First I am having a couple challenges with your script here: On 09/03/2015 02:43 PM, Rowland Penny wrote:> > I thought that might be your next question, I wrote it, based on what > I found here: > > http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ > > > #!/bin/bash > > # /usr/local/sbin/dhcp-dyndns.sh > # This script is for secure DDNS updates using GSS/TSIG on Samba 4 > # Version: 0.8.3 (includes TXTRR records) > # Updated with suggestions from L. v. Belle louis at van-belle.nl > # method to check for valid kerberos ticket changed > > LOG="/var/log/dyndns.log"> if [ -f /var/log/dyndns.log ]; then > : > else > touch /var/log/dyndns.log > fiOf course this file did not exist, and the 'touch' command failed on permissions. I assume dhcpd is running this script as user dhcpd, group dhcpd, so I don't see how it can create the file. I have to create it and set the owner to root:dhcpd> > exec >> $LOG 2>&1Then this line fails and soforth.> > ## CONFIGURATION ## > > # Samba 4 realm, change this to YOUR realm. > SETREALM=EXAMPLE.COM > ## define the dhcp user that will be used for the Dynamic updates to > samba4 > ## this will create a Principal like : user at realm > SETDHCPUSER=dhcpduser > # DNS domain, change this to YOUR dns domain > domain=example.com > # TXT RRs (rfc4701) > # Set to YES to use TXT RRs > TXTRRS="NO" > # Additional nsupdate flags (-g already applied), e.g. "-d" for debug > #NSUPDFLAGS="-d" > # DNS nameserver > ns=127.0.0.1 > # > ## Do not change anything below here > # Kerberos principal > SETPRINCIPAL=$SETDHCPUSER@$SETREALM > # Kerberos keytab > SETDHCPKEYTAB=/etc/$SETDHCPUSER.keytab > # Default DNS resource records TTL > RRTTL="3600" > > # krbcc ticket cache > export KRB5CCNAME="/tmp/dhcp-dyndns.cc" > > ## Command locations, with full paths it speeds up processing. 
> ## ( tested on Ubuntu 14.04, Debian 7.5 ) > CMDSORT="$(which sort)" > CMDAWK="$(which awk)" > CMDHEAD="$(which head)" > CMDECHO="$(which echo)" > CMDDATE="$(which date)" > CMDKINIT="$(which kinit)" > CMDKLIST="$(which klist)" > CMDGREP="$(which grep)" > CMDGETENT="$(which getent)" > CMDSAMBATOOL="$(which samba-tool)" > CMDCHOWN="$(which chown)" > CMDCHMOD="$(which chmod)" > CMDHOST="$(which host)" > CMDNSUPDATE="$(which nsupdate)" > > TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")Sep 3 19:27:08 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 64: dhcpduser: command not found Sep 3 19:27:09 homebase dhcpd: (current) UNIX password: passwd: Authentication token manipulation error Sep 3 19:27:09 homebase dhcpd: No dhcp user exists, need to create it first.. exiting. Sep 3 19:27:09 homebase dhcpd: you can do this by typing the following commands Sep 3 19:27:09 homebase dhcpd: Administrator at EXAMPLE.COM Sep 3 19:27:09 homebase dhcpd: user create dhcpduser --description="Unprivileged user for DNS updates via ISC DHCP server" Sep 3 19:27:09 homebase dhcpd: user setexpiry dhcpduser --noexpiry Sep 3 19:27:09 homebase dhcpd: group addmembers DnsAdmins dhcpduser Sep 3 19:27:09 homebase dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256 Is this what I need to do. That is create the dhcpduser? There is no 'user' command. Is this 'adduser'?> if [ -z "${TESTUSER}" ]; then > echo "No dhcp user exists, need to create it first.. exiting." 
> echo "you can do this by typing the following commands" > echo "${CMDKINIT} Administrator@${SETREALM}" > echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} > --description=\"Unprivileged user for DNS updates via ISC DHCP server\"" > echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry" > echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}" > exit 1 > fi > > # Check for Kerberos keytab > if [ -f "${SETDHCPKEYTAB}" ]; then > : > else > echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to be > created." > echo "Use the following commands as root" > echo "${CMDSAMBATOOL} domain exportkeytab > --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}" > testos=$(uname -a | grep 'Debian') > if [ -z "$testos" ]; then > echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}" > echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}" > fi > exit 1 > fi > > ## VARIABLES ## > > # Variables supplied by dhcpd.conf > action=$1 > ip=$2 > DHCID=$3 > name=${4%%.*} > > usage() > { > echo "USAGE:" > echo " `basename $0` add ip-address dhcid|mac-address hostname" > echo " `basename $0` delete ip-address dhcid|mac-address" > } > > _KERBEROS () { > # get current time as a number > test=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S) > > # Check for valid kerberos ticket > echo "$test [dyndns] : Running check for valid kerberos ticket" > klist -c "$KRB5CCNAME" -s > if [ "$?" != "0" ]; then > echo "$test [dyndns] : Getting new ticket, old one has expired" > kinit -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" "${SETPRINCIPAL}" > if [ "$?" 
!= "0" ]; then > echo "$test [dyndns] : dhcpd kinit for dynamic DNS failed" > exit 1; > fi > else > echo "$test [dyndns] : New ticket not required, old one still valid" > fi > > } > > # Exit if no ip address or mac-address > if [ -z "$ip" ] || [ -z "$DHCID" ]; then > usage > exit 1 > fi > > # Exit if no computer name supplied, unless the action is 'delete' > if [ "$name" = "" ]; then > if [ "$action" = "delete" ]; then > name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}' | > ${CMDAWK} -F '.' '{print $1}') > else > usage > exit 1; > fi > fi > > # Set PTR address > ptr=$(${CMDECHO} $ip | ${CMDAWK} -F '.' '{print > $4"."$3"."$2"."$1".in-addr.arpa"}') > > # Create RRTXT record > RRTXT=$(${CMDECHO} "$DHCID$name.$domain" | sha256sum) > RRTXT="000101${RRTXT%% *}" > # extract txt record, if there is one > RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive > text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p') > > ## ${CMDNSUPDATE} ## > > case "$action" in > add) > if [ "$TXTRRS" = "YES" ]; then > TXTRRS="" > # if string is not null > if [ -n "$RRTXTOLD" ]; then > # if old RRTXT is not the same as $RRTXT then exit > if [ "$RRTXT" != "$RRTXTOLD" ]; then > echo "DHCP-DNS: adding records for $ip ($name.$domain) > FAILED: has A record but DHCID is wrong" > exit 1 > fi > fi > else > TXTRRS=";" > fi > > _KERBEROS > > ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE > server $ns > realm ${SETREALM} > update delete $name.$domain $RRTTL A > ${TXTRRS}update delete $name.$domain $RRTTL TXT > ${TXTRRS}update add $name.$domain $RRTTL TXT $RRTXT > update add $name.$domain $RRTTL A $ip > send > UPDATE > result1=$? > > ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE > server $ns > realm ${SETREALM} > zone 0.168.192.in-addr.arpa > update delete $ptr $RRTTL PTR > update add $ptr $RRTTL PTR $name.$domain > send > UPDATE > result2=$? 
> ;; > delete) > if [ "$TXTRRS" = "YES" ]; then > TXTRRS="" > if [ -n "$RRTXTOLD" ]; then > if [ "$RRTXT" != "$RRTXTOLD" ]; then > echo "DHCP-DNS: removing records for $ip > ($name.$domain) FAILED: has A record but DHCID is wrong" > exit 1 > fi > else > TXTRRS=";" > fi > else > TXTRRS=";" > fi > > _KERBEROS > > ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE > server $ns > realm ${SETREALM} > update delete $name.$domain $RRTTL A > ${TXTRRS}update delete $name.$domain $RRTTL TXT > send > UPDATE > result1=$? > ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE > server $ns > realm ${SETREALM} > update delete $ptr $RRTTL PTR > send > UPDATE > result2=$? > ;; > *) > echo "Invalid action specified" > exit 103 > ;; > esac > > result="$result1$result2" > > if [ "$result" != "00" ]; then > echo "DHCP-DNS Update failed: $result" > logger "DHCP-DNS Update failed: $result" > else > echo "DHCP-DNS Update succeeded" > logger "DHCP-DNS Update succeeded" > fi > > exit $resultSep 3 19:27:09 homebase dhcpd: DHCPREQUEST for 192.168.192.21 (192.168.192.2) from 02:97:09:02:23:a2 (cubieboard2) via eth0 Sep 3 19:27:09 homebase dhcpd: DHCPACK on 192.168.192.21 to 02:97:09:02:23:a2 (cubieboard2) via eth0 Sep 3 19:27:12 homebase named[22720]: client 192.168.192.21#36919 (0.centos.pool.ntp.org): query (cache) '0.centos.pool.ntp.org/A/IN' denied Oops, Looks like I have acl problems in named. That I know how to fix...
I am reading through the script and see some things I did not change... Will do that and try again. As well as create the log file manually. On 09/03/2015 07:47 PM, Robert Moskowitz wrote:> First I am having a couple challenges with your script here: > > On 09/03/2015 02:43 PM, Rowland Penny wrote: >> >> I thought that might be your next question, I wrote it, based on what >> I found here: >> >> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ >> >> >> #!/bin/bash >> >> # /usr/local/sbin/dhcp-dyndns.sh >> # This script is for secure DDNS updates using GSS/TSIG on Samba 4 >> # Version: 0.8.3 (includes TXTRR records) >> # Updated with suggestions from L. v. Belle louis at van-belle.nl >> # method to check for valid kerberos ticket changed >> >> LOG="/var/log/dyndns.log" > >> if [ -f /var/log/dyndns.log ]; then >> : >> else >> touch /var/log/dyndns.log >> fi > > Of course this file did not exist, and the 'touch' command failed on > permissions. > > I assume dhcpd is running this script as user dhcpd, group dhcpd, so I > don't see how it can create the file. I have to create it and set the > owner to root:dhcpd > > >> >> exec >> $LOG 2>&1 > > Then this line fails and soforth. > >> >> ## CONFIGURATION ## >> >> # Samba 4 realm, change this to YOUR realm. >> SETREALM=EXAMPLE.COM >> ## define the dhcp user that will be used for the Dynamic updates to >> samba4 >> ## this will create a Principal like : user at realm >> SETDHCPUSER=dhcpduser >> # DNS domain, change this to YOUR dns domain >> domain=example.com >> # TXT RRs (rfc4701) >> # Set to YES to use TXT RRs >> TXTRRS="NO" >> # Additional nsupdate flags (-g already applied), e.g. 
"-d" for debug >> #NSUPDFLAGS="-d" >> # DNS nameserver >> ns=127.0.0.1 >> # >> ## Do not change anything below here >> # Kerberos principal >> SETPRINCIPAL=$SETDHCPUSER@$SETREALM >> # Kerberos keytab >> SETDHCPKEYTAB=/etc/$SETDHCPUSER.keytab >> # Default DNS resource records TTL >> RRTTL="3600" >> >> # krbcc ticket cache >> export KRB5CCNAME="/tmp/dhcp-dyndns.cc" >> >> ## Command locations, with full paths it speeds up processing. >> ## ( tested on Ubuntu 14.04, Debian 7.5 ) >> CMDSORT="$(which sort)" >> CMDAWK="$(which awk)" >> CMDHEAD="$(which head)" >> CMDECHO="$(which echo)" >> CMDDATE="$(which date)" >> CMDKINIT="$(which kinit)" >> CMDKLIST="$(which klist)" >> CMDGREP="$(which grep)" >> CMDGETENT="$(which getent)" >> CMDSAMBATOOL="$(which samba-tool)" >> CMDCHOWN="$(which chown)" >> CMDCHMOD="$(which chmod)" >> CMDHOST="$(which host)" >> CMDNSUPDATE="$(which nsupdate)" >> >> TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}") > > Sep 3 19:27:08 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line > 64: dhcpduser: command not found > Sep 3 19:27:09 homebase dhcpd: (current) UNIX password: passwd: > Authentication token manipulation error > Sep 3 19:27:09 homebase dhcpd: No dhcp user exists, need to create it > first.. exiting. > Sep 3 19:27:09 homebase dhcpd: you can do this by typing the > following commands > Sep 3 19:27:09 homebase dhcpd: Administrator at EXAMPLE.COM > Sep 3 19:27:09 homebase dhcpd: user create dhcpduser > --description="Unprivileged user for DNS updates via ISC DHCP server" > Sep 3 19:27:09 homebase dhcpd: user setexpiry dhcpduser --noexpiry > Sep 3 19:27:09 homebase dhcpd: group addmembers DnsAdmins dhcpduser > Sep 3 19:27:09 homebase dhcpd: execute: > /usr/local/sbin/dhcp-dyndns.sh exit status 256 > > Is this what I need to do. That is create the dhcpduser? There is no > 'user' command. Is this 'adduser'? > >> if [ -z "${TESTUSER}" ]; then >> echo "No dhcp user exists, need to create it first.. exiting." 
>> echo "you can do this by typing the following commands" >> echo "${CMDKINIT} Administrator@${SETREALM}" >> echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} >> --description=\"Unprivileged user for DNS updates via ISC DHCP server\"" >> echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry" >> echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}" >> exit 1 >> fi >> >> # Check for Kerberos keytab >> if [ -f "${SETDHCPKEYTAB}" ]; then >> : >> else >> echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to be >> created." >> echo "Use the following commands as root" >> echo "${CMDSAMBATOOL} domain exportkeytab >> --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}" >> testos=$(uname -a | grep 'Debian') >> if [ -z "$testos" ]; then >> echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}" >> echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}" >> fi >> exit 1 >> fi >> >> ## VARIABLES ## >> >> # Variables supplied by dhcpd.conf >> action=$1 >> ip=$2 >> DHCID=$3 >> name=${4%%.*} >> >> usage() >> { >> echo "USAGE:" >> echo " `basename $0` add ip-address dhcid|mac-address hostname" >> echo " `basename $0` delete ip-address dhcid|mac-address" >> } >> >> _KERBEROS () { >> # get current time as a number >> test=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S) >> >> # Check for valid kerberos ticket >> echo "$test [dyndns] : Running check for valid kerberos ticket" >> klist -c "$KRB5CCNAME" -s >> if [ "$?" != "0" ]; then >> echo "$test [dyndns] : Getting new ticket, old one has expired" >> kinit -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" "${SETPRINCIPAL}" >> if [ "$?" 
!= "0" ]; then >> echo "$test [dyndns] : dhcpd kinit for dynamic DNS failed" >> exit 1; >> fi >> else >> echo "$test [dyndns] : New ticket not required, old one still valid" >> fi >> >> } >> >> # Exit if no ip address or mac-address >> if [ -z "$ip" ] || [ -z "$DHCID" ]; then >> usage >> exit 1 >> fi >> >> # Exit if no computer name supplied, unless the action is 'delete' >> if [ "$name" = "" ]; then >> if [ "$action" = "delete" ]; then >> name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}' | >> ${CMDAWK} -F '.' '{print $1}') >> else >> usage >> exit 1; >> fi >> fi >> >> # Set PTR address >> ptr=$(${CMDECHO} $ip | ${CMDAWK} -F '.' '{print >> $4"."$3"."$2"."$1".in-addr.arpa"}') >> >> # Create RRTXT record >> RRTXT=$(${CMDECHO} "$DHCID$name.$domain" | sha256sum) >> RRTXT="000101${RRTXT%% *}" >> # extract txt record, if there is one >> RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive >> text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p') >> >> ## ${CMDNSUPDATE} ## >> >> case "$action" in >> add) >> if [ "$TXTRRS" = "YES" ]; then >> TXTRRS="" >> # if string is not null >> if [ -n "$RRTXTOLD" ]; then >> # if old RRTXT is not the same as $RRTXT then exit >> if [ "$RRTXT" != "$RRTXTOLD" ]; then >> echo "DHCP-DNS: adding records for $ip >> ($name.$domain) FAILED: has A record but DHCID is wrong" >> exit 1 >> fi >> fi >> else >> TXTRRS=";" >> fi >> >> _KERBEROS >> >> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE >> server $ns >> realm ${SETREALM} >> update delete $name.$domain $RRTTL A >> ${TXTRRS}update delete $name.$domain $RRTTL TXT >> ${TXTRRS}update add $name.$domain $RRTTL TXT $RRTXT >> update add $name.$domain $RRTTL A $ip >> send >> UPDATE >> result1=$? >> >> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE >> server $ns >> realm ${SETREALM} >> zone 0.168.192.in-addr.arpa >> update delete $ptr $RRTTL PTR >> update add $ptr $RRTTL PTR $name.$domain >> send >> UPDATE >> result2=$? 
>> ;; >> delete) >> if [ "$TXTRRS" = "YES" ]; then >> TXTRRS="" >> if [ -n "$RRTXTOLD" ]; then >> if [ "$RRTXT" != "$RRTXTOLD" ]; then >> echo "DHCP-DNS: removing records for $ip >> ($name.$domain) FAILED: has A record but DHCID is wrong" >> exit 1 >> fi >> else >> TXTRRS=";" >> fi >> else >> TXTRRS=";" >> fi >> >> _KERBEROS >> >> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE >> server $ns >> realm ${SETREALM} >> update delete $name.$domain $RRTTL A >> ${TXTRRS}update delete $name.$domain $RRTTL TXT >> send >> UPDATE >> result1=$? >> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE >> server $ns >> realm ${SETREALM} >> update delete $ptr $RRTTL PTR >> send >> UPDATE >> result2=$? >> ;; >> *) >> echo "Invalid action specified" >> exit 103 >> ;; >> esac >> >> result="$result1$result2" >> >> if [ "$result" != "00" ]; then >> echo "DHCP-DNS Update failed: $result" >> logger "DHCP-DNS Update failed: $result" >> else >> echo "DHCP-DNS Update succeeded" >> logger "DHCP-DNS Update succeeded" >> fi >> >> exit $result > > Sep 3 19:27:09 homebase dhcpd: DHCPREQUEST for 192.168.192.21 > (192.168.192.2) from 02:97:09:02:23:a2 (cubieboard2) via eth0 > Sep 3 19:27:09 homebase dhcpd: DHCPACK on 192.168.192.21 to > 02:97:09:02:23:a2 (cubieboard2) via eth0 > Sep 3 19:27:12 homebase named[22720]: client 192.168.192.21#36919 > (0.centos.pool.ntp.org): query (cache) '0.centos.pool.ntp.org/A/IN' > denied > > Oops, Looks like I have acl problems in named. That I know how to fix... > > >
Robert Moskowitz
2015-Sep-04 00:53 UTC
[Samba] further testing - Re: dhcp errors - Re: dhcp example
This will be it for tonight... Sep 3 20:35:30 homebase dhcpd: DHCPDISCOVER from 02:97:09:02:23:a2 (cubieboard2) via eth0 Sep 3 20:35:31 homebase dhcpd: DHCPOFFER on 192.168.192.21 to 02:97:09:02:23:a2 (cubieboard2) via eth0 Sep 3 20:35:31 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 17: /var/log/dyndns.log: Permission denied Sep 3 20:35:31 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 49: which: command not found # ls -ls /var/log/dy* 0 -rw-r--r-- 1 root dhcpd 0 Sep 3 20:27 /var/log/dyndns.log # grep dhc /etc/passwd dhcpd:x:177:177:DHCP server:/:/sbin/nologin # systemctl status dhcpd dhcpd.service - DHCPv4 Server Daemon Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled) Active: active (running) since Thu 2015-09-03 15:58:44 EDT; 4h 46min ago Docs: man:dhcpd(8) man:dhcpd.conf(5) Main PID: 22993 (dhcpd) Status: "Dispatching packets..." CGroup: /system.slice/dhcpd.service └─22993 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd ... So why does the script think there is no log file and then try to 'touch' it? (Reading the messages: `line 17: /var/log/dyndns.log: Permission denied` is bash reporting a failed redirect, i.e. the `exec >> $LOG 2>&1` line, not the touch. The file exists but is mode 0644 owned by root:dhcpd, so the dhcpd group the script runs under has no write bit and the append is denied; it needs to be group-writable or owned by dhcpd. The `which: command not found` lines (49 through 62 are the fourteen `CMD*="$(which ...)"` assignments) are the bigger problem: every `CMD*` variable is empty on this host, so the words that follow each `${CMD...}` are executed as commands in their own right.) Sep 3 20:35:31 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 62: which: command not found Sep 3 20:35:31 homebase dhcpd: Internet Systems Consortium DHCP Server 4.2.5 Sep 3 20:35:31 homebase dhcpd: Copyright 2004-2013 Internet Systems Consortium. Sep 3 20:35:31 homebase dhcpd: All rights reserved. Sep 3 20:35:31 homebase dhcpd: For info, please visit https://www.isc.org/software/dhcp/ Sep 3 20:35:31 homebase dhcpd: (current) UNIX password: Internet Systems Consortium DHCP Server 4.2.5 Sep 3 20:35:31 homebase dhcpd: Copyright 2004-2013 Internet Systems Consortium. Sep 3 20:35:31 homebase dhcpd: All rights reserved. 
Sep 3 20:35:31 homebase dhcpd: For info, please visit https://www.isc.org/software/dhcp/ Sep 3 20:35:31 homebase dhcpd: unable to create icmp socket: Operation not permitted Sep 3 20:35:31 homebase dhcpd: Can't open /etc/dhcp/dhcpd.conf: Permission denied Sep 3 20:35:31 homebase dhcpd: This version of ISC DHCP is based on the release available Sep 3 20:35:31 homebase dhcpd: on ftp.isc.org. Features have been added and other changes Sep 3 20:35:31 homebase dhcpd: have been made to the base software release in order to make Sep 3 20:35:31 homebase dhcpd: it work better with this distribution. Sep 3 20:35:31 homebase dhcpd: Please report for this software via the CentOS Bugs Database: Sep 3 20:35:31 homebase dhcpd: http://bugs.centos.org/ Sep 3 20:35:31 homebase dhcpd: unable to create icmp socket: Operation not permitted Sep 3 20:35:31 homebase dhcpd: Can't open /etc/dhcp/dhcpd.conf: Permission denied Sep 3 20:35:31 homebase dhcpd: Huh? Is it restarting dhcpd? And why is it now complaining about permissions for /etc/dhcp/dhcpd.conf when it opened it earlier? The file is created root:root, not root:dhcpd. (This looks like the script itself launching a second dhcpd rather than a restart: with `which` absent, `CMDGETENT` and `CMDGREP` are empty, so `${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}"` is run as `passwd | dhcpd` — hence the `(current) UNIX password:` prompt, the dhcpd banner, and the permission errors from a dhcpd started as the unprivileged dhcpd user without the service's privileges. The earlier run, with SETDHCPUSER=dhcpduser, showed the same effect as `dhcpduser: command not found`. A config value being executed as a command is exactly why a script like this should resolve its tools with `command -v` and fail closed when one is missing.) Sep 3 20:35:33 homebase dhcpd: passwd: Authentication token manipulation error Sep 3 20:35:33 homebase dhcpd: No dhcp user exists, need to create it first.. exiting. Sep 3 20:35:33 homebase dhcpd: you can do this by typing the following commands Sep 3 20:35:33 homebase dhcpd: Administrator at home.htt Sep 3 20:35:33 homebase dhcpd: user create dhcpd --description="Unprivileged user for DNS updates via ISC DHCP server" Sep 3 20:35:33 homebase dhcpd: user setexpiry dhcpd --noexpiry Sep 3 20:35:33 homebase dhcpd: group addmembers DnsAdmins dhcpd Sep 3 20:35:33 homebase dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256 So what is needed here for the user? And where is it being created? Is this in Kerberos? Is there a separate Kerberos daemon with sernet? (The printed lines have lost their `kinit` and `samba-tool` prefixes for the same reason — `CMDKINIT` and `CMDSAMBATOOL` are empty. In the script they read `samba-tool user create ...`, `samba-tool user setexpiry ... --noexpiry` and `samba-tool group addmembers DnsAdmins ...`, i.e. the account is a Samba AD user created with samba-tool, after which the keytab is exported with `samba-tool domain exportkeytab`.) Sep 3 20:35:34 homebase dhcpd: Wrote 1 leases to leases file. 
Sep 3 20:35:34 homebase dhcpd: DHCPREQUEST for 192.168.192.21 (192.168.192.2) from 02:97:09:02:23:a2 (cubieboard2) via eth0 Sep 3 20:35:34 homebase dhcpd: DHCPACK on 192.168.192.21 to 02:97:09:02:23:a2 (cubieboard2) via eth0 Sep 3 20:35:34 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 17: /var/log/dyndns.log: Permission denied Sep 3 20:35:34 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 49: which: command not found Looks like it is looping around again... Same set of messages as the first set. Please help here. thanks. On 09/03/2015 08:27 PM, Robert Moskowitz wrote:> I am reading through the script and see some things I did not change... > > Will do that and try again. As well as create the log file manually. > > On 09/03/2015 07:47 PM, Robert Moskowitz wrote: >> First I am having a couple challenges with your script here: >> >> On 09/03/2015 02:43 PM, Rowland Penny wrote: >>> >>> I thought that might be your next question, I wrote it, based on >>> what I found here: >>> >>> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ >>> >>> >>> #!/bin/bash >>> >>> # /usr/local/sbin/dhcp-dyndns.sh >>> # This script is for secure DDNS updates using GSS/TSIG on Samba 4 >>> # Version: 0.8.3 (includes TXTRR records) >>> # Updated with suggestions from L. v. Belle louis at van-belle.nl >>> # method to check for valid kerberos ticket changed >>> >>> LOG="/var/log/dyndns.log" >> >>> if [ -f /var/log/dyndns.log ]; then >>> : >>> else >>> touch /var/log/dyndns.log >>> fi >> >> Of course this file did not exist, and the 'touch' command failed on >> permissions. >> >> I assume dhcpd is running this script as user dhcpd, group dhcpd, so >> I don't see how it can create the file. I have to create it and set >> the owner to root:dhcpd >> >> >>> >>> exec >> $LOG 2>&1 >> >> Then this line fails and soforth. >> >>> >>> ## CONFIGURATION ## >>> >>> # Samba 4 realm, change this to YOUR realm. 
>>> SETREALM=EXAMPLE.COM >>> ## define the dhcp user that will be used for the Dynamic updates to >>> samba4 >>> ## this will create a Principal like : user at realm >>> SETDHCPUSER=dhcpduser >>> # DNS domain, change this to YOUR dns domain >>> domain=example.com >>> # TXT RRs (rfc4701) >>> # Set to YES to use TXT RRs >>> TXTRRS="NO" >>> # Additional nsupdate flags (-g already applied), e.g. "-d" for debug >>> #NSUPDFLAGS="-d" >>> # DNS nameserver >>> ns=127.0.0.1 >>> # >>> ## Do not change anything below here >>> # Kerberos principal >>> SETPRINCIPAL=$SETDHCPUSER@$SETREALM >>> # Kerberos keytab >>> SETDHCPKEYTAB=/etc/$SETDHCPUSER.keytab >>> # Default DNS resource records TTL >>> RRTTL="3600" >>> >>> # krbcc ticket cache >>> export KRB5CCNAME="/tmp/dhcp-dyndns.cc" >>> >>> ## Command locations, with full paths it speeds up processing. >>> ## ( tested on Ubuntu 14.04, Debian 7.5 ) >>> CMDSORT="$(which sort)" >>> CMDAWK="$(which awk)" >>> CMDHEAD="$(which head)" >>> CMDECHO="$(which echo)" >>> CMDDATE="$(which date)" >>> CMDKINIT="$(which kinit)" >>> CMDKLIST="$(which klist)" >>> CMDGREP="$(which grep)" >>> CMDGETENT="$(which getent)" >>> CMDSAMBATOOL="$(which samba-tool)" >>> CMDCHOWN="$(which chown)" >>> CMDCHMOD="$(which chmod)" >>> CMDHOST="$(which host)" >>> CMDNSUPDATE="$(which nsupdate)" >>> >>> TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}") >> >> Sep 3 19:27:08 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line >> 64: dhcpduser: command not found >> Sep 3 19:27:09 homebase dhcpd: (current) UNIX password: passwd: >> Authentication token manipulation error >> Sep 3 19:27:09 homebase dhcpd: No dhcp user exists, need to create >> it first.. exiting. 
>> Sep 3 19:27:09 homebase dhcpd: you can do this by typing the >> following commands >> Sep 3 19:27:09 homebase dhcpd: Administrator at EXAMPLE.COM >> Sep 3 19:27:09 homebase dhcpd: user create dhcpduser >> --description="Unprivileged user for DNS updates via ISC DHCP server" >> Sep 3 19:27:09 homebase dhcpd: user setexpiry dhcpduser --noexpiry >> Sep 3 19:27:09 homebase dhcpd: group addmembers DnsAdmins dhcpduser >> Sep 3 19:27:09 homebase dhcpd: execute: >> /usr/local/sbin/dhcp-dyndns.sh exit status 256 >> >> Is this what I need to do. That is create the dhcpduser? There is >> no 'user' command. Is this 'adduser'? >> >>> if [ -z "${TESTUSER}" ]; then >>> echo "No dhcp user exists, need to create it first.. exiting." >>> echo "you can do this by typing the following commands" >>> echo "${CMDKINIT} Administrator@${SETREALM}" >>> echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} >>> --description=\"Unprivileged user for DNS updates via ISC DHCP >>> server\"" >>> echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry" >>> echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}" >>> exit 1 >>> fi >>> >>> # Check for Kerberos keytab >>> if [ -f "${SETDHCPKEYTAB}" ]; then >>> : >>> else >>> echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to be >>> created." 
>>> echo "Use the following commands as root" >>> echo "${CMDSAMBATOOL} domain exportkeytab >>> --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}" >>> testos=$(uname -a | grep 'Debian') >>> if [ -z "$testos" ]; then >>> echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}" >>> echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}" >>> fi >>> exit 1 >>> fi >>> >>> ## VARIABLES ## >>> >>> # Variables supplied by dhcpd.conf >>> action=$1 >>> ip=$2 >>> DHCID=$3 >>> name=${4%%.*} >>> >>> usage() >>> { >>> echo "USAGE:" >>> echo " `basename $0` add ip-address dhcid|mac-address hostname" >>> echo " `basename $0` delete ip-address dhcid|mac-address" >>> } >>> >>> _KERBEROS () { >>> # get current time as a number >>> test=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S) >>> >>> # Check for valid kerberos ticket >>> echo "$test [dyndns] : Running check for valid kerberos ticket" >>> klist -c "$KRB5CCNAME" -s >>> if [ "$?" != "0" ]; then >>> echo "$test [dyndns] : Getting new ticket, old one has expired" >>> kinit -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" >>> "${SETPRINCIPAL}" >>> if [ "$?" != "0" ]; then >>> echo "$test [dyndns] : dhcpd kinit for dynamic DNS failed" >>> exit 1; >>> fi >>> else >>> echo "$test [dyndns] : New ticket not required, old one still >>> valid" >>> fi >>> >>> } >>> >>> # Exit if no ip address or mac-address >>> if [ -z "$ip" ] || [ -z "$DHCID" ]; then >>> usage >>> exit 1 >>> fi >>> >>> # Exit if no computer name supplied, unless the action is 'delete' >>> if [ "$name" = "" ]; then >>> if [ "$action" = "delete" ]; then >>> name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}' | >>> ${CMDAWK} -F '.' '{print $1}') >>> else >>> usage >>> exit 1; >>> fi >>> fi >>> >>> # Set PTR address >>> ptr=$(${CMDECHO} $ip | ${CMDAWK} -F '.' 
'{print >>> $4"."$3"."$2"."$1".in-addr.arpa"}') >>> >>> # Create RRTXT record >>> RRTXT=$(${CMDECHO} "$DHCID$name.$domain" | sha256sum) >>> RRTXT="000101${RRTXT%% *}" >>> # extract txt record, if there is one >>> RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive >>> text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p') >>> >>> ## ${CMDNSUPDATE} ## >>> >>> case "$action" in >>> add) >>> if [ "$TXTRRS" = "YES" ]; then >>> TXTRRS="" >>> # if string is not null >>> if [ -n "$RRTXTOLD" ]; then >>> # if old RRTXT is not the same as $RRTXT then exit >>> if [ "$RRTXT" != "$RRTXTOLD" ]; then >>> echo "DHCP-DNS: adding records for $ip >>> ($name.$domain) FAILED: has A record but DHCID is wrong" >>> exit 1 >>> fi >>> fi >>> else >>> TXTRRS=";" >>> fi >>> >>> _KERBEROS >>> >>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE >>> server $ns >>> realm ${SETREALM} >>> update delete $name.$domain $RRTTL A >>> ${TXTRRS}update delete $name.$domain $RRTTL TXT >>> ${TXTRRS}update add $name.$domain $RRTTL TXT $RRTXT >>> update add $name.$domain $RRTTL A $ip >>> send >>> UPDATE >>> result1=$? >>> >>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE >>> server $ns >>> realm ${SETREALM} >>> zone 0.168.192.in-addr.arpa >>> update delete $ptr $RRTTL PTR >>> update add $ptr $RRTTL PTR $name.$domain >>> send >>> UPDATE >>> result2=$? >>> ;; >>> delete) >>> if [ "$TXTRRS" = "YES" ]; then >>> TXTRRS="" >>> if [ -n "$RRTXTOLD" ]; then >>> if [ "$RRTXT" != "$RRTXTOLD" ]; then >>> echo "DHCP-DNS: removing records for $ip >>> ($name.$domain) FAILED: has A record but DHCID is wrong" >>> exit 1 >>> fi >>> else >>> TXTRRS=";" >>> fi >>> else >>> TXTRRS=";" >>> fi >>> >>> _KERBEROS >>> >>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE >>> server $ns >>> realm ${SETREALM} >>> update delete $name.$domain $RRTTL A >>> ${TXTRRS}update delete $name.$domain $RRTTL TXT >>> send >>> UPDATE >>> result1=$? 
>>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE >>> server $ns >>> realm ${SETREALM} >>> update delete $ptr $RRTTL PTR >>> send >>> UPDATE >>> result2=$? >>> ;; >>> *) >>> echo "Invalid action specified" >>> exit 103 >>> ;; >>> esac >>> >>> result="$result1$result2" >>> >>> if [ "$result" != "00" ]; then >>> echo "DHCP-DNS Update failed: $result" >>> logger "DHCP-DNS Update failed: $result" >>> else >>> echo "DHCP-DNS Update succeeded" >>> logger "DHCP-DNS Update succeeded" >>> fi >>> >>> exit $result >> >> Sep 3 19:27:09 homebase dhcpd: DHCPREQUEST for 192.168.192.21 >> (192.168.192.2) from 02:97:09:02:23:a2 (cubieboard2) via eth0 >> Sep 3 19:27:09 homebase dhcpd: DHCPACK on 192.168.192.21 to >> 02:97:09:02:23:a2 (cubieboard2) via eth0 >> Sep 3 19:27:12 homebase named[22720]: client 192.168.192.21#36919 >> (0.centos.pool.ntp.org): query (cache) '0.centos.pool.ntp.org/A/IN' >> denied >> >> Oops, Looks like I have acl problems in named. That I know how to >> fix... >> >> >> > >