Posted on 03-16-2021 08:32 AM
Today I found out that Mac OS 11.x (until 11.2.3 - the actual one) is not updating the Forward DNS registry and the Reverse DNS registry in internal DNS Servers.
The problem is that if you have a Scavenge Age defined to scavenge old dns entries, it will delete the Big Sur workstations DNS entries for the workstations and they will not appear anymore, because they don't automatically register again...
Until Mac OS 10.15.7 this was working fine and in Windows machines also.
I have a script that can force this update using the nsupdate terminal command but this registration should happen automatically.
This behaviour is the same when you use DHCP Server IP distribution or Fixed IP assignment for the different workstations.
Does anyone know what can be done to solve this? I was waiting for the different Big Sur updates released until now to see if it was patched, but it is not...
Any help would be highly appreciated!
Thanks.
Ricardo
Posted on 03-23-2021 12:42 PM
We're having a similar issue with some random machines on Big Sur. We're seeing this on 11.2.2, 11.2.3 and 11.2.0. We have one machine that did not exhibit the behavior at all on 11.2.0 for some reason and then got upgraded to 11.2.3. The only thing different about this particular machine is that it was an in-place upgrade from originally being on 10.15.7 while the others have been fresh builds and patches.
I'm completely stumped on this.
Posted on 03-23-2021 03:59 PM
Yes @smartsheet-it That is also what we are getting. There must be a bug in Big Sur since version 11.0... I don't understand why so few people are complaining about this...
I hope 11.3 will solve this!!!
Posted on 04-09-2021 07:31 AM
I am also seeing this, on 11.2.3, I upgraded a system from that to 11.3 beta (Apple beta program) and am checking it now but I think the issue remains.
Posted on 04-09-2021 07:32 AM
@user-kEEivOurTr can you share your script?
Posted on 04-09-2021 10:52 AM
Hi Stubakka.
Here it is.
Just replace YOURDOMAIN.LOCAL by your domain.
Hope that helps.
Regards
Posted on 04-14-2021 11:17 AM
Hi @ricguim I didn't see anything in your post, sorry if I'm missing something.
Posted on 04-15-2021 02:19 PM
Hi @Stubakka
I attached the script to my last post but for some reason it didn't upload...
I have done it again. Let me know if you don't get it. If not, send me your direct mail and I will send it attached that way.
Please rename the file attached, deleting the jpeg extension.
Best regards,
Posted on 04-16-2021 01:19 AM
Hey ricguim there is no file attached sadly :-(
Posted on 04-17-2021 07:33 AM
Maybe the system does not allow attachments...
Do you know the correct way to do it?
Posted on 04-17-2021 08:18 AM
Curious about this as well. We still see this with some 10.15.7 macOS devices.
Posted on 04-17-2021 09:16 AM
Maybe you could upload it on https://pastebin.com/ ? Thank you!
Posted on 04-17-2021 11:59 AM
Actually I can paste it here (I hope):
Here it goes:
```
# get the search domain from resolv.conf
vdomain=$(cat /var/run/resolv.conf | awk '/search/ {print $2}')
echo $vdomain
# only run on YOURDOMAIN.LOCAL
if [ "$vdomain" != "YOURDOMAIN.LOCAL" ]; then
    echo "we are not in YOURDOMAIN.LOCAL"
    exit 0
else
    echo "run the YOURDOMAIN.LOCAL script"
fi
computernm=$(scutil --get ComputerName)
echo $computernm
ipaddr=$(/sbin/ifconfig en0 | awk '/inet / {print $2}')
echo $ipaddr
# fall back to en1 if en0 has no IPv4 address
if [ -z "$ipaddr" ]; then
    echo "get en1"
    ipaddr=$(/sbin/ifconfig en1 | awk '/inet / {print $2}')
    echo "$ipaddr en1"
fi
# forward (A) record: delete old, add new
dnsdelete="update delete $computernm.YOURDOMAIN.LOCAL A"
echo $dnsdelete
dnsupdate="update add $computernm.YOURDOMAIN.LOCAL 86400 A $ipaddr"
echo $dnsdelete > /tmp/nsupdate
echo $dnsupdate >> /tmp/nsupdate
echo send >> /tmp/nsupdate
echo quit >> /tmp/nsupdate
nsupdate -v /tmp/nsupdate
echo "dns updated"
# reverse (PTR) record: a.b.c.d -> d.c.b.a.in-addr.arpa
rip=$(echo $ipaddr | sed -E 's/([^.]*)\.([^.]*)\.([^.]*)\.([^.]*)/\4.\3.\2.\1/g')
dnsdelete="update delete $rip.in-addr.arpa PTR"
echo $dnsdelete
dnsupdate="update add $rip.in-addr.arpa 86400 PTR $computernm.YOURDOMAIN.LOCAL."
echo $dnsupdate
echo $dnsdelete > /tmp/nsupdate
echo $dnsupdate >> /tmp/nsupdate
echo send >> /tmp/nsupdate
echo quit >> /tmp/nsupdate
nsupdate -v /tmp/nsupdate
echo "dns updated"
```
Posted on 04-17-2021 07:41 PM
@ricguim The script you posted is mangled since you didn't use the forum markup tags for an embedded script. Please edit the post and add the ``` tag on the lines before and after the script, or select the entire script and click the >_ button above the post edit text area to have the tags added.
Posted on 05-01-2021 03:21 PM
Dynamic DNS updates are still not working properly (natively as they should) on 11.3 for us. Was hoping that this version was going to address this.
Posted on 05-02-2021 10:54 AM
Hi @sdagley
Sorry for taking so long to answer, but I have been busy around here...
Let's try your tip to send the script:
```
#!/bin/sh
##1st get the domain you are on##
vdomain=$(cat /var/run/resolv.conf | awk '/search/ {print $2}')
echo $vdomain
##if not on YOURDOMAIN.LOCAL domain exit##
if [ "$vdomain" != "YOURDOMAIN.LOCAL" ]; then
    echo "we are not in YOURDOMAIN.LOCAL"
    exit 0
else
    echo "run the YOURDOMAIN.LOCAL script"
fi
computernm=$(scutil --get ComputerName)
echo $computernm
ipaddr=$(/sbin/ifconfig en0 | awk '/inet / {print $2}')
echo $ipaddr
##if $ipaddr empty - go for en1###
if [ -z "$ipaddr" ]; then
    echo "get en1"
    ipaddr=$(/sbin/ifconfig en1 | awk '/inet / {print $2}')
    echo "$ipaddr en1"
fi
## forward (A) record: delete old, add new ##
dnsdelete="update delete $computernm.YOURDOMAIN.LOCAL A"
echo $dnsdelete
#echo "update add $computernm.YOURDOMAIN.LOCAL 86400 A $ipaddr"
dnsupdate="update add $computernm.YOURDOMAIN.LOCAL 86400 A $ipaddr"
#echo $dnsupdate
echo $dnsdelete > /tmp/nsupdate
echo $dnsupdate >> /tmp/nsupdate
echo send >> /tmp/nsupdate
echo quit >> /tmp/nsupdate
#cat /tmp/nsupdate
nsupdate -v /tmp/nsupdate
echo "dns updated"
### rdns: a.b.c.d -> d.c.b.a.in-addr.arpa
rip=$(echo $ipaddr | sed -E 's/([^.]*)\.([^.]*)\.([^.]*)\.([^.]*)/\4.\3.\2.\1/g')
dnsdelete="update delete $rip.in-addr.arpa PTR"
echo $dnsdelete
dnsupdate="update add $rip.in-addr.arpa 86400 PTR $computernm.YOURDOMAIN.LOCAL."
echo $dnsupdate
echo $dnsdelete > /tmp/nsupdate
echo $dnsupdate >> /tmp/nsupdate
echo send >> /tmp/nsupdate
echo quit >> /tmp/nsupdate
#cat /tmp/nsupdate
nsupdate -v /tmp/nsupdate
echo "dns updated"
```
Let me know if it works now...
As far as I tested, the problem remains with 11.3 update :(
@Apple - Please listen to us...
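An added example, not code from the thread: a POSIX sh version of the same A/PTR registration that validates the hostname and IP before they reach nsupdate, builds the reverse name by splitting on dots (no sed backreferences for the forum to strip), and writes the batch to a mktemp file rather than a fixed /tmp/nsupdate path. Function names and the use of `ipconfig getifaddr` are this example's own choices; YOURDOMAIN.LOCAL is the thread's placeholder zone.

```shell
#!/bin/sh
# Added example (not the poster's script): validated nsupdate batch for a
# host's A record and matching PTR. YOURDOMAIN.LOCAL is the thread's
# placeholder zone; all function names here are this example's own.

# 10.1.2.3 -> 3.2.1.10.in-addr.arpa, via IFS word-splitting instead of sed.
ptr_name() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Accept only a dotted quad of four numeric octets, each 0-255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Accept only a plain hostname label (letters, digits, hyphen; <= 63 chars),
# so a crafted ComputerName cannot smuggle extra nsupdate commands.
valid_host() {
    case $1 in ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;; esac
    [ ${#1} -le 63 ]
}

# Print the whole transaction: replace A and PTR records, then send.
build_nsupdate() {
    host=$1; ip=$2; zone=$3; ttl=${4:-86400}
    valid_host "$host" && valid_ipv4 "$ip" || return 1
    fqdn="$host.$zone"; rev=$(ptr_name "$ip")
    printf 'update delete %s A\nupdate add %s %s A %s\n' "$fqdn" "$fqdn" "$ttl" "$ip"
    printf 'update delete %s PTR\nupdate add %s %s PTR %s.\n' "$rev" "$rev" "$ttl" "$fqdn"
    printf 'send\nquit\n'
}

# Real registration: the batch goes to a private mktemp file, not a fixed
# /tmp/nsupdate path that a root-run policy script should not trust.
register_host() {
    batch=$(mktemp) || return 1
    build_nsupdate "$1" "$2" "$3" > "$batch" || { rm -f "$batch"; return 1; }
    nsupdate -v "$batch"; rc=$?
    rm -f "$batch"
    return $rc
}

# Example usage on a Mac (not run here):
# register_host "$(scutil --get ComputerName)" "$(ipconfig getifaddr en0)" YOURDOMAIN.LOCAL
```

Zones configured for secure-only dynamic updates reject an unauthenticated nsupdate; BIND's `nsupdate -g` performs the GSS-TSIG (TKEY) exchange that the opendirectoryd log line later in this thread shows failing.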
Posted on 05-02-2021 06:05 PM
Thanks for posting this @ricguim. Question: how often are you needing to run this? Are you running it via policy on network state change or via launch daemon?
Posted on 05-25-2021 06:48 AM
The fix from above only seems to help me temporarily (and by temporarily, it only lasts about 10-15 minutes, then it breaks again). I did some more digging today on OLD threads and have come up with a different solution. My script, below, works with Cisco AnyConnect VPN, but have a look at the links I provide at the top of the script and I'm certain you can tweak it for your own:
How to script scutil, from emzy's 9-15-2005 reply on this: http://hints.macworld.com/article.php?story=20050621051643993
Fix commands from the last reply from cwaappledevforums at: https://developer.apple.com/forums/thread/670856
```
sudo scutil << EOF
list "*.DNS"
get State:/Network/Service/com.cisco.anyconnect/DNS
d.show
d.remove ServerAddresses
d.show
d.remove SupplementalMatchDomains
d.show
set State:/Network/Service/com.cisco.anyconnect/DNS
quit
EOF
```
Posted on 06-03-2021 12:25 PM
This appears to be a Kerberos issue. I don't know enough about Kerberos (especially the macOS specific implementation) to give a definitive answer, but it does seem that Kerberos functionality changed in macOS 11, which most likely has broken something. My testing is with Active Directory joined macOS computers using secured DNS, which I'm assuming is the set up of the OP.
Kerberos principals exist for users, computers and services. It's the computer principal that is in play here I believe. In addition to users authenticating to AD when logging in, the computer itself authenticates during startup. If the computer is named imac for example then it will authenticate to AD as imac$. As a result a Kerberos principal for imac$@DOMAIN.COM will be created and stored in a credential cache. A TGT is issued to this principal which is then used to update DNS securely in AD. If you look at the owner of macOS generated DNS records in Windows DNS manager you'll see that the owner is computer$.
In macOS 11 the Kerberos computer principal appears to be missing. I'm not certain if it's getting created and deleted or not getting created at all. Here's a log entry showing a failed DDNS update attempt. I'm gathering that the UUID referenced is for the computer principal that doesn't exist.
opendirectoryd: (ActiveDirectory) [com.apple.opendirectoryd:discovery] DDNS update - failure -- 'fd86:4116:5fec:0:8eda:3c3e:f602:32ad' - exit status [2: No such file or directory] -- tkey query failed: GSSAPI error: Major = Miscellaneous failure (see text), Minor = no credential for CD0E79F1-55A7-4679-9411-72E820421C1A.
In macOS Kerberos, each principal is assigned a random UUID. One thing I've noticed in macOS 11 that's different from previous versions is that if you issue a klist command to view Kerberos credentials for an account that is not authenticated to AD (i.e. a local admin) the result will be
klist: Cache not found: API:A9A8AC16-B767-4BCA-B221-65808815F939
in previous versions (10.15.7 in this case) it is
klist: krb5_cc_get_principal: No credentials cache file found
That tells me that there are some changes under the hood. What I don't know how to do (and I've searched a lot) is to issue a klist command in the context of the machine account (computer$) to verify the UUID. I'm curious if anyone else knows how to do this.
With all of that said, I'm guessing this is a low level bug in the Kerberos framework that is likely only fixable by Apple developers.
Posted on 06-06-2021 08:59 AM
@user-ELBDDyIXGD The "not so funny" thing is that the latest security update for 10.14.6 Mojave, released last week, also breaks the link to Active Directory and I suspect it is for the same reason. I did not test the 10.15.7 security update also released at the same time but I guess the (bad) result will be the same.
Had to reinstall 10.14.6 on top of the running system to correct that issue, or the updated machines were not capable of logging in with domain users nor of connecting to Windows SMB shares... Only local admin was able to login.
What's up Apple??
Posted on 06-07-2021 08:41 AM
I just installed macOS Catalina Security Update 2021-003 (https://support.apple.com/en-us/HT212530) on a machine and haven't noticed any issues yet. AD login is working as well as DDNS. On a different machine running 10.14 I just installed macOS Mojave Security Update 2021-004 (https://support.apple.com/en-us/HT212531) and I am seeing problems. I'm able to log in as an AD user, although these machines are set up with mobile accounts. If I issue a klist command in Terminal it hangs. Likewise if I attempt to connect to a server via SMB the Connecting to smb://server progress bar hangs and never connects. Strangely, DDNS updates do appear to be working still though.
Both security updates mention Heimdal (Kerberos) fixes. It seems Apple has been tweaking the Heimdal code without thoroughly testing.
EDIT: Same issue reported elsewhere
Mojave Security Update 2021-004 broke Kerberos for me
https://discussions.apple.com/thread/252808834
Security Update 2021-003 Catalina and 2021-004 Mojave
https://talk.tidbits.com/t/security-update-2021-003-catalina-and-2021-004-mojave/15754
Posted on 07-23-2021 07:18 AM
Big Sur 11.5 is now available. DDNS is still broken.
On a side note, Mojave Security Update 2021-005 is now available which appears to fix the Kerberos bug introduced in Security Update 2021-004 noted above.