Win 2003 SP2 Dynamic DNS update.
Patrik Martinsson
Patrik.Martinsson at smhi.se
Mon Aug 30 05:11:43 MDT 2010
Hello,
Thanks for your help and suggestions.
I've actually managed to use /source4/scripting/bin/nsupdate-gss instead.
This is a wonderful Perl-script, and with some modifications, fits my
needs perfectly.
On every client, when a network interface is brought up and the dns is
reachable we will use this Perl-script to dynamically update our signed
zones, this will also be executed when the dhcp-lease gets renewed.
Thanks again everybody.
/Patrik Martinsson,
Sweden.
On 08/26/2010 12:25 PM, Sam Liddicott wrote:
> Here's what I use, it's a bit longer than that; it will update dns and
> reverse dns.
>
> Note: It can't update dns if a dns record already exists created by a
> previous machine account of the same name - i.e. if you re-join the
> domain you may need to delete the old dns records as administrator.
>
> "--password-file=/dev/stdin" isn't needed if you are using mit kerberos.
>
> If you are using heimdal kerberos for kinit, there's a bug in bind 9.7
> that may cause nsupdate to give the error: "failed to generate random
> block"
>
> You can provide the IP address as $1 or it will try to guess it.
>
> #! /bin/sh
>
> IP=${1:-`ip addr \
> | sed -e '/^[0-9]/{s/^[0-9]*: *//;s/:.*//;x;d};/^ *inet/{s/^ .*inet
> *//;s/\/.*//;H;x;s/\n/=/;p};d' \
> | sort | head -1 | sed -e 's/.*=//'`}
>
> # RIP is reverse IP
> RIP=`echo $IP | tr . "\n" | tac | tr "\n" .`in-addr.arpa.
>
> TTL=${2:-86400}
>
> SELF=`hostname | tr a-z A-Z`
> DOMAIN=`sed -ne '/^ *\[/{/globals/!q};/realm/{s/.*= *//;p}'
> /etc/samba/smb.conf | tr A-Z a-z`
>
> net machinepw "$SELF"'$' | kinit --password-file=/dev/stdin -l 60s
> $SELF || exit 1
>
> trap "kdestroy" 0
>
> nsupdate -g <<UPDATE || exit 1
> update delete $SELF.$DOMAIN A
> update add $SELF.$DOMAIN $TTL A $IP
> send
> UPDATE
>
> nsupdate -g <<UPDATE || exit 1
> update delete $RIP PTR
> update add $RIP $TTL PTR $SELF.$DOMAIN
> send
> UPDATE
>
>
>
> On 25/08/10 00:08, Luiz Angelo Daros de Luca wrote:
>> I use this commands (and it work)
>>
>> /usr/kerberos/bin/kinit -k -c 60 -t '/etc/krb5.keytab' 'machine$'
>> nsupdate -g
>>
>> Check using wireshark if there is really a kerberos handshake. Also,
>> check in windows events for more information.
>>
>> Cheers,
>>
>> ---
>> Luiz Angelo Daros de Luca, Me.
>> luizluca at gmail.com
>>
>>
>>
>> 2010/8/16 Patrik Martinsson<Patrik.Martinsson at smhi.se>:
>>
>>> Hello,
>>>
>>> Thanks for the reply.
>>>
>>> I did realize a couple of hours after I sent my mail that to tell 'net ads
>>> register dns' to make use of my keytab you specify the -P option,
>>> however, even with this flag the dynamic update fails.
>>>
>>> I've spent a couple of hours this morning trying with nsupdate as you
>>> suggested, no luck there either.
>>> This is how i tried it,
>>>
>>> # To create a machineaccount in AD.
>>> 'net ads joincreateupn=host/$HOSTNAME at XX.XXXX.XX
>>> createcomputer="foo/bar/baz" osName="Linux Red Hat Workstation" osVer="6" -U
>>> foo%bar'
>>>
>>> # Do the nsupdate,
>>> 'echo -e "update add $HOSTNAME 3600 A $MYIP\nsend" | /usr/bin/nsupdate -g'
>>> => "Check your Kerberos ticket, it may have expired."
>>>
>>> Hmm, i thought that the nsupdate command would automatically do an kinit for
>>> me here, but that doesn't seem to be the case, anyhow here's what i did
>>> then.
>>>
>>> # Get the ticket,
>>> 'kinit -khost/clientcomputer.xx.xxxx.xx at XX.XXXX.XX'
>>> # Everything OK, i now got the ticket.
>>>
>>> # Check it,
>>> 'klist'
>>>
>>> => Ticket cache:FILE:/tmp/krb5cc_0
>>> => Default principal:host/clientcomputer.xx.xxxx.xx at XX.XXXX.XX'
>>> => Valid starting Expires Service principal
>>> => 08/16/10 11:00:41 08/16/10 21:00:41krbtgt/XX.XXXX.XX at XX..XXXX.XX
>>> => renew until 08/17/10 11:00:41
>>>
>>> # Do the nsupdate,
>>> 'echo -e "update add $HOSTNAME 3600 A $MYIP\nsend" | /usr/bin/nsupdate -g'
>>>
>>> => ; TSIG error with server: tsig verify failure
>>> => update failed: REFUSED
>>>
>>> # If i know check the my tickets again it looks like this,
>>> 'klist'
>>> => Ticket cache:FILE:/tmp/krb5cc_0
>>> => Default principal:host/clientcomputer.xx.xxxx.xx at XX.XXXX.XX'
>>> => Valid starting Expires Service principal
>>> => 08/16/10 11:00:41 08/16/10 21:00:41krbtgt/XX.XXXX.XX at XX..XXXX.XX
>>> => renew until 08/17/10 11:00:41
>>> => 08/16/10 11:03:40 08/16/10 21:00:41DNS/XXXX.XX.XX.XX at XX..XXXX.XX
>>> => renew until 08/17/10 11:00:41
>>>
>>> Hmm, to be honest I'm clueless here. I'm running out of suggestions.
>>> All i want to do is to allow my linuxclients to update a secure zone in dns
>>> (win 2003), however that seems nearly impossible.
>>> We have 3 servers (dns/ad) that are replicated, i don't know if that has
>>> something to do with it, unfortunately nor does the windows sysadmins.
>>>
>>> /Patrik Martinsson,
>>> Sweden.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 08/14/2010 09:57 PM, Luiz Angelo Daros de Luca wrote:
>>>
>>>> Hello,
>>>>
>>>> You asked samba to use system keytab. This keytab will store your
>>>> computer's account "password". Using this keytab and with the correct
>>>> realm configuration (i guess yours is correct), you can successfully
>>>> authenticate as a computer with AD (using kinit) without user
>>>> interaction. After that, use the good old nsupdate program that you
>>>> were previously using (nsupdate -g). You need a nsupdate compiled with
>>>> gssapi support and from a recent release.
>>>>
>>>> If you are using a single computer account to update all dns entries
>>>> (like inside the dhcp server), you will need to put your computer's
>>>> account inside a group named DNSUpdateProxy.
>>>>
>>>> I hope this helps. I think that samba could implement a "keep dns
>>>> sync" option that, using computer account, checks and update dns for
>>>> every reboot.
>>>>
>>>> Cheers,
>>>>
>>>> ---
>>>> Luiz Angelo Daros de Luca, Me.
>>>> luizluca at gmail.com
>>>>
>>>>
>>>>
>>>> 2010/8/9 Patrik Martinsson<Patrik.Martinsson at smhi.se>:
>>>>
>>>>
>>>>> Hello everyone,
>>>>>
>>>>> I'm having some deep issues with dynamic dns updates and figure I would
>>>>> give
>>>>> this list a try, I know this is more of a devel list, but I figured my
>>>>> problem is on quite deep technical level so it would fit here, hope you
>>>>> don't mind.
>>>>>
>>>>> Here's my setup,
>>>>>
>>>>> We have Windows 2003 SP2 AD/DNS/DHCP server.
>>>>> We have a zone for clients that only allows signed dns updates, today
>>>>> only
>>>>> Windows clients are in this zone, now I want to put linuxclients in here
>>>>> too.
>>>>> Before we had another zone that allowed insecure dynamic updates and
>>>>> there
>>>>> would all our linuxclients go, and on every connect/dhcp lease they would
>>>>> manually, through scripts update their dnsentry (with nsupdate).
>>>>> Kerberos is configures on all our clients and at logon time a user will
>>>>> get
>>>>> a ticket.
>>>>> Hope that is enough on the background setup...?
>>>>>
>>>>> So, here's the case.
>>>>> I've setup samba on the clients, I've successfully got it to create a
>>>>> machineaccount in the AD, and thereafter it actually updates the dns with
>>>>> an
>>>>> entry as expected.
>>>>> This I'm doing with following command,
>>>>> 'net ads joincreateupn=host/$HOSTNAME at XX.XXXX.XX
>>>>> createcomputer="foo/bar/baz" osName="Linux Red Hat Workstation" osVer="6"
>>>>> -U
>>>>> foo%bar'
>>>>>
>>>>> Important note :
>>>>> Sometimes though, this commands partly fails, saying this,
>>>>> Using short domain name -- XXXX
>>>>> Joined 'CLIENT' to realm 'xx.xxxx.xx'
>>>>> [2010/08/09 15:04:59.082626, 0]
>>>>> libads/kerberos.c:333(ads_kinit_password)
>>>>> kerberos_kinit_passwordCLIENT$@XX.XXXX.XX failed: Client not found in
>>>>> Kerberos database
>>>>> DNS update failed!
>>>>>
>>>>> I dont understand why it does this only sometimes and not always, and as
>>>>> far
>>>>> as i can see, everything is normal (machineaccount is created and keytab
>>>>> is
>>>>> written).
>>>>>
>>>>> HOWEVER, and this is my problem,
>>>>> If I, after the dns record beeing deleted from the dns (If the dns server
>>>>> doesnt get any updates on the record it will eventually delete it) try to
>>>>> update the dnsrecord manually with following command,
>>>>> 'net ads dns register -Ufoo%bar'
>>>>> I always end up with
>>>>> 'DNS update failed!'
>>>>>
>>>>> So, I started digging in the source and found out that it's failing
>>>>> somewhere in the signing part of utils/net_dns.c, digged deeper and ended
>>>>> up
>>>>> in libaddns/dnsgss.c, here i added some prints in hope of detecting where
>>>>> it
>>>>> would fail, and strangly enough (at least for me, but I'm no expert) it
>>>>> failed at different places for every time i ran it. When 'net' queries
>>>>> our
>>>>> dns for nameservers the DNS responds with 5 nameservers (dig NS xx @xx),
>>>>> which could explain why it fails differently, depending on which
>>>>> nameserver
>>>>> that comes first in the list, however these servers should be replicated
>>>>> and
>>>>> look the same, AND even if i run the command multiple times and I for
>>>>> sure
>>>>> knows 'net' tries to update the same DNS, it fails differently (I added
>>>>> prints in net that tells me which DNS it actually tries to update so i
>>>>> would
>>>>> know for sure).
>>>>>
>>>>> Here's what im talking about,
>>>>> First run of, 'net ads dns register -Ufoo%bar' it fails here,
>>>>>
>>>>> libaddns/dnsgss.c @163,
>>>>> if ((major != GSS_S_COMPLETE)&&
>>>>> (major != GSS_S_CONTINUE_NEEDED)) {
>>>>> d_printf("\nFAILED @GSS_S_COMPLETE/GSS_S_CONTINUE_NEEDED\n");
>>>>> return ERROR_DNS_GSS_ERROR;
>>>>> }
>>>>>
>>>>> Next time i run it AND it tries to update the SAME DNS as before, (a
>>>>> couple
>>>>> of times later because the NS list is in random order), if fails here,
>>>>>
>>>>> libaddns/dnsgss.c @191,
>>>>> if ((resp->num_additionals != 1) ||
>>>>> (resp->num_answers == 0) ||
>>>>> (resp->answers[0]->type != QTYPE_TKEY)) {
>>>>> d_printf("\nFAILED @DNS_ID/KEY\n");
>>>>> err = ERROR_DNS_INVALID_MESSAGE;
>>>>> goto error;
>>>>> }
>>>>>
>>>>> And here I'm stuck, hoping for some help, tips, pointers etc.
>>>>>
>>>>>
>>>>> One question that comes to my mind is that, after doing the 'net join'
>>>>> command, i got a keytab with a host/client as user-principle which is
>>>>> cool,
>>>>> however when doing the net dns register command, shouldn't that be using
>>>>> that keytab file ? As I wrote earlier i use the '-U'-flag to specify a
>>>>> user/password rather then using the host keytab entry...But maybe I'm
>>>>> mistaken here, I'm really new to kerberos and to be honest I find it
>>>>> _very_
>>>>> hard and confusing at the moment, but maybe the picture will clear later
>>>>> on....
>>>>>
>>>>>
>>>>> Here's my configfiles,
>>>>> # /etc/samba/smb.conf
>>>>> realm = XX.XXXX.XX
>>>>> security = ADS
>>>>> encrypt passwords = yes
>>>>> workgroup = XXXX
>>>>> kerberos method = secrets and keytab
>>>>>
>>>>> # /etc/krb5.conf
>>>>> [libdefaults]
>>>>> default_realm = XX.XXXX.XX
>>>>> clockskew = 300
>>>>> dns_lookup_realm = false # I've tried with both true/false here..
>>>>> dns_lookup_kdc = false
>>>>> forwardable = true
>>>>> allow_weak_crypto = true
>>>>>
>>>>> [realms]
>>>>> XX.XXXX.XX = {
>>>>> default_domain = xx.xxxx.xx
>>>>> kdc = xx.xxxx.xx
>>>>> admin_server = xx.xxxx.xx
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> .ad.smhi.se = XX.XXXX.XX
>>>>> .smhi.se = XX.XXXX.XX
>>>>>
>>>>> Anyway, I know this is a long email and a lot of questions, but I hope
>>>>> that
>>>>> somebody could clear things up for me.
>>>>>
>>>>> Best regards,
>>>>> Patrik Martinsson, Sweden.
>>>>>
>>>>>
>>>>>
>
>
> --
> [FSF Associate Member #2325]
> <http://www.fsf.org/register_form?referrer=2325>
More information about the samba-technical
mailing list