On Thu, 3 Sep 2015, Rowland Penny wrote:
> What are the permissions on /var/lib/samba/private/dns ?

Also don't forget the permissions on /var/lib/samba/private

If you're using sernet's packages, you'll have to chgrp it to named or give it o+x perms.
On 09/03/2015 01:59 PM, Sketch wrote:
> On Thu, 3 Sep 2015, Rowland Penny wrote:
>
>> What are the permissions on /var/lib/samba/private/dns ?
>
> Also don't forget the permissions on /var/lib/samba/private
>
> If you're using sernet's packages, you'll have to chgrp it to named
> or give it o+x perms.

chown root:named /var/lib/samba/private

Wow that was it!

DLZ is up and running. Lots more to get right in the bind config....

Is there a web app to front end samba-tools for maintaining at least the dns portion?

Anyway, next to DHCP...

I have installed it. But need to config. Rowland, can you send me your sample config you mentioned?
So a quick test:

# dig homebase.home.htt

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> homebase.home.htt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15588
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;homebase.home.htt.            IN      A

;; ANSWER SECTION:
homebase.home.htt.      900     IN      A       192.168.192.2

;; AUTHORITY SECTION:
home.htt.               900     IN      NS      homebase.home.htt.

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 03 14:08:30 EDT 2015
;; MSG SIZE  rcvd: 76

On 09/03/2015 02:05 PM, Robert Moskowitz wrote:
> On 09/03/2015 01:59 PM, Sketch wrote:
>> On Thu, 3 Sep 2015, Rowland Penny wrote:
>>
>>> What are the permissions on /var/lib/samba/private/dns ?
>>
>> Also don't forget the permissions on /var/lib/samba/private
>>
>> If you're using sernet's packages, you'll have to chgrp it to
>> named or give it o+x perms.
>
> chown root:named /var/lib/samba/private
>
> Wow that was it!
>
> DLZ is up and running. Lots more to get right in the bind config....
>
> Is there a web app to front end samba-tools for maintaining at least
> the dns portion?
>
> Anyway, next to DHCP...
>
> I have installed it. But need to config. Rowland, can you send me
> your sample config you mentioned?
On 03/09/15 19:05, Robert Moskowitz wrote:
> On 09/03/2015 01:59 PM, Sketch wrote:
>> On Thu, 3 Sep 2015, Rowland Penny wrote:
>>
>>> What are the permissions on /var/lib/samba/private/dns ?
>>
>> Also don't forget the permissions on /var/lib/samba/private
>>
>> If you're using sernet's packages, you'll have to chgrp it to
>> named or give it o+x perms.
>
> chown root:named /var/lib/samba/private
>
> Wow that was it!
>
> DLZ is up and running. Lots more to get right in the bind config....
>
> Is there a web app to front end samba-tools for maintaining at least
> the dns portion?

Yes, it is called RSAT and runs on windows :-D

> Anyway, next to DHCP...
>
> I have installed it. But need to config. Rowland, can you send me
> your sample config you mentioned?

default-lease-time 14400;
max-lease-time 14400;
authoritative;

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.21 192.168.0.229;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option time-offset 0;
    option routers 192.168.0.1;
    option domain-name "example.com";
    option domain-name-servers 192.168.0.2;
    option domain-search "example.com";
    option netbios-name-servers 192.168.0.2;
    option ntp-servers 192.168.0.2;
}

on commit {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
    set ClientName = pick-first-value(option host-name, config-option-host-name, client-name);
    log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
    execute("/usr/local/sbin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}

on release {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
    log(concat("Release: IP: ", ClientIP));
    execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}

Rowland
On 03/09/15 19:28, Robert Moskowitz wrote:
> On 09/03/2015 02:17 PM, Rowland Penny wrote:
>> On 03/09/15 19:05, Robert Moskowitz wrote:
>>> Anyway, next to DHCP...
>>>
>>> I have installed it. But need to config. Rowland, can you send me
>>> your sample config you mentioned?
>>
>> default-lease-time 14400;
>> max-lease-time 14400;
>> authoritative;
>>
>> subnet 192.168.0.0 netmask 255.255.255.0 {
>>     range 192.168.0.21 192.168.0.229;
>>     option subnet-mask 255.255.255.0;
>>     option broadcast-address 192.168.0.255;
>>     option time-offset 0;
>>     option routers 192.168.0.1;
>>     option domain-name "example.com";
>>     option domain-name-servers 192.168.0.2;
>>     option domain-search "example.com";
>>     option netbios-name-servers 192.168.0.2;
>>     option ntp-servers 192.168.0.2;
>> }
>>
>> on commit {
>>     set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>>     set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>>     set ClientName = pick-first-value(option host-name, config-option-host-name, client-name);
>>     log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
>>     execute("/usr/local/sbin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
>> }
>>
>> on release {
>>     set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>>     set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>>     log(concat("Release: IP: ", ClientIP));
>>     execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
>> }
>
> I can't find dhcp-dyndns.sh
>
> where does it come from?

I thought that might be your next question, I wrote it, based on what I found here:

http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

#!/bin/bash

# /usr/local/sbin/dhcp-dyndns.sh
# This script is for secure DDNS updates using GSS/TSIG on Samba 4
# Version: 0.8.3 (includes TXTRR records)
# Updated with suggestions from L. v. Belle louis at van-belle.nl
# method to check for valid kerberos ticket changed

LOG="/var/log/dyndns.log"

if [ -f /var/log/dyndns.log ]; then
    :
else
    touch /var/log/dyndns.log
fi

exec >> $LOG 2>&1

## CONFIGURATION ##

# Samba 4 realm, change this to YOUR realm.
SETREALM=EXAMPLE.COM
## define the dhcp user that will be used for the Dynamic updates to samba4
## this will create a Principal like : user at realm
SETDHCPUSER=dhcpduser
# DNS domain, change this to YOUR dns domain
domain=example.com
# TXT RRs (rfc4701)
# Set to YES to use TXT RRs
TXTRRS="NO"
# Additional nsupdate flags (-g already applied), e.g. "-d" for debug
#NSUPDFLAGS="-d"
# DNS nameserver
ns=127.0.0.1
#
## Do not change anything below here
# Kerberos principal
SETPRINCIPAL=$SETDHCPUSER@$SETREALM
# Kerberos keytab
SETDHCPKEYTAB=/etc/$SETDHCPUSER.keytab
# Default DNS resource records TTL
RRTTL="3600"

# krbcc ticket cache
export KRB5CCNAME="/tmp/dhcp-dyndns.cc"

## Command locations, with full paths it speeds up processing.
## ( tested on Ubuntu 14.04, Debian 7.5 )
CMDSORT="$(which sort)"
CMDAWK="$(which awk)"
CMDHEAD="$(which head)"
CMDECHO="$(which echo)"
CMDDATE="$(which date)"
CMDKINIT="$(which kinit)"
CMDKLIST="$(which klist)"
CMDGREP="$(which grep)"
CMDGETENT="$(which getent)"
CMDSAMBATOOL="$(which samba-tool)"
CMDCHOWN="$(which chown)"
CMDCHMOD="$(which chmod)"
CMDHOST="$(which host)"
CMDNSUPDATE="$(which nsupdate)"

TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")
if [ -z "${TESTUSER}" ]; then
    echo "No dhcp user exists, need to create it first.. exiting."
    echo "you can do this by typing the following commands"
    echo "${CMDKINIT} Administrator@${SETREALM}"
    echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
    echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry"
    echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}"
    exit 1
fi

# Check for Kerberos keytab
if [ -f "${SETDHCPKEYTAB}" ]; then
    :
else
    echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to be created."
    echo "Use the following commands as root"
    echo "${CMDSAMBATOOL} domain exportkeytab --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}"
    testos=$(uname -a | grep 'Debian')
    if [ -z "$testos" ]; then
        echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}"
        echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}"
    fi
    exit 1
fi

## VARIABLES ##

# Variables supplied by dhcpd.conf
action=$1
ip=$2
DHCID=$3
name=${4%%.*}

usage()
{
    echo "USAGE:"
    echo " `basename $0` add ip-address dhcid|mac-address hostname"
    echo " `basename $0` delete ip-address dhcid|mac-address"
}

_KERBEROS () {
    # get current time as a number
    test=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S)

    # Check for valid kerberos ticket
    echo "$test [dyndns] : Running check for valid kerberos ticket"
    klist -c "$KRB5CCNAME" -s
    if [ "$?" != "0" ]; then
        echo "$test [dyndns] : Getting new ticket, old one has expired"
        kinit -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" "${SETPRINCIPAL}"
        if [ "$?" != "0" ]; then
            echo "$test [dyndns] : dhcpd kinit for dynamic DNS failed"
            exit 1;
        fi
    else
        echo "$test [dyndns] : New ticket not required, old one still valid"
    fi

}

# Exit if no ip address or mac-address
if [ -z "$ip" ] || [ -z "$DHCID" ]; then
    usage
    exit 1
fi

# Exit if no computer name supplied, unless the action is 'delete'
if [ "$name" = "" ]; then
    if [ "$action" = "delete" ]; then
        name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}' | ${CMDAWK} -F '.' '{print $1}')
    else
        usage
        exit 1;
    fi
fi

# Set PTR address
ptr=$(${CMDECHO} $ip | ${CMDAWK} -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')

# Create RRTXT record
RRTXT=$(${CMDECHO} "$DHCID$name.$domain" | sha256sum)
RRTXT="000101${RRTXT%% *}"
# extract txt record, if there is one
RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p')

## ${CMDNSUPDATE} ##

case "$action" in
add)
    if [ "$TXTRRS" = "YES" ]; then
        TXTRRS=""
        # if string is not null
        if [ -n "$RRTXTOLD" ]; then
            # if old RRTXT is not the same as $RRTXT then exit
            if [ "$RRTXT" != "$RRTXTOLD" ]; then
                echo "DHCP-DNS: adding records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
                exit 1
            fi
        fi
    else
        TXTRRS=";"
    fi

    _KERBEROS

    ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $name.$domain $RRTTL A
${TXTRRS}update delete $name.$domain $RRTTL TXT
${TXTRRS}update add $name.$domain $RRTTL TXT $RRTXT
update add $name.$domain $RRTTL A $ip
send
UPDATE
    result1=$?

    ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
zone 0.168.192.in-addr.arpa
update delete $ptr $RRTTL PTR
update add $ptr $RRTTL PTR $name.$domain
send
UPDATE
    result2=$?
    ;;
delete)
    if [ "$TXTRRS" = "YES" ]; then
        TXTRRS=""
        if [ -n "$RRTXTOLD" ]; then
            if [ "$RRTXT" != "$RRTXTOLD" ]; then
                echo "DHCP-DNS: removing records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
                exit 1
            fi
        else
            TXTRRS=";"
        fi
    else
        TXTRRS=";"
    fi

    _KERBEROS

    ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $name.$domain $RRTTL A
${TXTRRS}update delete $name.$domain $RRTTL TXT
send
UPDATE
    result1=$?
    ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $ptr $RRTTL PTR
send
UPDATE
    result2=$?
    ;;
*)
    echo "Invalid action specified"
    exit 103
    ;;
esac

result="$result1$result2"

if [ "$result" != "00" ]; then
    echo "DHCP-DNS Update failed: $result"
    logger "DHCP-DNS Update failed: $result"
else
    echo "DHCP-DNS Update succeeded"
    logger "DHCP-DNS Update succeeded"
fi

exit $result
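As an added illustration (mine, not Rowland's script and not anything shipped by Samba): the decisions dhcp-dyndns.sh makes before it touches DNS, the in-addr.arpa owner name, the TXT owner token and the refuse-if-owned-by-another-DHCID guard, as stand-alone functions over a constructed lease, so the logic can be checked on any box without dhcpd, a KDC or nsupdate. It assumes sha256sum and awk on PATH, a /24 reverse zone as in the dhcpd.conf above, and borrows the cubieboard2 host and MAC from the dhcpd log later in the thread together with the script's example.com defaults.

```shell
#!/bin/bash
# Added example, not part of dhcp-dyndns.sh: its record-shaping logic as
# pure functions. The TXT owner token follows the script's recipe exactly,
#   "000101" + sha256("${DHCID}${name}.${domain}")
# where 000101 is the RFC 4701 DHCID header (identifier type 1, digest
# type 1 = SHA-256); hashing the plain concatenated string is the script's
# own shortcut, reproduced here rather than the RFC's wire-format input.
# Assumes sha256sum and awk on PATH; the reverse zone is a /24.

# Reverse-map a dotted IPv4 address to its in-addr.arpa owner name.
ptr_name() {
    echo "$1" | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}'
}

# Owner token binding (hardware address, FQDN). A different client asking
# for the same name yields a different token, which is what the guard uses.
dhcid_txt() {
    local sum
    sum=$(echo "$1$2" | sha256sum)
    echo "000101${sum%% *}"
}

# The script's guard: 0 = update may proceed, 1 = refuse, the name is already
# published with a token belonging to a different DHCID.
# $1 = token of the requesting client, $2 = TXT currently in DNS ("" if none).
ownership_check() {
    [ -z "$2" ] && return 0
    [ "$1" = "$2" ]
}

# Render the forward-zone batch the script feeds to "nsupdate -g" for an
# add; printed instead of sent so it can be inspected.
add_batch() {
    local ns="$1" realm="$2" fqdn="$3" ip="$4" ttl="$5" txt="$6"
    printf 'server %s\nrealm %s\n' "$ns" "$realm"
    printf 'update delete %s %s A\n' "$fqdn" "$ttl"
    printf 'update delete %s %s TXT\n' "$fqdn" "$ttl"
    printf 'update add %s %s TXT %s\n' "$fqdn" "$ttl" "$txt"
    printf 'update add %s %s A %s\n' "$fqdn" "$ttl" "$ip"
    printf 'send\n'
}

# Constructed demo: the cubieboard2 lease, with a second (made-up) client
# that asks for the same host name.
demo_token=$(dhcid_txt 02:97:09:02:23:a2 cubieboard2.example.com)
other_token=$(dhcid_txt de:ad:be:ef:00:01 cubieboard2.example.com)
if ownership_check "$demo_token" "$other_token"; then
    echo "update allowed"
else
    echo "refused: cubieboard2.example.com already belongs to a different DHCID"
fi
add_batch 127.0.0.1 EXAMPLE.COM cubieboard2.example.com 192.168.192.21 3600 "$demo_token"
echo "reverse owner: $(ptr_name 192.168.192.21)"
```

With TXTRRS="NO" the script skips the TXT lines and the guard entirely, so any client can overwrite any name; the token is what makes the check meaningful.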
Thanks. I will give this a try. Hopefully there won't be any dependency problems!

Consider putting it up on some server or such....

On 09/03/2015 02:43 PM, Rowland Penny wrote:
> On 03/09/15 19:28, Robert Moskowitz wrote:
>> On 09/03/2015 02:17 PM, Rowland Penny wrote:
>>> On 03/09/15 19:05, Robert Moskowitz wrote:
>>>> Anyway, next to DHCP...
>>>>
>>>> I have installed it. But need to config. Rowland, can you send me
>>>> your sample config you mentioned?
>>>
>>> default-lease-time 14400;
>>> max-lease-time 14400;
>>> authoritative;
>>> [...]
>>
>> I can't find dhcp-dyndns.sh
>>
>> where does it come from?
>
> I thought that might be your next question, I wrote it, based on what
> I found here:
>
> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
>
> #!/bin/bash
>
> # /usr/local/sbin/dhcp-dyndns.sh
> # This script is for secure DDNS updates using GSS/TSIG on Samba 4
> # Version: 0.8.3 (includes TXTRR records)
> [...]
> exit $result
dhcp is working. But what does this mean:

Sep 03 15:58:44 homebase.home.htt dhcpd[22993]: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file

???

On 09/03/2015 02:43 PM, Rowland Penny wrote:
> On 03/09/15 19:28, Robert Moskowitz wrote:
>> On 09/03/2015 02:17 PM, Rowland Penny wrote:
>>> On 03/09/15 19:05, Robert Moskowitz wrote:
>>>> Anyway, next to DHCP...
>>>>
>>>> I have installed it. But need to config. Rowland, can you send me
>>>> your sample config you mentioned?
>>>
>>> default-lease-time 14400;
>>> max-lease-time 14400;
>>> authoritative;
>>> [...]
>>
>> I can't find dhcp-dyndns.sh
>>
>> where does it come from?
>
> I thought that might be your next question, I wrote it, based on what
> I found here:
First I am having a couple challenges with your script here:

On 09/03/2015 02:43 PM, Rowland Penny wrote:
> I thought that might be your next question, I wrote it, based on what
> I found here:
>
> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
>
> #!/bin/bash
>
> # /usr/local/sbin/dhcp-dyndns.sh
> # This script is for secure DDNS updates using GSS/TSIG on Samba 4
> # Version: 0.8.3 (includes TXTRR records)
> # Updated with suggestions from L. v. Belle louis at van-belle.nl
> # method to check for valid kerberos ticket changed
>
> LOG="/var/log/dyndns.log"
>
> if [ -f /var/log/dyndns.log ]; then
>     :
> else
>     touch /var/log/dyndns.log
> fi

Of course this file did not exist, and the 'touch' command failed on permissions. I assume dhcpd is running this script as user dhcpd, group dhcpd, so I don't see how it can create the file. I have to create it and set the owner to root:dhcpd

> exec >> $LOG 2>&1

Then this line fails and so forth.

> ## CONFIGURATION ##
>
> # Samba 4 realm, change this to YOUR realm.
> SETREALM=EXAMPLE.COM
> ## define the dhcp user that will be used for the Dynamic updates to samba4
> ## this will create a Principal like : user at realm
> SETDHCPUSER=dhcpduser
> # DNS domain, change this to YOUR dns domain
> domain=example.com
> [...]
> # krbcc ticket cache
> export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
>
> ## Command locations, with full paths it speeds up processing.
> ## ( tested on Ubuntu 14.04, Debian 7.5 )
> CMDSORT="$(which sort)"
> CMDAWK="$(which awk)"
> CMDHEAD="$(which head)"
> CMDECHO="$(which echo)"
> CMDDATE="$(which date)"
> CMDKINIT="$(which kinit)"
> CMDKLIST="$(which klist)"
> CMDGREP="$(which grep)"
> CMDGETENT="$(which getent)"
> CMDSAMBATOOL="$(which samba-tool)"
> CMDCHOWN="$(which chown)"
> CMDCHMOD="$(which chmod)"
> CMDHOST="$(which host)"
> CMDNSUPDATE="$(which nsupdate)"
>
> TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")

Sep 3 19:27:08 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 64: dhcpduser: command not found
Sep 3 19:27:09 homebase dhcpd: (current) UNIX password: passwd: Authentication token manipulation error
Sep 3 19:27:09 homebase dhcpd: No dhcp user exists, need to create it first.. exiting.
Sep 3 19:27:09 homebase dhcpd: you can do this by typing the following commands
Sep 3 19:27:09 homebase dhcpd: Administrator at EXAMPLE.COM
Sep 3 19:27:09 homebase dhcpd: user create dhcpduser --description="Unprivileged user for DNS updates via ISC DHCP server"
Sep 3 19:27:09 homebase dhcpd: user setexpiry dhcpduser --noexpiry
Sep 3 19:27:09 homebase dhcpd: group addmembers DnsAdmins dhcpduser
Sep 3 19:27:09 homebase dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256

Is this what I need to do? That is, create the dhcpduser? There is no 'user' command. Is this 'adduser'?

> if [ -z "${TESTUSER}" ]; then
>     echo "No dhcp user exists, need to create it first.. exiting."
>     echo "you can do this by typing the following commands"
>     echo "${CMDKINIT} Administrator@${SETREALM}"
>     echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
>     echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry"
>     echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}"
>     exit 1
> fi
> [...]
> exit $result

Sep 3 19:27:09 homebase dhcpd: DHCPREQUEST for 192.168.192.21 (192.168.192.2) from 02:97:09:02:23:a2 (cubieboard2) via eth0
Sep 3 19:27:09 homebase dhcpd: DHCPACK on 192.168.192.21 to 02:97:09:02:23:a2 (cubieboard2) via eth0
Sep 3 19:27:12 homebase named[22720]: client 192.168.192.21#36919 (0.centos.pool.ntp.org): query (cache) '0.centos.pool.ntp.org/A/IN' denied

Oops, looks like I have acl problems in named. That I know how to fix...
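An added example (mine, not part of the thread's script): a fail-closed preflight for a dhcpd execute hook. The log above shows the CMD* variables expanding to empty, which turns the TESTUSER pipeline into a bare "passwd" invocation and strips the paths from the commands the script echoes for the admin; whatever left the hook with a PATH that short, the safer behaviour is to list every unresolvable command, unwritable log file and unreadable keytab in one message and exit before any of them is used. The command list, file paths and the demo's scratch files are assumptions.

```shell
#!/bin/bash
# Added example, not part of dhcp-dyndns.sh: a fail-closed preflight for a
# hook that dhcpd runs as its own unprivileged user. It reports every
# missing command and every file the hook cannot use, then refuses to go on,
# rather than letting empty variables reshape a pipeline into something
# else (the "passwd" line in the log above is what that looks like).
# Command names, file paths and the scratch files below are assumptions.

# Absolute path of a command on the PATH the hook was started with; no
# output and a non-zero status when it cannot be found.
resolve_cmd() {
    command -v "$1" 2>/dev/null
}

# preflight LOGFILE KEYTAB CMD... : prints one line per problem and returns
# the number of problems found (0 means the hook may proceed).
preflight() {
    local logfile="$1" keytab="$2" problems=0 cmd
    shift 2
    for cmd in "$@"; do
        if ! resolve_cmd "$cmd" >/dev/null; then
            echo "missing command: $cmd"
            problems=$((problems + 1))
        fi
    done
    # -w and -r answer for the user the hook actually runs as, which is
    # the question that matters for a root-owned log file or keytab.
    if [ ! -w "$logfile" ]; then
        echo "log file not writable by $(id -un): $logfile"
        problems=$((problems + 1))
    fi
    if [ ! -r "$keytab" ]; then
        echo "keytab not readable by $(id -un): $keytab"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo with constructed scratch files (no real keytab is touched): the log
# file exists, the keytab does not, and one command name is deliberately bogus.
demo_dir=$(mktemp -d)
: > "$demo_dir/dyndns.log"
preflight "$demo_dir/dyndns.log" "$demo_dir/dhcpduser.keytab" sh awk sha256sum no-such-command
rc=$?
echo "preflight found $rc problem(s); a real hook would exit here"
rm -rf "$demo_dir"
```

In the hook itself the call would be followed by `|| exit 1` so that dhcpd logs a single "exit status" line with the reasons above it.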