Rowland Penny
2019-Jan-11 09:13 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
On Thu, 10 Jan 2019 22:23:41 +0000 (UTC) Billy Bob <billysbobs at yahoo.com> wrote:

> On Thursday, January 10, 2019 2:56 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> >Uncomment line 10, adjust it for prefix if Samba isn't in /usr/local and then try again.
>
> Here it is with script properly configured.
> Regarding the later lines having to do with the script, I clearly don't know what exactly is causing them. But surely they are all somehow part of this update process?
>
> Jan 10 15:46:23 dc01 dhcpd[1208]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
> Jan 10 15:46:23 dc01 dhcpd[1208]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
> Jan 10 15:46:23 dc01 dhcpd[1208]: execute_statement argv[1] = add
> Jan 10 15:46:23 dc01 dhcpd[1208]: execute_statement argv[2] = 172.20.10.165
> Jan 10 15:46:23 dc01 dhcpd[1208]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
> Jan 10 15:46:23 dc01 dhcpd[1208]: execute_statement argv[4] = mgmt01

The above lines are from dhcpd.conf, where it is trying to run dhcp-dyndns.sh

> Jan 10 15:46:23 dc01 sh[1208]: Reply from SOA query:
> Jan 10 15:46:23 dc01 sh[1208]: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65508
> Jan 10 15:46:23 dc01 sh[1208]: ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> Jan 10 15:46:23 dc01 sh[1208]: ;; QUESTION SECTION:
> Jan 10 15:46:23 dc01 sh[1208]: ;mgmt01.corp.<DOMAIN>.com. IN SOA
> Jan 10 15:46:23 dc01 sh[1208]: ;; AUTHORITY SECTION:
> Jan 10 15:46:23 dc01 sh[1208]: corp.<DOMAIN>.com. 0 IN SOA dc01.corp.<DOMAIN>.com. hostmaster.corp.<DOMAIN>.com. 38 900 600 86400 3600
> Jan 10 15:46:23 dc01 sh[1208]: Found zone name: corp.<DOMAIN>.com
> Jan 10 15:46:23 dc01 sh[1208]: The master is: dc01.corp.<DOMAIN>.com
> Jan 10 15:46:23 dc01 sh[1208]: start_gssrequest
> Jan 10 15:46:23 dc01 sh[1208]: send_gssrequest
> Jan 10 15:46:23 dc01 sh[1208]: Outgoing update query:
> Jan 10 15:46:23 dc01 sh[1208]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22388
> Jan 10 15:46:23 dc01 sh[1208]: ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> Jan 10 15:46:23 dc01 sh[1208]: ;; QUESTION SECTION:
> Jan 10 15:46:23 dc01 sh[1208]: ;3756749263.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
> Jan 10 15:46:23 dc01 sh[1208]: ;; ADDITIONAL SECTION:
> Jan 10 15:46:23 dc01 sh[1208]: 3756749263.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 1547156783 1547156783 3 NOERROR 1397 YIIFcQYGKwYBBQUCoIIFZTCCBWGgDTALBgkqhkiG9xIBAgKiggVOBIIFSmCCBUYGCSqGSIb3EgECAgEAboIFNTCCBTGgAwIBBaEDAgEOo
> Jan 10 15:46:23 dc01 sh[1208]: recvmsg reply from GSS-TSIG query
> Jan 10 15:46:23 dc01 sh[1208]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22388
> Jan 10 15:46:23 dc01 sh[1208]: ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> Jan 10 15:46:23 dc01 sh[1208]: ;; QUESTION SECTION:
> Jan 10 15:46:23 dc01 sh[1208]: ;3756749263.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
> Jan 10 15:46:23 dc01 sh[1208]: ;; ANSWER SECTION:
> Jan 10 15:46:23 dc01 sh[1208]: 3756749263.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
> Jan 10 15:46:23 dc01 sh[1208]: dns_tkey_gssnegotiate: TKEY is unacceptable
> Jan 10 15:46:23 dc01 sh[1208]: Reply from SOA query:
> Jan 10 15:46:23 dc01 sh[1208]: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9273
> Jan 10 15:46:23 dc01 sh[1208]: ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> Jan 10 15:46:23 dc01 sh[1208]: ;; QUESTION SECTION:
> Jan 10 15:46:23 dc01 sh[1208]: ;165.10.20.172.in-addr.arpa. IN SOA
> Jan 10 15:46:23 dc01 sh[1208]: ;; AUTHORITY SECTION:
> Jan 10 15:46:23 dc01 sh[1208]: 10.20.172.in-addr.arpa. 0 IN SOA dc01.corp.<DOMAIN>.com. hostmaster.corp.<DOMAIN>.com. 2 900 600 86400 3600
> Jan 10 15:46:23 dc01 sh[1208]: Found zone name: 10.20.172.in-addr.arpa
> Jan 10 15:46:23 dc01 sh[1208]: The master is: dc01.corp.<DOMAIN>.com
> Jan 10 15:46:23 dc01 sh[1208]: start_gssrequest
> Jan 10 15:46:23 dc01 sh[1208]: send_gssrequest
> Jan 10 15:46:23 dc01 sh[1208]: Outgoing update query:
> Jan 10 15:46:23 dc01 sh[1208]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58152
> Jan 10 15:46:23 dc01 sh[1208]: ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> Jan 10 15:46:23 dc01 sh[1208]: ;; QUESTION SECTION:
> Jan 10 15:46:23 dc01 sh[1208]: ;2065761415.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
> Jan 10 15:46:23 dc01 sh[1208]: ;; ADDITIONAL SECTION:
> Jan 10 15:46:23 dc01 sh[1208]: 2065761415.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 1547156783 1547156783 3 NOERROR 1396 YIIFcAYGKwYBBQUCoIIFZDCCBWCgDTALBgkqhkiG9xIBAgKiggVNBIIFSWCCBUUGCSqGSIb3EgECAgEAboIFNDCCBTCgAwIBBaEDAgEOo
> Jan 10 15:46:23 dc01 sh[1208]: recvmsg reply from GSS-TSIG query
> Jan 10 15:46:23 dc01 sh[1208]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58152
> Jan 10 15:46:23 dc01 sh[1208]: ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> Jan 10 15:46:23 dc01 sh[1208]: ;; QUESTION SECTION:
> Jan 10 15:46:23 dc01 sh[1208]: ;2065761415.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
> Jan 10 15:46:23 dc01 sh[1208]: ;; ANSWER SECTION:
> Jan 10 15:46:23 dc01 sh[1208]: 2065761415.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
> Jan 10 15:46:23 dc01 sh[1208]: dns_tkey_gssnegotiate: TKEY is unacceptable

I have no idea where the above is coming from, but it isn't from the dhcp scripts.

> Jan 10 15:46:23 dc01 dhcpd[1208]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816

The above line shows that dhcp-dyndns.sh is failing, turn on debug in the script to find out why.

> Jan 10 15:46:23 dc01 dhcpd[1208]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
> Jan 10 15:46:23 dc01 dhcpd[1208]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1

The above two lines are from dhcpd

Rowland
Billy Bob
2019-Jan-11 16:13 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
On Friday, January 11, 2019 3:14 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

>I have no idea where the above is coming from, but it isn't from the dhcp scripts.

I don't know what to tell you, Rowland. The previous logs were with the -d option in place, and those extra lines were what was added as a result of the -d option.

Here is what the logs show WITHOUT the -d option:

Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Jan 11 10:00:36 dc01 dhcpd[1704]: reuse_lease: lease age 364 (secs) under 25% threshold, reply with unaltered, existing lease for 172.20.10.165
Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1

and here is the same/similar transaction WITH the -d option, showing the mystery lines being added:

Jan 11 09:54:32 dc01 dhcpd[1181]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
Jan 11 09:54:32 dc01 dhcpd[1181]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 11 09:54:32 dc01 dhcpd[1181]: execute_statement argv[1] = add
Jan 11 09:54:32 dc01 dhcpd[1181]: execute_statement argv[2] = 172.20.10.165
Jan 11 09:54:32 dc01 dhcpd[1181]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
Jan 11 09:54:32 dc01 dhcpd[1181]: execute_statement argv[4] = mgmt01
Jan 11 09:54:32 dc01 sh[1181]: Reply from SOA query:
Jan 11 09:54:32 dc01 sh[1181]: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11079
Jan 11 09:54:32 dc01 sh[1181]: ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
Jan 11 09:54:32 dc01 sh[1181]: ;; QUESTION SECTION:
Jan 11 09:54:32 dc01 sh[1181]: ;mgmt01.corp.<DOMAIN>.com. IN SOA
Jan 11 09:54:32 dc01 sh[1181]: ;; AUTHORITY SECTION:
Jan 11 09:54:32 dc01 sh[1181]: corp.<DOMAIN>.com. 0 IN SOA dc01.corp.<DOMAIN>.com. hostmaster.corp.<DOMAIN>.com. 38 900 600 86400 3600
Jan 11 09:54:32 dc01 sh[1181]: Found zone name: corp.<DOMAIN>.com
Jan 11 09:54:32 dc01 sh[1181]: The master is: dc01.corp.<DOMAIN>.com
Jan 11 09:54:32 dc01 sh[1181]: start_gssrequest
Jan 11 09:54:32 dc01 sh[1181]: send_gssrequest
Jan 11 09:54:32 dc01 sh[1181]: Outgoing update query:
Jan 11 09:54:32 dc01 sh[1181]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1846
Jan 11 09:54:32 dc01 sh[1181]: ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Jan 11 09:54:32 dc01 sh[1181]: ;; QUESTION SECTION:
Jan 11 09:54:32 dc01 sh[1181]: ;4182804529.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
Jan 11 09:54:32 dc01 sh[1181]: ;; ADDITIONAL SECTION:
Jan 11 09:54:32 dc01 sh[1181]: 4182804529.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 1547222072 1547222072 3 NOERROR 1397 YIIFcQYGKwYBBQUCoIIFZTCCBWGgDTALBgkqhkiG9xIBAgKiggVOBIIF SmCCBUYGCSqGSIb3EgECAgEAboIFNTCCBTGgAwIBBaEDAgEOo
Jan 11 09:54:32 dc01 sh[1181]: recvmsg reply from GSS-TSIG query
Jan 11 09:54:32 dc01 sh[1181]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1846
Jan 11 09:54:32 dc01 sh[1181]: ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
Jan 11 09:54:32 dc01 sh[1181]: ;; QUESTION SECTION:
Jan 11 09:54:32 dc01 sh[1181]: ;4182804529.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
Jan 11 09:54:32 dc01 sh[1181]: ;; ANSWER SECTION:
Jan 11 09:54:32 dc01 sh[1181]: 4182804529.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
Jan 11 09:54:32 dc01 sh[1181]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 09:54:32 dc01 sh[1181]: Reply from SOA query:
Jan 11 09:54:32 dc01 sh[1181]: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30544
Jan 11 09:54:32 dc01 sh[1181]: ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
Jan 11 09:54:32 dc01 sh[1181]: ;; QUESTION SECTION:
Jan 11 09:54:32 dc01 sh[1181]: ;165.10.20.172.in-addr.arpa. IN SOA
Jan 11 09:54:32 dc01 sh[1181]: ;; AUTHORITY SECTION:
Jan 11 09:54:32 dc01 sh[1181]: 10.20.172.in-addr.arpa. 0 IN SOA dc01.corp.<DOMAIN>.com. hostmaster.corp.<DOMAIN>.com. 2 900 600 86400 3600
Jan 11 09:54:32 dc01 sh[1181]: Found zone name: 10.20.172.in-addr.arpa
Jan 11 09:54:32 dc01 sh[1181]: The master is: dc01.corp.<DOMAIN>.com
Jan 11 09:54:32 dc01 sh[1181]: start_gssrequest
Jan 11 09:54:32 dc01 sh[1181]: send_gssrequest
Jan 11 09:54:32 dc01 sh[1181]: Outgoing update query:
Jan 11 09:54:32 dc01 sh[1181]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37632
Jan 11 09:54:32 dc01 sh[1181]: ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Jan 11 09:54:32 dc01 sh[1181]: ;; QUESTION SECTION:
Jan 11 09:54:32 dc01 sh[1181]: ;1779289402.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
Jan 11 09:54:32 dc01 sh[1181]: ;; ADDITIONAL SECTION:
Jan 11 09:54:32 dc01 sh[1181]: 1779289402.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 1547222072 1547222072 3 NOERROR 1397 YIIFcQYGKwYBBQUCoIIFZTCCBWGgDTALBgkqhkiG9xIBAgKiggVOBIIF SmCCBUYGCSqGSIb3EgECAgEAboIFNTCCBTGgAwIBBaEDAgEOo
Jan 11 09:54:32 dc01 sh[1181]: recvmsg reply from GSS-TSIG query
Jan 11 09:54:32 dc01 sh[1181]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37632
Jan 11 09:54:32 dc01 sh[1181]: ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
Jan 11 09:54:32 dc01 sh[1181]: ;; QUESTION SECTION:
Jan 11 09:54:32 dc01 sh[1181]: ;1779289402.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
Jan 11 09:54:32 dc01 sh[1181]: ;; ANSWER SECTION:
Jan 11 09:54:32 dc01 sh[1181]: 1779289402.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
Jan 11 09:54:32 dc01 sh[1181]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 09:54:32 dc01 dhcpd[1181]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Jan 11 09:54:32 dc01 dhcpd[1181]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d via eno1
Jan 11 09:54:32 dc01 dhcpd[1181]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1

I appreciate the likelihood that this is some other issue on my part, but am a bit stuck on this (especially as this all worked in the "bad" system).

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2019-Jan-11 16:43 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
On Fri, 11 Jan 2019 16:13:50 +0000 (UTC) Billy Bob <billysbobs at yahoo.com> wrote:

> On Friday, January 11, 2019 3:14 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> >I have no idea where the above is coming from, but it isn't from the dhcp scripts.
>
> I don't know what to tell you, Rowland. The previous logs were with the -d option in place, and those extra lines were what was added as a result of the -d option.
>
> Here is what the logs show WITHOUT the -d option:
>
> Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
> Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
> Jan 11 10:00:36 dc01 dhcpd[1704]: reuse_lease: lease age 364 (secs) under 25% threshold, reply with unaltered, existing lease for 172.20.10.165
> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1

This shows the script is being run with the correct data, but for some reason, your kerberos key isn't correct

What is in your ticket ?

Running 'klist -ce /tmp/dhcp-dyndns.cc' on my DC produces this:

Ticket cache: FILE:/tmp/dhcp-dyndns.cc
Default principal: dhcpduser at SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
11/01/19 10:12:50  11/01/19 20:12:50  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
        renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
11/01/19 10:12:50  11/01/19 20:12:50  DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM
        renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

And running 'ktutil' produces this:

root at dc4:~# ktutil
ktutil: rkt /etc/dhcpduser.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 dhcpduser at SAMDOM.EXAMPLE.COM
   2    1 dhcpduser at SAMDOM.EXAMPLE.COM
   3    1 dhcpduser at SAMDOM.EXAMPLE.COM
   4    1 dhcpduser at SAMDOM.EXAMPLE.COM
   5    1 dhcpduser at SAMDOM.EXAMPLE.COM
ktutil: q

I would delete the ticket and keytab, recreate the keytab and then try again.

Rowland
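
A triage helper for the syslog format quoted in this thread, added here as an example; it is not part of any poster's message or of the Samba scripts. It summarises each dhcp-dyndns.sh run that dhcpd reported as failed and separates GSS-TSIG rejections from other failures. The names `sample_log` and `triage_dyndns` are hypothetical, the second run in the sample is constructed, and the exit-code decoding assumes dhcpd logs the raw wait status.

```shell
#!/bin/sh
# Sample syslog: the first run is copied from the thread, the second is constructed.
sample_log() {
cat <<'EOF'
Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Jan 11 10:07:12 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 11 10:07:12 dc01 dhcpd[1704]: execute_statement argv[1] = add
Jan 11 10:07:12 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.166
Jan 11 10:07:12 dc01 dhcpd[1704]: execute_statement argv[3] = 1:0:0:5e:0:53:1
Jan 11 10:07:12 dc01 dhcpd[1704]: execute_statement argv[4] = host02
Jan 11 10:07:12 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 256
EOF
}

# Print one summary line per dhcp-dyndns.sh run for which dhcpd logged an exit status.
triage_dyndns() {
    awk '
    /execute_statement argv\[[0-9]+\] = / {
        i = $0; sub(/.*argv\[/, "", i); sub(/\].*/, "", i)   # argument index
        v = $0; sub(/.*\] = /, "", v)                        # argument value
        if (i == "0") { split("", arg); tkey = 0 }           # argv[0] starts a new run
        arg[i] = v
        next
    }
    /dns_tkey_gssnegotiate: TKEY is unacceptable/ { tkey++; next }
    / execute: .* exit status [0-9]+$/ {
        # Assumption: dhcpd logs the raw wait status, so exit code = status / 256
        cause = (tkey > 0) ? "gss-tsig-rejected" : "other"
        printf "%s %s %s %s exit=%d cause=%s\n", $3, arg[1], arg[2], arg[4], int($NF / 256), cause
    }'
}

sample_log | triage_dyndns
```

A run flagged `gss-tsig-rejected` points at the ticket cache and keytab checks shown above rather than at the arguments dhcpd passed to the script.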