DDNS GSS-TSIG Updates

earose
Techie
Posts: 2

I've recently migrated from a Microsoft DHCP solution to Infoblox and I'm working on external DNS updates. I have created the ktpass file on the DC/DNS server. I used the following:

ktpass -princ DNS/ns1.domain.com@domain.com -mapuser infobloxuser@domain.com -pass <password> -out ktpassFile.keytab -ptype krb5_nt_principal -crypto all

I uploaded and assigned GSS-TSIG keys (there are 6 because I used the crypto all option). I configured an External Zone in the Configure DDNS properties. 

But I'm seeing the following errors:

Deferring GSS-TSIG DDNS updates to DNS server X.X.X.X for principal DNS/ns1@domain.com@domain.com because security tokens are not yet established.

and

Failed to acquire/renew GSS-TSIG credential for principal DNS/ns1@domain.com\@domain.com

Any direction would be appreciated.

Thanks.

 

Re: DDNS GSS-TSIG Updates

manoj
Techie
Posts: 11

Please use the ktpass command below. You are not supposed to use 'DNS' (uppercase) in the principal if you are not running DNS services on Infoblox.

 

ktpass -princ dns/infobloxuser@domain.com -mapuser infobloxuser@domain.com -pass <password> -out ktpassFile.keytab -ptype krb5_nt_principal -crypto AES256-SHA1

Re: DDNS GSS-TSIG Updates

Irina
Techie
Posts: 1

I have similar problem.

I'm using Infoblox as DHCP and secondary DNS server.

Primary Domain Controller is Microsoft Windows 2008R2 server.

I'm trying to generate keytab with this command:

 

ktpass -princ dns/dhcpdns.test.local@test.local -mapuser infoblox@test.local -pass PASSWORD -out C:\temp\dns.keytab -ptype krb5_nt_principal -crypto all

 

But I get the same error in syslog:

Deferring GSS-TSIG DDNS updates to DNS server X.X.X.X for principal dns/dhcpdns.test.local@test.local because security tokens are not yet established.

 

When I generate key with ktpass -princ DNS/ ... (in upper case) I get the following message while uploading keytab to the Infoblox:

 

Key ['DNS/dhcpdns.test.local@test.local', 'DNS/dhcpdns.test.local@test.local', 'DNS/dhcpdns.test.local@test.local', 'DNS/dhcpdns.test.local@test.local', 'DNS/dhcpdns.test.local@test.local'] has a DNS service principal name, but is assigned to the DHCP service. Do you want to continue?

 

After that I tried to generate keytab using

ktpass -princ DHCP/dhcpdns.test.local@test.local -mapuser infoblox@test.local -pass PASSWORD -out C:\temp\dns.keytab -ptype krb5_nt_principal -crypto all

command, but result is the same ("Deferring GSS-TSIG DDNS updates to DNS server...").

 

How can I resolve this problem?

 

NIOS version is 6.12.1

Re: DDNS GSS-TSIG Updates

Adviser
Posts: 267

Just a quick note, have you looked at the DSBs available here: http://community.infoblox.com/t5/Automation-Scripts/bd-p/AutomationScripts

 

Best,

 

Eric

If you appreciate my efforts, please give me a kudo ↓ or Accept as solution to help others find it faster.

Re: DDNS GSS-TSIG Updates

Adviser
Posts: 147
Not the solution, but I'm just adding a few thoughts from experience. Often the issue is with the syntax of the command and domain info used to generate the keytab or an issue with time sync. Kerberos doesn't like time drift.

Support is always a great resource for assistance if you are unable to get this working despite everything appearing to be correct. I would suggest reaching out to Support if need be.
Check out our new Tech docs website at http://docs.infobox.com for latest documentation on Infoblox products

Re: DDNS GSS-TSIG Updates

manoj
Techie
Posts: 11

Please try using the specific crypto type "AES256-SHA1", as on 2008R2 crypto all sometimes does not work. Also I would recommend creating a new user account from scratch, making it part of the DNS admin group and generating a new keytab file with the correct syntax that I provided before.

 

Generally you get different messages because records already exist and the Infoblox DHCP server does not have permission to modify those records.

 

Please also confirm what your TXT handling method is; try using ISC transitional.

 

Also make sure you use the correct password for the user account when generating the keytab file. Wait for some time after uploading a new keytab file to Infoblox.

 

Thank you,

Manoj
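Several replies above come down to "check what is actually in the keytab before you upload it": the case of the service name in the principal, the realm, which enctypes `-crypto` produced, and whether every entry carries the same key version. The script below is an added example (mine, not from the thread and not Infoblox tooling). It parses the MIT keytab format that ktpass writes (header 0x0502) and reports those points; the two sample keytabs are constructed in code with dummy key bytes, and the expected service name `dns` is an assumption taken from manoj's command.

```python
"""Inspect an MIT-format keytab before uploading it as a GSS-TSIG key.

Added example, not from the thread or from Infoblox tooling. Parses the
keytab format ktpass writes (version 0x0502) and flags what this thread
trips over: principal service name and case, realm case, enctypes present
and a mix of key version numbers. Key bytes in the samples are dummy values.
"""
import struct

ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
KEYTAB_MAGIC = b"\x05\x02"


def build_keytab(service, instance, realm, kvno, enctype_keys, name_type=1):
    """Write a v2 keytab with one entry per (enctype, key) pair (test data only)."""
    out = bytearray(KEYTAB_MAGIC)
    comps = [service.encode(), instance.encode()]
    for enctype, key in enctype_keys:
        body = bytearray()
        body += struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of entries: principal, realm, components, kvno, enctype, key."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab, header %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:          # negative size marks a deleted slot: skip the hole
            pos -= size
            continue
        end = pos + size
        p = pos
        ncomp, rlen = struct.unpack_from(">HH", data, p)
        p += 4
        realm = data[p:p + rlen].decode()
        p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p)
            p += 2
            comps.append(data[p:p + clen].decode())
            p += clen
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", data, p)
        p += 4
        key = data[p:p + klen]
        p += klen
        if end - p >= 4:      # 32-bit kvno trailer overrides the 8-bit field when non-zero
            (kvno32,) = struct.unpack_from(">I", data, p)
            kvno = kvno32 or kvno
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "components": comps, "realm": realm, "name_type": name_type,
            "timestamp": timestamp, "kvno": kvno, "enctype": enctype,
            "enctype_name": ENCTYPES.get(enctype, "unknown(%d)" % enctype),
            "key": key,
        })
        pos = end
    return entries


def load_keytab(path):
    with open(path, "rb") as fh:
        return parse_keytab(fh.read())


def check_keytab(entries, expected_service="dns"):
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    if not entries:
        return ["keytab contains no entries"]
    for e in entries:
        service = e["components"][0] if e["components"] else ""
        if service != expected_service:
            hint = ""
            if service.lower() == expected_service.lower():
                hint = " (same name, different case; Kerberos principals are case-sensitive)"
            findings.append("%s: service is %r, expected %r%s"
                            % (e["principal"], service, expected_service, hint))
        if e["realm"] != e["realm"].upper():
            findings.append("%s: realm %r is not upper-case as AD realms are"
                            % (e["principal"], e["realm"]))
    kvnos = sorted({e["kvno"] for e in entries})
    if len(kvnos) > 1:
        findings.append("entries carry different kvnos %s; regenerate from a single ktpass run" % kvnos)
    present = {e["enctype"] for e in entries}
    if 18 not in present:
        findings.append("no aes256-cts-hmac-sha1-96 key; ktpass -crypto AES256-SHA1 would add one")
    if present & {1, 3}:
        findings.append("DES keys present; Windows 2008 R2 and later disable DES by default")
    return findings


if __name__ == "__main__":
    # Constructed samples: one keytab as manoj's command would shape it, one as the OP's.
    good = build_keytab("dns", "infobloxuser", "DOMAIN.COM", 3,
                        [(18, b"\x11" * 32), (17, b"\x22" * 16), (23, b"\x33" * 16)])
    bad = build_keytab("DNS", "ns1.domain.com", "domain.com", 2, [(23, b"\x33" * 16)])
    for label, blob in (("good", good), ("bad", bad)):
        ents = parse_keytab(blob)
        print(label, [(e["principal"], e["kvno"], e["enctype_name"]) for e in ents])
        for f in check_keytab(ents):
            print("  !", f)
```

Run it against a real export with `load_keytab("ktpassFile.keytab")`; if the kvno it prints does not match the account's current key version on the DC, the keytab was cut before a password or account change and has to be regenerated, which is the "anything that changes the account invalidates the export" point made later in this thread.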

 

Re: DDNS GSS-TSIG Updates

RScutt
Employee
Posts: 4

 


@manoj wrote:

Please try using the specific crypto type "AES256-SHA1", as on 2008R2 crypto all sometimes does not work. Also I would recommend creating a new user account from scratch, making it part of the DNS admin group and generating a new keytab file with the correct syntax that I provided before.

 

Generally you get different messages because records already exist and the Infoblox DHCP server does not have permission to modify those records.

 

Please also confirm what your TXT handling method is; try using ISC transitional.

 

Also make sure you use the correct password for the user account when generating the keytab file. Wait for some time after uploading a new keytab file to Infoblox.

 

Thank you,

Manoj

 


How long do you have to wait?

Re: DDNS GSS-TSIG Updates

Expert
Posts: 181

As far as wait time, our AD forest takes about 45 minutes to fully converge.  There are also some other timers related to the keytab logins that seem to cache results even longer.

When we have exported new keytab it is always more than an hour before all the errors go away but we generally see some members succeeding on some updates almost immediately.

Tips from my experience:
1. Be patient, this takes a while for changes to replicate.

2. Name the export file something different each time you export while you're troubleshooting. Some versions of NIOS had problems with noticing that a new file was uploaded if just the timestamp was changed.

3. You're messing with a mix of Linux and Windows. Case matters on everything. Pay very close attention to typos.

4. Nearly anything that changes the AD account that you are exporting the keytab file from invalidates the keytab export. Make sure to exclude the account from any scripted changes or updates to your user accounts.

5. Even after it's all working, watch the DHCP syslog line

 "dhcpd[10431]: Processed 95 deferred DNS updates: 0 successes, 95 deferred again, 0 abandoned (0 unexpired, 0 disabled, not processed)"

for increases in the deferred updates. The GSS-TSIG process is not as stable as we would like. Occasionally it just stops working. Sometimes it's the Microsoft DC that just stops accepting the updates, sometimes it's the Infoblox process that needs restarting.

GSS-TSIG updates overall work very well but it is not perfect. We are, after all, dealing with a Linux emulation of a Microsoft process. I have a forest with multiple AD integrated DNS zones spread over several hundred DCs and about 50 Infoblox members sending updates. I troubleshoot something with GSS-TSIG every month or two.
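The advice above to watch the dhcpd "Processed N deferred DNS updates" line for a growing deferred count is easy to automate. The script below is an added example (mine, not from the thread or from Infoblox) that runs over syslog lines and raises an alert when the deferred backlog grows, when several consecutive passes land zero successes, and when the "Failed to acquire/renew GSS-TSIG credential" line from the first post appears. The log lines it processes are constructed for the example; the message formats it matches are the ones quoted in this thread, and the thresholds and field names are my own.

```python
"""Detect GSS-TSIG DDNS updates that have stopped landing, from Infoblox DHCP syslog.

Added example, not part of the thread. Matches the three message shapes quoted
in the thread: the dhcpd "Processed N deferred DNS updates" summary, the
"Deferring GSS-TSIG DDNS updates ... security tokens are not yet established"
line and the "Failed to acquire/renew GSS-TSIG credential" line. Sample lines
below are constructed; thresholds are assumptions.
"""
import re

SUMMARY_RE = re.compile(
    r"Processed (?P<processed>\d+) deferred DNS updates: (?P<ok>\d+) successes, "
    r"(?P<deferred>\d+) deferred again, (?P<abandoned>\d+) abandoned")
DEFER_RE = re.compile(
    r"Deferring GSS-TSIG DDNS updates to DNS server (?P<server>\S+) for principal (?P<principal>\S+)")
# The thread quotes this line with "princiapl" misspelled, so match any princ* token.
CRED_RE = re.compile(r"Failed to acquire/renew GSS-TSIG credential for princ\w+ (?P<principal>\S+)")


def parse_line(line):
    """Classify one syslog line; returns a dict with a 'kind' key or None."""
    m = SUMMARY_RE.search(line)
    if m:
        return {"kind": "summary", **{k: int(v) for k, v in m.groupdict().items()}}
    m = DEFER_RE.search(line)
    if m:
        return {"kind": "deferred", **m.groupdict()}
    m = CRED_RE.search(line)
    if m:
        return {"kind": "cred_failed", **m.groupdict()}
    return None


def analyze(lines, stuck_after=3):
    """Return alert strings. stuck_after = consecutive summaries with work but 0 successes."""
    alerts = []
    zero_streak = 0
    prev_deferred = None
    cred_failures = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "summary":
            zero_streak = zero_streak + 1 if (ev["processed"] > 0 and ev["ok"] == 0) else 0
            if zero_streak == stuck_after:
                alerts.append("no successful DDNS updates in %d consecutive passes (%d deferred)"
                              % (stuck_after, ev["deferred"]))
            if prev_deferred is not None and ev["deferred"] > prev_deferred:
                alerts.append("deferred backlog growing: %d -> %d" % (prev_deferred, ev["deferred"]))
            prev_deferred = ev["deferred"]
        elif ev["kind"] == "cred_failed":
            cred_failures[ev["principal"]] = cred_failures.get(ev["principal"], 0) + 1
    for principal, n in cred_failures.items():
        alerts.append("credential acquisition failed %dx for %s: check keytab, account/kvno and clock skew"
                      % (n, principal))
    return alerts


# Constructed sample, shaped like the messages quoted in the thread (host, PID and IP invented).
SAMPLE_LOG = [
    "Jan 10 10:00:01 ib-dhcp dhcpd[10431]: Deferring GSS-TSIG DDNS updates to DNS server 10.0.0.5 "
    "for principal dns/infobloxuser@DOMAIN.COM because security tokens are not yet established.",
    "Jan 10 10:00:05 ib-dhcp dhcpd[10431]: Failed to acquire/renew GSS-TSIG credential for principal "
    "dns/infobloxuser@DOMAIN.COM",
    "Jan 10 10:01:00 ib-dhcp dhcpd[10431]: Processed 40 deferred DNS updates: 0 successes, "
    "40 deferred again, 0 abandoned (0 unexpired, 0 disabled, not processed)",
    "Jan 10 10:02:00 ib-dhcp dhcpd[10431]: Processed 60 deferred DNS updates: 0 successes, "
    "60 deferred again, 0 abandoned (0 unexpired, 0 disabled, not processed)",
    "Jan 10 10:03:00 ib-dhcp dhcpd[10431]: Processed 95 deferred DNS updates: 0 successes, "
    "95 deferred again, 0 abandoned (0 unexpired, 0 disabled, not processed)",
    "Jan 10 10:04:00 ib-dhcp dhcpd[10431]: Processed 95 deferred DNS updates: 95 successes, "
    "0 deferred again, 0 abandoned (0 unexpired, 0 disabled, not processed)",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print("ALERT:", alert)
```

Feeding it a real syslog export (`analyze(open("syslog").read().splitlines())`) gives a quick answer to "is it still deferring, and is it the credential or the DC?" before you start regenerating keytabs.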


 

Re: DDNS GSS-TSIG Updates

jpcatanzaro
Techie
Posts: 13

Wanted to ping this quickly...I'm having the same issues having tried multiple different keytab files generated using all different methods.

 

The DNS server in question is 2012 R2...can anyone let me know a generic idea of the format I should be using, particularly for the principal field in the ktpass command?

 

I've tried it with the following:

 

DNS/[DNS server name receiving the updates]@[DNS domain that server resides in]

 

DNS/[DNS name of infoblox NIOS appliance]@[DNS domain that server resides in]

 

ibdhcp/[DNS name of infoblox NIOS appliance]@[DNS domain that server resides in]

 

 

Originally the NIOS appliance was in a different domain from the DNS server, but now I've deployed a temp dev NIOS appliance in the same domain and even the same subnet as the DNS server as a means of trying to test this and get it working.
