Win 2003 SP2 Dynamic DNS update.
Patrik Martinsson
Patrik.Martinsson at smhi.se
Mon Aug 16 03:15:18 MDT 2010
Hello,
Thanks for the reply.
I did realize a couple of hours after I sent my mail that to tell 'net
ads register dns' to make use of my keytab you specify the -P option;
however, even with this flag the dynamic update fails.
I've spent a couple of hours this morning trying with nsupdate as you
suggested, no luck there either.
This is how I tried it:
# To create a machineaccount in AD.
'net ads join createupn=host/$HOSTNAME at XX.XXXX.XX
createcomputer="foo/bar/baz" osName="Linux Red Hat Workstation"
osVer="6" -U foo%bar'
# Do the nsupdate,
'echo -e "update add $HOSTNAME 3600 A $MYIP\nsend" | /usr/bin/nsupdate -g'
=> "Check your Kerberos ticket, it may have expired."
Hmm, I thought that the nsupdate command would automatically do a kinit
for me here, but that doesn't seem to be the case. Anyhow, here's what I
did then.
# Get the ticket,
'kinit -k host/clientcomputer.xx.xxxx.xx at XX.XXXX.XX'
# Everything OK, I now have the ticket.
# Check it,
'klist'
=> Ticket cache: FILE:/tmp/krb5cc_0
=> Default principal: host/clientcomputer.xx.xxxx.xx at XX.XXXX.XX
=> Valid starting Expires Service principal
=> 08/16/10 11:00:41 08/16/10 21:00:41 krbtgt/XX.XXXX.XX at XX.XXXX.XX
=> renew until 08/17/10 11:00:41
# Do the nsupdate,
'echo -e "update add $HOSTNAME 3600 A $MYIP\nsend" | /usr/bin/nsupdate -g'
=> ; TSIG error with server: tsig verify failure
=> update failed: REFUSED
# If I now check my tickets again, it looks like this:
'klist'
=> Ticket cache: FILE:/tmp/krb5cc_0
=> Default principal: host/clientcomputer.xx.xxxx.xx at XX.XXXX.XX
=> Valid starting Expires Service principal
=> 08/16/10 11:00:41 08/16/10 21:00:41 krbtgt/XX.XXXX.XX at XX.XXXX.XX
=> renew until 08/17/10 11:00:41
=> 08/16/10 11:03:40 08/16/10 21:00:41 DNS/XXXX.XX.XX.XX at XX.XXXX.XX
=> renew until 08/17/10 11:00:41
Hmm, to be honest I'm clueless here. I'm running out of suggestions.
All I want to do is allow my Linux clients to update a secure zone in
DNS (Win 2003); however, that seems nearly impossible.
We have 3 servers (DNS/AD) that are replicated. I don't know if that has
something to do with it, and unfortunately neither do the Windows sysadmins.
/Patrik Martinsson,
Sweden.
On 08/14/2010 09:57 PM, Luiz Angelo Daros de Luca wrote:
> Hello,
>
> You asked samba to use the system keytab. This keytab will store your
> computer's account "password". Using this keytab and with the correct
> realm configuration (I guess yours is correct), you can successfully
> authenticate as a computer with AD (using kinit) without user
> interaction. After that, use the good old nsupdate program that you
> were previously using (nsupdate -g). You need an nsupdate compiled with
> GSSAPI support and from a recent release.
>
> If you are using a single computer account to update all dns entries
> (like inside the dhcp server), you will need to put your computer's
> account inside a group named DNSUpdateProxy.
>
> I hope this helps. I think that samba could implement a "keep dns
> sync" option that, using the computer account, checks and updates DNS on
> every reboot.
>
> Cheers,
>
> ---
> Luiz Angelo Daros de Luca, Me.
> luizluca at gmail.com
>
>
>
> 2010/8/9 Patrik Martinsson<Patrik.Martinsson at smhi.se>:
>
>> Hello everyone,
>>
>> I'm having some deep issues with dynamic DNS updates and figured I would give
>> this list a try. I know this is more of a devel list, but I figured my
>> problem is on quite a deep technical level so it would fit here; hope you
>> don't mind.
>>
>> Here's my setup,
>>
>> We have Windows 2003 SP2 AD/DNS/DHCP server.
>> We have a zone for clients that only allows signed DNS updates. Today only
>> Windows clients are in this zone; now I want to put Linux clients in here
>> too.
>> Before, we had another zone that allowed insecure dynamic updates, and that
>> is where all our Linux clients went; on every connect/DHCP lease they would
>> manually, through scripts, update their DNS entry (with nsupdate).
>> Kerberos is configured on all our clients, and at logon time a user will get
>> a ticket.
>> Hope that is enough on the background setup...?
>>
>> So, here's the case.
>> I've set up Samba on the clients. I've successfully got it to create a
>> machine account in the AD, and thereafter it actually updates the DNS with an
>> entry as expected.
>> This I'm doing with the following command:
>> 'net ads join createupn=host/$HOSTNAME at XX.XXXX.XX
>> createcomputer="foo/bar/baz" osName="Linux Red Hat Workstation" osVer="6" -U
>> foo%bar'
>>
>> Important note :
>> Sometimes, though, this command partly fails, saying this:
>> Using short domain name -- XXXX
>> Joined 'CLIENT' to realm 'xx.xxxx.xx'
>> [2010/08/09 15:04:59.082626, 0] libads/kerberos.c:333(ads_kinit_password)
>> kerberos_kinit_password CLIENT$@XX.XXXX.XX failed: Client not found in
>> Kerberos database
>> DNS update failed!
>>
>> I don't understand why it does this only sometimes and not always, and as far
>> as I can see, everything is normal (the machine account is created and the keytab is
>> written).
>>
>> HOWEVER, and this is my problem,
>> If I, after the DNS record has been deleted from the DNS (if the DNS server
>> doesn't get any updates on the record it will eventually delete it), try to
>> update the DNS record manually with the following command,
>> 'net ads dns register -Ufoo%bar'
>> I always end up with
>> 'DNS update failed!'
>>
>> So, I started digging in the source and found out that it's failing
>> somewhere in the signing part of utils/net_dns.c. I dug deeper and ended up
>> in libaddns/dnsgss.c; here I added some prints in the hope of detecting where it
>> would fail, and strangely enough (at least for me, but I'm no expert) it
>> failed at different places every time I ran it. When 'net' queries our
>> DNS for nameservers, the DNS responds with 5 nameservers (dig NS xx @xx),
>> which could explain why it fails differently, depending on which nameserver
>> comes first in the list. However, these servers should be replicated and
>> look the same, AND even if I run the command multiple times and I know for sure
>> that 'net' tries to update the same DNS, it fails differently (I added
>> prints in net that tell me which DNS it actually tries to update so I would
>> know for sure).
>>
>> Here's what I'm talking about.
>> First run of 'net ads dns register -Ufoo%bar': it fails here,
>>
>> libaddns/dnsgss.c @163,
>> if ((major != GSS_S_COMPLETE) &&
>>     (major != GSS_S_CONTINUE_NEEDED)) {
>>         d_printf("\nFAILED @GSS_S_COMPLETE/GSS_S_CONTINUE_NEEDED\n");
>>         return ERROR_DNS_GSS_ERROR;
>> }
>>
>> Next time I run it AND it tries to update the SAME DNS as before (a couple
>> of times later, because the NS list is in random order), it fails here,
>>
>> libaddns/dnsgss.c @191,
>> if ((resp->num_additionals != 1) ||
>>     (resp->num_answers == 0) ||
>>     (resp->answers[0]->type != QTYPE_TKEY)) {
>>         d_printf("\nFAILED @DNS_ID/KEY\n");
>>         err = ERROR_DNS_INVALID_MESSAGE;
>>         goto error;
>> }
>>
>> And here I'm stuck, hoping for some help, tips, pointers etc.
>>
>>
>> One question that comes to my mind is that, after doing the 'net join'
>> command, I got a keytab with host/client as the user principal, which is cool;
>> however, when doing the net dns register command, shouldn't that be using
>> that keytab file? As I wrote earlier, I use the '-U' flag to specify a
>> user/password rather than using the host keytab entry... But maybe I'm
>> mistaken here. I'm really new to Kerberos and, to be honest, I find it _very_
>> hard and confusing at the moment, but maybe the picture will clear later
>> on....
>>
>>
>> Here's my configfiles,
>> # /etc/samba/smb.conf
>> realm = XX.XXXX.XX
>> security = ADS
>> encrypt passwords = yes
>> workgroup = XXXX
>> kerberos method = secrets and keytab
>>
>> # /etc/krb5.conf
>> [libdefaults]
>> default_realm = XX.XXXX.XX
>> clockskew = 300
>> dns_lookup_realm = false # I've tried with both true/false here.
>> dns_lookup_kdc = false
>> forwardable = true
>> allow_weak_crypto = true
>>
>> [realms]
>> XX.XXXX.XX = {
>> default_domain = xx.xxxx.xx
>> kdc = xx.xxxx.xx
>> admin_server = xx.xxxx.xx
>> }
>>
>> [domain_realm]
>> .ad.smhi.se = XX.XXXX.XX
>> .smhi.se = XX.XXXX.XX
>>
>> Anyway, I know this is a long email and a lot of questions, but I hope that
>> somebody could clear things up for me.
>>
>> Best regards,
>> Patrik Martinsson, Sweden.
>>
>>
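The keytab-based flow Luiz describes (kinit as the host principal from the keytab written by 'net ads join', then nsupdate -g), written out as a script a DHCP client hook could run. This is an added example for this archive page, not code from the thread or from Samba. It assumes the keytab is at /etc/krb5.keytab, that the host's FQDN sits directly in the zone (so the zone is the FQDN minus its first label), and that the SOA MNAME of that zone is reachable from the client. Unlike the one-liner in the thread, it passes explicit 'server' and 'zone' statements and absolute names with a trailing dot: a GSS-TSIG context is negotiated (via TKEY) with one particular server, so the signed update has to reach that same server rather than whichever replica a round-robin lookup returns, and a short $HOSTNAME must not be completed from the resolver search list. Authenticating from the keytab also keeps a user password off the command line, where '-Ufoo%bar' makes it visible in 'ps'.

```shell
#!/bin/sh
# Added example: register this host's A record in an AD-integrated zone that only
# accepts secure (GSS-TSIG) dynamic updates, authenticating with the host keytab.
# Assumptions (not from the thread): keytab path, host directly below the zone,
# SOA MNAME reachable. Requires MIT/Heimdal kinit+klist and a GSSAPI-enabled nsupdate.
set -eu

KEYTAB=/etc/krb5.keytab   # assumed: where 'net ads join' with 'kerberos method = secrets and keytab' wrote the host keys
TTL=3600

# Zone of a host that sits directly in it: strip the first label.
#   zone_of client1.ad.example.com -> ad.example.com
zone_of() {
    printf '%s\n' "${1#*.}"
}

# Compose the nsupdate script (pure text, so it can be inspected or tested offline).
#   $1 FQDN (no trailing dot)  $2 IPv4 address  $3 zone  $4 server to send to
# 'server' pins both the TKEY negotiation and the signed update to one server:
# the GSS-TSIG context exists only on the server that answered the TKEY, so a
# replica that never saw it will answer "tsig verify failure".
# 'zone' avoids a second SOA lookup, and the trailing dots make the names
# absolute so nothing is appended from the resolver's search list.
# The delete makes the update idempotent when the address changes.
build_nsupdate_script() {
    fqdn=$1
    ip=$2
    zone=$3
    server=$4
    printf 'server %s\nzone %s.\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$server" "$zone" "$fqdn" "$fqdn" "$TTL" "$ip"
}

# Get a TGT as host/<fqdn> from the keytab, then confirm a valid one is cached
# (klist -s is silent and exits non-zero if there is no unexpired TGT).
host_kinit() {
    kinit -k -t "$KEYTAB" "host/$(hostname -f)"
    klist -s
}

# Pick the zone's primary master from the SOA MNAME and send the update there.
# nsupdate -g uses GSS-TSIG with the credential cache populated by host_kinit;
# -d prints the TKEY exchange and the exact TSIG failure if one occurs.
register_a_record() {
    ip=$1
    fqdn=$(hostname -f)
    zone=$(zone_of "$fqdn")
    server=$(dig +short SOA "$zone" | awk '{print $1}')
    [ -n "$server" ] || { echo "no SOA for $zone" >&2; return 1; }
    build_nsupdate_script "$fqdn" "$ip" "$zone" "$server" | nsupdate -g -d
}

# Only touch the KDC/DNS when explicitly asked, e.g. from a dhclient exit hook:
#   sh register-dns.sh --run "$new_ip_address"
if [ "${1-}" = "--run" ]; then
    host_kinit
    register_a_record "$2"
fi
```

Run it as root after 'net ads join' has produced the keytab; if nsupdate still reports a TSIG failure, the -d output shows whether the TKEY answer and the refused update came from the same server address, and 'klist' afterwards should list a DNS/<server> service ticket as it does in the thread.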