmaster.ipa.rxrhouse.net. 0 ANY A
>> >
>> > Outgoing update query:
>> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39562
>> > ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> > ;; QUESTION SECTION:
>> > ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>> >
>> > ;; ADDITIONAL SECTION:
>> > 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1477524640
[...]
>> >
>> > 2016-10-26T23:30:40Z DEBUG stderr=Reply from SOA query:
>> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38738
>> > ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> > ;; QUESTION SECTION:
>> > ;trainmaster.ipa.rxrhouse.net. IN SOA
>> >
>> > ;; AUTHORITY SECTION:
>> > ipa.rxrhouse.net. 0 IN SOA ipa-pdc.ipa.rxrhouse.net.
>> > hostmaster.ipa.rxrhouse.net. 1477524446 3600 900 1209600 3600
>> >
>> > Found zone name: ipa.rxrhouse.net
>> > The master is: ipa-pdc.ipa.rxrhouse.net
>> > start_gssrequest
>> > Found realm from ticket: IPA.RXRHOUSE.NET
>> > send_gssrequest
>> > recvmsg reply from GSS-TSIG query
>> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39562
>> > ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> > ;; QUESTION SECTION:
>> > ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>> >
>> > ;; ANSWER SECTION:
>> > 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466301805
>> > 1466388205 3 NOERROR 101
>> > YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MTkw
>> > MjAzMjVapQUCAwHGkaYDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
>> > AwIBAaELMAkbB2FkLXBkYyQ=
>> > 0
>> >
>> > dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS
>> > failure. Minor code may provide more information, Minor = Message stream
>> > modified.
>> >
>> > 2016-10-26T23:30:40Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
>> > /etc/ipa/.dns_update.txt' returned non-zero exit status 1
>> > 2016-10-26T23:30:40Z ERROR Failed to update DNS records.
>> > 2016-10-26T23:30:40Z DEBUG DNS resolver: Query:
>> > trainmaster.ipa.rxrhouse.net IN A
>> > 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
>> > 2016-10-26T23:30:40Z DEBUG DNS resolver: Query:
>> > trainmaster.ipa.rxrhouse.net IN AAAA
>> > 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
>> > 2016-10-26T23:30:40Z DEBUG DNS resolver: Query: 100.0.42.10.in-addr.arpa.
>> > IN PTR
>> > 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
>> > 2016-10-26T23:30:40Z WARNING Missing A/AAAA record(s) for host
>> > trainmaster.ipa.rxrhouse.net: 10.42.0.100.
>> > 2016-10-26T23:30:40Z WARNING Missing reverse record(s) for address(es):
>> > 10.42.0.100.
>> >
> -- Full logs can be found here: http://pastebin.com/90dG9Ffu
>
> - For grins, I decided to test:
> kinit admin
> id admin
> getent passwd admin
> on the client, and all of those all made valid responses... So
> authentication is working, I just can't update DNS records.
>
>
> So that's what I've tried, and where I'm at... My client machines running
> modern client software can NOT update DNS records, complaining about GSSAPI
> "Message Stream Modified" errors... And I have no idea how to troubleshoot
> that... Any ideas?
Interesting, I haven't seen this one :-)
There is something fishy in GSSAPI negotiation between the client and DNS server.
I would try this (and watch out for suspicious messages along the way):
1) To be sure, please double-check that ipa-pdc.ipa.rxrhouse.net. resolves
(from the client) to correct IP address of IPA DNS server.
2) Verify that Kerberos ticket for the DNS server can be obtained:
$ kinit -k
$ kvno DNS/ipa-pdc.ipa.rxrhouse.net
$ klist # it should list Kerberos ticket for ipa-pdc.ipa.rxrhouse.net
3) Create a plain text file with update message content:
cat > /tmp/dnsupdate <<<EOF
debug
update delete trainmaster.ipa.rxrhouse.net. IN A
send
EOF
4) call nsupdate on it
$ KRB5_TRACE=/dev/stdout nsupdate -g /tmp/dnsupdate
Does it produce the same error? (It should, but with more debuginfo.)
What version of server and client packages are you using?
--
Petr^2 Spacek
More information about the Freeipa-users
mailing list