The DDNS setup from the wiki uses the keytab of the separate
"Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server";
you have to check this one, not the one which BIND uses.

Regards

On 16.05.2018 at 12:45, Rowland Penny via samba wrote:
> On Wed, 16 May 2018 12:32:52 +0200
> Stefan Kania via samba <samba at lists.samba.org> wrote:
>
>> It's me again :-) Now we have DDNS with DHCP running but we have
>> a problem on one of our two DCs. Btw we used the setup and the
>> script from wiki. Doing a "dhclient" on a host we are getting the
>> following messages:
>> -------------
>> Mai 16 12:13:28 samba41 dhcpd[3961]: Commit: IP: 192.168.0.249 DHCID: 1:50:5b:5d:1c:ab:aa Name: horst
>> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns.sh
>> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[1] = add
>> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[2] = 192.168.0.249
>> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[3] = 1:50:5b:5d:1c:ab:aa
>> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[4] = horst
>> Mai 16 12:13:28 samba41 root[7505]: DHCP-DNS Update failed: 11
>> Mai 16 12:13:28 samba41 dhcpd[3961]: execute: /etc/dhcp/bin/dhcp-dyndns.sh exit status 2816
>> -------------
>>
>> We then tried to create the entry with the script:
>> ----------------
>> /etc/dhcp/bin/dhcp-dyndns.sh "add" 192.168.225.60 1:50:5b:5d:1c:ab:aa horst
>> . . .
>> 3160958102.sig-samba41.example.net. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
>>
>> dns_tkey_negotiategss: TKEY is unacceptable
>> ----------------
>>
>> Then we checked with:
>> -----------
>> samba_dnsupdate --verbose
>> -----------
>> Everything is fine, no error about the unacceptable TKEY.
>>
>> We did everything from:
>> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>>
>> - deleted the dns.keytab
>> - deleted the dns-samba41 user
>> - run "samba_upgradedns --dns-backend=BIND9_DLZ"
>>
>> We checked the permissions of all files. We checked the bind9
>> config for the TKEY line. Everything is ok. The update works on
>> the second DC without any error about the key. It's only one ADDC
>> that makes the problem. The only difference we found was that
>> the username on the working ADDC is in capital letters
>> (CN=dns-SAMBA42) and on the non-working ADDC in small letters
>> (CN=dns-samba41). But on both systems it's the same inside the
>> dns.keytab. (small = non-working | capital = working).
>>
>> Any help?
>>
>> Stefan
>>
>
> Have you set up 'failover'? The records belong to whoever creates
> them, so if one DC creates them, then the other cannot.
>
> Rowland
>

-- 
Dr. Christian Naumer
Research Scientist
Platform Coordinator Bioprocess Engineering
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Commercial register: Darmstadt Local Court (AG Darmstadt), HRB 24758
Management board: Dr. Juergen Eck (Chairman), Frank Goebel
Chairman of the supervisory board: Dr. Ludger Mueller
@Rowland: The tip with the server that created the entry was good, but
not our problem. We tried it with different hosts on both systems.

@Christian: I know, but at some point you try everything ;-)

We fixed it the Microsoft way by rebooting both DCs; after the reboot
everything was fine :-)

On 16.05.2018 at 12:57, Christian Naumer via samba wrote:
> The DDNS setup from the wiki uses the keytab of the separate
> "Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server";
> you have to check this one, not the one which BIND uses.
>
> Regards
>
> On 16.05.2018 at 12:45, Rowland Penny via samba wrote:
>> On Wed, 16 May 2018 12:32:52 +0200
>> Stefan Kania via samba <samba at lists.samba.org> wrote:
>>
>>> It's me again :-) Now we have DDNS with DHCP running but we have
>>> a problem on one of our two DCs. Btw we used the setup and the
>>> script from wiki. Doing a "dhclient" on a host we are getting the
>>> following messages:
>>> -------------
>>> Mai 16 12:13:28 samba41 dhcpd[3961]: Commit: IP: 192.168.0.249 DHCID: 1:50:5b:5d:1c:ab:aa Name: horst
>>> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns.sh
>>> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[1] = add
>>> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[2] = 192.168.0.249
>>> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[3] = 1:50:5b:5d:1c:ab:aa
>>> Mai 16 12:13:28 samba41 dhcpd[3961]: execute_statement argv[4] = horst
>>> Mai 16 12:13:28 samba41 root[7505]: DHCP-DNS Update failed: 11
>>> Mai 16 12:13:28 samba41 dhcpd[3961]: execute: /etc/dhcp/bin/dhcp-dyndns.sh exit status 2816
>>> -------------
>>>
>>> We then tried to create the entry with the script:
>>> ----------------
>>> /etc/dhcp/bin/dhcp-dyndns.sh "add" 192.168.225.60 1:50:5b:5d:1c:ab:aa horst
>>> . . .
>>> 3160958102.sig-samba41.example.net. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
>>>
>>> dns_tkey_negotiategss: TKEY is unacceptable
>>> ----------------
>>>
>>> Then we checked with:
>>> -----------
>>> samba_dnsupdate --verbose
>>> -----------
>>> Everything is fine, no error about the unacceptable TKEY.
>>>
>>> We did everything from:
>>> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>>>
>>> - deleted the dns.keytab
>>> - deleted the dns-samba41 user
>>> - run "samba_upgradedns --dns-backend=BIND9_DLZ"
>>>
>>> We checked the permissions of all files. We checked the bind9
>>> config for the TKEY line. Everything is ok. The update works on
>>> the second DC without any error about the key. It's only one ADDC
>>> that makes the problem. The only difference we found was that
>>> the username on the working ADDC is in capital letters
>>> (CN=dns-SAMBA42) and on the non-working ADDC in small letters
>>> (CN=dns-samba41). But on both systems it's the same inside the
>>> dns.keytab. (small = non-working | capital = working).
>>>
>>> Any help?
>>>
>>> Stefan
>>>
>>
>> Have you set up 'failover'? The records belong to whoever creates
>> them, so if one DC creates them, then the other cannot.
>>
>> Rowland
>>
>
On Wed, 16 May 2018 12:57:31 +0200
Christian Naumer via samba <samba at lists.samba.org> wrote:

> The DDNS setup from the wiki uses the keytab of the separate
> "Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server";
> you have to check this one, not the one which BIND uses.
>

How did I get that wrong? Yes, the script uses 'dhcpduser' to run
nsupdate, so it should work on both DCs, provided they are set up
correctly, but you should still set up 'failover', or both DCs will try
to respond ;-)

Rowland
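As an added diagnostic that is not the wiki's dhcp-dyndns.sh and not Samba's own code, the POSIX shell script below walks the chain Christian and Rowland point at: it checks the unprivileged DHCP user's keytab rather than BIND's dns.keytab, obtains a ticket from it, and sends a prerequisite-only GSS-TSIG update to the DC so a BADKEY shows up without changing any record; it also decodes the `exit status 2816` dhcpd logged above back to the hook's own exit code 11. The keytab path, principal, zone and DC name are assumed placeholders.

```shell
#!/bin/sh
# Added diagnostic for the thread above: not the wiki's dhcp-dyndns.sh and
# not Samba code. It walks the chain the DHCP hook depends on, using the
# unprivileged DHCP user's keytab, NOT BIND's dns.keytab. The four values
# below are assumed placeholders; override them via the environment.
KEYTAB="${DDNS_KEYTAB:-/etc/dhcpduser.keytab}"
PRINC="${DDNS_PRINC:-dhcpduser@EXAMPLE.NET}"
ZONE="${DDNS_ZONE:-example.net}"
DC="${DDNS_DC:-samba41.example.net}"
# Log line quoted from the thread, used to show the status decoding.
SAMPLE_LOG='Mai 16 12:13:28 samba41 dhcpd[3961]: execute: /etc/dhcp/bin/dhcp-dyndns.sh exit status 2816'

# dhcpd logs the raw wait status of the hook; the hook's own exit code is
# the high byte, so "exit status 2816" means the script exited 11, which
# matches the "DHCP-DNS Update failed: 11" line the script logged itself.
decode_wait_status() {
    echo $(( $1 / 256 ))
}

# Extracts N from a dhcpd "execute: ... exit status N" line and decodes it;
# returns 1 when the line carries no exit status.
hook_exit_from_log() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*exit status \([0-9][0-9]*\).*/\1/p')
    [ -n "$n" ] || return 1
    decode_wait_status "$n"
}

# A readable keytab that lacks the principal fails at TKEY time just like a
# wrong key, so check the contents, not only the file's permissions.
keytab_has_principal() {
    [ -r "$1" ] && klist -k "$1" | grep -q -F "$2"
}

ddns_check() {
    export KRB5CCNAME="FILE:/tmp/ddns-check.$$"
    if ! keytab_has_principal "$KEYTAB" "$PRINC"; then
        echo "FAIL: $PRINC not in $KEYTAB (or keytab unreadable)"; return 1
    fi
    if ! kinit -k -t "$KEYTAB" "$PRINC"; then
        echo "FAIL: kinit from $KEYTAB; keytab and KDC disagree on the key"; return 2
    fi
    # Prerequisite-only update: negotiates GSS-TSIG with the DC but changes
    # nothing, so BADKEY / "TKEY is unacceptable" surfaces here harmlessly.
    if ! printf 'server %s\nzone %s\nprereq yxdomain %s\nsend\n' "$DC" "$ZONE" "$ZONE" | nsupdate -g; then
        kdestroy; echo "FAIL: $DC rejected the GSS-TSIG update"; return 3
    fi
    kdestroy; echo "OK: $PRINC negotiated GSS-TSIG with $DC"
}

if [ "${1:-}" = "run" ]; then ddns_check; fi
```

Run it as the user that owns the DHCP keytab (`sh ddns-check.sh run`) on each DC; the first FAIL line tells you which link of the chain differs between the working and the non-working DC.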
On Wed, 16 May 2018 13:25:41 +0200
Stefan Kania via samba <samba at lists.samba.org> wrote:

> @Rowland: The tip with the server that created the entry was good, but
> not our problem. We tried it with different hosts on both systems.
> @Christian: I know, but at some point you try everything ;-)
> We fixed it the Microsoft way by rebooting both DCs; after the reboot
> everything was fine :-)
>

Ah yes, the old 'if it doesn't work, kick it' repair method ;-)

Rowland