Rowland Penny
2019-Jan-11 16:43 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
On Fri, 11 Jan 2019 16:13:50 +0000 (UTC) Billy Bob <billysbobs at yahoo.com> wrote:

> On Friday, January 11, 2019 3:14 AM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > I have no idea where the above is coming from, but it isn't from
> > the dhcp scripts.
>
> I don't know what to tell you, Rowland. The previous logs were with
> the -d option in place, and those extra lines were what was added as
> a result of the -d option.
>
> Here is what the logs show WITHOUT the -d option:
>
> Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] 1:d4:be:d9:22:9f:7d
> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
> Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
> Jan 11 10:00:36 dc01 dhcpd[1704]: reuse_lease: lease age 364 (secs) under 25% threshold, reply with unaltered, existing lease for 172.20.10.165
> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1

This shows the script is being run with the correct data, but for some
reason, your Kerberos key isn't correct.

What is in your ticket?

Running 'klist -ce /tmp/dhcp-dyndns.cc' on my DC produces this:

Ticket cache: FILE:/tmp/dhcp-dyndns.cc
Default principal: dhcpduser at SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
11/01/19 10:12:50  11/01/19 20:12:50  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
        renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
11/01/19 10:12:50  11/01/19 20:12:50  DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM
        renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

And running 'ktutil' produces this:

root at dc4:~# ktutil
ktutil:  rkt /etc/dhcpduser.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 dhcpduser at SAMDOM.EXAMPLE.COM
   2    1 dhcpduser at SAMDOM.EXAMPLE.COM
   3    1 dhcpduser at SAMDOM.EXAMPLE.COM
   4    1 dhcpduser at SAMDOM.EXAMPLE.COM
   5    1 dhcpduser at SAMDOM.EXAMPLE.COM
ktutil:  q

I would delete the ticket and keytab, recreate the keytab and then try
again.

Rowland
Billy Bob
2019-Jan-11 16:59 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
On Friday, January 11, 2019 10:44 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 11 Jan 2019 16:13:50 +0000 (UTC) Billy Bob <billysbobs at yahoo.com> wrote:
>
>> Here is what the logs show WITHOUT the -d option:
>>
>> Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] 1:d4:be:d9:22:9f:7d
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
>> Jan 11 10:00:36 dc01 dhcpd[1704]: reuse_lease: lease age 364 (secs) under 25% threshold, reply with unaltered, existing lease for 172.20.10.165
>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1
>
> This shows the script is being run with the correct data, but for some
> reason, your Kerberos key isn't correct.
>
> What is in your ticket?
>
> Running 'klist -ce /tmp/dhcp-dyndns.cc' on my DC produces this:
>
> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> Default principal: dhcpduser at SAMDOM.EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 11/01/19 10:12:50  11/01/19 20:12:50  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>         renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 11/01/19 10:12:50  11/01/19 20:12:50  DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM
>         renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
>
> And running 'ktutil' produces this:
>
> root at dc4:~# ktutil
> ktutil:  rkt /etc/dhcpduser.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 dhcpduser at SAMDOM.EXAMPLE.COM
>    2    1 dhcpduser at SAMDOM.EXAMPLE.COM
>    3    1 dhcpduser at SAMDOM.EXAMPLE.COM
>    4    1 dhcpduser at SAMDOM.EXAMPLE.COM
>    5    1 dhcpduser at SAMDOM.EXAMPLE.COM
> ktutil:  q
>
> I would delete the ticket and keytab, recreate the keytab and then try
> again.

$ sudo klist -ce /tmp/dhcp-dyndns.cc
Ticket cache: FILE:/tmp/dhcp-dyndns.cc
Default principal: dhcpduser at CORP.<DOMAIN>.COM

Valid starting       Expires              Service principal
01/11/2019 09:54:32  01/11/2019 19:54:32  krbtgt/CORP.<DOMAIN>.COM at CORP.<DOMAIN>.COM
        renew until 01/12/2019 09:54:32, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/11/2019 09:54:32  01/11/2019 19:54:32  DNS/dc01.corp.<DOMAIN>.com at CORP.<DOMAIN>.COM
        renew until 01/12/2019 09:54:32, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

$ sudo ktutil
ktutil:  rkt /etc/dhcpduser.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 dhcpduser at CORP.<DOMAIN>.COM
   2    2 dhcpduser at CORP.<DOMAIN>.COM
   3    2 dhcpduser at CORP.<DOMAIN>.COM
   4    2 dhcpduser at CORP.<DOMAIN>.COM
   5    2 dhcpduser at CORP.<DOMAIN>.COM
Billy Bob
2019-Jan-11 17:44 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
On Friday, January 11, 2019 11:20 AM, Billy Bob via samba <samba at lists.samba.org> wrote:

> On Friday, January 11, 2019 10:44 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Fri, 11 Jan 2019 16:13:50 +0000 (UTC) Billy Bob <billysbobs at yahoo.com> wrote:
>>
>>> Here is what the logs show WITHOUT the -d option:
>>>
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] 1:d4:be:d9:22:9f:7d
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
>>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
>>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: reuse_lease: lease age 364 (secs) under 25% threshold, reply with unaltered, existing lease for 172.20.10.165
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1
>>
>> This shows the script is being run with the correct data, but for some
>> reason, your Kerberos key isn't correct.
>>
>> What is in your ticket?
>>
>> Running 'klist -ce /tmp/dhcp-dyndns.cc' on my DC produces this:
>>
>> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
>> Default principal: dhcpduser at SAMDOM.EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 11/01/19 10:12:50  11/01/19 20:12:50  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>>         renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>> 11/01/19 10:12:50  11/01/19 20:12:50  DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM
>>         renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
>>
>> And running 'ktutil' produces this:
>>
>> root at dc4:~# ktutil
>> ktutil:  rkt /etc/dhcpduser.keytab
>> ktutil:  l
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1    1 dhcpduser at SAMDOM.EXAMPLE.COM
>>    2    1 dhcpduser at SAMDOM.EXAMPLE.COM
>>    3    1 dhcpduser at SAMDOM.EXAMPLE.COM
>>    4    1 dhcpduser at SAMDOM.EXAMPLE.COM
>>    5    1 dhcpduser at SAMDOM.EXAMPLE.COM
>> ktutil:  q
>>
>> I would delete the ticket and keytab, recreate the keytab and then try
>> again.
>
> $ sudo klist -ce /tmp/dhcp-dyndns.cc
> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> Default principal: dhcpduser at CORP.<DOMAIN>.COM
>
> Valid starting       Expires              Service principal
> 01/11/2019 09:54:32  01/11/2019 19:54:32  krbtgt/CORP.<DOMAIN>.COM at CORP.<DOMAIN>.COM
>         renew until 01/12/2019 09:54:32, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 01/11/2019 09:54:32  01/11/2019 19:54:32  DNS/dc01.corp.<DOMAIN>.com at CORP.<DOMAIN>.COM
>         renew until 01/12/2019 09:54:32, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
>
> $ sudo ktutil
> ktutil:  rkt /etc/dhcpduser.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    2 dhcpduser at CORP.<DOMAIN>.COM
>    2    2 dhcpduser at CORP.<DOMAIN>.COM
>    3    2 dhcpduser at CORP.<DOMAIN>.COM
>    4    2 dhcpduser at CORP.<DOMAIN>.COM
>    5    2 dhcpduser at CORP.<DOMAIN>.COM
>
> =======================================================================

Deleted and recreated /etc/dhcpduser.keytab with same result for ticket/keytab, and the same errors when running the script.
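
The two checks exchanged in this thread (what is in the ticket cache, what is in the keytab) can be scripted. This is an added example, not part of the thread or of the dhcp-dyndns.sh script; the function names are hypothetical and the sample listings are constructed from the output quoted above. It also lists tickets issued with RC4 or DES enctypes (RFC 8429 deprecates RC4 and 3DES in Kerberos), which the thread does not identify as the cause of the TKEY error.

```sh
# Added example, not from the thread. Both listings are constructed from the
# output quoted above, with "@" in principals as klist and ktutil print it.
KLIST_SAMPLE='Ticket cache: FILE:/tmp/dhcp-dyndns.cc
Default principal: dhcpduser@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
11/01/19 10:12:50  11/01/19 20:12:50  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
11/01/19 10:12:50  11/01/19 20:12:50  DNS/dc4.samdom.example.com@SAMDOM.EXAMPLE.COM
        renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac'
KTUTIL_SAMPLE='slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 dhcpduser@SAMDOM.EXAMPLE.COM
   2    1 dhcpduser@SAMDOM.EXAMPLE.COM
   3    1 dhcpduser@SAMDOM.EXAMPLE.COM
   4    1 dhcpduser@SAMDOM.EXAMPLE.COM
   5    1 dhcpduser@SAMDOM.EXAMPLE.COM'

# Principal that owns the credential cache (klist output on stdin).
cache_principal() { awk '/^Default principal:/ { print $3 }'; }

# One line per ticket: "service_principal skey_etype tkt_etype".
klist_etypes() {
    awk '/^[0-9]+\/[0-9]+\/[0-9]+ / { svc = $5; next }
         /Etype \(skey, tkt\):/ {
             sub(/.*Etype \(skey, tkt\): */, "")
             split($0, e, /, */); gsub(/[ \t]+$/, "", e[2])
             print svc, e[1], e[2]
         }'
}

# Service principals whose session key or ticket uses RC4 or (3)DES.
weak_etype_tickets() {
    klist_etypes | awk '$2 ~ /^(arcfour|des)/ || $3 ~ /^(arcfour|des)/ { print $1 }'
}

# One line per keytab principal and key version: "principal kvno entries".
keytab_kvnos() {
    awk 'NF == 3 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { n[$3 " " $2]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Succeeds when the cache principal also has keys in the keytab listing.
cache_matches_keytab() {   # $1 = klist text, $2 = ktutil text
    p=$(printf '%s\n' "$1" | cache_principal)
    printf '%s\n' "$2" | keytab_kvnos | awk -v p="$p" '$1 == p { f = 1 } END { exit !f }'
}

printf '%s\n' "$KLIST_SAMPLE" | klist_etypes
printf '%s\n' "$KTUTIL_SAMPLE" | keytab_kvnos
```

On a DC the functions take live output on stdin, for example `klist -ce /tmp/dhcp-dyndns.cc | weak_etype_tickets`.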