dhcp server with samba4 internal dns configuration

Daniele Dario d.dario76 at gmail.com
Thu Dec 20 04:06:11 MST 2012


Hi Adam,

On Wed, 2012-12-19 at 10:53 -0500, Adam Tauno Williams wrote:
> On Wed, 2012-12-19 at 14:44 +0100, Daniele Dario wrote:
> > Hi samba list,
> > I found this link
> > http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ which speaks about a way to set up isc-dhcpd to perform ddns updates through bind or MS dns.
> > Is there someone in the list who can answer these questions please?
> 
> I'm looking down the barrel of much the same issue.  We have Samba 4
> with internal DNS, and workstation name registration works, but we need
> to register other names and we really need to capture the name
> registration events for other purposes [for one thing, maintaining a
> reverse lookup].
> 
> Generally I don't like the smell of the content at the above link, it
> seems terribly hackish.  And what happens when the Kerberos ticket
> expires?
> 
> Anyway, if you turn anything up please post back to this thread, and if I
> find anything I'll do the same.
> 
> As an aside we have previously used WINS Hook for this purpose, but that
> is inoperable in Samba 4.
>   <https://lists.samba.org/archive/samba/2012-December/170572.html>
> 
> >      1. would it work also vs internal samba4 dns?
> >      2. would it update only records for hosts which can't do it by
> >         themselves (e.g. linux hosts)?
> >      3. reading the blog I found a script but I was not able to
> >         understand how it should be used: did someone use it and can
> >         point me in the right way?
> >      4. at the top of the blog there is an example to create the keytab
> >         that I don't understand: should I create a user dhcpduser in
> >         ADUC? with which grants? or ktutil would create a "private"
> >         keytab (not part of the AD one) and dhcpd + dns use it for auth?
> 
> 

I don't know how krb does its job but from what I know kinit should
take care of the ticket renewal when it expires.

BTW I made some progress looking at the older comments in the blog:
      * create a new AD user using samba-tool user add dhcpduser
        --random-password --use-username-as-cn
      * set its password to never expire using samba-tool user
        setexpiry --noexpiry dhcpduser
      * add the user to DnsAdmins and DnsUpdateProxy with samba-tool
        group addmembers DnsAdmins dhcpduser and samba-tool group
        addmembers DnsUpdateProxy dhcpduser
      * export the keytab with samba-tool domain
        exportkeytab /etc/dhcp/dhcpduser.keytab --principal=dhcpduser

At this point I tried to see if I can get the krb ticket
# export KRB5CCNAME=/tmp/dhcpd.krb5cc
# kinit -k -t /etc/dhcp/dhcpduser.keytab dhcpduser
# klist
Credentials cache: FILE:/tmp/dhcpd.krb5cc
        Principal: dhcpduser@SAITEL.LOC

  Issued           Expires          Principal
Dec 20 11:53:48  Dec 20 21:53:48  krbtgt/SAITEL.LOC@SAITEL.LOC

So it seems that I can get the ticket. Trying to manually run the update
script (adding debug messages for nsupdate) I get

# /etc/dhcp/dhcp-krbnsupdate.sh -d add 192.168.12.149 1:0:22:43:1b:9f:b2 alaska
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  27077
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;alaska.saitel.loc.		IN	SOA

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  21126
;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;saitel.loc.			IN	SOA

;; ANSWER SECTION:
saitel.loc.		3600	IN	SOA	kdc02.saitel.loc. hostmaster.saitel.loc. 18 900
600 86400 0

Found zone name: saitel.loc
The master is: kdc02.saitel.loc
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38487
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;349974442.sig-kdc02.saitel.loc.	ANY	TKEY

;; ADDITIONAL SECTION:
349974442.sig-kdc02.saitel.loc.	0 ANY	TKEY	gss-tsig. 1356000917
1356000917 3 NOERROR 1278 YIIE

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38487
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;349974442.sig-kdc02.saitel.loc.	ANY	TKEY
;; ANSWER SECTION:
349974442.sig-kdc02.saitel.loc.	0 ANY	TKEY	gss-tsig. 1356000917
1356000917 3 NOERROR 182
oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB AgICAG
+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRriYnymAJLB5j+ 8/oDxPuy1XI4d6
+HF0nxvh80T+VqDNUs645J6obGmDdV1VRi4RMx8r8K
KJkq0QmhbRwGNEP1YrmUyRrJ7X8AZJLEy6qe6vkdRDI+UVsefJ938SjM
0/iGcnGPt0ENE74EF24= 0

;; TSIG PSEUDOSECTION:
349974442.sig-kdc02.saitel.loc.	0 ANY	TSIG	gss-tsig. 1356000917 300 28
BAQF//////8AAAAAPm0OE+yLFzrfFNraPp711Q== 38487 NOERROR 0 

Sending update to 192.168.12.2#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   5819
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 4, ADDITIONAL: 1
;; UPDATE SECTION:
alaska.saitel.loc.	0	ANY	A	
alaska.saitel.loc.	0	ANY	TXT	
alaska.saitel.loc.	3600	IN
TXT	"0001019f24a4a2dbacd4cced7b57b0eb03184782d0ce561c39721647e615aff18cb7eb"
alaska.saitel.loc.	3600	IN	A	192.168.12.149
;; TSIG PSEUDOSECTION:
349974442.sig-kdc02.saitel.loc.	0 ANY	TSIG	gss-tsig. 1356000917 300 28
BAQE//////8AAAAAKt3laCeD9NYP2VwGeYxWZg== 5819 NOERROR 0 

; TSIG error with server: tsig verify failure

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   5819
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 4, ADDITIONAL: 1
;; ZONE SECTION:
;saitel.loc.			IN	SOA

;; UPDATE SECTION:
alaska.saitel.loc.	0	ANY	A	
alaska.saitel.loc.	0	ANY	TXT	
alaska.saitel.loc.	3600	IN
TXT	"0001019f24a4a2dbacd4cced7b57b0eb03184782d0ce561c39721647e615aff18cb7eb"
alaska.saitel.loc.	3600	IN	A	192.168.12.149

;; TSIG PSEUDOSECTION:
349974442.sig-kdc02.saitel.loc.	0 ANY	TSIG	gss-tsig. 1356000917 300 28
BAQF//////8AAAAAPm0OFO1PKSEH58XcxnMoHw== 5819 NOERROR 0 

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  41553
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;149.12.168.192.in-addr.arpa.	IN	SOA

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  58116
;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;12.168.192.in-addr.arpa.	IN	SOA

;; ANSWER SECTION:
12.168.192.in-addr.arpa. 3600	IN	SOA	kdc02.saitel.loc.
hostmaster.saitel.loc. 16 900 600 86400 3600

Found zone name: 12.168.192.in-addr.arpa
The master is: kdc02.saitel.loc
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  54629
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;4048761587.sig-kdc02.saitel.loc. ANY	TKEY

;; ADDITIONAL SECTION:
4048761587.sig-kdc02.saitel.loc. 0 ANY	TKEY	gss-tsig. 1356000917
1356000917 3 NOERROR 1278 YIIE

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  54629
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;4048761587.sig-kdc02.saitel.loc. ANY	TKEY

;; ANSWER SECTION:
4048761587.sig-kdc02.saitel.loc. 0 ANY	TKEY	gss-tsig. 1356000917
1356000917 3 NOERROR 182
oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB AgICAG
+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRr6rKn+OVJ04yy
oiSfImSUzUvGjexLY8o65kh/lZoGjYV7HCwS2LCSkZn/4vpIdwvfNDLk 6/lIzvqXLUymq
+5IJ+uOqzpk7DJWuNcfZLvSPRhfMxX5QZJ7FAx6ab3Y 8f8wiuI2haSkaGjPiG8= 0

;; TSIG PSEUDOSECTION:
4048761587.sig-kdc02.saitel.loc. 0 ANY	TSIG	gss-tsig. 1356000917 300 28
BAQF//////8AAAAAEhUQ6A7jjqsDwuRpW7IHKA== 54629 NOERROR 0 

Sending update to 192.168.12.2#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  36421
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; UPDATE SECTION:
149.12.168.192.in-addr.arpa. 0	ANY	PTR	
149.12.168.192.in-addr.arpa. 3600 IN	PTR	alaska.saitel.loc.

;; TSIG PSEUDOSECTION:
4048761587.sig-kdc02.saitel.loc. 0 ANY	TSIG	gss-tsig. 1356000917 300 28
BAQE//////8AAAAAF29Yw1k3lyTFHZxzsslQ1A== 36421 NOERROR 0 

; TSIG error with server: tsig verify failure

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  36421
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;12.168.192.in-addr.arpa.	IN	SOA

;; UPDATE SECTION:
149.12.168.192.in-addr.arpa. 0	ANY	PTR	
149.12.168.192.in-addr.arpa. 3600 IN	PTR	alaska.saitel.loc.

;; TSIG PSEUDOSECTION:
4048761587.sig-kdc02.saitel.loc. 0 ANY	TSIG	gss-tsig. 1356000918 300 28
BAQF//////8AAAAAEhUQ6ZQ+LbRXs+HnQKoslw== 36421 NOERROR 0 

DDNS: adding records for 192.168.12.149 (alaska.saitel.loc) FAILED:
nsupdate status 2

As stated above there are 2 "TSIG error with server: tsig verify failure"
messages that I do not understand.
At the end the records seem to be created correctly (I can see them
both from samba-tool dns query and with nslookup) and they are A+TXT
records in the forward zone plus PTR in the reverse zone.

Before going on with updating dhcpd.conf with the on commit and on
delete statements, can someone tell me if this is the correct behavior?

Thanks,
Daniele.
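The message above walks through the whole flow (service user, exported keytab, kinit, nsupdate -g against the forward and reverse zones). As an added example, not the blog's script and not anything shipped with Samba, here is a minimal POSIX sh hook that emits the same A and PTR changes and re-fetches the TGT from the keytab when klist reports none, which is the ticket-expiry case Adam asked about. Assumptions taken from the message, not verified elsewhere: DNS server 192.168.12.2, domain saitel.loc, keytab /etc/dhcp/dhcpduser.keytab; the TXT record dhcpd writes alongside the A is left out.

```shell
#!/bin/sh
# Added example (hypothetical hook, not from the original post): builds the
# nsupdate batch for one lease and sends it GSS-TSIG signed with nsupdate -g.
KEYTAB=/etc/dhcp/dhcpduser.keytab     # assumed path, as in the message
PRINCIPAL=dhcpduser
DNS_SERVER=192.168.12.2               # assumed, as in the message
DOMAIN=saitel.loc
TTL=3600
export KRB5CCNAME=/tmp/dhcpd.krb5cc

# 192.168.12.149 -> 149.12.168.192.in-addr.arpa (IPv4 only)
reverse_name() {
  echo "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa" }'
}

# Forward zone: always drop any old A, add a fresh one only for "add".
# $1 = add|delete, $2 = IP, $3 = short hostname
forward_update() {
  fqdn="$3.$DOMAIN"
  printf 'server %s\n' "$DNS_SERVER"
  printf 'update delete %s. A\n' "$fqdn"
  if [ "$1" = add ]; then
    printf 'update add %s. %s IN A %s\n' "$fqdn" "$TTL" "$2"
  fi
  printf 'send\n'
}

# Reverse zone: same pattern for the PTR record.
reverse_update() {
  fqdn="$3.$DOMAIN"
  ptr=$(reverse_name "$2")
  printf 'server %s\n' "$DNS_SERVER"
  printf 'update delete %s. PTR\n' "$ptr"
  if [ "$1" = add ]; then
    printf 'update add %s. %s IN PTR %s.\n' "$ptr" "$TTL" "$fqdn"
  fi
  printf 'send\n'
}

# klist -s is silent and exits non-zero when the cache holds no valid TGT;
# only then ask the KDC for a new one with the keytab (handles expiry).
ensure_ticket() {
  klist -s 2>/dev/null || kinit -k -t "$KEYTAB" "$PRINCIPAL"
}

# One nsupdate -g run; each "send" is its own signed transaction, so the
# forward and reverse zones each get their own TKEY negotiation.
run_update() {
  ensure_ticket
  { forward_update "$@"; reverse_update "$@"; } | nsupdate -g
}

if [ "$#" -eq 3 ]; then run_update "$@"; fi   # usage: add|delete <ip> <host>
```

Call it from the dhcpd "on commit" and "on release"/"on expiry" blocks with the lease IP and hostname; it does not validate the hostname it is handed, so sanitize that in the dhcpd.conf hook before trusting client-supplied names.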
