It's me again :-)
Now we have DDNS with DHCP running but we have a problem on one of our
two DCs. Btw we used the setup and the script from wiki.
Doing a "dhclient" on a host we are getting the following messages:
-------------
Mai 16 12:13:28 samba41 dhcpd[3961]: Commit: IP: 192.168.0.249 DHCID: 1:50:5b:5d:1c:ab:aa Name: horst
Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns.sh
Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[1] = add
Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[2] = 192.168.0.249
Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[3] = 1:50:5b:5d:1c:ab:aa
Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[4] = horst
Mai 16 12:13:28 samba41 root[7505]: DHCP-DNS Update failed: 11
Mai 16 12:13:28 samba41 dhcpd[3961]: execute: /etc/dhcp/bin/dhcp-dyndns.sh exit status 2816
-------------

We then tried to create the entry with the script:
----------------
/etc/dhcp/bin/dhcp-dyndns.sh "add" 192.168.225.60 1:50:5b:5d:1c:ab:aa horst
.
.
.
3160958102.sig-samba41.example.net. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0

dns_tkey_negotiategss: TKEY is unacceptable
----------------

Then we checked with:
-----------
samba_dnsupdate --verbose
-----------
Everything is fine, no error about the unacceptable TKEY

We did everything from:
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable

- deleted the dns.keytab
- deleted the dns-samba41 user
- run "samba_upgradedns --dns-backend=BIND9_DLZ"

We checked the permissions of all files. We checked the bind9 config
for the TKEY line. Everything is ok.
The update works on the second DC without any error about the key.
It's only one ADDC that makes the problem.
The only difference we found was that the username on the working
ADDC is in capital letters (CN=dns-SAMBA42) and on the non working
ADDC in small letters (CN=dns-samba41). But on both systems it's the
same inside the dns.keytab. (small = non working | capital = working).

Any help?

Stefan

On Wed, 16 May 2018 12:32:52 +0200 Stefan Kania via samba <samba at lists.samba.org> wrote:

> It's me again :-)
> Now we have DDNS with DHCP running but we have a problem on one of our
> two DCs. Btw we used the setup and the script from wiki.
> Doing a "dhclient" on a host we are getting the following messages:
> -------------
> Mai 16 12:13:28 samba41 dhcpd[3961]: Commit: IP: 192.168.0.249 DHCID: 1:50:5b:5d:1c:ab:aa Name: horst
> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns.sh
> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[1] = add
> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[2] = 192.168.0.249
> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[3] = 1:50:5b:5d:1c:ab:aa
> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[4] = horst
> Mai 16 12:13:28 samba41 root[7505]: DHCP-DNS Update failed: 11
> Mai 16 12:13:28 samba41 dhcpd[3961]: execute: /etc/dhcp/bin/dhcp-dyndns.sh exit status 2816
> -------------
>
> We then tried to create the entry with the script:
> ----------------
> /etc/dhcp/bin/dhcp-dyndns.sh "add" 192.168.225.60 1:50:5b:5d:1c:ab:aa horst
> .
> .
> .
> 3160958102.sig-samba41.example.net. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
>
> dns_tkey_negotiategss: TKEY is unacceptable
> ----------------
>
> Then we checked with:
> -----------
> samba_dnsupdate --verbose
> -----------
> Everything is fine, no error about the unacceptable TKEY
>
> We did everything from:
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>
> - deleted the dns.keytab
> - deleted the dns-samba41 user
> - run "samba_upgradedns --dns-backend=BIND9_DLZ"
>
> We checked the permissions of all files. We checked the bind9 config
> for the TKEY line. Everything is ok.
> The update works on the second DC without any error about the key.
> It's only one ADDC that makes the problem.
> The only difference we found was that the username on the working
> ADDC is in capital letters (CN=dns-SAMBA42) and on the non working
> ADDC in small letters (CN=dns-samba41). But on both systems it's the
> same inside the dns.keytab. (small = non working | capital = working).
>
> Any help?
>
> Stefan
>

Have you set up 'failover'? The records belong to whoever creates
them, so if one DC creates them, then the other cannot.

Rowland

The DDNS setup from the wiki uses the keytab of the separate
"Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server".
You have to check this one, not the one which BIND uses.

Regards

On 16.05.2018 at 12:45, Rowland Penny via samba wrote:
> On Wed, 16 May 2018 12:32:52 +0200 Stefan Kania via samba
> <samba at lists.samba.org> wrote:
>
>> It's me again :-) Now we have DDNS with DHCP running but we have
>> a problem on one of our two DCs. Btw we used the setup and the
>> script from wiki. Doing a "dhclient" on a host we are getting the
>> following messages: ------------- Mai 16 12:13:28 samba41
>> dhcpd[3961]: Commit: IP: 192.168.0.249 DHCID: 1:50:5b:5d:1c:ab:aa
>> Name: horst Mai 16 12:13:28 samba41 dhcpd[3961]:
>> execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns.sh Mai 16
>> 12:13:28 samba41 dhcpd[3961]: execute_statement argv[1] = add Mai
>> 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[2] =
>> 192.168.0.249 Mai 16 12:13:28 samba41 dhcpd[3961]:
>> execute_statement argv[3] = 1:50:5b:5d:1c:ab:aa Mai 16 12:13:28
>> samba41 dhcpd[3961]: execute_statement argv[4] = horst Mai 16
>> 12:13:28 samba41 root[7505]: DHCP-DNS Update failed: 11 Mai 16
>> 12:13:28 samba41 dhcpd[3961]: execute:
>> /etc/dhcp/bin/dhcp-dyndns.sh exit status 2816 -------------
>>
>> We then tried to create the entry with the script:
>> ---------------- /etc/dhcp/bin/dhcp-dyndns.sh "add"
>> 192.168.225.60 1:50:5b:5d:1c:ab:aa horst . . .
>> 3160958102.sig-samba41.example.net. 0 ANY TKEY gss-tsig. 0 0 3
>> BADKEY 0 0
>>
>> dns_tkey_negotiategss: TKEY is unacceptable ----------------
>>
>> Then we checked with: ----------- samba_dnsupdate --verbose
>> ----------- Everything is fine, no error about the unacceptable
>> TKEY
>>
>> We did everything from:
>> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>>
>> - deleted the dns.keytab
>> - deleted the dns-samba41 user - run "samba_upgradedns
>> --dns-backend=BIND9_DLZ"
>>
>> We checked the permissions of all files. We checked the bind9
>> config for the TKEY line. Everything is ok. The update works on
>> the second DC without any error about the key. It's only one ADDC
>> that makes the problem. The only difference we found was that
>> the username on the working ADDC is in capital letters
>> (CN=dns-SAMBA42) and on the non working ADDC in small letters
>> (CN=dns-samba41). But on both systems it's the same inside the
>> dns.keytab. (small = non working | capital = working).
>>
>> Any help?
>>
>> Stefan
>>
>
> Have you set up 'failover'? The records belong to whoever creates
> them, so if one DC creates them, then the other cannot.
>
> Rowland
>

--
Dr. Christian Naumer
Research Scientist
Platform Coordinator, Bioprocess Engineering

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Court of registration: AG Darmstadt, HRB 24758
Executive Board: Dr. Juergen Eck (Chairman), Frank Goebel
Chairman of the Supervisory Board: Dr. Ludger Mueller
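
Added example, not part of the thread or the Samba wiki: a shell check for the keytab that the DHCP update script authenticates with, following the last reply's advice to test that keytab rather than the one BIND uses. The keytab path and principal are arguments because the thread does not give them; the parser assumes MIT `klist -k` output, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example. Keytab path and principal are caller-supplied placeholders.

# Constructed `klist -k` listing (MIT format) for trying match_principal.
SAMPLE_KLIST='Keytab name: FILE:/tmp/constructed.keytab
KVNO Principal
---- ------------------------------------------------
   1 dns-samba41@EXAMPLE.NET'

# Read `klist -k` output on stdin and look for principal $1.
# Returns 0 = exact match, 1 = present only in different letter case, 2 = absent.
match_principal() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            if ($NF == want) exact = 1
            else if (tolower($NF) == tolower(want)) ci = 1
        }
        END { exit (exact ? 0 : (ci ? 1 : 2)) }'
}

# Verify that a keytab holds the principal and can obtain a ticket with it.
# $1 = keytab path, $2 = principal. Returns 0 on success.
check_ddns_keytab() {
    keytab=$1 principal=$2
    [ -n "$keytab" ] && [ -n "$principal" ] ||
        { echo "usage: check_ddns_keytab KEYTAB PRINCIPAL" >&2; return 64; }
    [ -r "$keytab" ] || { echo "cannot read keytab: $keytab" >&2; return 66; }
    command -v klist >/dev/null && command -v kinit >/dev/null ||
        { echo "klist/kinit not installed" >&2; return 69; }
    rc=0
    klist -k "$keytab" | match_principal "$principal" || rc=$?
    case $rc in
        1) echo "principal found only with different letter case" >&2; return 1 ;;
        2) echo "principal not in keytab" >&2; return 2 ;;
    esac
    # Throwaway credential cache so existing tickets stay untouched.
    cc=$(mktemp) || return 70
    if KRB5CCNAME="FILE:$cc" kinit -k -t "$keytab" "$principal"; then
        echo "kinit succeeded for $principal"
    else
        echo "kinit failed for $principal" >&2; rc=3
    fi
    rm -f "$cc"
    return "$rc"
}

# Usage: check_ddns_keytab /path/to/dhcp-user.keytab 'user@REALM'
#        printf '%s\n' "$SAMPLE_KLIST" | match_principal 'dns-SAMBA41@EXAMPLE.NET'
```

Run it as the account that executes the DHCP script, so file permissions on the keytab are tested as well.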