Reply

Client Fail to update DDNS using gss-tsig

[ Edited ]
Superuser
Posts: 105
2421     0

Hi Teams,

 

Im doing some lab about ddns. The scenario will be client (already join domain to corp.abc.net) update their IP to Infoblox that running dns.

 

here what i've done:

1. create user on domain controller (ib, password P@ssw0rd)

2. create keytab file on domain controller (ktpass -princ DNS/ib.abc.net@CORP.ABC.NET -mapuser ib@corp.abc.net -pass P@ssw0rd -out c:\ns1.keytab -ptype krb5_nt_principal -crypto AES256-SHA1)

3. Already import the keytab to Infoblox.

4. Execute command ipconfig /registerdns from the pc client

 

after the above activity, i check the logs on infoblox:

2020-04-26 21:56:01 ICT daemon ERROR named[13999] gss_accept_sec_context: continuation call to routine required
2020-04-26 21:56:01 ICT daemon INFO named[13999] GSS-TSIG verify stats: 0 ok, 0 failed (0 integrity, 0 time)
2020-04-26 21:56:01 ICT daemon INFO named[13999] GSS-TSIG accept stats: 0 ok, 1 failed (0 NTLM, 1 principal, 0 key, 0 integrity, 0 time)
2020-04-26 21:56:01 ICT daemon ERROR named[13999] 192.168.137.20#59616: GSS-TSIG authentication failed for (DNS/ib.corp.abc.net@CORP.ABC.NET, kvno 4, arcfour-hmac-md5): unknown principal
2020-04-26 21:56:01 ICT daemon ERROR named[13999] client @0x7fd5840f9000 192.168.137.20#57468: update 'corp.abc.net/IN' denied

 

any step that i miss?

 

thanks

Re: Client Fail to update DDNS using gss-tsig

Superuser
Posts: 105
2421     0

This issue happen because the DC adminitrator create a wrong keytab file. it's not mapped to correct user that already created.

 

Thanks

Re: Client Fail to update DDNS using gss-tsig

[ Edited ]
New Member
Posts: 2
2421     0

I followed the same steps and mapped right username. But in infoblox syslogs i am getting below error -

 

10.239.40.254#54721: GSS-TSIG authentication failed for (DNS/ip-ib-00011-z5e.infoblox.com@domainname.net, kvno 6, arcfour-hmac-md5): unknown principal

 

Any suggestion for this ?

Re: Client Fail to update DDNS using gss-tsig

Expert
Posts: 11
2421     0

I see that your Clients are asking with the wrong encryption scheme "arcfour-hmac-md5"

 

I think the Infoblox Support Documents lack a important information.

 

Fix

Please check if the Service AD Account you map to the ktpass tool has the Checkbox "This account supports Kerberos AES 256 bit encryption".

 

If not, check it, regenerate the keytab file, upload it to the appliance and reboot the dns client machine

 

Now they should query the AD Controller and choose the higher AES256 encryption for gss-tsig updates

 

 

Showing results for 
Search instead for 
Did you mean: 

Recommended for You