Win 2003 SP2 Dynamic DNS update.

Sat Aug 14 13:57:48 MDT 2010

Hello,

You asked samba to use system keytab. This keytab will store your
computer's account "password". Using this keytab and with the correct
realm configuration (i guess yours is correct), you can successfully
authenticate as a computer with AD (using kinit) without user
interaction. After that, use the good old nsupdate program that you
were previously using (nsupdate -g). You need a nsupdate compiled with
gssapi support and from a recent release.

If you are using a single computer account to update all dns entries
(like inside the dhcp server), you will need to put your computer's
account inside a group named DNSUpdateProxy.

I hope this helps. I think that samba could implement a "keep dns
sync" option that, using computer account, checks and update dns for
every reboot.

Cheers,

---
     Luiz Angelo Daros de Luca, Me.
            luizluca at gmail.com

2010/8/9 Patrik Martinsson <Patrik.Martinsson at smhi.se>:
> Hello everyone,
>
> I'm having some deep issues with dynamic dns updates and figure I would give
> this list a try, I know this is more of a devel list, but I figured my
> problem is on quite deep technical level so it would fit here, hope you
> don't mind.
>
> Here's my setup,
>
> We have Windows 2003 SP2 AD/DNS/DHCP server.
> We have a zone for clients that only allows signed dns updates, today only
> Windows clients are in this zone, now I want to put linuxclients in here
> too.
> Before we had another zone that allowed insecure dynamic updates and there
> would all our linuxclients go, and on every connect/dhcp lease they would
> manually, through scripts update their dnsentry (with nsupdate).
> Kerberos is configures on all our clients and at logon time a user will get
> a ticket.
> Hope that is enough on the background setup...?
>
> So, here's the case.
> I've setup samba on the clients, I've successfully got it to create a
> machineaccount in the AD, and thereafter it actually updates the dns with an
> entry as expected.
> This I'm doing with following command,
> 'net ads join createupn=host/$HOSTNAME at XX.XXXX.XX
> createcomputer="foo/bar/baz" osName="Linux Red Hat Workstation" osVer="6" -U
> foo%bar'
>
> Important note :
>  Sometimes though, this commands partly fails, saying this,
>  Using short domain name -- XXXX
>  Joined 'CLIENT' to realm 'xx.xxxx.xx'
>  [2010/08/09 15:04:59.082626,  0] libads/kerberos.c:333(ads_kinit_password)
>    kerberos_kinit_password CLIENT$@XX.XXXX.XX failed: Client not found in
> Kerberos database
>  DNS update failed!
>
> I dont understand why it does this only sometimes and not always, and as far
> as i can see, everything is normal (machineaccount is created and keytab is
> written).
>
> HOWEVER, and this is my problem,
> If I, after the dns record beeing deleted from the dns (If the dns server
> doesnt get any updates on the record it will eventually delete it) try to
> update the dnsrecord manually with following command,
> 'net ads dns register -Ufoo%bar'
> I always end up with
> 'DNS update failed!'
>
> So, I started digging in the source and found out that it's failing
> somewhere in the signing part of utils/net_dns.c, digged deeper and ended up
> in libaddns/dnsgss.c, here i added some prints in hope of detecting where it
> would fail, and strangly enough (at least for me, but I'm no expert) it
> failed at different places for every time i ran it. When 'net' queries our
> dns for nameservers the DNS responds with 5 nameservers (dig NS xx @xx),
> which could explain why it fails differently, depending on which nameserver
> that comes first in the list, however these servers should be replicated and
> look the same,  AND even if i run the command multiple times and I for sure
> knows 'net' tries to update the same DNS, it fails differently (I added
> prints in net that tells me which DNS it actually tries to update so i would
> know for sure).
>
> Here's what im talking about,
> First run of, 'net ads dns register -Ufoo%bar' it fails here,
>
> libaddns/dnsgss.c @163,
> if ((major != GSS_S_COMPLETE) &&
>            (major != GSS_S_CONTINUE_NEEDED)) {
>            d_printf("\nFAILED @GSS_S_COMPLETE/GSS_S_CONTINUE_NEEDED\n");
>            return ERROR_DNS_GSS_ERROR;
>        }
>
> Next time i run it AND it tries to update the SAME DNS as before, (a couple
> of times later because the NS list is in random order), if fails here,
>
> libaddns/dnsgss.c @191,
> if ((resp->num_additionals != 1) ||
>                (resp->num_answers == 0) ||
>                (resp->answers[0]->type != QTYPE_TKEY)) {
>                  d_printf("\nFAILED @DNS_ID/KEY\n");
>                err = ERROR_DNS_INVALID_MESSAGE;
>                goto error;
> }
>
> And here I'm stuck, hoping for some help, tips, pointers etc.
>
>
> One question that comes to my mind is that, after doing the 'net join'
> command, i got a keytab with a host/client as user-principle which is cool,
> however when doing the net dns register command, shouldn't that be using
> that keytab file ? As I wrote earlier i use the '-U'-flag to specify a
> user/password rather then using the host keytab entry...But maybe I'm
> mistaken here, I'm really new to kerberos and to be honest I find it _very_
> hard and confusing at the moment, but maybe the picture will clear later
> on....
>
>
> Here's my configfiles,
> # /etc/samba/smb.conf
> realm = XX.XXXX.XX
> security = ADS
> encrypt passwords = yes
> workgroup = XXXX
> kerberos method = secrets and keytab
>
> # /etc/krb5.conf
> [libdefaults]
>  default_realm = XX.XXXX.XX
>  clockskew = 300
>  dns_lookup_realm = false # I've tried with both true/false here.
>  dns_lookup_kdc = false
>  forwardable = true
>  allow_weak_crypto = true
>
> [realms]
>  XX.XXXX.XX = {
>    default_domain = xx.xxxx.xx
>    kdc = xx.xxxx.xx
>    admin_server = xx.xxxx.xx
>  }
>
> [domain_realm]
>  .ad.smhi.se = XX.XXXX.XX
>  .smhi.se = XX.XXXX.XX
>
> Anyway, I know this is a long email and a lot of questions, but I hope that
> somebody could clear things up for me.
>
> Best regards,
> Patrik Martinsson, Sweden.
>