thr3ads.net - samba - [Samba] DDNS with bind9 and isc-dhcp-server [Aug 2018]

If this information is useful, please help other people find it:
Share via:

Stefan Kania

2018-Aug-15 20:02 UTC

[Samba] DDNS with bind9 and isc-dhcp-server

Hello List, Hello Rowland :-)
again I'm having problems with the DDNS. I did it as shown in the wiki.
I took all teh scripts from the wiki the dhcp-dyndns.sh is Version: 0.8.9
I configured everything including the failover. When I start the two
DHCP-Server everything is perfect. I see the right messages in the log,
the two DHCP-Servers are talking to each other. When a Client ask for an
IP-adresse he get's one. BUT the DNS-Update is not working. Here is the
result from the log:
--------------------

Aug 15 21:27:51 sambabuch dhcpd[572]: Commit: IP: 192.168.56.221 DHCID:
1:8:0:27:7b:f1:f2 Name: linux-client
Aug 15 21:27:51 sambabuch dhcpd[572]: execute_statement argv[0]
/etc/dhcp/bin/dhcp-dyndns.sh
Aug 15 21:27:51 sambabuch dhcpd[572]: execute_statement argv[1] = add
Aug 15 21:27:51 sambabuch dhcpd[572]: execute_statement argv[2] 192.168.56.221
Aug 15 21:27:51 sambabuch dhcpd[572]: execute_statement argv[3]
1:8:0:27:7b:f1:f2
Aug 15 21:27:51 sambabuch dhcpd[572]: execute_statement argv[4] linux-client
Aug 15 21:27:51 sambabuch root[671]: 15-08-18 21:27:51 [dyndns] :
Getting new ticket, old one has expired
Aug 15 21:27:51 sambabuch root[674]: 15-08-18 21:27:51 [dyndns] : dhcpd
kinit for dynamic DNS failed
Aug 15 21:27:51 sambabuch dhcpd[572]: execute:
/etc/dhcp/bin/dhcp-dyndns.sh exit status 256
Aug 15 21:27:51 sambabuch dhcpd[572]: DHCPREQUEST for 192.168.56.221
from 08:00:27:7b:f1:f2 (linux-client) via enp0s8
Aug 15 21:27:51 sambabuch dhcpd[572]: DHCPACK on 192.168.56.221 to
08:00:27:7b:f1:f2 (linux-client) via enp0s8
--------------------

I saw there is a problem with the kerberos ticket so I checked with:
---------------------
root at sambabuch:~# klist -c /tmp/dhcp-dyndns.cc
klist: No ticket file: /tmp/dhcp-dyndns.cc
---------------------

Then I executed the part of the script step by step
---------------------
root at sambabuch:~# domain=$(hostname -d)
root at sambabuch:~# REALM=$(echo ${domain^^})
root at sambabuch:~# echo $REALM
EXAMPLE.NET
root at sambabuch:~# SETPRINCIPAL="dhcpduser@${REALM}"
root at sambabuch:~# echo $SETPRINCIPAL
dhcpduser at EXAMPLE.NET
root at sambabuch:~# kinit -F -k -t /etc/dhcpduser.keytab -c
/tmp/dhcp-dyndns.cc "${SETPRINCIPAL}"
root at sambabuch:~# klist -c /tmp/dhcp-dyndns.cc
Credentials cache: FILE:/tmp/dhcp-dyndns.cc
        Principal: dhcpduser at EXAMPLE.NET

  Issued                Expires               Principal
Aug 15 21:40:17 2018  Aug 16 07:40:17 2018  krbtgt/EXAMPLE.NET at EXAMPLE.NET

---------------------

Then I restarted the client, I'm getting the following messages:
---------------------Aug 15 21:43:29 sambabuch dhcpd[572]: Commit: IP:
192.168.56.221 DHCID: 1:8:0:27:7b:f1:f2 Name: linux-client
Aug 15 21:43:29 sambabuch dhcpd[572]: execute_statement argv[0]
/etc/dhcp/bin/dhcp-dyndns.sh
Aug 15 21:43:29 sambabuch dhcpd[572]: execute_statement argv[1] = add
Aug 15 21:43:29 sambabuch dhcpd[572]: execute_statement argv[2] 192.168.56.221
Aug 15 21:43:29 sambabuch dhcpd[572]: execute_statement argv[3]
1:8:0:27:7b:f1:f2
Aug 15 21:43:29 sambabuch dhcpd[572]: execute_statement argv[4] linux-client
Aug 15 21:43:29 sambabuch named[506]: client 127.0.0.1#38287/key
dhcpduser\@EXAMPLE.NET: updating zone '168.192.IN-ADDR.ARPA/IN': update
failed: not authoritative for update zone (NOTAUTH)
Aug 15 21:43:29 sambabuch root[766]: DHCP-DNS Update failed: 22
Aug 15 21:43:29 sambabuch dhcpd[572]: execute:
/etc/dhcp/bin/dhcp-dyndns.sh exit status 5632
Aug 15 21:43:29 sambabuch dhcpd[572]: reuse_lease: lease age 88 (secs)
under 25% threshold, reply with unaltered, existing lease for 192.168.56.221
Aug 15 21:43:29 sambabuch dhcpd[572]: DHCPREQUEST for 192.168.56.221
from 08:00:27:7b:f1:f2 (linux-client) via enp0s8
Aug 15 21:43:29 sambabuch dhcpd[572]: DHCPACK on 192.168.56.221 to
08:00:27:7b:f1:f2 (linux-client) via enp0s8

---------------------
And now I don't know where to look.



Here is my dhcpd.conf from the secondary
---------------------
authoritative;
ddns-update-style none;

# Start failover Konfiguration
failover peer "dhcp-failover" {
  secondary;
  address sambabuch-02.example.net;
  peer address sambabuch.example.net;
  max-response-delay 60;
  max-unacked-updates 10;
  load balance max seconds 3;
}
# End failover configuration

subnet 192.168.56.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.56.255;
  option time-offset 0;
#  option routers 192.168.0.1;
  option domain-name "example.net";
  option domain-name-servers 192.168.56.31, 192.168.56.32;
  option netbios-name-servers 192.168.56.11;
  option ntp-servers 192.168.0.31, 192.168.56.32;
  pool {
    failover peer "dhcp-failover"; # Add for failover
    max-lease-time 1800; # 30 minutes
    range 192.168.56.220 192.168.56.239;
  }
}

on commit {
set noname = concat("dhcp-", binary-to-ascii(10, 8, "-",
leased-address));
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
set ClientName = pick-first-value(option host-name,
config-option-host-name, client-name, noname);
log(concat("Commit: IP: ", ClientIP, " DHCID: ",
ClientDHCID, " Name: ",
ClientName));
execute("/etc/dhcp/bin/dhcp-dyndns.sh", "add", ClientIP,
ClientDHCID,
ClientName);
}

on release {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
log(concat("Release: IP: ", ClientIP));
execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP,
ClientDHCID);
}

on expiry {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
# cannot get a ClientMac here, apparently this only works when actually
receiving a packet
log(concat("Expired: IP: ", ClientIP));
# cannot get a ClientName here, for some reason that always fails
execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP,
"", "0");
}

omapi-port 7911;
omapi-key omapi_key;

key omapi_key {
     algorithm hmac-md5;
          secret
VeKKfYgBBx6i1KJZGUZBb5/hprxWUtquYc6eMMA9ucff5//4bnWJ+JcRJ70A6H6Q2dn67EbyTmeMigbdZ6JS1w==;
}
---------------------


And from the master
---------------------
authoritative;
ddns-update-style none;


#Start failover configuration
failover peer "dhcp-failover" {
  primary;
  address sambabuch.example.net;
  peer address sambabuch-02.example.net;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  split 128;
  load balance max seconds 3;
}
# End failover configuration


subnet 192.168.56.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.56.255;
  option time-offset 0;
#  option routers 192.168.0.1;
  option domain-name "example.net";
  option domain-name-servers 192.168.56.31, 192.168.56.32;
  option netbios-name-servers 192.168.56.11;
  option ntp-servers 192.168.56.31, 192.168.56.32;
  pool {
                failover peer "dhcp-failover"; # Add for failover
    max-lease-time 1800; # 30 minutes
    range 192.168.56.220 192.168.56.239;
  }
}

on commit {
set noname = concat("dhcp-", binary-to-ascii(10, 8, "-",
leased-address));
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
set ClientName = pick-first-value(option host-name,
config-option-host-name, client-name, noname);
log(concat("Commit: IP: ", ClientIP, " DHCID: ",
ClientDHCID, " Name: ",
ClientName));
execute("/etc/dhcp/bin/dhcp-dyndns.sh", "add", ClientIP,
ClientDHCID,
ClientName);
}

on release {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
log(concat("Release: IP: ", ClientIP));
execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP,
ClientDHCID);
}

on expiry {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
# cannot get a ClientMac here, apparently this only works when actually
receiving a packet
log(concat("Expired: IP: ", ClientIP));
# cannot get a ClientName here, for some reason that always fails
execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP,
"", "0");
}

omapi-port 7911;
omapi-key omapi_key;

key omapi_key {
     algorithm hmac-md5;
                      secret
VeKKfYgBBx6i1KJZGUZBb5/hprxWUtquYc6eMMA9ucff5//4bnWJ+JcRJ70A6H6Q2dn67EbyTmeMigbdZ6JS1w==;
}
---------------------

Permissions:
root at sambabuch:~# ls -l /etc/dhcp/bin/dhcp-dyndns.sh
-rwxr-xr-x 1 root root 4065 Aug 13 21:14 /etc/dhcp/bin/dhcp-dyndns.sh

root at sambabuch:~# ls -l /etc/dhcpduser.keytab
-r-------- 1 root root 337 Aug 15 21:05 /etc/dhcpduser.keytab

As always, any help is welcome :-)

Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20180815/18ef3292/signature.sig>

Rowland Penny

2018-Aug-15 20:26 UTC

head link

[Samba] DDNS with bind9 and isc-dhcp-server

On Wed, 15 Aug 2018 22:02:42 +0200
Stefan Kania via samba <samba at lists.samba.org> wrote:
> Hello List, Hello Rowland :-)
> again I'm having problems with the DDNS. I did it as shown in the
> wiki. I took all teh scripts from the wiki the dhcp-dyndns.sh is
> Version: 0.8.9 I configured everything including the failover. When I
> start the two DHCP-Server everything is perfect. I see the right
> messages in the log, the two DHCP-Servers are talking to each other.
> When a Client ask for an IP-adresse he get's one. BUT the DNS-Update
> is not working. Here is the result from the log:
> --------------------
> 
> Aug 15 21:27:51 sambabuch dhcpd[572]: Commit: IP: 192.168.56.221
> DHCID: 1:8:0:27:7b:f1:f2 Name: linux-client
> Aug 15 21:27:51 sambabuch dhcpd[572]: execute_statement argv[0] >
/etc/dhcp/bin/dhcp-dyndns.sh
> Aug 15 21:27:51 sambabuch dhcpd[572]: execute_statement argv[1] = add
> Aug 15 21:27:51 sambabuch dhcpd[572]: execute_statement argv[2] >
192.168.56.221
> Aug 15 21:27:51 sambabuch dhcpd[572]: execute_statement argv[3] >
1:8:0:27:7b:f1:f2
> Aug 15 21:27:51 sambabuch dhcpd[572]: execute_statement argv[4] >
linux-client
> Aug 15 21:27:51 sambabuch root[671]: 15-08-18 21:27:51 [dyndns] :
> Getting new ticket, old one has expired
> Aug 15 21:27:51 sambabuch root[674]: 15-08-18 21:27:51 [dyndns] :
> dhcpd kinit for dynamic DNS failed
> Aug 15 21:27:51 sambabuch dhcpd[572]: execute:
> /etc/dhcp/bin/dhcp-dyndns.sh exit status 256
> Aug 15 21:27:51 sambabuch dhcpd[572]: DHCPREQUEST for 192.168.56.221
> from 08:00:27:7b:f1:f2 (linux-client) via enp0s8
> Aug 15 21:27:51 sambabuch dhcpd[572]: DHCPACK on 192.168.56.221 to
> 08:00:27:7b:f1:f2 (linux-client) via enp0s8
> --------------------
> 
OK, it should look similar to this:

Aug 15 21:14:19 dc3 dhcpd: Commit: IP: 192.168.0.59 DHCID: 1:cc:4e:ec:e9:c8:d3
Name: dhcp-192-168-0-59
Aug 15 21:14:19 dc3 dhcpd: execute_statement argv[0] =
/usr/local/bin/dhcp-dyndns.sh
Aug 15 21:14:19 dc3 dhcpd: execute_statement argv[1] = add
Aug 15 21:14:19 dc3 dhcpd: execute_statement argv[2] = 192.168.0.59
Aug 15 21:14:19 dc3 dhcpd: execute_statement argv[3] = 1:cc:4e:ec:e9:c8:d3
Aug 15 21:14:19 dc3 dhcpd: execute_statement argv[4] = dhcp-192-168-0-59
Aug 15 21:14:19 dc3 named[19425]: samba_dlz: starting transaction on zone
samdom.example.com
Aug 15 21:14:19 dc3 named[19425]: samba_dlz: allowing update of
signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=dhcp-192-168-0-59.samdom.example.com
tcpaddr=127.0.0.1 type=A key=2794253846.sig-dc3.samdom.example.com/160/0
Aug 15 21:14:19 dc3 named[19425]: samba_dlz: allowing update of
signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=dhcp-192-168-0-59.samdom.example.com
tcpaddr=127.0.0.1 type=A key=2794253846.sig-dc3.samdom.example.com/160/0
Aug 15 21:14:19 dc3 named[19425]: samba_dlz: subtracted rdataset
dhcp-192-168-0-59.samdom.example.com
'dhcp-192-168-0-59.samdom.example.com.#0113600#011IN#011A#011192.168.0.59'
Aug 15 21:14:19 dc3 named[19425]: samba_dlz: added rdataset
dhcp-192-168-0-59.samdom.example.com
'dhcp-192-168-0-59.samdom.example.com.#0113600#011IN#011A#011192.168.0.59'
Aug 15 21:14:19 dc3 named[19425]: samba_dlz: committed transaction on zone
samdom.example.com
Aug 15 21:14:19 dc3 named[19425]: samba_dlz: starting transaction on zone
0.168.192.in-addr.arpa
Aug 15 21:14:19 dc3 named[19425]: samba_dlz: allowing update of
signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=59.0.168.192.in-addr.arpa
tcpaddr=127.0.0.1 type=PTR key=3218171095.sig-dc3.samdom.example.com/160/0
Aug 15 21:14:19 dc3 named[19425]: samba_dlz: allowing update of
signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=59.0.168.192.in-addr.arpa
tcpaddr=127.0.0.1 type=PTR key=3218171095.sig-dc3.samdom.example.com/160/0
Aug 15 21:14:19 dc3 named[19425]: samba_dlz: subtracted rdataset
59.0.168.192.in-addr.arpa
'59.0.168.192.in-addr.arpa.#0113600#011IN#011PTR#011dhcp-192-168-0-59.samdom.example.com.'
Aug 15 21:14:19 dc3 named[19425]: samba_dlz: added rdataset
59.0.168.192.in-addr.arpa
'59.0.168.192.in-addr.arpa.#0113600#011IN#011PTR#011dhcp-192-168-0-59.samdom.example.com.'
Aug 15 21:14:19 dc3 named[19425]: samba_dlz: committed transaction on zone
0.168.192.in-addr.arpa
Aug 15 21:14:19 dc3 root: DHCP-DNS Update succeeded
Aug 15 21:14:20 dc3 dhcpd: DHCPREQUEST for 192.168.0.59 from cc:4e:ec:e9:c8:d3
via eth0
Aug 15 21:14:20 dc3 dhcpd: DHCPACK on 192.168.0.59 to cc:4e:ec:e9:c8:d3 via eth0

It looks like the update script is not running or failing somewhere.

What OS ?
What is in the named conf files ?

Rowland

Stefan Kania

2018-Aug-16 06:54 UTC

head link

[Samba] DDNS with bind9 and isc-dhcp-server

Good Morning,

Am 15.08.2018 um 22:26 schrieb Rowland Penny via samba:> It looks like the update script is not running or failing somewhere.
> 
> What OS ?It's a Debian 9 with Samba 4.8.3 from Louis. Bind9 is from the debian
repositories so its a 9.10.
If I join a Client (without DHCP and a fix IP-addresse) the DNS-Server
is updated so I can resolve the Client-IP.

If I do a:
-------------------
root at sambabuch:~# /etc/dhcp/bin/dhcp-dyndns.sh add 192.168.56.221
1:8:0:27:7b:f1:f2 linux-client
-------------------
I got a very long out put from DNS:
-------------------
...
Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  35944
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; UPDATE SECTION:
linux-client.example.net. 0     ANY     A
linux-client.example.net. 3600  IN      A       192.168.56.221
...
Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  31600
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; UPDATE SECTION:
221.56.168.192.in-addr.arpa. 0  ANY     PTR
221.56.168.192.in-addr.arpa. 3600 IN    PTR     linux-client.example.net.
...
;; TSIG PSEUDOSECTION:
1525823762.sig-sambabuch.example.net. 0 ANY TSIG gss-tsig. 1534402054
300 28 BAQF//////8AAAAAIVrv+6o2Iki9h5Nlvd13Ag== 31600 NOERROR 0
-------------------
This looks good for me. But:
-------------------
root at sambabuch:~# host linux-client
Host linux-client not found: 3(NXDOMAIN)
root at sambabuch:~# host linux-client.example.net
Host linux-client.example.net not found: 3(NXDOMAIN)
-------------------
> What is in the named conf files ?Here the content of the named.conf.options
------------------
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses
replacing
        // the all-0's placeholder.

        forwarders {
                1.1.1.1;
        };
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

//=======================================================================       
// If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See
https://www.isc.org/bind-keys

//=======================================================================       
dnssec-validation no;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        allow-recursion { any; };
        allow-query { any; };
        allow-query-cache { any; };
};
------------------
And named.conf.local
------------------
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
include "/var/lib/samba/bind-dns/named.conf";

------------------
It must work, I had it working before, but now I can't find the problem :-(

Stefan


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20180816/3011f0e5/signature.sig>

Reasonably Related Threads

Search for more maybe matching threads

samba - Aug 2018 - DDNS with bind9 and isc-dhcp-server

[Samba] DDNS with bind9 and isc-dhcp-server

[Samba] DDNS with bind9 and isc-dhcp-server

[Samba] DDNS with bind9 and isc-dhcp-server

Reasonably Related Threads