-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error updating DNS record: unexpected acceptor flag is not set: expecting a token from the acceptor, not in the initiator #54
Comments
Removing This code gets used against an AD server also, I've never had this problem. |
I think the gokrb5 error is not terribly helpful. I have a feeling if the server rejects your request for whatever reason, it returns your signature back to you which is why you get that message. In GSSAPI/Kerberos parlance, you the client are the initiator, the server is the acceptor. Basically that message is the server rejecting the request for some reason, you get the same error if you try and create a wildcard DNS record. |
well what is strange is that even though it sends the rejected response it still creates the record and there seems to be a window where subsequent requests work fine after the initial rejection. i can try adding some of the flags back in and see which one(s) reproduce the issue. |
it does seem to be the // reproduces issue
apreq, err := spnego.NewKRB5TokenAPREQ(cl, tkt, key, []int{gssapi.ContextFlagInteg, gssapi.ContextFlagMutual, gssapi.ContextFlagReplay}, []int{gssapi.ContextFlagMutual})
// works
apreq, err := spnego.NewKRB5TokenAPREQ(cl, tkt, key, []int{gssapi.ContextFlagInteg, gssapi.ContextFlagMutual}, []int{flags.APOptionMutualRequired}) |
Terraform negotiates a new Kerberos context for each and every request. They're not reused, even though they could be, because Windows rejects requests using them after 5 minutes despite indicating them as being valid for an hour so it was less hassle to just negotiate a fresh context for each request. The fact that the request is actioned, but still rejected points to something screwy on the server side, that doesn't even begin to make sense. Here are the flags that There are tests that both this library and the Terraform provider run against a real DNS server which are consistently passing. I'm also running this code against Windows and I've not seen this problem ever. The only thing I can think of that might screw things up is if you're sending requests to different DNS servers, i.e. negotiate a context with one, send the signed request to another but that shouldn't be possible as from experience the SPN needs to match the hostname of the DNS server. |
I am using test AD DC/DNS server spun up in GCP. Pointing to the same server for DNS and KDC. The easiest way to reproduce is by creating a brand new forward zone with nothing in it. In my test i am creating a cname entry. I can try some other record types and see if i can narrow the issue down. I agree it makes no sense like many things in windows. I'll also try to reproduce with nsupdate. |
Can you get a pcap for the traffic when it works and when it fails? It needs to be whole packets rather than truncated and I specifically need the TKEY exchange that happens before the actual DNS updates. I'd like to see if the remote end is actually negotiating different context flags. I'm requesting the Integrity, Mutual and Replay flags but I think the remote end can respond and accept a subset of that, however the first two flags are mandatory and have to be present. I'm currently assuming the remote side honours all three. In the CGo version of the code, the Lines 172 to 180 in 5045f82
The fourth return argument would contain the negotiated flags. I'm not sure how to retrieve those with the gokrb5 implementation but I'm guessing they're buried in one of the structs somewhere, however I think from memory the flags are visible in a pcap so I'd like to check that if possible. |
For me, it was resolved after I implemented two things:
if both or one of these is not implemented I got the same error |
Interesting. Thanks for the info! |
Hello There, I’m getting this issue out of nowhere as "It was working before fine". I got the logs from the DNS Server like:
Any hints to help me figure it out ? Thanks, |
The server refused the update, for some reason. There was a Windows Server update recently that broke some aspects of Kerberos, I don't know if it would have any affect on this or not. |
It appears that the terraform dns provider is throwing the error "Error updating DNS record: unexpected acceptor flag is not set: expecting a token from the acceptor, not in the initiator" from this package. See issue hashicorp/terraform-provider-dns#160
I have traced the issue to the parameters passed to https://github.com/bodgit/tsig/blob/v1.1.1/gss/gokrb5.go#L243
When changing the parameters to match those passed in the ns1 fork https://github.com/ns1/tsig/blob/master/gss/gokrb5.go#L150 the issue does not present itself. I am not sure why this resolves the issue and really have no insight into what the parameters do.
The issue is reproducible on an active directory dns server.
The text was updated successfully, but these errors were encountered: