Win 2003 SP2 Dynamic DNS update.

Sam Liddicott sam at liddicott.com
Thu Aug 26 04:34:20 MDT 2010 

  [Something weird going on, I got a moderator message from 
samba-technical - trying again more carefully]

Here's what I use, it's a bit longer than that; it will update dns and 
reverse dns.

Note: It can't update dns if a dns record already exists created by a 
previous machine account of the same name - i.e. if you re-join the 
domain you may need to delete the old dns records as administrator.

"--password-file=/dev/stdin" isn't needed if you are using mit kerberos.

If you are using heimdal kerberos for kinit, there's a bug in bind 9.7 
that may cause nsupdate to give the error: "failed to generate random block"

You can provide the IP address as $1 or it will try to guess it.

#! /bin/sh

IP=${1:-`ip addr \
   | sed -e '/^[0-9]/{s/^[0-9]*: *//;s/:.*//;x;d};/^ *inet/{s/^ .*inet 
*//;s/\/.*//;H;x;s/\n/=/;p};d' \
   | sort | head -1 | sed -e 's/.*=//'`}

# RIP is reverse IP
RIP=`echo $IP | tr . "\n" | tac | tr "\n" .`in-addr.arpa.

TTL=${2:-86400}

SELF=`hostname | tr a-z A-Z`
DOMAIN=`sed -ne '/^ *\[/{/globals/!q};/realm/{s/.*= *//;p}' 
/etc/samba/smb.conf | tr A-Z a-z`

net machinepw "$SELF"'$' | kinit --password-file=/dev/stdin -l 60s $SELF 
|| exit 1

trap "kdestroy" 0

nsupdate -g <<UPDATE || exit 1
update delete $SELF.$DOMAIN A
update add $SELF.$DOMAIN $TTL A $IP
send
UPDATE

nsupdate -g <<UPDATE || exit 1
update delete $RIP PTR
update add $RIP $TTL PTR $SELF.$DOMAIN
send
UPDATE



On 25/08/10 00:08, Luiz Angelo Daros de Luca wrote:
> I use this commands (and it work)
>
> /usr/kerberos/bin/kinit -k -c 60 -t '/etc/krb5.keytab' 'machine$'
> nsupdate -g
>
> Check using wireshark if there is really a kerberos handshake. Also,
> check in windows events for more information.
>
> Cheers,
>
> ---
>       Luiz Angelo Daros de Luca, Me.
>              luizluca at gmail.com
>
>
>
> 2010/8/16 Patrik Martinsson<Patrik.Martinsson at smhi.se>:
>> Hello,
>>
>> Thanks for the reply.
>>
>> I did realize a couple of hours after I sent my mail that to tell 'net ads
>> register dns' to make use of my keytab you specify the -P option,
>> however, even with this flag the dynamic update fails.
>>
>> I've spent a couple of hours this morning trying with nsupdate as you
>> suggested, no luck there either.
>> This is how i tried it,
>>
>> # To create a machineaccount in AD.
>> 'net ads joincreateupn=host/$HOSTNAME at XX.XXXX.XX
>> createcomputer="foo/bar/baz" osName="Linux Red Hat Workstation" osVer="6" -U
>> foo%bar'
>>
>> # Do the nsupdate,
>> 'echo -e "update add $HOSTNAME 3600 A $MYIP\nsend" | /usr/bin/nsupdate -g'
>> =>  "Check your Kerberos ticket, it may have expired."
>>
>> Hmm, i thought that the nsupdate command would automatically do an kinit for
>> me here, but that doesn't seem to be the case, anyhow here's what i did
>> then.
>>
>> # Get the ticket,
>> 'kinit -khost/clientcomputer.xx.xxxx.xx at XX.XXXX.XX'
>> # Everything OK, i now got the ticket.
>>
>> # Check it,
>> 'klist'
>>
>> =>  Ticket cache:FILE:/tmp/krb5cc_0
>> =>  Default principal:host/clientcomputer.xx.xxxx.xx at XX.XXXX.XX'
>> =>  Valid starting     Expires            Service principal
>> =>  08/16/10 11:00:41  08/16/10 21:00:41krbtgt/XX.XXXX.XX at XX..XXXX.XX
>> =>       renew until 08/17/10 11:00:41
>>
>> # Do the nsupdate,
>> 'echo -e "update add $HOSTNAME 3600 A $MYIP\nsend" | /usr/bin/nsupdate -g'
>>
>> =>  ; TSIG error with server: tsig verify failure
>> =>  update failed: REFUSED
>>
>> # If i know check the my tickets again it looks like this,
>> 'klist'
>> =>  Ticket cache:FILE:/tmp/krb5cc_0
>> =>  Default principal:host/clientcomputer.xx.xxxx.xx at XX.XXXX.XX'
>> =>  Valid starting     Expires            Service principal
>> =>  08/16/10 11:00:41  08/16/10 21:00:41krbtgt/XX.XXXX.XX at XX..XXXX.XX
>> =>       renew until 08/17/10 11:00:41
>> =>  08/16/10 11:03:40  08/16/10 21:00:41DNS/XXXX.XX.XX.XX at XX..XXXX.XX
>> =>      renew until 08/17/10 11:00:41
>>
>> Hmm, to be honest I'm clueless here. I'm running out of suggestions.
>> All i want to do is to allow my linuxclients to update a secure zone in dns
>> (win 2003), however that seems nearly impossible.
>> We have 3 servers (dns/ad) that are replicated, i don't know if that has
>> something to do with it, unfortunately nor does the windows sysadmins.
>>
>> /Patrik Martinsson,
>> Sweden.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On 08/14/2010 09:57 PM, Luiz Angelo Daros de Luca wrote:
>>> Hello,
>>>
>>> You asked samba to use system keytab. This keytab will store your
>>> computer's account "password". Using this keytab and with the correct
>>> realm configuration (i guess yours is correct), you can successfully
>>> authenticate as a computer with AD (using kinit) without user
>>> interaction. After that, use the good old nsupdate program that you
>>> were previously using (nsupdate -g). You need a nsupdate compiled with
>>> gssapi support and from a recent release.
>>>
>>> If you are using a single computer account to update all dns entries
>>> (like inside the dhcp server), you will need to put your computer's
>>> account inside a group named DNSUpdateProxy.
>>>
>>> I hope this helps. I think that samba could implement a "keep dns
>>> sync" option that, using computer account, checks and update dns for
>>> every reboot.
>>>
>>> Cheers,
>>>
>>> ---
>>>       Luiz Angelo Daros de Luca, Me.
>>>              luizluca at gmail.com
>>>
>>>
>>>
>>> 2010/8/9 Patrik Martinsson<Patrik.Martinsson at smhi.se>:
>>>
>>>> Hello everyone,
>>>>
>>>> I'm having some deep issues with dynamic dns updates and figure I would
>>>> give
>>>> this list a try, I know this is more of a devel list, but I figured my
>>>> problem is on quite deep technical level so it would fit here, hope you
>>>> don't mind.
>>>>
>>>> Here's my setup,
>>>>
>>>> We have Windows 2003 SP2 AD/DNS/DHCP server.
>>>> We have a zone for clients that only allows signed dns updates, today
>>>> only
>>>> Windows clients are in this zone, now I want to put linuxclients in here
>>>> too.
>>>> Before we had another zone that allowed insecure dynamic updates and
>>>> there
>>>> would all our linuxclients go, and on every connect/dhcp lease they would
>>>> manually, through scripts update their dnsentry (with nsupdate).
>>>> Kerberos is configures on all our clients and at logon time a user will
>>>> get
>>>> a ticket.
>>>> Hope that is enough on the background setup...?
>>>>
>>>> So, here's the case.
>>>> I've setup samba on the clients, I've successfully got it to create a
>>>> machineaccount in the AD, and thereafter it actually updates the dns with
>>>> an
>>>> entry as expected.
>>>> This I'm doing with following command,
>>>> 'net ads joincreateupn=host/$HOSTNAME at XX.XXXX.XX
>>>> createcomputer="foo/bar/baz" osName="Linux Red Hat Workstation" osVer="6"
>>>> -U
>>>> foo%bar'
>>>>
>>>> Important note :
>>>>   Sometimes though, this commands partly fails, saying this,
>>>>   Using short domain name -- XXXX
>>>>   Joined 'CLIENT' to realm 'xx.xxxx.xx'
>>>>   [2010/08/09 15:04:59.082626,  0]
>>>> libads/kerberos.c:333(ads_kinit_password)
>>>>     kerberos_kinit_passwordCLIENT$@XX.XXXX.XX  failed: Client not found in
>>>> Kerberos database
>>>>   DNS update failed!
>>>>
>>>> I dont understand why it does this only sometimes and not always, and as
>>>> far
>>>> as i can see, everything is normal (machineaccount is created and keytab
>>>> is
>>>> written).
>>>>
>>>> HOWEVER, and this is my problem,
>>>> If I, after the dns record beeing deleted from the dns (If the dns server
>>>> doesnt get any updates on the record it will eventually delete it) try to
>>>> update the dnsrecord manually with following command,
>>>> 'net ads dns register -Ufoo%bar'
>>>> I always end up with
>>>> 'DNS update failed!'
>>>>
>>>> So, I started digging in the source and found out that it's failing
>>>> somewhere in the signing part of utils/net_dns.c, digged deeper and ended
>>>> up
>>>> in libaddns/dnsgss.c, here i added some prints in hope of detecting where
>>>> it
>>>> would fail, and strangly enough (at least for me, but I'm no expert) it
>>>> failed at different places for every time i ran it. When 'net' queries
>>>> our
>>>> dns for nameservers the DNS responds with 5 nameservers (dig NS xx @xx),
>>>> which could explain why it fails differently, depending on which
>>>> nameserver
>>>> that comes first in the list, however these servers should be replicated
>>>> and
>>>> look the same,  AND even if i run the command multiple times and I for
>>>> sure
>>>> knows 'net' tries to update the same DNS, it fails differently (I added
>>>> prints in net that tells me which DNS it actually tries to update so i
>>>> would
>>>> know for sure).
>>>>
>>>> Here's what im talking about,
>>>> First run of, 'net ads dns register -Ufoo%bar' it fails here,
>>>>
>>>> libaddns/dnsgss.c @163,
>>>> if ((major != GSS_S_COMPLETE)&&
>>>>             (major != GSS_S_CONTINUE_NEEDED)) {
>>>>             d_printf("\nFAILED @GSS_S_COMPLETE/GSS_S_CONTINUE_NEEDED\n");
>>>>             return ERROR_DNS_GSS_ERROR;
>>>>         }
>>>>
>>>> Next time i run it AND it tries to update the SAME DNS as before, (a
>>>> couple
>>>> of times later because the NS list is in random order), if fails here,
>>>>
>>>> libaddns/dnsgss.c @191,
>>>> if ((resp->num_additionals != 1) ||
>>>>                 (resp->num_answers == 0) ||
>>>>                 (resp->answers[0]->type != QTYPE_TKEY)) {
>>>>                   d_printf("\nFAILED @DNS_ID/KEY\n");
>>>>                 err = ERROR_DNS_INVALID_MESSAGE;
>>>>                 goto error;
>>>> }
>>>>
>>>> And here I'm stuck, hoping for some help, tips, pointers etc.
>>>>
>>>>
>>>> One question that comes to my mind is that, after doing the 'net join'
>>>> command, i got a keytab with a host/client as user-principle which is
>>>> cool,
>>>> however when doing the net dns register command, shouldn't that be using
>>>> that keytab file ? As I wrote earlier i use the '-U'-flag to specify a
>>>> user/password rather then using the host keytab entry...But maybe I'm
>>>> mistaken here, I'm really new to kerberos and to be honest I find it
>>>> _very_
>>>> hard and confusing at the moment, but maybe the picture will clear later
>>>> on....
>>>>
>>>>
>>>> Here's my configfiles,
>>>> # /etc/samba/smb.conf
>>>> realm = XX.XXXX.XX
>>>> security = ADS
>>>> encrypt passwords = yes
>>>> workgroup = XXXX
>>>> kerberos method = secrets and keytab
>>>>
>>>> # /etc/krb5.conf
>>>> [libdefaults]
>>>>   default_realm = XX.XXXX.XX
>>>>   clockskew = 300
>>>>   dns_lookup_realm = false # I've tried with both true/false here..
>>>>   dns_lookup_kdc = false
>>>>   forwardable = true
>>>>   allow_weak_crypto = true
>>>>
>>>> [realms]
>>>>   XX.XXXX.XX = {
>>>>     default_domain = xx.xxxx.xx
>>>>     kdc = xx.xxxx.xx
>>>>     admin_server = xx.xxxx.xx
>>>>   }
>>>>
>>>> [domain_realm]
>>>>   .ad.smhi.se = XX.XXXX.XX
>>>>   .smhi.se = XX.XXXX.XX
>>>>
>>>> Anyway, I know this is a long email and a lot of questions, but I hope
>>>> that
>>>> somebody could clear things up for me.
>>>>
>>>> Best regards,
>>>> Patrik Martinsson, Sweden.
>>>>
>>>>


-- 
[FSF Associate Member #2325] 
<http://www.fsf.org/register_form?referrer=2325>

More information about the samba-technical mailing list