[Freeipa-users] dns_tkey_negotiategss: failure GSSAPI error [...] Message stream modified.
Tyrell Jentink
tyrell at jentink.net
Thu Oct 27 19:47:11 UTC 2016
Thank you Petr! I found the problem, but quite by accident... There may
be a Best Practice at hand that I wasn't aware of...
I still have the Windows AD server sitting on the side, serving as DHCP
server and waiting patiently for my Cross Realm Trust; That server will
forward DNS requests to the IPA server, and return a non-authoritative
answer. Occasionally, that server will seemingly loose track of the IPA
server, and stop returning results... And that happened while I was trying
to follow through with your request for info... So as a quick work around,
I simply dropped the AD server from my resolv.conf...
And then performed your requests, without errors. I ran the DNS Update
from the ipa-server-install script, and that worked without errors. I
added the AD server back into resolv.conf, and everything failed again. I
put the AD server as the SECOND name server in resolv.conf, and the errors
went away. So I've clearly identified the problem.
I uninstalled the client, and reinstalled the client, and everything went
cleanly.
To prevent this problem in the future... I will be changing the DHCP
options to list the IPA DNS first for the Linux clients, and the AD DNS
first for Windows clients; I still want the AD DNS server in the list, as a
fallback. Is this plan the best practice here?
On Wed, Oct 26, 2016 at 11:36 PM, Petr Spacek <pspacek at redhat.com> wrote:
> On 27.10.2016 04:43, Tyrell Jentink wrote:
> >> 2016-10-26T23:30:40Z DEBUG Writing nsupdate commands to
> >> > /etc/ipa/.dns_update.txt:
> >> > 2016-10-26T23:30:40Z DEBUG debug
> >> >
> >> > update delete trainmaster.ipa.rxrhouse.net. IN A
> >> > show
> >> > send
> >> >
> >> > update delete trainmaster.ipa.rxrhouse.net. IN AAAA
> >> > show
> >> > send
> >> >
> >> > update add trainmaster.ipa.rxrhouse.net. 1200 IN A 10.42.0.100
> >> > show
> >> > send
> >> >
> >> > 2016-10-26T23:30:40Z DEBUG Starting external process
> >> > 2016-10-26T23:30:40Z DEBUG args=/usr/bin/nsupdate -g
> >> > /etc/ipa/.dns_update.txt
> >> > 2016-10-26T23:30:40Z DEBUG Process finished, return code=1
> >> > 2016-10-26T23:30:40Z DEBUG stdout=Outgoing update query:
> >> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> >> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> > ;; UPDATE SECTION:
> >> > trainmaster.ipa.rxrhouse.net. 0 ANY A
> >> >
> >> > Outgoing update query:
> >> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39562
> >> > ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >> > ;; QUESTION SECTION:
> >> > ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
> >> >
> >> > ;; ADDITIONAL SECTION:
> >> > 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig.
> 1477524640
> [...]
> >> >
> >> > 2016-10-26T23:30:40Z DEBUG stderr=Reply from SOA query:
> >> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38738
> >> > ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1,
> ADDITIONAL: 0
> >> > ;; QUESTION SECTION:
> >> > ;trainmaster.ipa.rxrhouse.net. IN SOA
> >> >
> >> > ;; AUTHORITY SECTION:
> >> > ipa.rxrhouse.net. 0 IN SOA
> ipa-pdc.ipa.rxrhouse.net.
> >> > hostmaster.ipa.rxrhouse.net. 1477524446 3600 900 1209600 3600
> >> >
> >> > Found zone name: ipa.rxrhouse.net
> >> > The master is: ipa-pdc.ipa.rxrhouse.net
> >> > start_gssrequest
> >> > Found realm from ticket: IPA.RXRHOUSE.NET
> >> > send_gssrequest
> >> > recvmsg reply from GSS-TSIG query
> >> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39562
> >> > ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> >> > ;; QUESTION SECTION:
> >> > ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
> >> >
> >> > ;; ANSWER SECTION:
> >> > 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig.
> 1466301805
> >> > 1466388205 3 NOERROR 101
> >> > YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MTkw
> >> > MjAzMjVapQUCAwHGkaYDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
> >> > AwIBAaELMAkbB2FkLXBkYyQ=
> >> > 0
> >> >
> >> > dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS
> >> > failure. Minor code may provide more information, Minor = Message
> stream
> >> > modified.
> >> >
> >> > 2016-10-26T23:30:40Z DEBUG nsupdate failed: Command
> '/usr/bin/nsupdate -g
> >> > /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> >> > 2016-10-26T23:30:40Z ERROR Failed to update DNS records.
> >> > 2016-10-26T23:30:40Z DEBUG DNS resolver: Query:
> >> > trainmaster.ipa.rxrhouse.net IN A
> >> > 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
> >> > 2016-10-26T23:30:40Z DEBUG DNS resolver: Query:
> >> > trainmaster.ipa.rxrhouse.net IN AAAA
> >> > 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
> >> > 2016-10-26T23:30:40Z DEBUG DNS resolver: Query:
> 100.0.42.10.in-addr.arpa.
> >> > IN PTR
> >> > 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
> >> > 2016-10-26T23:30:40Z WARNING Missing A/AAAA record(s) for host
> >> > trainmaster.ipa.rxrhouse.net: 10.42.0.100.
> >> > 2016-10-26T23:30:40Z WARNING Missing reverse record(s) for
> address(es):
> >> > 10.42.0.100.
> >> >
> > -- Full logs can be found here: http://pastebin.com/90dG9Ffu
> >
> > - For grins, I decided to test:
> > kinit admin
> > id admin
> > getent passwd admin
> > on the client, and all of those all made valid responses... So
> > authentication is working, I just can't update DNS records.
> >
> >
> > So that's what I've tried, and where I'm at... My client machines
> running
> > modern client software can NOT update DNS records, complaining about
> GSSAPI
> > "Message Stream Modified" errors... And I have no idea how to
> troubleshoot
> > that... Any ideas?
>
> Interesting, I haven't seen this one :-)
>
> There is something fishy in GSSAPI negotiation between the client and DNS
> server.
>
> I would try this (and watch out for suspicious messages along the way):
>
> 1) To be sure, please double-check that ipa-pdc.ipa.rxrhouse.net. resolves
> (from the client) to correct IP address of IPA DNS server.
>
> 2) Verify that Kerberos ticket for the DNS server can be obtained:
> $ kinit -k
> $ kvno DNS/ipa-pdc.ipa.rxrhouse.net
> $ klist # it should list Kerberos ticket for ipa-pdc.ipa.rxrhouse.net
>
> 3) Create a plain text file with update message content:
> cat > /tmp/dnsupdate <<<EOF
> debug
> update delete trainmaster.ipa.rxrhouse.net. IN A
> send
> EOF
>
> 4) call nsupdate on it
> $ KRB5_TRACE=/dev/stdout nsupdate -g /tmp/dnsupdate
>
> Does it produce the same error? (It should, but with more debuginfo.)
>
>
> What version of server and client packages are you using?
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161027/f2999f5a/attachment.htm>
More information about the Freeipa-users
mailing list