Siovel Rodríguez Morales
2017-Oct-08 00:08 UTC
[Samba] bind9 and isc-dhcp-Server for dynamic DNS-updates Error
Hi Rowland, I do not have another DHCP server. dnsmasq is not configured.

I think the problem may be permissions. Which Linux distribution do you use, Ubuntu? I was tracing the script code dhcp-dyndns.sh, when the execution on the first line fails

Are these instructions correct in Debian:
chown root:root /etc/dhcp/dhcpduser.keytab
chmod 400 /etc/dhcp/dhcpduser.keytab

----- Original message -----
From: "samba" <samba at lists.samba.org>
To: "samba" <samba at lists.samba.org>
Sent: Saturday, October 7, 2017 18:19:59
Subject: Re: [Samba] bind9 and isc-dhcp-Server for dynamic DNS-updates Error

On Sat, 7 Oct 2017 17:51:27 -0400 (CDT)
Siovel Rodríguez Morales <siovel at softel.cu> wrote:

> This is my named.conf
> options {
>     directory "/var/cache/bind";
>     notify no;
>     empty-zones-enable no;
>     auth-nxdomain yes;
>     listen-on-v6 { none; };
>     forwarders { 192.168.10.3; 10.0.0.3; };
>     allow-query { 127.0.0.1/32; 192.168.16.0/24; };
>     allow-recursion { 127.0.0.1/32; 192.168.16.0/24; };
>     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> };
>
> I removed the comment sign '#'
> NSUPDFLAGS="-d"
>
> But the logs are the same:
> Oct 7 17:44:38 samba467 dhcpd: DHCPREQUEST for 192.168.16.38 from 08:00:27:e7:0a:66 (omtest) via eth0
> Oct 7 17:44:38 samba467 dhcpd: DHCPACK on 192.168.16.38 to 08:00:27:e7:0a:66 (omtest) via eth0
> Oct 7 17:44:55 samba467 dhcpd: Commit: IP: 192.168.16.37 DHCID: 1:0:c:29:e5:43:bf Name: ubuntu
> Oct 7 17:44:55 samba467 dhcpd: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns.sh
> Oct 7 17:44:55 samba467 dhcpd: execute_statement argv[1] = add
> Oct 7 17:44:55 samba467 dhcpd: execute_statement argv[2] = 192.168.16.37
> Oct 7 17:44:55 samba467 dhcpd: execute_statement argv[3] = 1:0:c:29:e5:43:bf
> Oct 7 17:44:55 samba467 dhcpd: execute_statement argv[4] = ubuntu
> Oct 7 17:44:55 samba467 dhcpd: execute: /etc/dhcp/bin/dhcp-dyndns.sh exit status 256
>

These are my named.conf files:

/etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf.options

options {
    directory "/var/cache/bind";
    notify no;
    empty-zones-enable no;
    allow-query { 127.0.0.1; 192.168.0.0/24; };
    allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
    forwarders { 8.8.8.8; };
    allow-transfer { none; };
    dnssec-validation no;
    dnssec-enable no;
    listen-on-v6 { none; };
    listen-on port 53 { 192.168.0.2; 127.0.0.1; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

/etc/bind/named.conf.local

include "/usr/local/samba/private/named.conf";

/etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

/etc/default/bind9

# run resolvconf?
RESOLVCONF=no

# startup options for the server
OPTIONS="-u bind -4"

Removing the '#' should make dnsupdate be a lot more verbose, but it doesn't seem to be outputting anything, when it works correctly you should see something like this in syslog:

Oct 7 06:36:51 dc1.example.com dhcpd: DHCPREQUEST for 192.168.0.88 from ec:08:6b:0c:cb:c2 (devstation) via eth0
Oct 7 06:36:51 dc1.example.com dhcpd: DHCPACK on 192.168.0.88 to ec:08:6b:0c:cb:c2 (devstation) via eth0
Oct 7 06:51:36 dc1.example.com dhcpd: Commit: IP: 192.168.0.88 DHCID: 1:ec:8:6b:c:cb:c2 Name: devstation
Oct 7 06:51:36 dc1.example.com dhcpd: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns.sh
Oct 7 06:51:36 dc1.example.com dhcpd: execute_statement argv[1] = add
Oct 7 06:51:36 dc1.example.com dhcpd: execute_statement argv[2] = 192.168.0.88
Oct 7 06:51:36 dc1.example.com dhcpd: execute_statement argv[3] = 1:ec:8:6b:c:cb:c2
Oct 7 06:51:36 dc1.example.com dhcpd: execute_statement argv[4] = devstation
Oct 7 06:51:37 dc1.example.com named[26110]: samba_dlz: starting transaction on zone samdom.example.com
Oct 7 06:51:37 dc1.example.com named[26110]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=devstation.samdom.example.com tcpaddr=127.0.0.1 type=A key=3046387417.sig-dc1.example.com.samdom.example.com/160/0
Oct 7 06:51:37 dc1.example.com named[26110]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=devstation.samdom.example.com tcpaddr=127.0.0.1 type=A key=3046387417.sig-dc1.example.com.samdom.example.com/160/0
Oct 7 06:51:37 dc1.example.com named[26110]: client 127.0.0.1#44121/key dhcpduser\@SAMDOM.EXAMPLE.COM: updating zone 'samdom.example.com/NONE': deleting rrset at 'devstation.samdom.example.com' A
Oct 7 06:51:37 dc1.example.com named[26110]: samba_dlz: subtracted rdataset devstation.samdom.example.com 'devstation.samdom.example.com.#0113600#011IN#011A#011192.168.0.88'
Oct 7 06:51:37 dc1.example.com named[26110]: client 127.0.0.1#44121/key dhcpduser\@SAMDOM.EXAMPLE.COM: updating zone 'samdom.example.com/NONE': adding an RR at 'devstation.samdom.example.com' A
Oct 7 06:51:37 dc1.example.com named[26110]: samba_dlz: added rdataset devstation.samdom.example.com 'devstation.samdom.example.com.#0113600#011IN#011A#011192.168.0.88'
Oct 7 06:51:37 dc1.example.com named[26110]: samba_dlz: committed transaction on zone samdom.example.com
Oct 7 06:51:37 dc1.example.com named[26110]: samba_dlz: starting transaction on zone 0.168.192.in-addr.arpa
Oct 7 06:51:37 dc1.example.com named[26110]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=88.0.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=1661100354.sig-dc1.example.com.samdom.example.com/160/0
Oct 7 06:51:37 dc1.example.com named[26110]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=88.0.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=1661100354.sig-dc1.example.com.samdom.example.com/160/0
Oct 7 06:51:37 dc1.example.com named[26110]: client 127.0.0.1#36142/key dhcpduser\@SAMDOM.EXAMPLE.COM: updating zone '0.168.192.in-addr.arpa/NONE': deleting rrset at '88.0.168.192.in-addr.arpa' PTR
Oct 7 06:51:37 dc1.example.com named[26110]: samba_dlz: subtracted rdataset 88.0.168.192.in-addr.arpa '88.0.168.192.in-addr.arpa.#0113600#011IN#011PTR#011devstation.samdom.example.com.'
Oct 7 06:51:37 dc1.example.com named[26110]: client 127.0.0.1#36142/key dhcpduser\@SAMDOM.EXAMPLE.COM: updating zone '0.168.192.in-addr.arpa/NONE': adding an RR at '88.0.168.192.in-addr.arpa' PTR
Oct 7 06:51:37 dc1.example.com named[26110]: samba_dlz: added rdataset 88.0.168.192.in-addr.arpa '88.0.168.192.in-addr.arpa.#0113600#011IN#011PTR#011devstation.samdom.example.com.'
Oct 7 06:51:37 dc1.example.com named[26110]: samba_dlz: committed transaction on zone 0.168.192.in-addr.arpa
Oct 7 06:51:37 dc1.example.com root: DHCP-DNS Update succeeded

Just another thought, there isn't another dhcp server on the same network is there ?

and yet another thought, the clients name seems to be 'ubuntu' , have you turned off dnsmasq in Network-Manager ?

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2017-Oct-08 08:36 UTC
[Samba] bind9 and isc-dhcp-Server for dynamic DNS-updates Error
On Sat, 7 Oct 2017 20:08:26 -0400 (CDT)
Siovel Rodríguez Morales <siovel at softel.cu> wrote:

> Hi Rowland, I do not have another DHCP server. dnsmasq is not configured.

No, do you have a line in /etc/Network-Manager/Network-Manager.conf
with 'dnsmasq' in it ?
If so, comment it out and restart Network-Manager

What is in /etc/hosts and /etc/resolv.conf ?

>
> I think the problem may be permissions. Which Linux distribution do
> you use, Ubuntu? I was tracing the script code dhcp-dyndns.sh, when
> the execution on the first line fails

You could be right, is apparmor running ?
I use Devuan

>
> Are these instructions correct in Debian:
> chown root:root /etc/dhcp/dhcpduser.keytab
> chmod 400 /etc/dhcp/dhcpduser.keytab
>

It is correct on Devuan, so should be correct on debian, but check who
runs DHCP on your system.

I will send you a script to replace the /etc/dhcp/bin/dhcp-dyndns.sh.
It is the same as the one on the wikipage, but it will output
information to a text file in /tmp: /tmp/Update.txt
It also has '-d' hardcoded.

If you can try this script and then send me /tmp/Update.txt and
anything relevant from /var/log/syslog, I will see if I can work out
what is going wrong.

Rowland
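Added example, not part of the thread or of the dhcp-dyndns.sh script: the keytab question above comes down to whether the file's owner matches the account that runs dhcpd while group and other are locked out. The helper name check_keytab and its return codes are hypothetical, and GNU coreutils stat is assumed.

```shell
#!/bin/sh
# check_keytab KEYTAB USER   (hypothetical helper, not part of dhcp-dyndns.sh)
# Returns 0 when KEYTAB is a regular file owned by USER, readable by that
# owner, and closed to group and other. Assumes GNU coreutils stat (-c).
# Return codes: 1 missing file, 2 wrong owner, 3 mode too open,
#               4 owner cannot read.
check_keytab() {
    keytab=$1
    user=$2
    [ -f "$keytab" ] || { echo "missing: $keytab"; return 1; }
    owner=$(stat -c '%U' "$keytab") || return 1
    mode=$(stat -c '%a' "$keytab") || return 1
    if [ "$owner" != "$user" ]; then
        echo "$keytab is owned by $owner, but dhcpd runs as $user"
        return 2
    fi
    # The leading 0 makes the shell read the mode as an octal number.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$keytab mode $mode gives group/other access to the key"
        return 3
    fi
    if [ $(( 0$mode & 0400 )) -eq 0 ]; then
        echo "$keytab mode $mode is not readable by its owner"
        return 4
    fi
    return 0
}

# Usage on the DHCP server (procps ps; takes the first dhcpd process):
#   check_keytab /etc/dhcp/dhcpduser.keytab "$(ps -o user= -C dhcpd | head -n 1)"
```

A return code of 2 is the case Rowland's caveat points at: the mode can be 400 and the script still cannot read the key if dhcpd runs as a different account than the file's owner.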
Siovel Rodríguez Morales
2017-Oct-08 21:30 UTC
[Samba] bind9 and isc-dhcp-Server for dynamic DNS-updates Error
Hi Rowland, I resolved the problem partially.
The problem was due to the fact that I do not have winbind installed because
Samba 4, Bind9 and isc-dhcp-server are on the same server.
I commented out these lines in the script dhcp-dyndns.sh and it worked (on commit
and on release but not on expiry)
#TESTUSER=$(wbinfo -u | grep dhcpduser)
#if [ -z "${TESTUSER}" ]; then
# echo "No AD dhcp user exists, need to create it first.. exiting."
# echo "you can do this by typing the following commands"
# echo "kinit Administrator@${REALM}"
# echo "samba-tool user create dhcpduser --random-password --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
# echo "samba-tool user setexpiry dhcpduser --noexpiry"
# echo "samba-tool group addmembers DnsAdmins dhcpduser"
# exit 1
#else
# echo "TESTUSER: ${TESTUSER}" >> /tmp/Update.txt
#fi
Now when an IP address expires, the DNS is not updated. I executed the script
manually and it doesn't work
/etc/dhcp/bin/dhcp-dyndns.sh delete 192.168.16.37 0
This is the /tmp/Update.txt file
DOMAIN: sco.cu
REALM: SCO.CU
KRB5CCNAME: /tmp/dhcp-dyndns.cc
Keytab exists
ACTION: delete
IP: 192.168.16.37
DHCID:
NAME: 0
This is the /var/log/syslog
Oct 8 17:22:35 samba467 dhcpd: Expired: IP: 192.168.16.37
Oct 8 17:22:35 samba467 dhcpd: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns.sh
Oct 8 17:22:35 samba467 dhcpd: execute_statement argv[1] = delete
Oct 8 17:22:35 samba467 dhcpd: execute_statement argv[2] = 192.168.16.37
Oct 8 17:22:35 samba467 dhcpd: execute_statement argv[3] =
Oct 8 17:22:35 samba467 dhcpd: execute_statement argv[4] = 0
Oct 8 17:22:35 samba467 dhcpd: execute: /etc/dhcp/bin/dhcp-dyndns.sh exit status 256
Maybe these lines should be commented out:
# Exit if no ip address or mac-address
if [ -z "${ip}" ] || [ -z "${DHCID}" ]; then
    usage
    exit 1
fi
Thanks for the valuable help,
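Added example, not part of the thread or of the script under discussion: the syslog above shows the expiry call passing an empty argv[3], which the quoted check rejects. One way to keep input validation without blocking expiry is to require the DHCID only for add. The function names, the return codes and the assumption that a delete needs only the IP are this example's own.

```shell
#!/bin/sh
# validate_args ACTION IP DHCID NAME  (hypothetical, not from dhcp-dyndns.sh)
# Return codes: 0 ok, 1 bad action, 2 bad IP, 3 missing DHCID, 4 bad name.
# Assumption: a delete can be processed from the IP alone, since the expiry
# call in the syslog passes an empty DHCID and "0" as the name.
is_ipv4() {
    # Reject anything but digits and dots, and empty leading/trailing fields.
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ????*) return 1 ;;          # more than three digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
}

validate_args() {
    action=$1 ip=$2 DHCID=$3 name=$4
    case "$action" in
        add|delete) ;;
        *) return 1 ;;
    esac
    is_ipv4 "$ip" || return 2
    # Expiry and release only identify the lease by address.
    if [ "$action" = delete ]; then
        return 0
    fi
    [ -n "$DHCID" ] || return 3
    # argv[4] is the client-supplied name: accept a single host label only
    # (letters, digits, hyphen; no leading or trailing hyphen; 1-63 chars).
    case "$name" in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 4 ;;
    esac
    [ "${#name}" -le 63 ] || return 4
    return 0
}

# Constructed sample: the expiry call from the syslog above.
validate_args delete 192.168.16.37 "" 0 && echo "expiry delete accepted"
```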