
Re: [Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates

On Fri, 11 Jan 2019 17:44:48 +0000 (UTC)
Billy Bob via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On Friday, January 11, 2019 11:20 AM, Billy Bob via samba
> <samba@xxxxxxxxxxxxxxx> wrote:
> 
> On Friday, January 11, 2019 10:44 AM, Rowland Penny via samba
> <samba@xxxxxxxxxxxxxxx> wrote:
> 
>  On Fri, 11 Jan 2019 16:13:50 +0000 (UTC)
> Billy Bob <billysbobs@xxxxxxxxx> wrote:
> 
> 
> >>> Here is what the logs show WITHOUT the -d option:
> >>> 
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
> >>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
> >>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: reuse_lease: lease age 364 (secs) under 25% threshold, reply with unaltered, existing lease for 172.20.10.165
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1
> >>> 
> >> 
> >> This shows the script is being run with the correct data, but for
> >> some reason, your kerberos key isn't correct
> >> 
> >> What is in your ticket ?
> >> 
> >> Running 'klist -ce /tmp/dhcp-dyndns.cc' on my DC produces this:
> >> 
> >> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> >> Default principal: dhcpduser@xxxxxxxxxxxxxxxxxx
> >> 
> >> Valid starting     Expires            Service principal
> >> 11/01/19 10:12:50  11/01/19 20:12:50  krbtgt/SAMDOM.EXAMPLE.COM@xxxxxxxxxxxxxxxxxx
> >>     renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> >> 11/01/19 10:12:50  11/01/19 20:12:50  DNS/dc4.samdom.example.com@xxxxxxxxxxxxxxxxxx
> >>     renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
> >> 
> >> And running 'ktutil' produces this:
> >> 
> >> root@dc4:~# ktutil
> >> ktutil:  rkt /etc/dhcpduser.keytab
> >> ktutil:  l
> >> slot KVNO Principal
> >> ---- ---- ---------------------------------------------------------------------
> >>    1    1            dhcpduser@xxxxxxxxxxxxxxxxxx
> >>    2    1            dhcpduser@xxxxxxxxxxxxxxxxxx
> >>    3    1            dhcpduser@xxxxxxxxxxxxxxxxxx
> >>    4    1            dhcpduser@xxxxxxxxxxxxxxxxxx
> >>    5    1            dhcpduser@xxxxxxxxxxxxxxxxxx
> >> ktutil:  q
> >> 
> >> I would delete the ticket and keytab, recreate the keytab and then
> >> try again.
> > 
> > $ sudo klist -ce /tmp/dhcp-dyndns.cc
> > 
> > Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> > Default principal: dhcpduser@CORP.<DOMAIN>.COM
> > 
> > Valid starting       Expires              Service principal
> > 01/11/2019 09:54:32  01/11/2019 19:54:32  krbtgt/CORP.<DOMAIN>.COM@CORP.<DOMAIN>.COM
> >         renew until 01/12/2019 09:54:32, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> > 01/11/2019 09:54:32  01/11/2019 19:54:32  DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
> >         renew until 01/12/2019 09:54:32, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
> > 
> > 
> > $ sudo ktutil
> > 
> > ktutil:  rkt /etc/dhcpduser.keytab
> > ktutil:  l
> > slot KVNO Principal
> > ---- ---- ---------------------------------------------------------------------
> >    1    2                  dhcpduser@CORP.<DOMAIN>.COM
> >    2    2                  dhcpduser@CORP.<DOMAIN>.COM
> >    3    2                  dhcpduser@CORP.<DOMAIN>.COM
> >    4    2                  dhcpduser@CORP.<DOMAIN>.COM
> >    5    2                  dhcpduser@CORP.<DOMAIN>.COM
> > 
> > 
> ========================================================================
> Deleted and recreated /etc/dhcpduser.keytab with same result for
> ticket/keytab, and the same errors when running the script. 

OK, you are now running my scripts as found on the Samba wiki, so it
should work.

Let's check some things. Can you post the contents of the following
files:

/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf
smb.conf
your named.conf file(s)

What OS is this on?
What version of Bind9?

Is a firewall running?
Is SELinux or AppArmor running?

You might have posted some of this before, but please post it again.

Rowland
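A small triage script for dhcpd log output like the lines quoted above, added here as an example and not part of the thread or of the Samba wiki scripts: it groups the syslog entries by PID, recovers the argv that dhcpd handed to the hook script, flags the GSS-TSIG "TKEY is unacceptable" failure, and decodes the logged exit status. It assumes dhcpd logs the raw wait() status (so 2816 is exit code 11); the sample log is constructed from the quoted entries.

```python
import re
from collections import defaultdict

# Constructed sample: the dhcpd/sh syslog lines quoted in the thread, one entry per line.
SAMPLE_LOG = """\
Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1
"""

# syslog prefix "Mon DD HH:MM:SS host prog[pid]: message"; the hook's own output
# is logged under sh[pid] with the same PID as the dhcpd entries.
LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ (?P<host>\S+) (?P<prog>\S+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ARGV_RE = re.compile(r"execute_statement argv\[(\d+)\] = (.*)")
EXIT_RE = re.compile(r"execute: (\S+) exit status (\d+)")

def triage(log_text):
    """Per dhcpd PID: hook argv, whether GSS-TSIG (TKEY) failed, decoded exit code."""
    runs = defaultdict(lambda: {"argv": {}, "tkey_failed": False, "script": None, "exit_code": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog line in the expected shape
        run, msg = runs[m.group("pid")], m.group("msg")
        if a := ARGV_RE.search(msg):
            run["argv"][int(a.group(1))] = a.group(2)
        elif "dns_tkey_gssnegotiate" in msg and "unacceptable" in msg:
            run["tkey_failed"] = True  # DNS server rejected the GSS-TSIG key negotiation
        elif e := EXIT_RE.search(msg):
            run["script"] = e.group(1)
            # Assumption: dhcpd logs the raw wait(2) status, so the child's exit
            # code is the high byte (2816 == 11 << 8, i.e. exit code 11).
            run["exit_code"] = int(e.group(2)) >> 8
    return {pid: dict(r, argv=[r["argv"][i] for i in sorted(r["argv"])])
            for pid, r in runs.items()}

def verdict(run):
    """One-line triage verdict following Rowland's reasoning in the thread."""
    if run["tkey_failed"]:
        return ("hook got correct data but GSS-TSIG failed: check the update "
                "principal's ticket cache and keytab on the DHCP host")
    if run["exit_code"]:
        return "hook failed with exit code %d and no TKEY error" % run["exit_code"]
    return "dynamic update hook ran cleanly"
```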
