
Re: [Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates




 

    On Friday, January 11, 2019 2:21 PM, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
  
> > > 
> >    On Friday, January 11, 2019 1:39 PM, Rowland Penny via samba
> > <samba@xxxxxxxxxxxxxxx> wrote: 
> > > There doesn't seem to be anything really wrong there, the only real
> > > difference between your named.conf and mine is that I have:
> > > 
> > >     dnssec-validation no;
> > >     dnssec-enable no;
> > >     dnssec-lookaside no;
> > >     listen-on-v6 { none; };
> > >     listen-on port 53 { 192.168.0.6; 127.0.0.1; };
> > > 
> > > as well.
> > > 
> > > Rowland
> > > 
> > Thank you. I am going back to bare metal, and we'll see where it ends
> > up. I will leave script intact as presented in Wiki. Are you going to
> > change it today per comment on other thread at
> > https://lists.samba.org/archive/samba/2019-January/220369.html ?
> > 
> > 
> >    
> 
> I have considered this. My dhcp server is working perfectly after the
> changes, but I decided (because you are having problems) not to change
> the wiki yet. I know there is nothing wrong with the present scripts
> and I may introduce an error if I do change them now, I don't think I
> will, but it is better safe than sorry.

Rowland,
I have completely rebuilt this, testing extensively along the way. All "appeared" fine through installation of DHCP (without dynamic updates), and upon introduction of the update script the errors returned.
Two additional observations, though, at this point.
(1) As a last check, I commented out the script calls in the dhcpd.conf file, and then set the network adapter on my domain joined Win 10 management workstation to register its own DNS. THIS FAILED, as shown in the BIND logs:
Jan 12 17:23:01 dc01 named[1109]: samba_dlz: starting transaction on zone corp.<DOMAIN>.com
Jan 12 17:23:01 dc01 named[1109]: client @0x7f87bc028a50 172.20.10.165#54313: update 'corp.<DOMAIN>.com/IN' denied
Jan 12 17:23:01 dc01 named[1109]: samba_dlz: cancelling transaction on zone corp.<DOMAIN>.com

(2) In an attempt to try to understand at least the nature of the error messages I used journalctl to grep out more detailed messages associated with the dhcpd process. I am including that dialog at the end of this post. First, though, I am wondering if you wouldn't mind looking at the isc.org bug tracker at:
https://bugs.isc.org/Public/Bug/Display.html?id=46086
In particular, at
https://bugs.isc.org/Public/Bug/Display.html?id=46086#txn-496516
you will find a dialog that is the spitting image of error messages that I am getting. Whether this is the script (I don't think it is), dhcpd, bind9, krb5, samba_dlz (note first comment regarding failure to perform dynamic updates from the domain joined machine), or something else, I am hoping that your experience will point me in the direction of figuring out what is going wrong.
Although I think I have very faithfully followed the Wiki and official guidance, I would be happy to find a stupid mistake on my part. On the other hand, I am not finding where I have made any departure.
Here is the output of the journalctl -b | grep 2402 (omitting server dhcpd startup):
Jan 12 15:01:22 dc01 dhcpd[2402]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[1] = add
Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[2] = 172.20.10.165
Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[4] = mgmt01
Jan 12 15:01:22 dc01 sh[2402]: Reply from SOA query:
Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  57445
Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
Jan 12 15:01:22 dc01 sh[2402]: ;mgmt01.corp.<DOMAIN>.com.                IN        SOA
Jan 12 15:01:22 dc01 sh[2402]: ;; AUTHORITY SECTION:
Jan 12 15:01:22 dc01 sh[2402]: corp.<DOMAIN>.com.                0        IN        SOA        dc01.corp.<DOMAIN>.com. hostmaster.corp.<DOMAIN>.com. 20 900 600 86400 3600
Jan 12 15:01:22 dc01 sh[2402]: Found zone name: corp.<DOMAIN>.com
Jan 12 15:01:22 dc01 sh[2402]: The master is: dc01.corp.<DOMAIN>.com
Jan 12 15:01:22 dc01 sh[2402]: start_gssrequest
Jan 12 15:01:22 dc01 sh[2402]: send_gssrequest
Jan 12 15:01:22 dc01 sh[2402]: Outgoing update query:
Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:    525
Jan 12 15:01:22 dc01 sh[2402]: ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
Jan 12 15:01:22 dc01 sh[2402]: ;3835165544.sig-dc01.corp.<DOMAIN>.com. ANY        TKEY
Jan 12 15:01:22 dc01 sh[2402]: ;; ADDITIONAL SECTION:
Jan 12 15:01:22 dc01 sh[2402]: 3835165544.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY        gss-tsig. 1547326882 1547326882 3 NOERROR 1397 [base64 key data omitted] 0
Jan 12 15:01:22 dc01 sh[2402]: recvmsg reply from GSS-TSIG query
Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:    525
Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
Jan 12 15:01:22 dc01 sh[2402]: ;3835165544.sig-dc01.corp.<DOMAIN>.com. ANY        TKEY
Jan 12 15:01:22 dc01 sh[2402]: ;; ANSWER SECTION:
Jan 12 15:01:22 dc01 sh[2402]: 3835165544.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY        gss-tsig. 0 0 3 BADKEY 0  0
Jan 12 15:01:22 dc01 sh[2402]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 12 15:01:22 dc01 sh[2402]: Reply from SOA query:
Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  59301
Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
Jan 12 15:01:22 dc01 sh[2402]: ;165.10.20.172.in-addr.arpa.        IN        SOA
Jan 12 15:01:22 dc01 sh[2402]: ;; AUTHORITY SECTION:
Jan 12 15:01:22 dc01 sh[2402]: 10.20.172.in-addr.arpa.        0        IN        SOA        dc01.corp.<DOMAIN>.com. hostmaster.corp.<DOMAIN>.com. 2 900 600 86400 3600
Jan 12 15:01:22 dc01 sh[2402]: Found zone name: 10.20.172.in-addr.arpa
Jan 12 15:01:22 dc01 sh[2402]: The master is: dc01.corp.<DOMAIN>.com
Jan 12 15:01:22 dc01 sh[2402]: start_gssrequest
Jan 12 15:01:22 dc01 sh[2402]: send_gssrequest
Jan 12 15:01:22 dc01 sh[2402]: Outgoing update query:
Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  10987
Jan 12 15:01:22 dc01 sh[2402]: ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
Jan 12 15:01:22 dc01 sh[2402]: ;1551722865.sig-dc01.corp.<DOMAIN>.com. ANY        TKEY
Jan 12 15:01:22 dc01 sh[2402]: ;; ADDITIONAL SECTION:
Jan 12 15:01:22 dc01 sh[2402]: 1551722865.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY        gss-tsig. 1547326882 1547326882 3 NOERROR 1397 [base64 key data omitted] 0
Jan 12 15:01:22 dc01 sh[2402]: recvmsg reply from GSS-TSIG query
Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  10987
Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
Jan 12 15:01:22 dc01 sh[2402]: ;1551722865.sig-dc01.corp.<DOMAIN>.com. ANY        TKEY
Jan 12 15:01:22 dc01 sh[2402]: ;; ANSWER SECTION:
Jan 12 15:01:22 dc01 sh[2402]: 1551722865.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY        gss-tsig. 0 0 3 BADKEY 0  0
Jan 12 15:01:22 dc01 sh[2402]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 12 15:01:22 dc01 dhcpd[2402]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Jan 12 15:01:22 dc01 dhcpd[2402]: reuse_lease: lease age 3321 (secs) under 25% threshold, reply with unaltered, existing lease for 172.20.10.165
Jan 12 15:01:22 dc01 dhcpd[2402]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
Jan 12 15:01:22 dc01 dhcpd[2402]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
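
Added example, not part of the original thread or of the Samba wiki script: a small shell/awk triage that pulls the three failure signals out of a journal excerpt like the one posted above (the TKEY error returned during GSS-TSIG negotiation, named's "update ... denied" lines, and the script's exit code). The sample lines, corp.example.com and the "AAAA" key data are constructed placeholders; it assumes dhcpd's logged "exit status" is the raw wait(2) status, so 2816 corresponds to exit code 11.

```shell
#!/bin/sh
# Added example: summarise GSS-TSIG dynamic-update failures in journal text.

# Constructed sample (corp.example.com and the "AAAA" key data are placeholders).
sample_log() {
cat <<'EOF'
Jan 12 15:01:22 dc01 sh[2402]: Found zone name: corp.example.com
Jan 12 15:01:22 dc01 sh[2402]: Outgoing update query:
Jan 12 15:01:22 dc01 sh[2402]: 1.sig-dc01.corp.example.com. 0 ANY TKEY gss-tsig. 1547326882 1547326882 3 NOERROR 4 AAAA 0
Jan 12 15:01:22 dc01 sh[2402]: recvmsg reply from GSS-TSIG query
Jan 12 15:01:22 dc01 sh[2402]: 1.sig-dc01.corp.example.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0  0
Jan 12 15:01:22 dc01 sh[2402]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 12 15:01:22 dc01 dhcpd[2402]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Jan 12 17:23:01 dc01 named[1109]: client @0x7f87bc028a50 172.20.10.165#54313: update 'corp.example.com/IN' denied
EOF
}

# Reads journal text on stdin, prints one line per finding.
triage_dyndns_log() {
  awk '
    /Found zone name:/            { zone = $NF }  # zone nsupdate is about to update
    /Outgoing update query:/      { reply = 0 }   # next TKEY record is the request
    /recvmsg reply from GSS-TSIG/ { reply = 1 }   # next TKEY record is the server answer
    reply && /gss-tsig\./ {
      # TKEY rdata order: algorithm inception expiration mode error ...
      for (i = 1; i <= NF; i++)
        if ($i == "gss-tsig.") printf "tkey zone=%s error=%s\n", zone, $(i + 4)
      reply = 0
    }
    /named\[[0-9]+\]: client .* denied$/ {
      for (i = 2; i < NF; i++)
        if ($i == "update") {
          client = $(i - 1); sub(/#.*/, "", client)  # drop the "#port:" suffix
          split($(i + 1), p, "/")                     # quoted "zone/IN" token
          printf "denied zone=%s client=%s\n", substr(p[1], 2), client
        }
    }
    /dhcpd\[[0-9]+\]: execute: .* exit status [0-9]+$/ {
      # assumption: dhcpd logs the raw wait status; exit code is the high byte
      printf "script wait_status=%d exit_code=%d\n", $NF, int($NF / 256)
    }
  '
}

sample_log | triage_dyndns_log
```

On a real host the same function can be fed from journalctl -b instead of sample_log.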

   