Hi Rowland,
On Thu, 24 Jun 2021, Rowland Penny via samba wrote:
> On Thu, 2021-06-24 at 12:42 -0400, Tom Diehl via samba wrote:
>> Hi Louis,
>>
>> On Thu, 24 Jun 2021, L.P.H. van Belle via samba wrote:
>>
>>> Look up who owns the DNS A record in the DNS.
>>
>> OK, how do I do that?
>>
>>> And, did you add dhcp-user into the windows groups DnsAdmins and
>>> DnsUpdateProxy for the servers running DHCP.
>>
>> The dhcpduser is part of the DnsAdmins group but was not a member of
>> the DnsUpdateProxy.
>> I added it to the DnsUpdateProxy group but no change.
>>
>>> This exception - (5, 'WERR_ACCESS_DENIED')
>>> is just the message that the user you're using doesn't have rights
>>> on that A record.
>>
>> I did not know there was an actual owner of a DNS record. Am I not
>> understanding something?
>>
>>>>> Pre-authentication failed: Permission denied while getting
>>> Did you enable "Delegate to all service (only kerberos)" on the
>>> computer object running the DHCP
>>
>> "Delegate to all service (only kerberos)" was enabled on the DC which
>> is where dhcpd is running. I think that is the default.
>>
>> Regards,
>>
>>
>
> I think I might have found the problem, do you actually have the keytab
> /etc/dhcpduser.keytab ?
>
> Note: not 'did you create it', does it exist. I ask this because I have
> got to this point on an almalinux8 DC and I cannot create it. The
> samba-tool command appears to work, but no keytab is created.
That is weird. I have not tried Almalinux yet.
Here is what I have for the keytab:
(pht-vdc1 pts5) # ktutil
ktutil: read_kt /etc/dhcpduser.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 dhcpduser@MYDOMAIN.COM
   2    2 dhcpduser@MYDOMAIN.COM
   3    2 dhcpduser@MYDOMAIN.COM
ktutil:
(pht-vdc1 pts5) #
It looks correct to me. What say you?
FWIW, I killed the keytab and re-created it. No joy!!
Regards,
--
Tom me at tdiehl.org
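
The question raised above is whether /etc/dhcpduser.keytab actually exists and holds the expected principal, not whether the create command ran. The following is an added example, not part of the thread and not Samba code: a Python check that reads the MIT keytab file format (version 0x0502) directly and reports the principal, KVNO and encryption type of each entry. The sample bytes, the dummy keys and the enctype numbers 18, 17 and 23 are constructed assumptions.

```python
import os, struct

def _counted(buf, off):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """List (principal, kvno, enctype) per entry of an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        off, names = 2, []
        for _ in range(ncomp + 1):     # realm first, then the name components
            text, off = _counted(rec, off)
            names.append(text)
        # skip name type and timestamp (8 bytes), then 8-bit kvno and key header
        kvno, enctype, keylen = struct.unpack_from(">BHH", rec, off + 8)
        off += 13 + keylen
        if len(rec) - off >= 4:        # optional 32-bit kvno wins if nonzero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
    return entries

def check_keytab(path, principal):
    """Return problems found; an empty list means the file exists and holds the principal."""
    if not os.path.isfile(path):
        return [f"{path} does not exist"]
    with open(path, "rb") as fh:
        found = [e for e in parse_keytab(fh.read()) if e[0] == principal]
    return [] if found else [f"no entries for {principal} in {path}"]

def sample_entry(name, realm, kvno, enctype, key):
    """Build one constructed keytab entry (dummy key, for illustration only)."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 1) + s(realm.encode()) + s(name.encode())
            + struct.pack(">IIB", 1, 0, kvno) + struct.pack(">H", enctype) + s(key))
    return struct.pack(">i", len(body)) + body

# Constructed sample: three kvno-2 entries; the enctypes 18, 17, 23 are assumed.
SAMPLE = b"\x05\x02" + b"".join(
    sample_entry("dhcpduser", "MYDOMAIN.COM", 2, e, bytes(n)) for e, n in ((18, 32), (17, 16), (23, 16)))
```

On the DC this would be called as check_keytab("/etc/dhcpduser.keytab", "dhcpduser@MYDOMAIN.COM") by a user allowed to read the keytab.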