Billy Bob
2019-Jan-11 17:44 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
On Friday, January 11, 2019 11:20 AM, Billy Bob via samba <samba at lists.samba.org> wrote:

On Friday, January 11, 2019 10:44 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

On Fri, 11 Jan 2019 16:13:50 +0000 (UTC) Billy Bob <billysbobs at yahoo.com> wrote:

>>> Here is what the logs show WITHOUT the -d option:
>>>
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
>>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
>>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: reuse_lease: lease age 364 (secs) under 25% threshold, reply with unaltered, existing lease for 172.20.10.165
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1
>>>
>>
>> This shows the script is being run with the correct data, but for some
>> reason, your kerberos key isn't correct
>>
>> What is in your ticket ?
>>
>> Running 'klist -ce /tmp/dhcp-dyndns.cc' on my DC produces this:
>>
>> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
>> Default principal: dhcpduser at SAMDOM.EXAMPLE.COM
>>
>> Valid starting       Expires              Service principal
>> 11/01/19 10:12:50    11/01/19 20:12:50    krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>>         renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>> 11/01/19 10:12:50    11/01/19 20:12:50    DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM
>>         renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
>>
>> And running 'ktutil' produces this:
>>
>> root at dc4:~# ktutil
>> ktutil: rkt /etc/dhcpduser.keytab
>> ktutil: l
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1    1 dhcpduser at SAMDOM.EXAMPLE.COM
>>    2    1 dhcpduser at SAMDOM.EXAMPLE.COM
>>    3    1 dhcpduser at SAMDOM.EXAMPLE.COM
>>    4    1 dhcpduser at SAMDOM.EXAMPLE.COM
>>    5    1 dhcpduser at SAMDOM.EXAMPLE.COM
>> ktutil: q
>>
>> I would delete the ticket and keytab, recreate the keytab and then try
>> again.
>
> $ sudo klist -ce /tmp/dhcp-dyndns.cc
>
> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> Default principal: dhcpduser at CORP.<DOMAIN>.COM
>
> Valid starting       Expires              Service principal
> 01/11/2019 09:54:32  01/11/2019 19:54:32  krbtgt/CORP.<DOMAIN>.COM at CORP.<DOMAIN>.COM
>         renew until 01/12/2019 09:54:32, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 01/11/2019 09:54:32  01/11/2019 19:54:32  DNS/dc01.corp.<DOMAIN>.com at CORP.<DOMAIN>.COM
>         renew until 01/12/2019 09:54:32, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
>
>
> $ sudo ktutil
>
> ktutil: rkt /etc/dhcpduser.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    2 dhcpduser at CORP.<DOMAIN>.COM
>    2    2 dhcpduser at CORP.<DOMAIN>.COM
>    3    2 dhcpduser at CORP.<DOMAIN>.COM
>    4    2 dhcpduser at CORP.<DOMAIN>.COM
>    5    2 dhcpduser at CORP.<DOMAIN>.COM
>

=======================================================================

Deleted and recreated /etc/dhcpduser.keytab with same result for ticket/keytab, and the same errors when running the script.
Rowland Penny
2019-Jan-11 18:04 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
On Fri, 11 Jan 2019 17:44:48 +0000 (UTC) Billy Bob via samba <samba at lists.samba.org> wrote:

>
>
> On Friday, January 11, 2019 11:20 AM, Billy Bob via samba
> <samba at lists.samba.org> wrote:
>
>
> On Friday, January 11, 2019 10:44 AM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> On Fri, 11 Jan 2019 16:13:50 +0000 (UTC)
> Billy Bob <billysbobs at yahoo.com> wrote:
>
>
> >>> Here is what the logs show WITHOUT the -d option:
> >>>
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
> >>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
> >>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: reuse_lease: lease age 364 (secs) under 25% threshold, reply with unaltered, existing lease for 172.20.10.165
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1
> >>>
> >>
> >> This shows the script is being run with the correct data, but for
> >> some reason, your kerberos key isn't correct
> >>
> >> What is in your ticket ?
> >>
> >> Running 'klist -ce /tmp/dhcp-dyndns.cc' on my DC produces this:
> >>
> >> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> >> Default principal: dhcpduser at SAMDOM.EXAMPLE.COM
> >>
> >> Valid starting       Expires              Service principal
> >> 11/01/19 10:12:50    11/01/19 20:12:50    krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> >>         renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> >> 11/01/19 10:12:50    11/01/19 20:12:50    DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM
> >>         renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
> >>
> >> And running 'ktutil' produces this:
> >>
> >> root at dc4:~# ktutil
> >> ktutil: rkt /etc/dhcpduser.keytab
> >> ktutil: l
> >> slot KVNO Principal
> >> ---- ---- ---------------------------------------------------------------------
> >>    1    1 dhcpduser at SAMDOM.EXAMPLE.COM
> >>    2    1 dhcpduser at SAMDOM.EXAMPLE.COM
> >>    3    1 dhcpduser at SAMDOM.EXAMPLE.COM
> >>    4    1 dhcpduser at SAMDOM.EXAMPLE.COM
> >>    5    1 dhcpduser at SAMDOM.EXAMPLE.COM
> >> ktutil: q
> >>
> >> I would delete the ticket and keytab, recreate the keytab and then
> >> try again.
> >
> > $ sudo klist -ce /tmp/dhcp-dyndns.cc
> >
> > Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> > Default principal: dhcpduser at CORP.<DOMAIN>.COM
> >
> > Valid starting       Expires              Service principal
> > 01/11/2019 09:54:32  01/11/2019 19:54:32  krbtgt/CORP.<DOMAIN>.COM at CORP.<DOMAIN>.COM
> >         renew until 01/12/2019 09:54:32, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> > 01/11/2019 09:54:32  01/11/2019 19:54:32  DNS/dc01.corp.<DOMAIN>.com at CORP.<DOMAIN>.COM
> >         renew until 01/12/2019 09:54:32, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
> >
> >
> > $ sudo ktutil
> >
> > ktutil: rkt /etc/dhcpduser.keytab
> > ktutil: l
> > slot KVNO Principal
> > ---- ---- ---------------------------------------------------------------------
> >    1    2 dhcpduser at CORP.<DOMAIN>.COM
> >    2    2 dhcpduser at CORP.<DOMAIN>.COM
> >    3    2 dhcpduser at CORP.<DOMAIN>.COM
> >    4    2 dhcpduser at CORP.<DOMAIN>.COM
> >    5    2 dhcpduser at CORP.<DOMAIN>.COM
> >
>
> =======================================================================
>
> Deleted and recreated /etc/dhcpduser.keytab with same result for
> ticket/keytab, and the same errors when running the script.

OK, you are now running my scripts as found on the Samba wiki, so it
should work.

Let's check some things, can you post the contents of the following
files:

/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf
smb.conf
your named.conf file(s)

What OS is this on ?
What version of Bind9 ?
Is a firewall running ?
Is Selinux or Apparmor running ?

You might have posted some of this before, but please post it again.

Rowland
Billy Bob
2019-Jan-11 18:43 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
On Friday, January 11, 2019 12:04 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> OK, you are now running my scripts as found on the Samba wiki, so it
> should work.
>
> Let's check some things, can you post the contents of the following
> files:
>
> /etc/resolv.conf

search corp.<DOMAIN>.com
# nameserver 172.20.10.131
nameserver 172.20.10.130

> /etc/hostname

dc01

> /etc/hosts

127.0.0.1 localhost
172.20.10.130 dc01.corp.<DOMAIN>.com dc01

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

> /etc/krb5.conf

[libdefaults]
    default_realm = CORP.<DOMAIN>.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

> smb.conf

Is at /usr/local/samba/etc/smb.conf, and contains:

# Global parameters
[global]
    bind interfaces only = Yes
    interfaces = lo eno1
    netbios name = DC01
    realm = CORP.<DOMAIN>.COM
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = CORP
    idmap_ldb:use rfc2307 = yes
    dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/corp.<DOMAIN>.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

> your named.conf file(s)

Is at /etc/bind/named.conf, and contains:

# Global Configuration Options
options {
    auth-nxdomain yes;
    directory "/var/cache/bind";
    notify no;
    empty-zones-enable no;

    # Enable dynamic DNS updates using Kerberos
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query { 127.0.0.1; 172.20.10.128/25; };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion { 127.0.0.1; 172.20.10.128/25; };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders { 172.20.10.129; };

    # Disable zone transfers
    allow-transfer { none; };
};

# Configure dynamically loadable zones (DLZ) from AD schema
dlz "AD DNS Zone" {
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
};

# Root Servers
# (Required for recursive DNS queries)
zone "." {
    type hint;
    file "named.root";
};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

> What OS is this on ?

Ubuntu 18.04.1, fully updated

On startup, no systemctl status errors for system, samba-ad-dc, bind9, ntp or isc-dhcp-server

> What version of Bind9 ?

$ sudo named -V
BIND 9.11.3-1ubuntu1.3-Ubuntu ... built by make with ... '--sysconfdir=/etc' ... '--sysconfdir=/etc/bind' ... '--with-gssapi=/usr' ...

> Is a firewall running ?

Not on the server

> Is Selinux or Apparmor running ?

AppArmor is running, with dhcpd, named and ntpd in Complain mode; in any case, no violations are being logged as DENIED
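The hook under discussion is the glue between dhcpd's "on commit" statement and a GSS-TSIG update against the DC's BIND9_DLZ instance (the `tkey-gssapi-keytab` line in the named.conf above is the server half of that handshake). As an added example, and not the Samba wiki dhcp-dyndns.sh or any code posted in this thread, the script below follows the same argv contract visible in the dhcpd log (action, IP, DHCID, hostname), builds the nsupdate batch for the A and PTR records, and submits it with `nsupdate -g` using a ticket obtained from the update account's keytab. The realm, domain, server name, keytab path, cache path and TTL are assumed values. The hostname validation is my addition: the name arrives from the DHCP client and is interpolated into the update batch, so a client that can put a newline into its hostname could otherwise append its own `update` commands.

```bash
#!/bin/bash
# Added example of a dhcpd "on commit" hook that pushes a lease into AD DNS
# over GSS-TSIG. Not the Samba wiki script; it only follows the argv contract
# seen in the thread's log:  dhcp-dyndns.sh add|delete <ip> <dhcid> <hostname>
# Every name, path and the realm below is an assumption for illustration.
set -u

REALM="CORP.EXAMPLE.COM"                 # assumption
DOMAIN="corp.example.com"                # assumption
DNSSERVER="dc01.corp.example.com"        # assumption: the DC running BIND9_DLZ
KEYTAB="/etc/dhcpduser.keytab"           # keytab of the account allowed to update
PRINCIPAL="dhcpduser@$REALM"
CCACHE="/tmp/dhcp-dyndns.cc"             # private cache, not the caller's default
TTL=3600

# The hostname is supplied by the DHCP client and is about to be written into
# an nsupdate batch. Accept a single DNS label only; a newline or space would
# let a client smuggle extra "update" commands into the transaction.
valid_name() {
    case $1 in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ ${#1} -le 63 ]
}

# Accept only a dotted-quad IPv4 address, the only shape the PTR logic handles.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    local old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

# 172.20.10.165 -> 165.10.20.172.in-addr.arpa
reverse_name() {
    local old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Emit the nsupdate batch for one lease. Forward and reverse records go in
# separate transactions so a missing reverse zone cannot veto the A record.
build_update() {
    local action=$1 ip=$2 name=$3 fqdn ptr
    valid_name "$name" || { echo "refusing hostname '$name'" >&2; return 2; }
    valid_ipv4 "$ip"   || { echo "refusing address '$ip'" >&2; return 2; }
    fqdn="$name.$DOMAIN"
    ptr=$(reverse_name "$ip")
    case $action in
        add)
            printf 'server %s\nupdate delete %s A\nupdate add %s %d A %s\nsend\n' \
                "$DNSSERVER" "$fqdn" "$fqdn" "$TTL" "$ip"
            printf 'server %s\nupdate delete %s PTR\nupdate add %s %d PTR %s.\nsend\n' \
                "$DNSSERVER" "$ptr" "$ptr" "$TTL" "$fqdn"
            ;;
        delete)
            printf 'server %s\nupdate delete %s A\nsend\n' "$DNSSERVER" "$fqdn"
            printf 'server %s\nupdate delete %s PTR\nsend\n' "$DNSSERVER" "$ptr"
            ;;
        *)
            echo "unknown action '$action'" >&2; return 2 ;;
    esac
}

# Get a fresh ticket from the keytab into the private cache, then hand the
# batch to nsupdate -g (GSS-TSIG). -d prints the TKEY negotiation, which is
# where a "TKEY is unacceptable" refusal from named becomes visible.
run_update() {
    KRB5CCNAME="$CCACHE" kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    build_update "$@" | KRB5CCNAME="$CCACHE" nsupdate -g -d
}

# dhcpd passes: action ip dhcid hostname. The DHCID is not needed here.
if [ "$#" -eq 4 ]; then
    run_update "$1" "$2" "$4"
fi
```

Run it by hand as `./dhcp-dyndns-example.sh add 172.20.10.165 1:d4:be:d9:22:9f:7d mgmt01` with the keytab in place; the `-d` output shows whether the TKEY exchange completed before any update record is sent, which separates a Kerberos or keytab problem from a zone permission problem. Whatever user dhcpd executes the hook as must be able to read the keytab and write the cache path, so keep both off the root-owned defaults.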