Win 2003 SP2 Dynamic DNS update.

Patrik Martinsson Patrik.Martinsson at smhi.se
Mon Aug 9 07:09:45 MDT 2010


Hello everyone,

I'm having some deep issues with dynamic DNS updates and figured I would 
give this list a try. I know this is more of a devel list, but I figured 
my problem is on a quite deep technical level so it would fit here; hope 
you don't mind.

Here's my setup,

We have a Windows 2003 SP2 AD/DNS/DHCP server.
We have a zone for clients that only allows signed DNS updates; today 
only Windows clients are in this zone, and now I want to put Linux clients 
in here too.
Before, we had another zone that allowed insecure dynamic updates, and 
there all our Linux clients would go; on every connect/DHCP lease 
they would manually, through scripts, update their DNS entry (with nsupdate).
Kerberos is configured on all our clients and at logon time a user will 
get a ticket.
Hope that is enough on the background setup...?

So, here's the case.
I've set up samba on the clients; I've successfully got it to create a 
machine account in the AD, and thereafter it actually updates the DNS 
with an entry as expected.
This I'm doing with the following command:
'net ads join createupn=host/$HOSTNAME@XX.XXXX.XX 
createcomputer="foo/bar/baz" osName="Linux Red Hat Workstation" 
osVer="6" -U foo%bar'

Important note:
   Sometimes though, this command partly fails, saying this:
   Using short domain name -- XXXX
   Joined 'CLIENT' to realm 'xx.xxxx.xx'
   [2010/08/09 15:04:59.082626,  0] 
libads/kerberos.c:333(ads_kinit_password)
     kerberos_kinit_password CLIENT$@XX.XXXX.XX failed: Client not found 
in Kerberos database
   DNS update failed!

I don't understand why it does this only sometimes and not always, and as 
far as I can see, everything is normal (machine account is created and 
keytab is written).

HOWEVER, and this is my problem:
If I, after the DNS record has been deleted from the DNS (if the DNS 
server doesn't get any updates on the record it will eventually delete 
it), try to update the DNS record manually with the following command,
'net ads dns register -Ufoo%bar'
I always end up with
'DNS update failed!'

So, I started digging in the source and found out that it's failing 
somewhere in the signing part of utils/net_dns.c; I dug deeper and 
ended up in libaddns/dnsgss.c. Here I added some prints in the hope of 
detecting where it would fail, and strangely enough (at least for me, but 
I'm no expert) it failed at a different place every time I ran it. 
When 'net' queries our DNS for nameservers the DNS responds with 5 
nameservers (dig NS xx @xx), which could explain why it fails 
differently, depending on which nameserver comes first in the list; 
however these servers should be replicated and look the same, AND even 
if I run the command multiple times and I know for sure 'net' tries to 
update the same DNS, it fails differently (I added prints in net that 
tell me which DNS it actually tries to update so I would know for sure).

Here's what I'm talking about.
First run of 'net ads dns register -Ufoo%bar' fails here:

libaddns/dnsgss.c @163,
if ((major != GSS_S_COMPLETE) &&
    (major != GSS_S_CONTINUE_NEEDED)) {
        d_printf("\nFAILED @GSS_S_COMPLETE/GSS_S_CONTINUE_NEEDED\n");
        return ERROR_DNS_GSS_ERROR;
}

The next time I run it AND it tries to update the SAME DNS as before (a 
couple of times later, because the NS list is in random order), it fails 
here:

libaddns/dnsgss.c @191,
if ((resp->num_additionals != 1) ||
    (resp->num_answers == 0) ||
    (resp->answers[0]->type != QTYPE_TKEY)) {
        d_printf("\nFAILED @DNS_ID/KEY\n");
        err = ERROR_DNS_INVALID_MESSAGE;
        goto error;
}

And here I'm stuck, hoping for some help, tips, pointers etc.


One question that comes to my mind is that, after doing the 'net join' 
command, I got a keytab with host/client as user principal, which is 
cool; however, when doing the net dns register command, shouldn't that be 
using that keytab file? As I wrote earlier, I use the '-U' flag to 
specify a user/password rather than using the host keytab entry... But 
maybe I'm mistaken here; I'm really new to Kerberos and to be honest I 
find it _very_ hard and confusing at the moment, but maybe the picture 
will clear later on....


Here are my config files:
# /etc/samba/smb.conf
realm = XX.XXXX.XX
security = ADS
encrypt passwords = yes
workgroup = XXXX
kerberos method = secrets and keytab

# /etc/krb5.conf
[libdefaults]
   default_realm = XX.XXXX.XX
   clockskew = 300
   dns_lookup_realm = false # I've tried with both true/false here.
   dns_lookup_kdc = false
   forwardable = true
   allow_weak_crypto = true

[realms]
   XX.XXXX.XX = {
     default_domain = xx.xxxx.xx
     kdc = xx.xxxx.xx
     admin_server = xx.xxxx.xx
   }

[domain_realm]
   .ad.smhi.se = XX.XXXX.XX
   .smhi.se = XX.XXXX.XX

Anyway, I know this is a long email and a lot of questions, but I hope 
that somebody could clear things up for me.

Best regards,
Patrik Martinsson, Sweden.
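As an added illustration (not part of the original mail or of Samba's code), the three tests at dnsgss.c @191 expressed over a raw DNS message, so a TKEY reply captured on the wire (e.g. with tcpdump) can be checked offline for the same shape Samba demands: exactly one additional RR (the TSIG), at least one answer, and the first answer of type TKEY. The sample response, key name and token bytes are constructed here, not captured from a real DC.

```python
import struct

QTYPE_TKEY, QTYPE_TSIG = 249, 250   # RFC 2930 TKEY, RFC 2845 TSIG

def _read_name(msg, pos):  # decode a (possibly compressed) name -> (name, offset after it)
    labels = []
    while True:
        length = msg[pos]
        if (length & 0xC0) == 0xC0:                        # compression pointer: follow it
            tail, _ = _read_name(msg, ((length & 0x3F) << 8) | msg[pos + 1])
            return ".".join(l for l in labels + [tail] if l), pos + 2
        pos += 1
        if length == 0:
            return ".".join(labels), pos
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length

def check_tkey_response(msg):
    """The three tests from libaddns/dnsgss.c @191, run over a raw TKEY response."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    pos, sections = 12, ([], [], [])                       # answer / authority / additional types
    for _ in range(qd):                                    # skip the question section
        pos = _read_name(msg, pos)[1] + 4
    for types, count in zip(sections, (an, ns, ar)):
        for _ in range(count):
            _, pos = _read_name(msg, pos)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, pos)
            types.append(rtype)
            pos += 10 + rdlen
    answers, _, additionals = sections
    if len(additionals) != 1:
        return False, "num_additionals=%d, expected exactly 1 (the TSIG RR)" % len(additionals)
    if not answers:
        return False, "num_answers=0 (rcode=%d)" % (flags & 0x0F)
    if answers[0] != QTYPE_TKEY:
        return False, "answers[0].type=%d, expected TKEY (249)" % answers[0]
    return True, "ok"

_name = lambda s: b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

def build_tkey_response(with_tsig=True, answer_type=QTYPE_TKEY):
    token = b"GSSAPI-TOKEN-PLACEHOLDER"   # constructed sample, not captured traffic; a real reply carries the AP-REP
    tkey = _name("gss-tsig") + struct.pack("!IIHHH", 0, 0xFFFFFFFF, 3, 0, len(token)) + token + b"\x00\x00"
    tsig = _name("gss-tsig") + b"\x00" * 6 + struct.pack("!HHHHH", 300, 0, 0x1234, 0, 0)
    msg = struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 1 if with_tsig else 0)
    msg += _name("1234-ms-7.xx.xxxx.xx") + struct.pack("!HH", QTYPE_TKEY, 255)         # question
    msg += b"\xC0\x0C" + struct.pack("!HHIH", answer_type, 255, 0, len(tkey)) + tkey     # answer
    if with_tsig:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TSIG, 255, 0, len(tsig)) + tsig  # additional
    return msg
```

Feeding `check_tkey_response` the bytes of each nameserver's reply shows which of the three conditions a given DC violates, which the single "FAILED @DNS_ID/KEY" print does not distinguish.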

