Billy Bob
2019-Jan-11 20:12 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
On Friday, January 11, 2019 1:39 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> There doesn't seem to be anything really wrong there, the only real
> difference between your named.conf and mine is that I have:
>
> dnssec-validation no;
> dnssec-enable no;
> dnssec-lookaside no;
> listen-on-v6 { none; };
> listen-on port 53 { 192.168.0.6; 127.0.0.1; };
>
> as well.
>
> Rowland

Thank you. I am going back to bare metal, and we'll see where it ends up. I will leave script intact as presented in Wiki. Are you going to change it today per comment on other thread at https://lists.samba.org/archive/samba/2019-January/220369.html ?
Rowland Penny
2019-Jan-11 20:21 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
On Fri, 11 Jan 2019 20:12:17 +0000 (UTC) Billy Bob <billysbobs at yahoo.com> wrote:

> On Friday, January 11, 2019 1:39 PM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > There doesn't seem to be anything really wrong there, the only real
> > difference between your named.conf and mine is that I have:
> >
> > dnssec-validation no;
> > dnssec-enable no;
> > dnssec-lookaside no;
> > listen-on-v6 { none; };
> > listen-on port 53 { 192.168.0.6; 127.0.0.1; };
> >
> > as well.
> >
> > Rowland
>
> Thank you. I am going back to bare metal, and we'll see where it ends
> up. I will leave script intact as presented in Wiki. Are you going to
> change it today per comment on other thread at
> https://lists.samba.org/archive/samba/2019-January/220369.html ?

I have considered this. My dhcp server is working perfectly after the changes, but I decided (because you are having problems) not to change the wiki yet. I know there is nothing wrong with the present scripts and I may introduce an error if I do change them now, I don't think I will, but it is better safe than sorry.

Rowland
Billy Bob
2019-Jan-12 23:55 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
On Friday, January 11, 2019 2:21 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> > On Friday, January 11, 2019 1:39 PM, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > > There doesn't seem to be anything really wrong there, the only real
> > > difference between your named.conf and mine is that I have:
> > >
> > > dnssec-validation no;
> > > dnssec-enable no;
> > > dnssec-lookaside no;
> > > listen-on-v6 { none; };
> > > listen-on port 53 { 192.168.0.6; 127.0.0.1; };
> > >
> > > as well.
> > >
> > > Rowland
> >
> > Thank you. I am going back to bare metal, and we'll see where it ends
> > up. I will leave script intact as presented in Wiki. Are you going to
> > change it today per comment on other thread at
> > https://lists.samba.org/archive/samba/2019-January/220369.html ?
>
> I have considered this. My dhcp server is working perfectly after the
> changes, but I decided (because you are having problems) not to change
> the wiki yet. I know there is nothing wrong with the present scripts
> and I may introduce an error if I do change them now, I don't think I
> will, but it is better safe than sorry.

Rowland,

I have completely rebuilt this, testing extensively along the way. All "appeared" fine through installation of DHCP (without dynamic updates), and upon introduction of the update script the errors returned.

Two additional observations, though, at this point.

(1) As a last check, I commented out the script calls in the dhcpd.conf file, and then set the network adapter on my domain joined Win 10 management workstation to register its own DNS. THIS FAILED, as shown in the BIND logs:

Jan 12 17:23:01 dc01 named[1109]: samba_dlz: starting transaction on zone corp.<DOMAIN>.com
Jan 12 17:23:01 dc01 named[1109]: client @0x7f87bc028a50 172.20.10.165#54313: update 'corp.<DOMAIN>.com/IN' denied
Jan 12 17:23:01 dc01 named[1109]: samba_dlz: cancelling transaction on zone corp.<DOMAIN>.com

(2) In an attempt to try to understand at least the nature of the error messages I used journalctl to grep out more detailed messages associated with the dhcpd process. I am including that dialog at the end of this post. First, though, I am wondering if you wouldn't mind looking at the isc.org bug tracker at:

https://bugs.isc.org/Public/Bug/Display.html?id=46086

In particular, at https://bugs.isc.org/Public/Bug/Display.html?id=46086#txn-496516 you will find a dialog that is the spitting image of error messages that I am getting. Whether this is the script (I don't think it is), dhcpd, bind9, krb5, samba_dlz (note first comment regarding failure to perform dynamic updates from the domain joined machine), or something else, I am hoping that your experience will point me in the direction of figuring out what is going wrong.

Although I think I have very faithfully followed the Wiki and official guidance, I would be happy to find a stupid mistake on my part. On the other hand, I am not finding where I have made any departure.

Here is the output of the journalctl -b | grep 2402 (omitting server dhcpd startup):

Jan 12 15:01:22 dc01 dhcpd[2402]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[1] = add
Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[2] = 172.20.10.165
Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[4] = mgmt01
Jan 12 15:01:22 dc01 sh[2402]: Reply from SOA query:
Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57445
Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
Jan 12 15:01:22 dc01 sh[2402]: ;mgmt01.corp.<DOMAIN>.com. IN SOA
Jan 12 15:01:22 dc01 sh[2402]: ;; AUTHORITY SECTION:
Jan 12 15:01:22 dc01 sh[2402]: corp.<DOMAIN>.com. 0 IN SOA dc01.corp.<DOMAIN>.com. hostmaster.corp.<DOMAIN>.com. 20 900 600 86400 3600
Jan 12 15:01:22 dc01 sh[2402]: Found zone name: corp.<DOMAIN>.com
Jan 12 15:01:22 dc01 sh[2402]: The master is: dc01.corp.<DOMAIN>.com
Jan 12 15:01:22 dc01 sh[2402]: start_gssrequest
Jan 12 15:01:22 dc01 sh[2402]: send_gssrequest
Jan 12 15:01:22 dc01 sh[2402]: Outgoing update query:
Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 525
Jan 12 15:01:22 dc01 sh[2402]: ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
Jan 12 15:01:22 dc01 sh[2402]: ;3835165544.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
Jan 12 15:01:22 dc01 sh[2402]: ;; ADDITIONAL SECTION:
Jan 12 15:01:22 dc01 sh[2402]: 3835165544.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig.
1547326882 1547326882 3 NOERROR 1397 [GSS-API token omitted] 0
Jan 12 15:01:22 dc01 sh[2402]: recvmsg reply from GSS-TSIG
query
Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 525
Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
Jan 12 15:01:22 dc01 sh[2402]: ;3835165544.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
Jan 12 15:01:22 dc01 sh[2402]: ;; ANSWER SECTION:
Jan 12 15:01:22 dc01 sh[2402]: 3835165544.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
Jan 12 15:01:22 dc01 sh[2402]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 12 15:01:22 dc01 sh[2402]: Reply from SOA query:
Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59301
Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
Jan 12 15:01:22 dc01 sh[2402]: ;165.10.20.172.in-addr.arpa. IN SOA
Jan 12 15:01:22 dc01 sh[2402]: ;; AUTHORITY SECTION:
Jan 12 15:01:22 dc01 sh[2402]: 10.20.172.in-addr.arpa. 0 IN SOA dc01.corp.<DOMAIN>.com. hostmaster.corp.<DOMAIN>.com. 2 900 600 86400 3600
Jan 12 15:01:22 dc01 sh[2402]: Found zone name: 10.20.172.in-addr.arpa
Jan 12 15:01:22 dc01 sh[2402]: The master is: dc01.corp.<DOMAIN>.com
Jan 12 15:01:22 dc01 sh[2402]: start_gssrequest
Jan 12 15:01:22 dc01 sh[2402]: send_gssrequest
Jan 12 15:01:22 dc01 sh[2402]: Outgoing update query:
Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10987
Jan 12 15:01:22 dc01 sh[2402]: ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
Jan 12 15:01:22 dc01 sh[2402]: ;1551722865.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
Jan 12 15:01:22 dc01 sh[2402]: ;; ADDITIONAL SECTION:
Jan 12 15:01:22 dc01 sh[2402]: 1551722865.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig.
1547326882 1547326882 3 NOERROR 1397 [GSS-API token omitted] 0
Jan 12 15:01:22 dc01 sh[2402]: recvmsg reply from GSS-TSIG
query
Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10987
Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
Jan 12 15:01:22 dc01 sh[2402]: ;1551722865.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
Jan 12 15:01:22 dc01 sh[2402]: ;; ANSWER SECTION:
Jan 12 15:01:22 dc01 sh[2402]: 1551722865.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
Jan 12 15:01:22 dc01 sh[2402]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 12 15:01:22 dc01 dhcpd[2402]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Jan 12 15:01:22 dc01 dhcpd[2402]: reuse_lease: lease age 3321 (secs) under 25% threshold, reply with unaltered, existing lease for 172.20.10.165
Jan 12 15:01:22 dc01 dhcpd[2402]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
Jan 12 15:01:22 dc01 dhcpd[2402]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2019-Jan-14 08:17 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
From last logs. All I still see is:

Jan 12 15:01:22 dc01 sh[2402]: 1551722865.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
Jan 12 15:01:22 dc01 sh[2402]: dns_tkey_gssnegotiate: TKEY is unacceptable

Referring to: https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable

Are you using bind, yes, then check again for these options in bind global config.

dnssec-enable no;
auth-nxdomain yes;
empty-zones-enable no;
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

And set this in krb5.conf of the DC's.

; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

And change in smb.conf

interfaces = lo eno1

To

interfaces = 127.0.0.1 172.20.10.130

> AppArmor is running, with dhcpd, named and ntpd in Complain mode; in any case, no violations are being logged as DENIED

Test with AppArmor disabled.

Last, what are the rights on the keytab files.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Billy Bob via samba
> Sent: Sunday 13 January 2019 0:56
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] samba_dnsupdate options: --use-samba-tool vs.
> --use-nsupdate, and dhcpd dynamic updates
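The log triage discussed in this thread, as an added example that is not part of any poster's message or of the Samba wiki script: it pulls the server's TKEY answer per zone, the dhcpd hook exit status, and denied updates out of journal lines. The sample lines are constructed from the excerpt above with a placeholder domain (corp.example.com) and the token replaced by a marker; treating the logged "exit status" as a raw wait status (exit code in the high byte) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the journal excerpt in this thread; the
# domain is a placeholder and the GSS-API token is replaced by a marker.
SAMPLE = """\
Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 12 15:01:22 dc01 sh[2402]: Found zone name: corp.example.com
Jan 12 15:01:22 dc01 sh[2402]: Outgoing update query:
Jan 12 15:01:22 dc01 sh[2402]: 3835165544.sig-dc01.corp.example.com. 0 ANY TKEY gss-tsig. 1547326882 1547326882 3 NOERROR 1397 TOKEN-OMITTED 0
Jan 12 15:01:22 dc01 sh[2402]: recvmsg reply from GSS-TSIG query
Jan 12 15:01:22 dc01 sh[2402]: ;3835165544.sig-dc01.corp.example.com. ANY TKEY
Jan 12 15:01:22 dc01 sh[2402]: 3835165544.sig-dc01.corp.example.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
Jan 12 15:01:22 dc01 sh[2402]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 12 15:01:22 dc01 sh[2402]: Found zone name: 10.20.172.in-addr.arpa
Jan 12 15:01:22 dc01 sh[2402]: Outgoing update query:
Jan 12 15:01:22 dc01 sh[2402]: 1551722865.sig-dc01.corp.example.com. 0 ANY TKEY gss-tsig. 1547326882 1547326882 3 NOERROR 1397 TOKEN-OMITTED 0
Jan 12 15:01:22 dc01 sh[2402]: recvmsg reply from GSS-TSIG query
Jan 12 15:01:22 dc01 sh[2402]: 1551722865.sig-dc01.corp.example.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
Jan 12 15:01:22 dc01 dhcpd[2402]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Jan 12 17:23:01 dc01 named[1109]: client @0x7f87bc028a50 172.20.10.165#54313: update 'corp.example.com/IN' denied
"""

# "Mon DD HH:MM:SS host proc[pid]: message" as printed by journalctl
LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s([\w.-]+)\[(\d+)\]:\s(.*)$")
ZONE = re.compile(r"^Found zone name: (\S+)")
# TKEY rdata text: algorithm inception expire mode error keysize ...
TKEY = re.compile(r"\sTKEY\s+\S+\s+\d+\s+\d+\s+\d+\s+(\w+)\s+\d+")
EXIT = re.compile(r"^execute: (\S+) exit status (\d+)")
DENIED = re.compile(r"^client \S+ ([0-9A-Fa-f.:]+)#\d+: update '([^']+)' denied")


def triage(lines):
    """Summarise GSS-TSIG failures, hook exit codes and denied updates."""
    report = {"tkey_failures": [], "hook_exits": [], "denied_updates": []}
    # Per-PID state: zone being updated, and whether we are in the server reply
    state = defaultdict(lambda: {"zone": None, "in_reply": False})
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        proc, pid, msg = m.groups()
        st = state[pid]
        if (z := ZONE.match(msg)):
            st["zone"], st["in_reply"] = z.group(1), False
        elif msg.startswith("Outgoing update query"):
            st["in_reply"] = False  # the client's own TKEY record follows
        elif msg.startswith("recvmsg reply from GSS-TSIG query"):
            st["in_reply"] = True   # the next TKEY record is the server's answer
        elif st["in_reply"] and (t := TKEY.search(msg)):
            if t.group(1) != "NOERROR":
                report["tkey_failures"].append((st["zone"], t.group(1)))
            st["in_reply"] = False
        elif proc == "dhcpd" and (e := EXIT.match(msg)):
            status = int(e.group(2))
            # Assumption: the logged value is a raw wait status
            report["hook_exits"].append((e.group(1), status, (status >> 8) & 0xFF))
        elif proc == "named" and (d := DENIED.match(msg)):
            report["denied_updates"].append((d.group(1), d.group(2)))
    return report


if __name__ == "__main__":
    for key, rows in triage(SAMPLE.splitlines()).items():
        print(key, rows)
```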