Hi all,

I have (mostly) struggled my way through the documentation found at:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records

But as I am on Gentoo, the DHCP daemon is run by the unprivileged user dhcp, which did complicate the issue way more than I imagined. The documentation rightfully points out to adjust the permissions of the keytab, which is used as a replacement for a plaintext password within the access of the dhcp user. But here is the first nit: it is just as important to adjust the permissions of the ticket cache. If one tries the script as root user after failing with the restricted dhcp user account (which does succeed, if enough care has been taken!), then the ticket cache has the permissions root:root, and the resulting error message, when next trying with the restricted user again, is not really helpful (as most Kerberos error messages seem to be, at least in the eyes of an inexperienced user like me).

Btw, at least on Gentoo these caches are named /tmp/krb5cc_xxx, where xxx is the UID of the owner, i.e. on my system a cache for the dhcp user would be named krb5cc_300. I don't know whether the effort is justified to do something like this in the script. But the documentation should incorporate a warning to check the permissions of that file, too, especially as the cache is not discussed in the text; it just appears within the script.

But even when having done all that stuff right, the script didn't run...
--------------------------------------------------------------------------------------------------------
horus # runuser -u dhcp -- /usr/local/bin/dhcp-dyndns.sh delete 192.168.0.5 11:22:33:44:55:66
smb_krb5_init_context_common: Krb5 context initialization failed (Not a directory)
smb_krb5_context_init_basic failed (Not a directory)
smb_krb5_init_context_common: Krb5 context initialization failed (Not a directory)
smb_krb5_context_init_basic failed (Not a directory)
gensec_gssapi_start: smb_krb5_init_context failed (Not a directory)
gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
Failed to start GENSEC client mechanism (null): NT_STATUS_INVALID_PARAMETER
Failed to bind to uuid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx for ncacn_ip_tcp:192.168.0.2[49153,sign,target_hostname=horus,abstract_syntax=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/0x00000005,localaddress=192.168.0.2] NT_STATUS_INVALID_PARAMETER
ERROR: Connecting to DNS RPC server horus failed with (3221225485, 'An invalid parameter was passed to a service or function.')
smb_krb5_init_context_common: Krb5 context initialization failed (Not a directory)
smb_krb5_context_init_basic failed (Not a directory)
smb_krb5_init_context_common: Krb5 context initialization failed (Not a directory)
smb_krb5_context_init_basic failed (Not a directory)
gensec_gssapi_start: smb_krb5_init_context failed (Not a directory)
gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
Failed to start GENSEC client mechanism (null): NT_STATUS_INVALID_PARAMETER
Failed to bind to uuid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx for ncacn_ip_tcp:192.168.0.2[49153,sign,target_hostname=horus,abstract_syntax=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/0x00000005,localaddress=192.168.0.2] NT_STATUS_INVALID_PARAMETER
ERROR: Connecting to DNS RPC server horus failed with (3221225485, 'An invalid parameter was passed to a service or function.')
--------------------------------------------------------------------------------------------------------

After having found out that 'normal' users could do the update, I finally modified /etc/passwd from

--------------------------------------------------------------------------------------------------------
dhcp:x:300:300:user for dhcp daemon:/dev/null:/sbin/nologin
--------------------------------------------------------------------------------------------------------

to

--------------------------------------------------------------------------------------------------------
dhcp:x:300:300:user for dhcp daemon:/var/lib/dhcp:/sbin/nologin
--------------------------------------------------------------------------------------------------------

where the dhcp user has rwx rights. The script now runs as

--------------------------------------------------------------------------------------------------------
horus /etc # runuser -u dhcp -- /usr/local/bin/dhcp-dyndns.sh delete 192.168.41.65 50:3e:aa:01:6e:10
Record deleted successfully
Record deleted successfully
--------------------------------------------------------------------------------------------------------

So I would strongly suggest adding this hint to the documentation, too, as it may be pretty helpful for those trying to get this running with a non-root dhcp user.

Best regards
Peter

PS: Many thanks go out to Rowland for exploring this option, and for giving us both that script and the notes on how to use it.
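The three things that bit Peter above (keytab permissions, a ticket cache left behind with the wrong owner, and a home directory that is not a directory) can all be checked before the daemon ever calls the script. The following POSIX shell pre-flight check is an added example, not the wiki's dhcp-dyndns.sh and not code posted by anyone in this thread. It assumes GNU coreutils (stat -c) and getent; the default keytab path is a placeholder to replace with whatever your copy of the script reads, and the /tmp/krb5cc_<uid> cache name is the Gentoo naming reported above.

```shell
#!/bin/sh
# Pre-flight checks for running dhcp-dyndns.sh as an unprivileged user.
# Added example; not part of the Samba wiki script. Assumes GNU stat -c.

# Succeed if FILE exists, is owned by UID and carries no "other" permission bits.
# Both the keytab and the ticket cache should pass this test.
owned_private() {
    file=$1
    uid=$2
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    owner=$(stat -c %u "$file")
    [ "$owner" = "$uid" ] || {
        echo "$file is owned by uid $owner, expected uid $uid"
        return 1
    }
    mode=$(stat -c %a "$file")
    case $mode in
        *[1-7]) echo "$file is accessible to other users (mode $mode)"; return 1 ;;
    esac
    return 0
}

# The ticket cache may legitimately be absent before the first kinit. If it
# exists it must belong to UID; a root-owned cache left behind by a test run
# as root is exactly the failure mode described in the thread.
ccache_ok() {
    [ -e "$1" ] || { echo "no ticket cache yet at $1 (created on first run)"; return 0; }
    owned_private "$1" "$2"
}

# The home directory must be a real directory, owned and writable by UID.
# A home of /dev/null is what produced the "Not a directory" errors above.
home_usable() {
    dir=$1
    uid=$2
    [ -d "$dir" ] || { echo "home $dir is not a directory"; return 1; }
    owner=$(stat -c %u "$dir")
    [ "$owner" = "$uid" ] || { echo "home $dir is owned by uid $owner, expected uid $uid"; return 1; }
    case $(stat -c %A "$dir") in
        ??w*) return 0 ;;
        *) echo "home $dir is not writable by its owner"; return 1 ;;
    esac
}

# Core check over explicit paths, so it can be exercised on fixture files.
# Returns 0 only if every check passes, and reports every failure, not just the first.
preflight_paths() {
    uid=$1; home=$2; keytab=$3; ccache=$4
    rc=0
    home_usable "$home" "$uid" || rc=1
    owned_private "$keytab" "$uid" || rc=1
    ccache_ok "$ccache" "$uid" || rc=1
    return $rc
}

# Resolve a user name to uid and home, then run the checks against the keytab
# (placeholder default path; pass the one your script reads) and the per-uid
# cache /tmp/krb5cc_<uid> used on Gentoo.
preflight_user() {
    user=$1
    keytab=${2:-/etc/dhcpduser.keytab}   # placeholder path, an assumption
    uid=$(id -u "$user") || return 1
    home=$(getent passwd "$user" | cut -d: -f6)
    preflight_paths "$uid" "$home" "$keytab" "/tmp/krb5cc_$uid"
}

# Usage on the DC, as root:   preflight_user dhcp /path/to/your.keytab
```

Run it as root before handing the script to the daemon; a non-zero exit means at least one of the three conditions would make the Kerberos step fail in the unhelpful way shown in the log above. The check is deliberately stricter than strictly required (no "other" bits at all on keytab and cache), since both files are credential material.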
Good day

I have sort of a similar question. I also wanted to set up dynamic DNS updates. And I found that the command net ads dns register -P updates the computer's DNS account, and to do that, it needs neither Kerberos nor anything else, but instead uses the machine account to authenticate itself to AD. It does not, however, update the PTR record, unfortunately. I experimented a bit with this and found that it worked on my Samba DC even with secure DNS updates only, so if this is really true I propose to add a hook script for the DHCP client that is called whenever the DHCP lease expires, and will automatically update the DNS. I was even thinking about adding this command to crontab and calling it every hour. I have not yet tested this with an unprivileged account, though, but I cannot understand why this shouldn't work, as it uses the computer account to authenticate. So if it really works with net ads dns register -P, why should someone even bother with complicated scripts? Just let each client do its own DNS update, as the Windows clients do? The really awesome stuff would be if it even worked for the PTR record too.

Thanks, best
Tobias

On Wed, 13 Dec 2023, 00:42 Peter Serbe via samba, <samba at lists.samba.org> wrote:

> [...]
On Wed, 13 Dec 2023 00:16:58 +0100 (CET) Peter Serbe via samba <samba at lists.samba.org> wrote:

> [...]

I have never heard of the script being run on Gentoo before; I am glad you got it to work. I will add updating the wiki page to my to-do list.

Rowland