Big Sur problem - Dynamic registration in DNS Server

ricguim
New Contributor II

Today I found out that Mac OS 11.x (until 11.2.3 - the actual one) is not updating the Forward DNS registry and the Reverse DNS registry in internal DNS Servers.
The problem is that if you have a Scavenge Age defined to scavenge old DNS entries, it will delete the Big Sur workstations' DNS entries and they will not appear anymore, because they don't automatically register again...

Until Mac OS 10.15.7 this was working fine and in Windows machines also.

I have a script that can force this update using the nsupdate terminal command but this registration should happen automatically.

This behaviour is the same when you use DHCP Server IP distribution or Fixed IP assignment for the different workstations.

Does anyone know what can be done to solve this? I was waiting for the different Big Sur updates released until now to see if it was patched, but it is not...

Any help would be highly appreciated!

Thanks.

Ricardo


BigCat4Life
New Contributor II

We're having a similar issue with some random machines on Big Sur. We're seeing this on 11.2.2, 11.2.3 and 11.2.0. We have one machine that did not exhibit the behavior at all on 11.2.0 for some reason and then got upgraded to 11.2.3. The only thing different about this particular machine is that it was an in-place upgrade from originally being on 10.15.7 while the others have been fresh builds and patches.

I'm completely stumped on this.

ricguim
New Contributor II

Yes @smartsheet-it That is also what we are getting. There must be a bug in Big Sur since version 11.0... I don't understand why so few people are complaining about this...

I hope 11.3 will solve this!!!

Stubakka
Contributor II

I am also seeing this, on 11.2.3, I upgraded a system from that to 11.3 beta (Apple beta program) and am checking it now but I think the issue remains.

Stubakka
Contributor II

@user-kEEivOurTr can you share your script ?

ricguim
New Contributor II

Hi Stubakka.

Here it is.

Just replace YOURDOMAIN.LOCAL by your domain.

Hope that helps.

Regards

Stubakka
Contributor II

Hi @ricguim I didn't see anything in your post, sorry if I'm missing something.

ricguim
New Contributor II

Hi @Stubakka

I have attached the script to my last post but for some reason it didn't upload...

I have done it again. Let me know if you don't get it. If not, send me your direct mail and I will send it attached that way.

Please rename the file attached, deleting the jpeg extension.

Best regards,

user-frHfOGKQpA
New Contributor

Hey ricguim there is no file attached sadly :-(

ricguim
New Contributor II

Maybe the system does not allow attachments...
Do you know the correct way to do it?

rqomsiya
Contributor III

Curious about this as well. We still see this with some 10.15.7 macOS devices.

user-frHfOGKQpA
New Contributor

Maybe you could upload it on https://pastebin.com/ ? Thank you!

ricguim
New Contributor II

Actually I can paste it here (I hope):

Here it goes:

```sh
#!/bin/sh
## 1st get the domain you are on ##
vdomain=$(awk '/search/ {print $2}' /var/run/resolv.conf)
echo "$vdomain"

## if not on YOURDOMAIN.LOCAL domain exit ##
if [ "$vdomain" != "YOURDOMAIN.LOCAL" ]; then
    echo "we are not in YOURDOMAIN.LOCAL"
    exit 0
else
    echo "run the YOURDOMAIN.LOCAL script"
fi

computernm=$(scutil --get ComputerName)
echo "$computernm"
ipaddr=$(/sbin/ifconfig en0 | awk '/inet / {print $2}')
echo "$ipaddr"
## if $ipaddr empty - go for en1 ##
if [ -z "$ipaddr" ]; then
    echo "get en1"
    ipaddr=$(/sbin/ifconfig en1 | awk '/inet / {print $2}')
    echo "$ipaddr en1"
fi

## private temp file for the nsupdate batch rather than a fixed /tmp/nsupdate name ##
batch=$(mktemp /tmp/nsupdate.XXXXXX) || exit 1

dnsdelete="update delete $computernm.YOURDOMAIN.LOCAL A"
echo "$dnsdelete"
dnsupdate="update add $computernm.YOURDOMAIN.LOCAL 86400 A $ipaddr"
echo "$dnsupdate"

printf '%s\n%s\nsend\nquit\n' "$dnsdelete" "$dnsupdate" > "$batch"
nsupdate -v "$batch"
echo "dns updated"

### rdns: turn a.b.c.d into d.c.b.a for the PTR name ###
rip=$(echo "$ipaddr" | sed 's/\([^.]*\)\.\([^.]*\)\.\([^.]*\)\.\([^.]*\)/\4.\3.\2.\1/')

dnsdelete="update delete $rip.in-addr.arpa PTR"
echo "$dnsdelete"
dnsupdate="update add $rip.in-addr.arpa 86400 PTR $computernm.YOURDOMAIN.LOCAL."
echo "$dnsupdate"

printf '%s\n%s\nsend\nquit\n' "$dnsdelete" "$dnsupdate" > "$batch"
nsupdate -v "$batch"
rm -f "$batch"
echo "dns updated"
```

sdagley
Esteemed Contributor II

@ricguim The script you posted is mangled since you didn't use the forum markup tags for an embedded script. Please edit the post and add the ``` tag on the lines before and after the script, or select the entire script and click the >_ button above the post edit text area to have the tags added.

BigCat4Life
New Contributor II

Dynamic DNS updates are still not working properly (natively as they should) on 11.3 for us. Was hoping that this version was going to address this.

ricguim
New Contributor II

Hi @sdagley

Sorry for taking a long time to answer but I have been busy around here...

Let's try your tip to send the script:

```sh
#!/bin/sh
## 1st get the domain you are on ##
vdomain=$(awk '/search/ {print $2}' /var/run/resolv.conf)
echo "$vdomain"

## if not on YOURDOMAIN.LOCAL domain exit ##
if [ "$vdomain" != "YOURDOMAIN.LOCAL" ]; then
    echo "we are not in YOURDOMAIN.LOCAL"
    exit 0
else
    echo "run the YOURDOMAIN.LOCAL script"
fi

computernm=$(scutil --get ComputerName)
echo "$computernm"
ipaddr=$(/sbin/ifconfig en0 | awk '/inet / {print $2}')
echo "$ipaddr"
## if $ipaddr empty - go for en1 ##
if [ -z "$ipaddr" ]; then
    echo "get en1"
    ipaddr=$(/sbin/ifconfig en1 | awk '/inet / {print $2}')
    echo "$ipaddr en1"
fi

## private temp file for the nsupdate batch rather than a fixed /tmp/nsupdate name ##
batch=$(mktemp /tmp/nsupdate.XXXXXX) || exit 1

dnsdelete="update delete $computernm.YOURDOMAIN.LOCAL A"
echo "$dnsdelete"
dnsupdate="update add $computernm.YOURDOMAIN.LOCAL 86400 A $ipaddr"
echo "$dnsupdate"

printf '%s\n%s\nsend\nquit\n' "$dnsdelete" "$dnsupdate" > "$batch"
nsupdate -v "$batch"
echo "dns updated"

### rdns: turn a.b.c.d into d.c.b.a for the PTR name ###
rip=$(echo "$ipaddr" | sed 's/\([^.]*\)\.\([^.]*\)\.\([^.]*\)\.\([^.]*\)/\4.\3.\2.\1/')

dnsdelete="update delete $rip.in-addr.arpa PTR"
echo "$dnsdelete"
dnsupdate="update add $rip.in-addr.arpa 86400 PTR $computernm.YOURDOMAIN.LOCAL."
echo "$dnsupdate"

printf '%s\n%s\nsend\nquit\n' "$dnsdelete" "$dnsupdate" > "$batch"
nsupdate -v "$batch"
rm -f "$batch"
echo "dns updated"
```

Let me know if it works now...

As far as I tested, the problem remains with 11.3 update :(

@Apple - Please listen to us...

rqomsiya
Contributor III

Thanks for posting this @ricguim. Question.. how often are you needing to run this? Are you running it via policy on network state change or via launch daemon?
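On the "how often" question: the following is an added example, not ricguim's script and not anything from Jamf or Apple, written so that it is safe to repeat from a LaunchDaemon or a network-state-change policy. It asks the server for the current A and PTR answers with dig and only sends an nsupdate batch when one of them is wrong, so a correct record is never deleted and re-added on every run. The decision logic sits in plain functions that take the resolved values as arguments, and the live part only runs when the script is invoked with --run. Assumed: YOURDOMAIN.LOCAL is a placeholder zone name, the dig and nsupdate on the Mac are BIND's, addresses are IPv4, and the zone accepts updates from this host. An Active Directory zone set to secure-only updates would additionally need GSS-TSIG (BIND nsupdate's -g option) and a valid machine ticket, which is the part the Kerberos discussion later in this thread finds broken.

```shell
#!/bin/sh
# Added example (not the script posted in this thread): refresh the A and PTR
# records only when the server's current answer is wrong, so the job is safe to
# run from a LaunchDaemon or on every network change.
# Assumptions: zone YOURDOMAIN.LOCAL (placeholder), BIND dig/nsupdate on the Mac,
# IPv4 only, and a zone that accepts updates from this host.
set -u

ZONE="YOURDOMAIN.LOCAL"
TTL=86400

# a.b.c.d -> d.c.b.a.in-addr.arpa; prints nothing unless there are four dotted fields
reverse_name() {
    echo "$1" | awk -F. 'NF == 4 { printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Pure decision logic: $1 short host name, $2 local IP, $3 current A answer
# (may be empty), $4 current PTR answer (may be empty). Prints an nsupdate batch
# on stdout, prints nothing when both records already match, returns 1 on bad input.
build_batch() {
    host="$1"; ip="$2"; cur_a="$3"; cur_ptr="$4"
    # only a plain DNS label goes into the batch: a name with spaces or
    # punctuation would otherwise be spliced into nsupdate commands
    case "$host" in
        "" | *[!A-Za-z0-9-]*) return 1 ;;
    esac
    rev=$(reverse_name "$ip")
    [ -n "$rev" ] || return 1
    fqdn="$host.$ZONE."
    # DNS names are case-insensitive, so compare the PTR target in lower case
    lc_ptr=$(printf '%s' "$cur_ptr" | tr 'A-Z' 'a-z')
    lc_fqdn=$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')
    batch=""
    if [ "$cur_a" != "$ip" ]; then
        batch="${batch}update delete $fqdn A
update add $fqdn $TTL A $ip
"
    fi
    if [ "$lc_ptr" != "$lc_fqdn" ]; then
        batch="${batch}update delete $rev. PTR
update add $rev. $TTL PTR $fqdn
"
    fi
    [ -n "$batch" ] || return 0
    printf '%ssend\nquit\n' "$batch"
}

# Live path: gather the values, then act only if build_batch says so.
refresh_dns() {
    host=$(scutil --get ComputerName)
    ip=$(/sbin/ifconfig en0 | awk '/inet / {print $2}')
    [ -n "$ip" ] || ip=$(/sbin/ifconfig en1 | awk '/inet / {print $2}')
    cur_a=$(dig +short "$host.$ZONE." A | head -n 1)
    cur_ptr=$(dig +short -x "$ip" | head -n 1)
    batch=$(build_batch "$host" "$ip" "$cur_a" "$cur_ptr") || {
        echo "refusing to update: host '$host' / ip '$ip' not usable" >&2; return 1; }
    if [ -z "$batch" ]; then
        echo "A and PTR already current"; return 0
    fi
    tmp=$(mktemp /tmp/nsupdate.XXXXXX) || return 1   # private file, not a fixed /tmp name
    printf '%s\n' "$batch" > "$tmp"
    nsupdate -v "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Run the live path only when asked, so the functions above can be sourced or tested.
if [ "${1:-}" = "--run" ]; then
    refresh_dns
fi
```

Invoke it as `sh refresh-dns.sh --run` from the LaunchDaemon or policy; the host-name check and the IPv4 check are deliberately in build_batch so that a machine with an odd ComputerName or no usable address refuses to send anything rather than sending a malformed batch.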

turbul3nt
New Contributor

The fix from above only seems to help me temporarily (and by temporarily, it only lasts about 10-15 minutes, then it breaks again). I did some more digging today on OLD threads and have come up with a different solution. My script, below, works with Cisco AnyConnect VPN, but have a look at the links I provide at the top of the script and I'm certain you can tweak it for your own:


How to script scutil from emzy reply 9-15-2005 reply on this: http://hints.macworld.com/article.php?story=20050621051643993

Fix commands from last reply from cwaappledevforums at: https://developer.apple.com/forums/thread/670856

```sh
sudo scutil << EOF
list "*.DNS"
get State:/Network/Service/com.cisco.anyconnect/DNS
d.show
d.remove ServerAddresses
d.show
d.remove SupplementalMatchDomains
d.show
set State:/Network/Service/com.cisco.anyconnect/DNS
quit
EOF
```

user-ELBDDyIXGD
New Contributor II

This appears to be a Kerberos issue. I don't know enough about Kerberos (especially the macOS specific implementation) to give a definitive answer, but it does seem that Kerberos functionality changed in macOS 11, which most likely has broken something. My testing is with Active Directory joined macOS computers using secured DNS, which I'm assuming is the setup of the OP.

Kerberos principals exist for users, computers and services. It's the computer principal that is in play here I believe. In addition to users authenticating to AD when logging in, the computer itself authenticates during startup. If the computer is named imac for example then it will authenticate to AD as imac$. As a result a Kerberos principal for imac$@DOMAIN.COM will be created and stored in a credential cache. A TGT is issued to this principal which is then used to update DNS securely in AD. If you look at the owner of macOS generated DNS records in Windows DNS manager you'll see that the owner is computer$.

In macOS 11 the Kerberos computer principal appears to be missing. I'm not certain if it's getting created and deleted or not getting created at all. Here's a log entry showing a failed DDNS update attempt. I'm gathering that the UUID referenced is for the computer principal that doesn't exist.

```
opendirectoryd: (ActiveDirectory) [com.apple.opendirectoryd:discovery] DDNS update - failure -- 'fd86:4116:5fec:0:8eda:3c3e:f602:32ad' - exit status [2: No such file or directory] -- tkey query failed: GSSAPI error: Major = Miscellaneous failure (see text), Minor = no credential for CD0E79F1-55A7-4679-9411-72E820421C1A.
```

In macOS Kerberos, each principal is assigned a random UUID. One thing I've noticed in macOS 11 that's different from previous versions is that if you issue a klist command to view Kerberos credentials for an account that is not authenticated to AD (i.e. a local admin) the result will be

```
klist: Cache not found: API:A9A8AC16-B767-4BCA-B221-65808815F939
```

in previous versions (10.15.7 in this case) it is

```
klist: krb5_cc_get_principal: No credentials cache file found
```

That tells me that there are some changes under the hood. What I don't know how to do (and I've searched a lot) is to issue a klist command in the context of the machine account (computer$) to verify the UUID. I'm curious if anyone else knows how to do this.

With all of that said, I'm guessing this is a low level bug in the Kerberos framework that is likely only fixable by Apple developers.
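To catch this across a fleet rather than after scavenging has already dropped the records, here is an added example (not from the post above, nor from Apple) that extracts DDNS failures from opendirectoryd lines in the text format `log show` prints. The sample lines are constructed for the example: the first is modelled on the entry quoted above, and the success and REFUSED lines are invented. Live use would be something like `log show --last 1h --predicate 'subsystem == "com.apple.opendirectoryd" AND category == "discovery"' | ddns_failures`, which is an assumption about the predicate keys on the writer's part, not something the post states.

```shell
#!/bin/sh
# Added example, not from the thread: pull DDNS failures out of opendirectoryd
# log lines so the problem is visible before scavenging removes the records.
# Input is the text format that `log show` prints (process: (sender) [subsystem:category] message).

# Constructed sample, modelled on the line quoted in the post; the success and
# REFUSED lines and the timestamps are invented for the example.
sample_log() {
    cat <<'EOF'
2021-04-20 09:12:01.123456+0100 0x3a1e Default 0x0 147 0 opendirectoryd: (ActiveDirectory) [com.apple.opendirectoryd:discovery] DDNS update - failure -- 'fd86:4116:5fec:0:8eda:3c3e:f602:32ad' - exit status [2: No such file or directory] -- tkey query failed: GSSAPI error: Major = Miscellaneous failure (see text), Minor = no credential for CD0E79F1-55A7-4679-9411-72E820421C1A.
2021-04-20 09:12:02.000000+0100 0x3a1e Default 0x0 147 0 opendirectoryd: (ActiveDirectory) [com.apple.opendirectoryd:discovery] DDNS update - success -- '10.1.2.3'
2021-04-20 09:12:05.000000+0100 0x3a1e Default 0x0 147 0 opendirectoryd: (ActiveDirectory) [com.apple.opendirectoryd:discovery] DDNS update - failure -- '10.1.2.3' - exit status [1: Operation not permitted] -- update failed: REFUSED
2021-04-20 09:13:00.000000+0100 0x0412 Default 0x0 88 0 mDNSResponder: (mDNSResponder) [com.apple.mDNSResponder:Default] unrelated line that also says DDNS update - failure
EOF
}

# Read log lines on stdin; print one "address<TAB>reason" row per DDNS failure
# reported by opendirectoryd. The GSSAPI minor status is kept when present,
# otherwise the last " -- " separated segment of the message.
ddns_failures() {
    awk -v q="'" '
        /opendirectoryd/ && /DDNS update - failure/ {
            addr = "?"
            if (index($0, q) > 0) {
                addr = $0
                sub("^[^" q "]*" q, "", addr)   # drop everything through the first quote
                sub(q ".*$", "", addr)          # drop from the next quote onward
            }
            err = $0
            if (match(err, /Minor = .*/)) {
                err = substr(err, RSTART + 8)
            } else {
                n = split(err, parts, " -- ")
                err = parts[n]
            }
            sub(/\.$/, "", err)
            printf "%s\t%s\n", addr, err
        }'
}

# Number of failures on stdin, as a bare integer (handy for an extension attribute).
ddns_failure_count() {
    ddns_failures | wc -l | tr -d ' '
}

# Stand-alone demo over the constructed sample.
sample_log | ddns_failures
```

The first column is the address the update was attempted for and the second is the reason, so a "no credential for <UUID>" reason across many machines points at the missing machine principal described above, while a REFUSED reason points at zone update permissions instead.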

ricguim
New Contributor II

@user-ELBDDyIXGD The "not so funny" thing is that the latest security update for 10.14.6 Mojave, released last week, also breaks the link to Active Directory and I suspect it is for the same reason. I did not test the 10.15.7 security update also released at the same time but I guess the (bad) result will be the same.
Had to reinstall 10.14.6 on top of the running system to correct that issue, or the updated machines were not capable of logging in with domain users nor of connecting to Windows SMB shares... Only local admin was able to login.

What's up Apple??

user-ELBDDyIXGD
New Contributor II

I just installed macOS Catalina Security Update 2021-003 (https://support.apple.com/en-us/HT212530) on a machine and haven't noticed any issues yet. AD login is working as well as DDNS. On a different machine running 10.14 I just installed macOS Mojave Security Update 2021-004 (https://support.apple.com/en-us/HT212531) and I am seeing problems. I'm able to log in as an AD user, although these machines are set up with mobile accounts. If I issue a klist command in Terminal it hangs. Likewise if I attempt to connect to a server via SMB the Connecting to smb://server progress bar hangs and never connects. Strangely, DDNS updates do appear to be working still though.

Both security updates mention Heimdal (Kerberos) fixes. It seems Apple has been tweaking the Heimdal code without thoroughly testing.

EDIT: Same issue reported elsewhere
Mojave Security Update 2021-004 broke Kerberos for me
https://discussions.apple.com/thread/252808834

Security Update 2021-003 Catalina and 2021-004 Mojave
https://talk.tidbits.com/t/security-update-2021-003-catalina-and-2021-004-mojave/15754

user-ELBDDyIXGD
New Contributor II

Big Sur 11.5 is now available. DDNS is still broken.

On a side note, Mojave Security Update 2021-005 is now available which appears to fix the Kerberos bug introduced in Security Update 2021-004 noted above.