nsupdate and internal DNS
Daniele Dario
d.dario76 at gmail.com
Thu Jan 3 00:42:15 MST 2013
Hi Rowland, list
On Mon, 2012-12-31 at 12:51 +0000, Rowland Penny wrote:
> On 31/12/12 12:07, Andrew Bartlett wrote:
> >> OK, for me, the internal DNS server will not update via a script that
> >> DHCP runs; this script is based on the one at:
> >> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/.
> >> OK, it works again.
> >>
> >> The original dhcp update script was written to update a windows server,
> >> so as it will not update the internal DNS server, I think that we can
> >> infer that the internal DNS server is not working the same as a windows
> >> server. Not a problem for me, as now I know the limitations of the
> >> internal DNS server, I will stop using it and only use bind9.
> >>
> > Rowland,
> >
> > From here, what we need is for someone to look not at DHCP and that
> > script, but simply why nsupdate -g fails against the internal server.
> >
> > This will hit more than DHCP anyway, as samba_dnsupdate is essentially
> > doing the same thing.
> >
> > That BIND's nsupdate -g works against BIND itself is not surprising, but
> > there may be some small details we are getting wrong in the internal
> > server.
> >
> > So, what I'm suggesting is that someone needs to manually kinit, and
> > then manually run nsupdate -g commands and show what bits fail, how they
> > fail and perhaps work out why they fail.
> >
> > Thanks,
> >
> > Andrew Bartlett
> >
>
> OK, restart Samba 4 using the internal DNS server, su to the dhcpd user,
> kinit as dhcpd and then manually run nsupdate with debug turned on
>
> service samba4 stop
> service bind9 stop
> mv /usr/local/samba /usr/local/samba-bind
> mv /usr/local/samba-internal /usr/local/samba
> service samba4 start
> * Starting Samba 4 daemons samba
> smbd [ OK ]
> su - -s /bin/bash dhcpd
> kinit -F -k -t /etc/dhcp/dhcpduser.keytab dhcpduser@HOME.LAN
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_107
> Default principal: dhcpduser@HOME.LAN
>
> Valid starting Expires Service principal
> 31/12/12 12:24:27 31/12/12 22:24:27 krbtgt/HOME.LAN@HOME.LAN
> renew until 01/01/13 12:24:27
>
> dhcpd@adserver:~$ nsupdate -g -d
> > server 192.168.0.10
> > realm HOME.LAN
> > update delete LinPad.home.lan 3600 A
> > update add LinPad.home.lan 3600 A 192.168.0.173
> > send
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58559
> ;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;LinPad.home.lan. IN SOA
>
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9390
> ;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;home.lan. IN SOA
>
> ;; ANSWER SECTION:
> home.lan. 3600 IN SOA adserver.home.lan.
> hostmaster.home.lan. 1 900 600 86400 0
>
> Found zone name: home.lan
> The master is: adserver.home.lan
> start_gssrequest
> send_gssrequest
> Outgoing update query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21882
> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;2488446920.sig-adserver.home.lan. ANY TKEY
>
> ;; ADDITIONAL SECTION:
> 2488446920.sig-adserver.home.lan. 0 ANY TKEY gss-tsig. 1356957453
> 1356957453 3 NOERROR 1276
> YIIE+AYGKwYBBQUCoIIE7DCCBOigDTALBgkqhkiG9xIBAgKiggTVBIIE
> 0WCCBM0GCSqGSIb3EgECAgEAboIEvDCCBLigAwIBBaEDAgEOogcDBQAg
> AAAAo4IDuGGCA7QwggOwoAMCAQWhChsISE9NRS5MQU6iIzAhoAMCAQGh
> GjAYGwNETlMbEWFkc2VydmVyLmhvbWUubGFuo4IDdjCCA3KgAwIBF6ED
> AgEBooIDZASCA2CUZJwxo6TGmT56jA96kbK5NjwOKBF73KppRa12f5Ub
> md1zpthXjiCHOqwD4/PcE9at9rAzWajUOquYxw0KGguYYcGExAWiU/oO
> Z3iA4tohc3C0QEghivbAQx4Ktq9ygKMCzmLvzsQaJiaWReXrkN/RgAiR
> 3WlLnawHtyVL0sBiOThZkJ0Yq3dkx6k65H9Jv/3faPLYYOX9137bRA1f
> yPDMwGS9Ex4vDSOUSvxoF1e8yd08A628gIPaMV84eZFmAHpoHVyXqeVr
> GPIaW1ddRSId1bzL7e53+roYBZYDlJ2GOYppMNdn6WWMp3D+ELCoC5Y8
> dndaTUymHg08fcz8uOykfaltXGyHfsJIiOcpwqwYzYQLfAQROAVcVm2f
> PWE6tllyWDBfgB+XdHAzqW50vOofwrCaaqxx39kG8UmPBAOHYSob/odW
> 04ltgDuPEP8M4w0SSkWYz7t1LjNA4P+NaSrXzUClZrDUXwct2o/0gBu1
> nJs4tG07GZgAIzWVPk9cFZZssNOy4oiS/owJfTm5wOaqzF8P8EMyTkiE
> nWQwANSQtlhRF64pkwaf2OM+ERG1AQy/xtnesh47xIw6/lSOQ378FO/T
> IiWH5bbUFVpsvl+1sG1VzWRwVThOq7AwEhgAeVUgHDlrrNdF9P2SHvZw
> PUSigmg5LBfqDHUGB1x1bjUvXhPHT3+Tc+7fBTnaErDdkDnncMfLkvTF
> AWeSnDKdDmwNE9FV+KOZMz7aRAWN+NSraoH+BqMXmJjhsb7LlsCtu8FC
> UodvgPUd10zI4YpM1rE4hqCwCEb7QPBL8orRXKbIfZpxMlzYASYPsJ/6
> jnabNcwAPDqikZUIuQvxqvAWllRGWBAZeuL+oGDYRwIHNkb7+PaoxObO
> +hXjlxccWBxadvPEgGMvf+/AgIvADo2nBG3X4WQOskNkb6wfvj/PtvPM
> WM3IlPk67NdDBhwj3LfEsvlWKFg0b96Q5eAxL9JGZGZPHaVGL22TVtXt
> W7NNkDmO3zT6WgAeGziPquDIddPPadoQzYesFUQJtWtO2pPvlrC12mnu
> 2GxSPWchiByrzrVXqnA19eYFeuZ+eVugl7IP2C9BxnPvxhQ2EdBK04tE
> HO7C8DliYRk5W9+ABPRfmQLDjZMN6iAEmd1suKJe4lTJDImkgeYwgeOg
> AwIBF6KB2wSB2Bp/RtoPJxksNxijETXrX4+N+LgvgiyPRW7FfkOu0BW2
> yZh3JARZsVMakpXF0YngJp11zDcMIKz+DfOE9T8dRHaIDH5AQEK7z3+j
> BJW/mpG+cQOTdgkCzeQA63T6oW3hpja4xByQz8lgzbWJrsK/GGVZm8Xz
> XeCAr4IKG+CKdNrPJOgF24F8F1s2wUbu9qStwdcaQFSHkRjK/LlN9Ldd
> dyeoQug2ZvfOMH0jaTDOxAnQb+JnmwNH+0TCJ4HGFQ5a9ykPT9qgIEyR
> 0zKud4lsg9hA7ZTzU3AArg== 0
>
> recvmsg reply from GSS-TSIG query
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21882
> ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;2488446920.sig-adserver.home.lan. ANY TKEY
>
> ;; ANSWER SECTION:
> 2488446920.sig-adserver.home.lan. 0 ANY TKEY gss-tsig. 1356957453
> 1356957453 3 NOERROR 182
> oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB
> AgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXizTNaaPuOnP
> rxDuEAq3dvHHBX3sXcA1g/u1UkL14r2aRNj+APOhumDgBjYTasrY/38k
> nDb06HVOfdtEUNpve3DaC/wjnvb7892uqUtGlTLuknHGm0XMhQGKRcys
> Ey77eL4UxwIUfyIPmtM= 0
>
> ;; TSIG PSEUDOSECTION:
> 2488446920.sig-adserver.home.lan. 0 ANY TSIG gss-tsig. 1356957453
> 300 28 BAQF//////8AAAAABZ8VZeui8ZjCdztkDnkWiA== 21882 NOERROR 0
>
> Sending update to 192.168.0.10#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 49222
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
> ;; UPDATE SECTION:
> LinPad.home.lan. 0 ANY A
> LinPad.home.lan. 3600 IN A 192.168.0.173
>
> ;; TSIG PSEUDOSECTION:
> 2488446920.sig-adserver.home.lan. 0 ANY TSIG gss-tsig. 1356957453
> 300 28 BAQE//////8AAAAACaFb5Ursxrqu/FMMpvKsJg== 49222 NOERROR 0
>
> ; TSIG error with server: tsig verify failure
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 49222
> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;home.lan. IN SOA
>
> ;; UPDATE SECTION:
> LinPad.home.lan. 0 ANY A
> LinPad.home.lan. 3600 IN A 192.168.0.173
>
> ;; TSIG PSEUDOSECTION:
> 2488446920.sig-adserver.home.lan. 0 ANY TSIG gss-tsig. 1356957453
> 300 28 BAQE//////8AAAAACaFb5Ursxrqu/FMMpvKsJg== 49222 NOERROR 0
>
> nsupdate -g -d
> > server 192.168.0.10
> > realm HOME.LAN
> > update delete 173.0.168.192.in-addr.arpa 3600 PTR
> > update add 173.0.168.192.in-addr.arpa 3600 PTR LinPad.home.lan
> > send
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24941
> ;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;173.0.168.192.in-addr.arpa. IN SOA
>
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5879
> ;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;0.168.192.in-addr.arpa. IN SOA
>
> ;; ANSWER SECTION:
> 0.168.192.in-addr.arpa. 3600 IN SOA adserver.home.lan.
> hostmaster.home.lan. 2 900 600 86400 3600
>
> Found zone name: 0.168.192.in-addr.arpa
> The master is: adserver.home.lan
> start_gssrequest
> send_gssrequest
> Outgoing update query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9536
> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;3079738857.sig-adserver.home.lan. ANY TKEY
>
> ;; ADDITIONAL SECTION:
> 3079738857.sig-adserver.home.lan. 0 ANY TKEY gss-tsig. 1356957727
> 1356957727 3 NOERROR 1276
> YIIE+AYGKwYBBQUCoIIE7DCCBOigDTALBgkqhkiG9xIBAgKiggTVBIIE
> 0WCCBM0GCSqGSIb3EgECAgEAboIEvDCCBLigAwIBBaEDAgEOogcDBQAg
> AAAAo4IDuGGCA7QwggOwoAMCAQWhChsISE9NRS5MQU6iIzAhoAMCAQGh
> GjAYGwNETlMbEWFkc2VydmVyLmhvbWUubGFuo4IDdjCCA3KgAwIBF6ED
> AgEBooIDZASCA2CUZJwxo6TGmT56jA96kbK5NjwOKBF73KppRa12f5Ub
> md1zpthXjiCHOqwD4/PcE9at9rAzWajUOquYxw0KGguYYcGExAWiU/oO
> Z3iA4tohc3C0QEghivbAQx4Ktq9ygKMCzmLvzsQaJiaWReXrkN/RgAiR
> 3WlLnawHtyVL0sBiOThZkJ0Yq3dkx6k65H9Jv/3faPLYYOX9137bRA1f
> yPDMwGS9Ex4vDSOUSvxoF1e8yd08A628gIPaMV84eZFmAHpoHVyXqeVr
> GPIaW1ddRSId1bzL7e53+roYBZYDlJ2GOYppMNdn6WWMp3D+ELCoC5Y8
> dndaTUymHg08fcz8uOykfaltXGyHfsJIiOcpwqwYzYQLfAQROAVcVm2f
> PWE6tllyWDBfgB+XdHAzqW50vOofwrCaaqxx39kG8UmPBAOHYSob/odW
> 04ltgDuPEP8M4w0SSkWYz7t1LjNA4P+NaSrXzUClZrDUXwct2o/0gBu1
> nJs4tG07GZgAIzWVPk9cFZZssNOy4oiS/owJfTm5wOaqzF8P8EMyTkiE
> nWQwANSQtlhRF64pkwaf2OM+ERG1AQy/xtnesh47xIw6/lSOQ378FO/T
> IiWH5bbUFVpsvl+1sG1VzWRwVThOq7AwEhgAeVUgHDlrrNdF9P2SHvZw
> PUSigmg5LBfqDHUGB1x1bjUvXhPHT3+Tc+7fBTnaErDdkDnncMfLkvTF
> AWeSnDKdDmwNE9FV+KOZMz7aRAWN+NSraoH+BqMXmJjhsb7LlsCtu8FC
> UodvgPUd10zI4YpM1rE4hqCwCEb7QPBL8orRXKbIfZpxMlzYASYPsJ/6
> jnabNcwAPDqikZUIuQvxqvAWllRGWBAZeuL+oGDYRwIHNkb7+PaoxObO
> +hXjlxccWBxadvPEgGMvf+/AgIvADo2nBG3X4WQOskNkb6wfvj/PtvPM
> WM3IlPk67NdDBhwj3LfEsvlWKFg0b96Q5eAxL9JGZGZPHaVGL22TVtXt
> W7NNkDmO3zT6WgAeGziPquDIddPPadoQzYesFUQJtWtO2pPvlrC12mnu
> 2GxSPWchiByrzrVXqnA19eYFeuZ+eVugl7IP2C9BxnPvxhQ2EdBK04tE
> HO7C8DliYRk5W9+ABPRfmQLDjZMN6iAEmd1suKJe4lTJDImkgeYwgeOg
> AwIBF6KB2wSB2J3nDwMLjElosBgzokR900fIHsOs+cungQDAh5JL36pA
> KufY/v0flNaZlAJ2vWkACrczHxtiuOjMXzDmdy3xI7TNitZ5Fg7GZCQ1
> TJ0jW4dBmqU6KNYV/7XuGmpZVshBUSy1ZXtUiWOjdfCPIDSyDNahBin8
> qnhFVahvwM+QRQhU60Ll2xVhapq/cDieLTtF3T0nfjNIp4WgGX4beE3V
> i1Tn6AabVxQG1Cp30d4KrgAFIVucF1SRGY5KIcCG5iz+D5DokcZh8MuQ
> uzZPC9gfMp0Rl+D7ibG20w== 0
>
> recvmsg reply from GSS-TSIG query
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9536
> ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;3079738857.sig-adserver.home.lan. ANY TKEY
>
> ;; ANSWER SECTION:
> 3079738857.sig-adserver.home.lan. 0 ANY TKEY gss-tsig. 1356957727
> 1356957727 3 NOERROR 182
> oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB
> AgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrNwVU+PQGV2Ee
> aTuPGHZUQyV3zymYbuwosEl1gD/kUNG2KxFkygog/33RBrApPFEECych
> JEHXiWTrrQdFk1tjKmrBnoccZ2FPNinDOgPWUzM2YPpVl9wrGCCJGgNW
> IfBe8AROEW0rBo7Z0MI= 0
>
> ;; TSIG PSEUDOSECTION:
> 3079738857.sig-adserver.home.lan. 0 ANY TSIG gss-tsig. 1356957727
> 300 28 BAQF//////8AAAAAHHTCBQzwY3WVCUNfBGd8Kw== 9536 NOERROR 0
>
> Sending update to 192.168.0.10#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 48728
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
> ;; UPDATE SECTION:
> 173.0.168.192.in-addr.arpa. 0 ANY PTR
> 173.0.168.192.in-addr.arpa. 3600 IN PTR LinPad.home.lan.
>
> ;; TSIG PSEUDOSECTION:
> 3079738857.sig-adserver.home.lan. 0 ANY TSIG gss-tsig. 1356957727
> 300 28 BAQE//////8AAAAAPKw4E8zmJIeeotZxLYfxHA== 48728 NOERROR 0
>
> ; TSIG error with server: tsig verify failure
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 48728
> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;0.168.192.in-addr.arpa. IN SOA
>
> ;; UPDATE SECTION:
> 173.0.168.192.in-addr.arpa. 0 ANY PTR
> 173.0.168.192.in-addr.arpa. 3600 IN PTR LinPad.home.lan.
>
> ;; TSIG PSEUDOSECTION:
> 3079738857.sig-adserver.home.lan. 0 ANY TSIG gss-tsig. 1356957727
> 300 28 BAQE//////8AAAAAPKw4E8zmJIeeotZxLYfxHA== 48728 NOERROR 0
>
> Hope this helps
>
> Rowland
>
>
I have the same issue. You can find my logs in the thread "dhcp server
with samba4 internal dns configuration".
My setup is 2 Samba AD DCs (kdc01 and kdc02) configured with internal
DNS on Ubuntu 11.04 server. DHCP is running on kdc01.
The DNS update script is based on the one posted by Sergey Urushkin to
Michael Kuron's blog.
The domain was provisioned on kdc02 with one of the latest alpha
releases, then kdc01 was joined (same release), and since then I have
upgraded to the rc(s) and finally to 4.0.0.
I can add that when I run the script (which invokes the nsupdate -g
commands) manually with the debug option enabled, I see the same messages,
but the records are added (if they are not already present) even though
the TSIG failures are reported. The problem is that it seems that if I run
the script as root I can get the ticket from kinit, while when the script
is called by dhcpd it fails (even if the ticket is cached). Does it happen
for you as well?
Daniele.
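As an added example, not code from the thread, from Rowland's script or from Samba, here is a small POSIX shell helper set for the workflow Rowland ran above: build the nsupdate batches for the A and PTR records, classify the nsupdate -g -d output so a DHCP hook can log whether the update succeeded or died with a TSIG verify failure, and a wrapper that does the kinit and both updates. The host names, addresses, keytab path and function names are assumptions; the two sample outputs are constructed from the shape of the debug output quoted in the thread, so the parsing part runs offline.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the thread or Samba).
# Assumes BIND's nsupdate and MIT kinit are on PATH when gss_update is
# run for real; everything else works on text and runs offline.

# Turn a dotted-quad IPv4 address into its in-addr.arpa name.
reverse_name() {
    # $1 = IPv4 address, e.g. 192.168.0.173 -> 173.0.168.192.in-addr.arpa
    printf '%s\n' "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa" }'
}

# Emit the nsupdate batch for the forward A record, in the same form as
# the thread's interactive session (server / realm / delete / add / send).
forward_batch() {
    # $1 server  $2 realm  $3 fqdn  $4 ipv4  $5 ttl
    printf 'server %s\nrealm %s\nupdate delete %s %s A\nupdate add %s %s A %s\nsend\n' \
        "$1" "$2" "$3" "$5" "$3" "$5" "$4"
}

# Emit the nsupdate batch for the matching PTR record.
reverse_batch() {
    # $1 server  $2 realm  $3 fqdn  $4 ipv4  $5 ttl
    ptrname=$(reverse_name "$4")
    printf 'server %s\nrealm %s\nupdate delete %s %s PTR\nupdate add %s %s PTR %s\nsend\n' \
        "$1" "$2" "$ptrname" "$5" "$ptrname" "$5" "$3"
}

# Read "nsupdate -g -d" output on stdin and print one word describing the
# outcome: tsig_failure, refused, servfail, ok or unknown. The TSIG check
# runs first because, as in the thread, a verify failure is followed by a
# SERVFAIL reply and the TSIG line is the more useful thing to log.
classify_nsupdate_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'tsig verify failure'; then
        echo tsig_failure
        return 0
    fi
    # Only look at the status of the update reply, not the earlier SOA lookups.
    reply=$(printf '%s\n' "$out" | awk '/Reply from update query:/ { p = 1 } p')
    if [ -z "$reply" ]; then
        echo unknown
    elif printf '%s\n' "$reply" | grep -q 'status: REFUSED'; then
        echo refused
    elif printf '%s\n' "$reply" | grep -q 'status: SERVFAIL'; then
        echo servfail
    elif printf '%s\n' "$reply" | grep -q 'status: NOERROR'; then
        echo ok
    else
        echo unknown
    fi
}

# The full sequence the thread performs by hand: get a ticket from the
# dhcpd keytab, then push the A and PTR updates with GSS-TSIG. Prints the
# classification of both updates so the calling DHCP hook can log it.
# When invoked from dhcpd rather than an interactive shell, KRB5CCNAME
# should point at a cache file the dhcpd user can write (Rowland's klist
# shows FILE:/tmp/krb5cc_107 for the interactive run).
gss_update() {
    # $1 keytab  $2 principal  $3 server  $4 realm  $5 fqdn  $6 ipv4  $7 ttl
    kinit -F -k -t "$1" "$2" || { echo kinit_failed; return 1; }
    fwd=$(forward_batch "$3" "$4" "$5" "$6" "$7" | nsupdate -g -d 2>&1 | classify_nsupdate_output)
    rev=$(reverse_batch "$3" "$4" "$5" "$6" "$7" | nsupdate -g -d 2>&1 | classify_nsupdate_output)
    echo "A=$fwd PTR=$rev"
}

# Constructed sample outputs (shape taken from the thread's debug output).
SAMPLE_FAIL='Sending update to 192.168.0.10#53
; TSIG error with server: tsig verify failure

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 49222'

SAMPLE_OK='Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9390
Sending update to 192.168.0.10#53
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 49223'
```

A real run looks like: gss_update /etc/dhcp/dhcpduser.keytab dhcpduser@HOME.LAN 192.168.0.10 HOME.LAN LinPad.home.lan 192.168.0.173 3600. The classification is deliberately coarse; the point is that a hook called by dhcpd logs "tsig_failure" instead of silently ignoring the SERVFAIL, which is exactly the symptom both posters had to dig out of the debug output by hand.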