Web lists-archives.com

[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates




 PRIOR THREAD: https://lists.samba.org/archive/samba/2019-January/220292.html

In the  referenced prior thread, I had an issue of samba_dnsupdate --verbose --all-names causing a dns_tkey_gssnegotiate: TKEY is unacceptable error.

Ultimately, the solution kindly provided by Rowland was to insert dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool into the [global] section of the smb.conf file.

I am now having a similar issue with dhcpd dynamic updates, though. In addition to solving that problem, however, and at least suspecting some relationship between the two, I am first curious about the prior solution.

Why was it necessary to select the --use-samba-tool vs. --use-nsupdate option, and what is happening as a result of this selection? (I looked at the dns-update script, but promise that I am too dense to figure this all out in the time I have left to get these servers running -- yes, the secondary DC is right behind this mess.)

As to the current issue, I am attemting to configure DHCP to update DNS records with BIND9, as outlined in the Samba Wiki (with correction of a couple errors in the "on release" and "on expiry" sections of the example dhcpd.conf file).

As some background, the following script and configuration was working fine in the prior incarnation of the DC. In that version, however, the Kerberos enablement of the nambed.conf file wrongly included:

tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";

as opposed to:

tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

This change precipitated the prior issue, and I would guess should be considered, in addition to the smb.conf change, in addressing the current issue.===================================
  CURRENT SMB.CONF
  /usr/local/samba/etc/smb.conf
===================================
[global]
        bind interfaces only = Yes
        interfaces = lo eno1
        netbios name = DC01
        realm = CORP.<DOMAIN>.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = CORP
        idmap_ldb:use rfc2307 = yes
        dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/corp.<DOMAIN>.com/scripts
        read only = No
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

===================================
  CURRENT DHCPD.CONF
  /etc/dhcp/dhcpd.conf
===================================
authoritative;
ddns-update-style none;
option domain-name "corp.<DOMAIN>.com";
option domain-name-servers 172.20.10.130;
option ntp-servers 172.20.10.130;
option broadcast-address 172.20.10.255;
option routers 172.20.10.129;
option netbios-name-servers 172.20.10.130;
option time-offset 0;

subnet 172.20.10.128 netmask 255.255.255.128 {
  option subnet-mask 255.255.255.128;
  pool {
    range 172.20.10.165 172.20.10.229;
    default-lease-time 43200;
    max-lease-time 86400;
  }
}
on commit {
set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
set ClientName = pick-first-value(option host-name, config-option-host-name, client-name, noname);
log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
execute("/usr/local/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}
on release {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
log(concat("Release: IP: ", ClientIP));
execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID, "");
}
on expiry {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
log(concat("Expired: IP: ", ClientIP));
execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, "0", "");
}
===================================
  CURRENT DHCP-DYNDNS.SH
  /usr/local/bin/dhcp-dyndns.sh
===================================
#!/bin/bash
# /usr/local/bin/dhcp-dyndns.sh
# Additional nsupdate flags (-g already applied), e.g. "-d" for debug
NSUPDFLAGS="-d"
# krbcc ticket cache
export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
# Variables supplied by dhcpd.conf
action=$1
ip=$2
DHCID=$3
name=${4%%.*}
# Check for valid kerberos ticket

_KERBEROS () {

klist -c /tmp/dhcp-dyndns.cc -s
if [ "$?" != "0" ]; then
    kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc "dhcpduser@CORP.<DOMAIN>.COM"
    if [ "$?" != "0" ]; then
        exit 1;
    fi
fi
}
# Exit if no ip address or mac-address
if [ -z "${ip}" ] || [ -z "${DHCID}" ]; then
    exit 1;
fi
# Exit if no computer name supplied, unless the action is 'delete'
if [ "${name}" = "" ]; then
    if [ "${action}" = "delete" ]; then
        name=$(host -t PTR "${ip}" | awk '{print $NF}' | awk -F '.' '{print $1}')
    else
        exit 1;
    fi
fi
# Set PTR address
ptr=$(echo ${ip} | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')
## nsupdate ##

case "${action}" in
add)
_KERBEROS
nsupdate -g ${NSUPDFLAGS} << UPDATE
server 127.0.0.1
realm CORP.<DOMAIN>.COM
update delete ${name}.corp.<DOMAIN>.com 3600 A
update add ${name}.corp.<DOMAIN>.com 3600 A ${ip}
send
UPDATE
nsupdate -g ${NSUPDFLAGS} << UPDATE
server 127.0.0.1
realm CORP.<DOMAIN>.COM
update delete ${ptr} 3600 PTR
update add ${ptr} 3600 PTR ${name}.corp.<DOMAIN>.com
send
UPDATE
;;
delete)
_KERBEROS
nsupdate -g ${NSUPDFLAGS} << UPDATE
server 127.0.0.1
realm CORP.<DOMAIN>.COM
update delete ${name}.corp.<DOMAIN>.com 3600 A
send
UPDATE
nsupdate -g ${NSUPDFLAGS} << UPDATE
server 127.0.0.1
realm CORP.<DOMAIN>.COM
update delete ${ptr} 3600 PTR
send
UPDATE
;;
*)

exit 1

;;
esac
exit 0
===================================
  THE DCHP DNS UPDATE USER
===================================
Create update user
  $ sudo samba-tool user create dhcpduser --description="Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server" --random-password
    User 'dhcpduser' created successfully
Set dhcpduser account to never expire:
  $ sudo samba-tool user setexpiry --noexpiry dhcpduser
    Expiry for user 'dhcpduser' disabled.
Add dhcpduser user to the DnsAdmins group
  $ sudo samba-tool group addmembers DnsAdmins dhcpduser
    Added members to group DnsAdmins
Export the required keytab
  Determine dhcpd user and group
    $ ps aux | grep dhcpd
      USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
      dhcpd     1280  0.0  0.0  45148 15612 ?        Ss   16:16   0:00 dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-server/dhcpd.pid -cf /etc/dhcp/dhcpd.conf
  Export keytab
    $ sudo samba-tool domain exportkeytab --principal=dhcpduser@CORP.<DOMAIN>.COM /etc/dhcpduser.keytab
      Export one principal to /etc/dhcpduser.keytab
  Set permissions
    $ sudo chown dhcpd:dhcpd  /etc/dhcpduser.keytab
    $ sudo chmod 400 /etc/dhcpduser.keytab    $ sudo ls -la /etc/dhcpduser.keytab      -r-------- 1 dhcpd dhcpd 347 Jan  9 16:20 /etc/dhcpduser.keytab
===================================
  ERRORS
===================================
Jan 10 12:41:45 dc01 dhcpd[5099]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
Jan 10 12:41:45 dc01 dhcpd[5099]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 10 12:41:45 dc01 dhcpd[5099]: execute_statement argv[1] = add
Jan 10 12:41:45 dc01 dhcpd[5099]: execute_statement argv[2] = 172.20.10.165
Jan 10 12:41:45 dc01 dhcpd[5099]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
Jan 10 12:41:45 dc01 dhcpd[5099]: execute_statement argv[4] = mgmt01
Jan 10 12:41:45 dc01 sh[5099]: Reply from SOA query:
Jan 10 12:41:45 dc01 sh[5099]: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  14904
Jan 10 12:41:45 dc01 sh[5099]: ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
Jan 10 12:41:45 dc01 sh[5099]: ;; QUESTION SECTION:
Jan 10 12:41:45 dc01 sh[5099]: ;mgmt01.corp.<DOMAIN>.com.                IN        SOA
Jan 10 12:41:45 dc01 sh[5099]: ;; AUTHORITY SECTION:
Jan 10 12:41:45 dc01 sh[5099]: corp.<DOMAIN>.com.                0        IN        SOA        dc01.corp.<DOMAIN>.com. hostmaster.corp.<DOMAIN>.com. 38 900 600 86400 3600
Jan 10 12:41:45 dc01 sh[5099]: Found zone name: corp.<DOMAIN>.com
Jan 10 12:41:45 dc01 sh[5099]: The master is: dc01.corp.<DOMAIN>.com
Jan 10 12:41:45 dc01 sh[5099]: start_gssrequest
Jan 10 12:41:45 dc01 sh[5099]: send_gssrequest
Jan 10 12:41:45 dc01 sh[5099]: Outgoing update query:
Jan 10 12:41:45 dc01 sh[5099]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  37508
Jan 10 12:41:45 dc01 sh[5099]: ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Jan 10 12:41:45 dc01 sh[5099]: ;; QUESTION SECTION:
Jan 10 12:41:45 dc01 sh[5099]: ;2880862545.sig-dc01.corp.<DOMAIN>.com. ANY        TKEY
Jan 10 12:41:45 dc01 sh[5099]: ;; ADDITIONAL SECTION:
Jan 10 12:41:45 dc01 sh[5099]: 2880862545.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY        gss-tsig. 1547145705 1547145705 3 NOERROR 1397 YIIFcQYGKwYBBQUCoIIFZTCCBWGgDTALBgkqhkiG9xIBAgKiggVOBIIF SmCCBUYGCSqGSIb3EgECAgEAboIFNTCCBTGgAwIBBaEDAgEOo
Jan 10 12:41:45 dc01 sh[5099]: recvmsg reply from GSS-TSIG query
Jan 10 12:41:45 dc01 sh[5099]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  37508
Jan 10 12:41:45 dc01 sh[5099]: ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
Jan 10 12:41:45 dc01 sh[5099]: ;; QUESTION SECTION:
Jan 10 12:41:45 dc01 sh[5099]: ;2880862545.sig-dc01.corp.<DOMAIN>.com. ANY        TKEY
Jan 10 12:41:45 dc01 sh[5099]: ;; ANSWER SECTION:
Jan 10 12:41:45 dc01 sh[5099]: 2880862545.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY        gss-tsig. 0 0 3 BADKEY 0  0
Jan 10 12:41:45 dc01 sh[5099]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 10 12:41:45 dc01 sh[5099]: Reply from SOA query:
Jan 10 12:41:45 dc01 sh[5099]: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  48142
Jan 10 12:41:45 dc01 sh[5099]: ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
Jan 10 12:41:45 dc01 sh[5099]: ;; QUESTION SECTION:
Jan 10 12:41:45 dc01 sh[5099]: ;165.10.20.172.in-addr.arpa.        IN        SOA
Jan 10 12:41:45 dc01 sh[5099]: ;; AUTHORITY SECTION:
Jan 10 12:41:45 dc01 sh[5099]: 10.20.172.in-addr.arpa.        0        IN        SOA        dc01.corp.<DOMAIN>.com. hostmaster.corp.<DOMAIN>.com. 2 900 600 86400 3600
Jan 10 12:41:45 dc01 sh[5099]: Found zone name: 10.20.172.in-addr.arpa
Jan 10 12:41:45 dc01 sh[5099]: The master is: dc01.corp.<DOMAIN>.com
Jan 10 12:41:45 dc01 sh[5099]: start_gssrequest
Jan 10 12:41:45 dc01 sh[5099]: send_gssrequest
Jan 10 12:41:45 dc01 sh[5099]: Outgoing update query:
Jan 10 12:41:45 dc01 sh[5099]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39103
Jan 10 12:41:45 dc01 sh[5099]: ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Jan 10 12:41:45 dc01 sh[5099]: ;; QUESTION SECTION:
Jan 10 12:41:45 dc01 sh[5099]: ;3162717331.sig-dc01.corp.<DOMAIN>.com. ANY        TKEY
Jan 10 12:41:45 dc01 sh[5099]: ;; ADDITIONAL SECTION:
Jan 10 12:41:45 dc01 sh[5099]: 3162717331.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY        gss-tsig. 1547145705 1547145705 3 NOERROR 1397 YIIFcQYGKwYBBQUCoIIFZTCCBWGgDTALBgkqhkiG9xIBAgKiggVOBIIF SmCCBUYGCSqGSIb3EgECAgEAboIFNTCCBTGgAwIBBaEDAgEOo
Jan 10 12:41:45 dc01 sh[5099]: recvmsg reply from GSS-TSIG query
Jan 10 12:41:45 dc01 sh[5099]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39103
Jan 10 12:41:45 dc01 sh[5099]: ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
Jan 10 12:41:45 dc01 sh[5099]: ;; QUESTION SECTION:
Jan 10 12:41:45 dc01 sh[5099]: ;3162717331.sig-dc01.corp.<DOMAIN>.com. ANY        TKEY
Jan 10 12:41:45 dc01 sh[5099]: ;; ANSWER SECTION:
Jan 10 12:41:45 dc01 sh[5099]: 3162717331.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY        gss-tsig. 0 0 3 BADKEY 0  0
Jan 10 12:41:45 dc01 sh[5099]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 10 12:41:45 dc01 dhcpd[5099]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d via eno1
Jan 10 12:41:45 dc01 dhcpd[5099]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba