Win 2003 SP2 Dynamic DNS update.

Luiz Angelo Daros de Luca luizluca at gmail.com
Tue Aug 24 17:08:04 MDT 2010


I use these commands (and they work):

/usr/kerberos/bin/kinit -k -c 60 -t '/etc/krb5.keytab' 'machine$'
nsupdate -g

Check using Wireshark if there is really a Kerberos handshake. Also,
check in the Windows events for more information.

Cheers,

---
     Luiz Angelo Daros de Luca, Me.
            luizluca at gmail.com
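The two commands above, wrapped into the script a Linux client would run at DHCP lease time and with the error cases from this thread mapped to something a script can act on (an added example, not from the thread or from Samba; the keytab path, the FQDN, the DC name and the DnsUpdateProxy note are assumptions):

```shell
#!/bin/sh
# Added example: update a host's A record in an AD-integrated zone from a Linux
# domain member, authenticating as the machine account (HOST$) from the system
# keytab and signing the update with GSS-TSIG (nsupdate -g). Assumes
# /etc/krb5.keytab came from 'net ads join' and nsupdate has GSS-API support.
set -u

# Emit the nsupdate batch for one host. Deleting any old A record first keeps
# the update idempotent when the client's DHCP lease changes address.
build_update_script() {   # $1=fqdn $2=ip $3=ttl $4=DNS server (a DC)
    printf 'server %s\n' "$4"
    printf 'update delete %s. A\n' "$1"
    printf 'update add %s. %s A %s\n' "$1" "$3" "$2"
    printf 'send\n'
}

# Reduce nsupdate's output to a token a caller can act on:
#   ok         update accepted
#   no-ticket  no usable Kerberos ticket: kinit with the keytab first
#   refused    GSS-TSIG rejected: wrong principal, or the account may not edit
#              the record (a shared updater belongs in DnsUpdateProxy)
classify_nsupdate_output() {
    case "$1" in
        "")                                echo ok ;;
        *"Check your Kerberos ticket"*)    echo no-ticket ;;
        *"tsig verify failure"*|*REFUSED*) echo refused ;;
        *)                                 echo unknown ;;
    esac
}

secure_dns_update() {   # $1=fqdn $2=ip $3=DNS server
    # Private credential cache, so the machine ticket never overwrites the
    # logged-in user's cache (the klist output above shows /tmp/krb5cc_0).
    cc="$(mktemp /tmp/krb5cc_dnsupd.XXXXXX)" || return 2
    KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
    machine="$(hostname -s | tr '[:lower:]' '[:upper:]')\$"   # e.g. CLIENT$
    if ! kinit -k -t /etc/krb5.keytab "$machine"; then
        rm -f "$cc"; return 2
    fi
    out="$(build_update_script "$1" "$2" 3600 "$3" | nsupdate -g 2>&1)"
    rc=$?
    kdestroy >/dev/null 2>&1; rm -f "$cc"
    status="$(classify_nsupdate_output "$out")"
    echo "$status"
    [ "$status" = ok ] && return 0
    echo "$out" >&2            # keep the raw server reply for the log
    [ "$rc" -ne 0 ] || rc=1
    return "$rc"
}
```

Run it as `secure_dns_update client.example.test 10.0.0.5 dc1.example.test` from a DHCP client hook; a `refused` result with a valid ticket is the point at which to check record ownership on the DC rather than the client's Kerberos setup.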



2010/8/16 Patrik Martinsson <Patrik.Martinsson at smhi.se>:
> Hello,
>
> Thanks for the reply.
>
> I did realize a couple of hours after I sent my mail that to tell 'net ads
> register dns' to make use of my keytab you specify the -P option,
> however, even with this flag the dynamic update fails.
>
> I've spent a couple of hours this morning trying with nsupdate as you
> suggested, no luck there either.
> This is how I tried it,
>
> # To create a machine account in AD.
> 'net ads join createupn=host/$HOSTNAME at XX.XXXX.XX
> createcomputer="foo/bar/baz" osName="Linux Red Hat Workstation" osVer="6" -U
> foo%bar'
>
> # Do the nsupdate,
> 'echo -e "update add $HOSTNAME 3600 A $MYIP\nsend" | /usr/bin/nsupdate -g'
> => "Check your Kerberos ticket, it may have expired."
>
> Hmm, I thought that the nsupdate command would automatically do a kinit for
> me here, but that doesn't seem to be the case. Anyhow, here's what I did
> then.
>
> # Get the ticket,
> 'kinit -k  host/clientcomputer.xx.xxxx.xx at XX.XXXX.XX'
> # Everything OK, I now got the ticket.
>
> # Check it,
> 'klist'
>
> => Ticket cache: FILE:/tmp/krb5cc_0
> => Default principal: host/clientcomputer.xx.xxxx.xx at XX.XXXX.XX'
> => Valid starting     Expires            Service principal
> => 08/16/10 11:00:41  08/16/10 21:00:41  krbtgt/XX.XXXX.XX at XX.XXXX.XX
> =>     renew until 08/17/10 11:00:41
>
> # Do the nsupdate,
> 'echo -e "update add $HOSTNAME 3600 A $MYIP\nsend" | /usr/bin/nsupdate -g'
>
> => ; TSIG error with server: tsig verify failure
> => update failed: REFUSED
>
> # If I now check my tickets again it looks like this,
> 'klist'
> => Ticket cache: FILE:/tmp/krb5cc_0
> => Default principal: host/clientcomputer.xx.xxxx.xx at XX.XXXX.XX'
> => Valid starting     Expires            Service principal
> => 08/16/10 11:00:41  08/16/10 21:00:41  krbtgt/XX.XXXX.XX at XX.XXXX.XX
> =>     renew until 08/17/10 11:00:41
> => 08/16/10 11:03:40  08/16/10 21:00:41  DNS/XXXX.XX.XX.XX at XX.XXXX.XX
> =>    renew until 08/17/10 11:00:41
>
> Hmm, to be honest I'm clueless here. I'm running out of suggestions.
> All I want to do is to allow my Linux clients to update a secure zone in DNS
> (Win 2003), however that seems nearly impossible.
> We have 3 servers (DNS/AD) that are replicated; I don't know if that has
> something to do with it, and unfortunately neither do the Windows sysadmins.
>
> /Patrik Martinsson,
> Sweden.
>
> On 08/14/2010 09:57 PM, Luiz Angelo Daros de Luca wrote:
>>
>> Hello,
>>
>> You asked samba to use system keytab. This keytab will store your
>> computer's account "password". Using this keytab and with the correct
>> realm configuration (I guess yours is correct), you can successfully
>> authenticate as a computer with AD (using kinit) without user
>> interaction. After that, use the good old nsupdate program that you
>> were previously using (nsupdate -g). You need a nsupdate compiled with
>> gssapi support and from a recent release.
>>
>> If you are using a single computer account to update all dns entries
>> (like inside the dhcp server), you will need to put your computer's
>> account inside a group named DNSUpdateProxy.
>>
>> I hope this helps. I think that samba could implement a "keep dns
>> sync" option that, using the computer account, checks and updates DNS on
>> every reboot.
>>
>> Cheers,
>>
>> ---
>>      Luiz Angelo Daros de Luca, Me.
>>             luizluca at gmail.com
>>
>>
>>
>> 2010/8/9 Patrik Martinsson<Patrik.Martinsson at smhi.se>:
>>
>>>
>>> Hello everyone,
>>>
>>> I'm having some deep issues with dynamic DNS updates and figured I would
>>> give this list a try. I know this is more of a devel list, but I figured my
>>> problem is on quite a deep technical level so it would fit here; hope you
>>> don't mind.
>>>
>>> Here's my setup,
>>>
>>> We have a Windows 2003 SP2 AD/DNS/DHCP server.
>>> We have a zone for clients that only allows signed DNS updates; today only
>>> Windows clients are in this zone, and now I want to put Linux clients in
>>> here too.
>>> Before, we had another zone that allowed insecure dynamic updates, and there
>>> all our Linux clients would go; on every connect/DHCP lease they would
>>> manually, through scripts, update their DNS entry (with nsupdate).
>>> Kerberos is configured on all our clients, and at logon time a user will
>>> get a ticket.
>>> Hope that is enough on the background setup...?
>>>
>>> So, here's the case.
>>> I've set up samba on the clients, I've successfully got it to create a
>>> machine account in the AD, and thereafter it actually updates the DNS with
>>> an entry as expected.
>>> This I'm doing with the following command,
>>> 'net ads join createupn=host/$HOSTNAME at XX.XXXX.XX
>>> createcomputer="foo/bar/baz" osName="Linux Red Hat Workstation" osVer="6"
>>> -U
>>> foo%bar'
>>>
>>> Important note :
>>>  Sometimes though, this command partly fails, saying this,
>>>  Using short domain name -- XXXX
>>>  Joined 'CLIENT' to realm 'xx.xxxx.xx'
>>>  [2010/08/09 15:04:59.082626,  0]
>>> libads/kerberos.c:333(ads_kinit_password)
>>>    kerberos_kinit_password CLIENT$@XX.XXXX.XX failed: Client not found in
>>> Kerberos database
>>>  DNS update failed!
>>>
>>> I don't understand why it does this only sometimes and not always, and as
>>> far as I can see, everything is normal (machine account is created and
>>> keytab is written).
>>>
>>> HOWEVER, and this is my problem,
>>> If I, after the DNS record has been deleted from the DNS (if the DNS server
>>> doesn't get any updates on the record it will eventually delete it), try to
>>> update the DNS record manually with the following command,
>>> 'net ads dns register -Ufoo%bar'
>>> I always end up with
>>> 'DNS update failed!'
>>>
>>> So, I started digging in the source and found out that it's failing
>>> somewhere in the signing part of utils/net_dns.c. I dug deeper and ended up
>>> in libaddns/dnsgss.c; here I added some prints in the hope of detecting
>>> where it would fail, and strangely enough (at least for me, but I'm no
>>> expert) it failed at different places every time I ran it. When 'net'
>>> queries our DNS for nameservers the DNS responds with 5 nameservers
>>> (dig NS xx @xx), which could explain why it fails differently, depending on
>>> which nameserver comes first in the list; however these servers should be
>>> replicated and look the same, AND even if I run the command multiple times
>>> and I know for sure that 'net' tries to update the same DNS, it fails
>>> differently (I added prints in net that tell me which DNS it actually tries
>>> to update so I would know for sure).
>>>
>>> Here's what I'm talking about,
>>> First run of 'net ads dns register -Ufoo%bar' fails here,
>>>
>>> libaddns/dnsgss.c @163,
>>> if ((major != GSS_S_COMPLETE) &&
>>>     (major != GSS_S_CONTINUE_NEEDED)) {
>>>         d_printf("\nFAILED @GSS_S_COMPLETE/GSS_S_CONTINUE_NEEDED\n");
>>>         return ERROR_DNS_GSS_ERROR;
>>> }
>>>
>>> Next time I run it AND it tries to update the SAME DNS as before (a couple
>>> of times later because the NS list is in random order), it fails here,
>>>
>>> libaddns/dnsgss.c @191,
>>> if ((resp->num_additionals != 1) ||
>>>     (resp->num_answers == 0) ||
>>>     (resp->answers[0]->type != QTYPE_TKEY)) {
>>>         d_printf("\nFAILED @DNS_ID/KEY\n");
>>>         err = ERROR_DNS_INVALID_MESSAGE;
>>>         goto error;
>>> }
>>>
>>> And here I'm stuck, hoping for some help, tips, pointers etc.
>>>
>>>
>>> One question that comes to my mind is that, after doing the 'net join'
>>> command, I got a keytab with host/client as user principal, which is cool;
>>> however, when doing the net dns register command, shouldn't that be using
>>> that keytab file? As I wrote earlier I use the '-U' flag to specify a
>>> user/password rather than using the host keytab entry... But maybe I'm
>>> mistaken here; I'm really new to Kerberos and to be honest I find it _very_
>>> hard and confusing at the moment, but maybe the picture will clear later
>>> on....
>>>
>>>
>>> Here are my config files,
>>> # /etc/samba/smb.conf
>>> realm = XX.XXXX.XX
>>> security = ADS
>>> encrypt passwords = yes
>>> workgroup = XXXX
>>> kerberos method = secrets and keytab
>>>
>>> # /etc/krb5.conf
>>> [libdefaults]
>>>  default_realm = XX.XXXX.XX
>>>  clockskew = 300
>>>  dns_lookup_realm = false # I've tried with both true/false here.
>>>  dns_lookup_kdc = false
>>>  forwardable = true
>>>  allow_weak_crypto = true
>>>
>>> [realms]
>>>  XX.XXXX.XX = {
>>>    default_domain = xx.xxxx.xx
>>>    kdc = xx.xxxx.xx
>>>    admin_server = xx.xxxx.xx
>>>  }
>>>
>>> [domain_realm]
>>>  .ad.smhi.se = XX.XXXX.XX
>>>  .smhi.se = XX.XXXX.XX
>>>
>>> Anyway, I know this is a long email and a lot of questions, but I hope that
>>> somebody could clear things up for me.
>>>
>>> Best regards,
>>> Patrik Martinsson, Sweden.
>>>
>>>
>

