
Re: [Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates




 

    On Friday, January 11, 2019 10:44 AM, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
 

 On Fri, 11 Jan 2019 16:13:50 +0000 (UTC)
Billy Bob <billysbobs@xxxxxxxxx> wrote:


>> Here is what the logs show WITHOUT the -d option:
>> 
>> Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
>> Jan 11 10:00:36 dc01 dhcpd[1704]: reuse_lease: lease age 364 (secs) under 25% threshold, reply with unaltered, existing lease for 172.20.10.165
>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1
>> 
> 
> This shows the script is being run with the correct data, but for some
> reason, your Kerberos key isn't correct.
> 
> What is in your ticket?
> 
> Running 'klist -ce /tmp/dhcp-dyndns.cc' on my DC produces this:
> 
> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> Default principal: dhcpduser@xxxxxxxxxxxxxxxxxx
> 
> Valid starting    Expires            Service principal
> 11/01/19 10:12:50  11/01/19 20:12:50  krbtgt/SAMDOM.EXAMPLE.COM@xxxxxxxxxxxxxxxxxx
>     renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
> 11/01/19 10:12:50  11/01/19 20:12:50  DNS/dc4.samdom.example.com@xxxxxxxxxxxxxxxxxx
>     renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac 
> 
> And running 'ktutil' produces this:
> 
> root@dc4:~# ktutil
> ktutil:  rkt /etc/dhcpduser.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1            dhcpduser@xxxxxxxxxxxxxxxxxx
>    2    1            dhcpduser@xxxxxxxxxxxxxxxxxx
>    3    1            dhcpduser@xxxxxxxxxxxxxxxxxx
>    4    1            dhcpduser@xxxxxxxxxxxxxxxxxx
>    5    1            dhcpduser@xxxxxxxxxxxxxxxxxx
> ktutil:  q
> 
> I would delete the ticket and keytab, recreate the keytab and then try
> again.
> 
 
 $ sudo klist -ce /tmp/dhcp-dyndns.cc
 
Ticket cache: FILE:/tmp/dhcp-dyndns.cc
Default principal: dhcpduser@CORP.<DOMAIN>.COM

Valid starting       Expires              Service principal
01/11/2019 09:54:32  01/11/2019 19:54:32  krbtgt/CORP.<DOMAIN>.COM@CORP.<DOMAIN>.COM
        renew until 01/12/2019 09:54:32, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/11/2019 09:54:32  01/11/2019 19:54:32  DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
        renew until 01/12/2019 09:54:32, Etype (skey, tkt): arcfour-hmac, arcfour-hmac


$ sudo ktutil

ktutil:  rkt /etc/dhcpduser.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2                  dhcpduser@CORP.<DOMAIN>.COM
   2    2                  dhcpduser@CORP.<DOMAIN>.COM
   3    2                  dhcpduser@CORP.<DOMAIN>.COM
   4    2                  dhcpduser@CORP.<DOMAIN>.COM
   5    2                  dhcpduser@CORP.<DOMAIN>.COM


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
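
An added example, not part of the original messages: a Python triage of the dhcpd log lines quoted above that groups each hook run's argv, counts the GSS-TSIG `TKEY is unacceptable` errors, and decodes the logged exit status. It assumes dhcpd logs the raw wait(2) status (2816 is 11 << 8, which would make the script's own exit code 11); the function names are hypothetical.

```python
import re

# Log lines copied from the dhcpd output quoted in this thread, one entry per line.
SAMPLE = """\
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
""".splitlines()

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ [\w.-]+\[\d+\]: (?P<msg>.*)$")
ARGV = re.compile(r"execute_statement argv\[(\d+)\] = (.*)")
EXIT = re.compile(r"execute: (\S+) exit status (\d+)")


def decode_wait_status(status):
    """Split a raw wait(2) status into (exit_code, signal); one of them is None."""
    # Assumption: dhcpd logs the raw wait status, not the script's exit code.
    sig = status & 0x7F
    if sig:
        return None, sig  # child was killed by a signal
    return (status >> 8) & 0xFF, None


def triage(lines):
    """Return one record per failed hook run: argv, decoded exit, TKEY error count."""
    argv, tkey_errors, findings = {}, 0, []
    for line in lines:
        msg = m["msg"] if (m := LINE.match(line)) else ""
        if (a := ARGV.match(msg)):
            if a[1] == "0":  # argv[0] starts a new hook invocation
                argv, tkey_errors = {}, 0
            argv[int(a[1])] = a[2]
        elif "dns_tkey_gssnegotiate" in msg:
            tkey_errors += 1
        elif (e := EXIT.match(msg)):
            code, sig = decode_wait_status(int(e[2]))
            findings.append({"argv": [argv[i] for i in sorted(argv)], "exit_code": code,
                             "signal": sig, "tkey_errors": tkey_errors})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The decoded exit code can then be matched against the `exit` statements in your copy of dhcp-dyndns.sh to see which step gave up.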

   