On Thu, 2021-06-24 at 15:37 -0400, me at tdiehl.org wrote:
> Hi Rowland,
>
> On Thu, 24 Jun 2021, Rowland Penny via samba wrote:
>
> > On Thu, 2021-06-24 at 12:42 -0400, Tom Diehl via samba wrote:
> > > Hi Louis,
> > >
> > > On Thu, 24 Jun 2021, L.P.H. van Belle via samba wrote:
> > >
> > > > > Look up who owns the DNS A record in the DNS.
> > >
> > > OK, how do I do that?
> > >
> > > > > And, did you add dhcp-user into the windows groups DnsAdmins and
> > > > > DnsUpdateProxy for the servers running DHCP.
> > >
> > > > The dhcpduser is part of the DnsAdmins group but was not a member of
> > > > the DnsUpdateProxy.
> > > > I added it to the DnsUpdateProxy group but no change.
> > >
> > > > > This
> > > > > > > exception - (5, 'WERR_ACCESS_DENIED')
> > > > > is just the message that the user you're using doesn't have rights
> > > > > on that A record.
> > >
> > > > I did not know there was an actual owner of a DNS record. Am I not
> > > > understanding something?
> > >
> > > > > > > Pre-authentication failed: Permission denied while getting
> > > > > Did you enable "Delegate to all service (only kerberos)" on the
> > > > > computer object running the DHCP
> > > >
> > > > "Delegate to all service (only kerberos)" was enabled on the DC which
> > > > is where dhcpd is running. I think that is the default.
> > >
> > > Regards,
> > >
> > >
> >
> > I think I might have found the problem, do you actually have the keytab
> > /etc/dhcpduser.keytab ?
> >
> > Note: not 'did you create it', does it exist. I ask this because I have
> > got to this point on an almalinux8 DC and I cannot create it. The
> > samba-tool command appears to work, but no keytab is created.
>
> That is weird. I have not tried Almalinux yet.
>
> Here is what I have for the keytab:
>
> (pht-vdc1 pts5) # ktutil
> ktutil: read_kt /etc/dhcpduser.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 2 dhcpduser at MYDOMAIN.COM
> 2 2 dhcpduser at MYDOMAIN.COM
> 3 2 dhcpduser at MYDOMAIN.COM
> ktutil:
> (pht-vdc1 pts5) #
>
> It looks correct to me. What say you?
>
> FWIW, I killed the keytab and re-created it. No joy!!
>
> Regards,
>

Forget, it was a cut and paste error :"-)

I now have the script working, but with errors, it doesn't seem to be
able to ignore the deletion of records that don't exist yet (to put it
another way, it tries to delete records that do not exist, something
that doesn't happen on Debian).

I will have a look at this tomorrow, it is nearly 9 PM here.

Rowland