Samba 4 and windows dhcp updates
Rowland Penny
repenny241155 at gmail.com
Thu Jan 23 03:46:41 MST 2014
Can anybody help me here? I thought my Samba4, bind9.9 and dhcp setup
worked perfectly until it was pointed out to me that it doesn't work
with Windows clients.
The way it works is that dhcp runs a script, passing to it the relevant
info, and nsupdate does the rest. Well, I say it works, but only with
anything but Windows, it would seem.
The script relies on a keytab and the relevant Kerberos cache associated
with it.
If I connect a Windows XP machine I find this in syslog:
Jan 23 09:43:29 dc3 dhcpd: Commit: IP: 192.168.0.226 DHCID:
1:8:0:27:4c:3:f1 Name: windowsxp
Jan 23 09:43:29 dc3 dhcpd: execute_statement argv[0] =
/usr/local/sbin/dhcp-dyndns.sh
Jan 23 09:43:29 dc3 dhcpd: execute_statement argv[1] = add
Jan 23 09:43:29 dc3 dhcpd: execute_statement argv[2] = 192.168.0.226
Jan 23 09:43:29 dc3 dhcpd: execute_statement argv[3] = 1:8:0:27:4c:3:f1
Jan 23 09:43:29 dc3 dhcpd: execute_statement argv[4] = windowsxp
Jan 23 09:43:29 dc3 named[19791]: samba_dlz: starting transaction on
zone home.lan
Jan 23 09:43:29 dc3 named[19791]: samba_dlz: disallowing update of
signer=dhcpduser\@HOME.LAN name=windowsxp.home.lan type=A
error=insufficient access rights
Jan 23 09:43:29 dc3 named[19791]: client 127.0.0.1#58763/key
dhcpduser\@HOME.LAN: updating zone 'home.lan/NONE': update failed:
rejected by secure update (REFUSED)
Jan 23 09:43:29 dc3 named[19791]: samba_dlz: cancelling transaction on
zone home.lan
Jan 23 09:43:29 dc3 named[19791]: samba_dlz: starting transaction on
zone 0.168.192.in-addr.arpa
Jan 23 09:43:29 dc3 named[19791]: samba_dlz: disallowing update of
signer=dhcpduser\@HOME.LAN name=226.0.168.192.in-addr.arpa type=PTR
error=insufficient access rights
Jan 23 09:43:29 dc3 named[19791]: client 127.0.0.1#43988/key
dhcpduser\@HOME.LAN: updating zone '0.168.192.in-addr.arpa/NONE': update
failed: rejected by secure update (REFUSED)
Jan 23 09:43:29 dc3 named[19791]: samba_dlz: cancelling transaction on
zone 0.168.192.in-addr.arpa
Jan 23 09:43:29 dc3 logger: DHCP-DNS Update failed: 22
Jan 23 09:43:29 dc3 dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit
status 5632
Jan 23 09:43:29 dc3 dhcpd: DHCPREQUEST for 192.168.0.226 from
08:00:27:4c:03:f1 (windowsxp) via eth0
Jan 23 09:43:29 dc3 dhcpd: DHCPACK on 192.168.0.226 to 08:00:27:4c:03:f1
(windowsxp) via eth0
From this, the signer, dhcpduser, would seem to have insufficient access
rights; to where, I am not quite sure.
But nearly straight after the above, I find this in syslog:
Jan 23 09:52:56 dc3 dhcpd: Commit: IP: 192.168.0.212 DHCID:
1:18:28:61:95:cd:4b Name: skywirelessconnector
Jan 23 09:52:56 dc3 dhcpd: execute_statement argv[0] =
/usr/local/sbin/dhcp-dyndns.sh
Jan 23 09:52:56 dc3 dhcpd: execute_statement argv[1] = add
Jan 23 09:52:56 dc3 dhcpd: execute_statement argv[2] = 192.168.0.212
Jan 23 09:52:56 dc3 dhcpd: execute_statement argv[3] = 1:18:28:61:95:cd:4b
Jan 23 09:52:56 dc3 dhcpd: execute_statement argv[4] = skywirelessconnector
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: starting transaction on
zone home.lan
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: allowing update of
signer=dhcpduser\@HOME.LAN name=skywirelessconnector.home.lan
tcpaddr=127.0.0.1 type=A key=2996983272.sig-dc3.home.lan/160/0
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: allowing update of
signer=dhcpduser\@HOME.LAN name=skywirelessconnector.home.lan
tcpaddr=127.0.0.1 type=A key=2996983272.sig-dc3.home.lan/160/0
Jan 23 09:52:57 dc3 named[19791]: client 127.0.0.1#57540/key
dhcpduser\@HOME.LAN: updating zone 'home.lan/NONE': deleting rrset at
'skywirelessconnector.home.lan' A
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: subtracted rdataset
skywirelessconnector.home.lan
'skywirelessconnector.home.lan.#0113600#011IN#011A#011192.168.0.212'
Jan 23 09:52:57 dc3 named[19791]: client 127.0.0.1#57540/key
dhcpduser\@HOME.LAN: updating zone 'home.lan/NONE': adding an RR at
'skywirelessconnector.home.lan' A
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: added rdataset
skywirelessconnector.home.lan
'skywirelessconnector.home.lan.#0113600#011IN#011A#011192.168.0.212'
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: committed transaction on
zone home.lan
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: starting transaction on
zone 0.168.192.in-addr.arpa
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: allowing update of
signer=dhcpduser\@HOME.LAN name=212.0.168.192.in-addr.arpa
tcpaddr=127.0.0.1 type=PTR key=3568226925.sig-dc3.home.lan/160/0
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: allowing update of
signer=dhcpduser\@HOME.LAN name=212.0.168.192.in-addr.arpa
tcpaddr=127.0.0.1 type=PTR key=3568226925.sig-dc3.home.lan/160/0
Jan 23 09:52:57 dc3 named[19791]: client 127.0.0.1#41342/key
dhcpduser\@HOME.LAN: updating zone '0.168.192.in-addr.arpa/NONE':
deleting rrset at '212.0.168.192.in-addr.arpa' PTR
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: subtracted rdataset
212.0.168.192.in-addr.arpa
'212.0.168.192.in-addr.arpa.#0113600#011IN#011PTR#011skywirelessconnector.home.lan.'
Jan 23 09:52:57 dc3 named[19791]: client 127.0.0.1#41342/key
dhcpduser\@HOME.LAN: updating zone '0.168.192.in-addr.arpa/NONE': adding
an RR at '212.0.168.192.in-addr.arpa' PTR
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: added rdataset
212.0.168.192.in-addr.arpa
'212.0.168.192.in-addr.arpa.#0113600#011IN#011PTR#011skywirelessconnector.home.lan.'
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: committed transaction on
zone 0.168.192.in-addr.arpa
Jan 23 09:52:57 dc3 logger: DHCP-DNS Update succeeded
Jan 23 09:52:57 dc3 dhcpd: DHCPREQUEST for 192.168.0.212 from
18:28:61:95:cd:4b (skywirelessconnector) via eth0
Jan 23 09:52:57 dc3 dhcpd: DHCPACK on 192.168.0.212 to 18:28:61:95:cd:4b
(skywirelessconnector) via eth0
Yes, 9 minutes 27 seconds later dhcpduser does have the right key and
all without me doing anything.
Anybody got any thoughts on why the script works for anything but
Windows clients???? Or in other words, HELPPPP!!! ;-)
Rowland
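
An added example, not part of the original post and not the poster's dhcp-dyndns.sh: a small Python triage helper that ties each dhcpd "Commit" line to the samba_dlz allow/disallow decisions for that lease, listing which hosts had their A or PTR update refused. The sample input is the post's syslog lines unwrapped to one line each; the function names are hypothetical.

```python
import re

# Constructed sample: syslog lines taken from the post, unwrapped to one line each.
SAMPLE = r"""
Jan 23 09:43:29 dc3 dhcpd: Commit: IP: 192.168.0.226 DHCID: 1:8:0:27:4c:3:f1 Name: windowsxp
Jan 23 09:43:29 dc3 named[19791]: samba_dlz: disallowing update of signer=dhcpduser\@HOME.LAN name=windowsxp.home.lan type=A error=insufficient access rights
Jan 23 09:43:29 dc3 named[19791]: samba_dlz: disallowing update of signer=dhcpduser\@HOME.LAN name=226.0.168.192.in-addr.arpa type=PTR error=insufficient access rights
Jan 23 09:52:56 dc3 dhcpd: Commit: IP: 192.168.0.212 DHCID: 1:18:28:61:95:cd:4b Name: skywirelessconnector
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: allowing update of signer=dhcpduser\@HOME.LAN name=skywirelessconnector.home.lan tcpaddr=127.0.0.1 type=A key=2996983272.sig-dc3.home.lan/160/0
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: allowing update of signer=dhcpduser\@HOME.LAN name=212.0.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=3568226925.sig-dc3.home.lan/160/0
"""

COMMIT = re.compile(r"dhcpd: Commit: IP: (?P<ip>\S+) DHCID: \S+ Name: (?P<host>\S+)")
DECISION = re.compile(
    r"samba_dlz: (?P<verdict>allowing|disallowing) update of "
    r"signer=(?P<signer>\S+) name=(?P<name>\S+)(?: tcpaddr=\S+)? "
    r"type=(?P<rtype>\S+)(?: error=(?P<error>.*))?")

def ptr_name(ip):
    """Reverse-lookup owner name for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def parse(text):
    """Return (leases, decisions) found in syslog text."""
    leases, decisions = [], []
    for line in text.splitlines():
        if m := COMMIT.search(line):
            leases.append(m.groupdict())
        elif m := DECISION.search(line):
            d = m.groupdict()
            d["signer"] = d["signer"].replace("\\@", "@")  # named logs '@' escaped
            decisions.append(d)
    return leases, decisions

def refused_leases(text):
    """Map each leased hostname to the record types samba_dlz refused for it."""
    leases, decisions = parse(text)
    out = {}
    for lease in leases:
        host, rev = lease["host"].lower(), ptr_name(lease["ip"])
        refused = sorted({d["rtype"] for d in decisions
            if d["verdict"] == "disallowing"
            and (d["name"].lower() == rev or d["name"].lower().split(".")[0] == host)})
        if refused:
            out[lease["host"]] = refused
    return out

if __name__ == "__main__":
    print(refused_leases(SAMPLE))
```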