Chris Nighswonger
2023-Aug-02 16:14 UTC
[Samba] Configure DHCP to update DNS records problem
Hello all,

After several days of working on this, I'm stuck. Hopefully someone can point out what I'm missing here.

I'm working with this script to dynamically update my Samba AD DC DNS:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records

Short of it:

The script does not update the DNS records due to samba-tool failing for some unknown reason.

Long of it:

1. As seen below, the script runs as the dhcpd user.
2. samba-tool executes fine using kerberos when su'ed as the dhcpd user.
3. However, the samba-tool calls inside the script fail.

Notes:

1. I've added a few additional logger lines for my own debugging sanity.
2. The DHCP server runs on a separate box from the AD DC server.
3. I'm using a user map entry to map the AD user 'dhcpduser' to the system user 'dhcpd'.

Version info:

root@S1:/etc/dhcp (master)# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.6 LTS
Release: 14.04
Codename: trusty
root@S1:/etc/dhcp (master)# samba-tool -V
4.3.11-Ubuntu
root@S1:/etc/dhcp (master)# /usr/sbin/dhcpd --version
isc-dhcpd-4.2.4

Relevant syslog entries:

Aug 2 10:22:53 S1 dhcpd: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Aug 2 10:22:53 S1 dhcpd: execute_statement argv[1] = add
Aug 2 10:22:53 S1 dhcpd: execute_statement argv[2] = 192.168.x.x
Aug 2 10:22:53 S1 dhcpd: execute_statement argv[3] = b8:41:a4:xx:xx:xx
Aug 2 10:22:53 S1 dhcpd: execute_statement argv[4] = iPhone
Aug 2 10:22:54 S1 logger: 02-08-23 10:22:54 [dyndns] : Running check for valid kerberos ticket
Aug 2 10:22:54 S1 logger: I am uid=105(dhcpd) gid=111(dhcpd) groups=111(dhcpd)
Aug 2 10:22:54 S1 logger: /usr/bin/samba-tool dns query dc1.foo.bar foo.bar iPhone A -k yes
Aug 2 10:22:55 S1 logger: Results: 0
Aug 2 10:22:55 S1 logger: A_REC:
Aug 2 10:22:55 S1 logger: 'A' record changed, updating record.
Aug 2 10:22:55 S1 logger: /usr/bin/samba-tool dns delete dc1.foo.bar foo.bar iPhone A -k yes
Aug 2 10:22:55 S1 logger: /usr/bin/samba-tool dns add dc1.foo.bar foo.bar iPhone A 192.168.x.x -k yes
Aug 2 10:22:56 S1 logger: /usr/bin/samba-tool dns zonelist dc1.foo.bar -k yes --reverse
Aug 2 10:22:56 S1 logger: ReverseZones:
Aug 2 10:22:57 S1 logger: No reverse zone found, not updating
Aug 2 10:22:57 S1 logger: RESULTS: 2:2:0:0
Aug 2 10:22:57 S1 logger: count: 1
Aug 2 10:22:57 S1 logger: DHCP-DNS add failed: 2:2:0:0
Aug 2 10:22:57 S1 dhcpd: execute: /usr/local/bin/dhcp-dyndns.sh exit status 256

root@S1:/etc/dhcp (master)# ps -ef | egrep -i samba-tool
dhcpd 13461 13460 0 10:21 ? 00:00:00 /usr/bin/python2.7 /usr/bin/samba-tool dns zonelist dc1.foo.bar -k yes --reverse

root@S1:/etc/dhcp (master)# su dhcpd
dhcpd@S1:/etc/dhcp$ id
uid=105(dhcpd) gid=111(dhcpd) groups=111(dhcpd)
dhcpd@S1:/etc/dhcp$ /usr/bin/python2.7 /usr/bin/samba-tool dns zonelist dc1.foo.bar -k yes --reverse
6 zone(s) found

pszZoneName : x.168.192.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.foo.bar

pszZoneName : x.168.192.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.foo.bar

pszZoneName : x.168.192.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.foo.bar

pszZoneName : x.168.192.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.foo.bar

pszZoneName : x.168.192.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.foo.bar

pszZoneName : x.168.192.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.foo.bar
dhcpd@S1:/etc/dhcp$ exit

Kind regards,
Chris
On 02/08/2023 17:14, Chris Nighswonger via samba wrote:
> Hello all,
>
> After several days of working on this, I'm stuck. Hopefully someone can point out what I'm missing here.
>
> I'm working with this script to dynamically update my Samba AD DC DNS:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records
>
> Short of it:
>
> The script does not update the DNS records due to samba-tool failing for some unknown reason.

Why do you have 6 reverse zones called 'x.168.192.in-addr.arpa'? If the 'x' is a redacted number, why redact it and why not just use one reverse zone:

168.192.in-addr.arpa

However, the main question is: Why are you still using a dead OS? Ubuntu 14.04 went EOL in 2019 and Samba EOL'd 4.3.11 in 2017.

I am sorry, but I cannot help with this, your setup is just too old.

Rowland
Chris Nighswonger
2023-Aug-02 18:46 UTC
[Samba] Configure DHCP to update DNS records problem [FIXED]
On the off chance that someone else is in a position of forced usage of an older system, here is the solution that worked for me:

Change line 134 to read

KTYPE="--kerberos=yes"

I'm not a shell guru, but my guess is that something was choking on the space in "-k yes". Maybe due to age.

Thanks to Rowland for the script and for making me determined to make it work for my use-case.

Kind regards,
Chris
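One way a space in an option value can matter to a shell script, shown as an added example that is not part of the thread or of the wiki script: the same "-k yes" reaches the called program as one word or two depending on quoting and IFS, while "--kerberos=yes" is always a single word. It assumes, hypothetically, that the option is held in a variable such as KTYPE and expanded on the samba-tool command line; show_args and the other function names are made up for the demonstration.

```shell
#!/bin/sh
# Constructed demonstration: show_args stands in for samba-tool and only
# reports the argument list it receives. Nothing here contacts a DC.

# Print each received argument in brackets so embedded spaces are visible.
show_args() {
    out=""
    for a in "$@"; do
        out="${out}[${a}]"
    done
    echo "$out"
}

# Short option and value in one variable, expanded inside double quotes:
# the callee receives the single word "-k yes".
quoted_short() {
    KTYPE="-k yes"
    show_args dns query dc1.foo.bar foo.bar iPhone A "$KTYPE"
}

# Same value expanded unquoted: word splitting yields "-k" and "yes".
unquoted_short() {
    KTYPE="-k yes"
    show_args dns query dc1.foo.bar foo.bar iPhone A $KTYPE
}

# Unquoted again, but with IFS changed by the calling environment:
# no split on the space, so the callee sees one word once more.
unquoted_short_custom_ifs() (
    IFS=':'
    KTYPE="-k yes"
    show_args dns query dc1.foo.bar foo.bar iPhone A $KTYPE
)

# Long form with "=": one word under every quoting style and any IFS.
quoted_long() {
    KTYPE="--kerberos=yes"
    show_args dns query dc1.foo.bar foo.bar iPhone A "$KTYPE"
}

printf '%-30s %s\n' 'quoted "-k yes":' "$(quoted_short)"
printf '%-30s %s\n' 'unquoted "-k yes":' "$(unquoted_short)"
printf '%-30s %s\n' 'unquoted, IFS=":":' "$(unquoted_short_custom_ifs)"
printf '%-30s %s\n' 'quoted "--kerberos=yes":' "$(quoted_long)"
```

Logging the argument list this way from inside the real hook, next to the existing logger lines, shows which of these forms the DHCP-launched script actually passes.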