Samba 4 and windows dhcp updates

Chan Min Wai dcmwai at gmail.com
Thu Jan 23 07:08:08 MST 2014


Why do you need to do that?

If you are running AD, the DNS updates are simple.



Regards, 
Chan Min Wai 

> Rowland Penny <repenny241155 at gmail.com> wrote on 23/01/2014 6:46 PM:
> 
> Can anybody help me here? I thought my Samba4, bind9.9 and dhcp setup worked perfectly until it was pointed out to me that it doesn't work with Windows clients.
> 
> The way it works is that dhcp runs a script, passing to it the relevant info, and nsupdate does the rest. Well, I say it works, but only with anything but Windows, it would seem.
> 
> The script relies on a keytab and the relevant Kerberos cache associated with it.
> 
> If I connect a Windows XP machine I find this in syslog:
> 
> Jan 23 09:43:29 dc3 dhcpd: Commit: IP: 192.168.0.226 DHCID: 1:8:0:27:4c:3:f1 Name: windowsxp
> Jan 23 09:43:29 dc3 dhcpd: execute_statement argv[0] = /usr/local/sbin/dhcp-dyndns.sh
> Jan 23 09:43:29 dc3 dhcpd: execute_statement argv[1] = add
> Jan 23 09:43:29 dc3 dhcpd: execute_statement argv[2] = 192.168.0.226
> Jan 23 09:43:29 dc3 dhcpd: execute_statement argv[3] = 1:8:0:27:4c:3:f1
> Jan 23 09:43:29 dc3 dhcpd: execute_statement argv[4] = windowsxp
> Jan 23 09:43:29 dc3 named[19791]: samba_dlz: starting transaction on zone home.lan
> Jan 23 09:43:29 dc3 named[19791]: samba_dlz: disallowing update of signer=dhcpduser\@HOME.LAN name=windowsxp.home.lan type=A error=insufficient access rights
> Jan 23 09:43:29 dc3 named[19791]: client 127.0.0.1#58763/key dhcpduser\@HOME.LAN: updating zone 'home.lan/NONE': update failed: rejected by secure update (REFUSED)
> Jan 23 09:43:29 dc3 named[19791]: samba_dlz: cancelling transaction on zone home.lan
> Jan 23 09:43:29 dc3 named[19791]: samba_dlz: starting transaction on zone 0.168.192.in-addr.arpa
> Jan 23 09:43:29 dc3 named[19791]: samba_dlz: disallowing update of signer=dhcpduser\@HOME.LAN name=226.0.168.192.in-addr.arpa type=PTR error=insufficient access rights
> Jan 23 09:43:29 dc3 named[19791]: client 127.0.0.1#43988/key dhcpduser\@HOME.LAN: updating zone '0.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
> Jan 23 09:43:29 dc3 named[19791]: samba_dlz: cancelling transaction on zone 0.168.192.in-addr.arpa
> Jan 23 09:43:29 dc3 logger: DHCP-DNS Update failed: 22
> Jan 23 09:43:29 dc3 dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 5632
> Jan 23 09:43:29 dc3 dhcpd: DHCPREQUEST for 192.168.0.226 from 08:00:27:4c:03:f1 (windowsxp) via eth0
> Jan 23 09:43:29 dc3 dhcpd: DHCPACK on 192.168.0.226 to 08:00:27:4c:03:f1 (windowsxp) via eth0
> 
> From this, the signer, dhcpduser, would seem to have insufficient access rights; to where, I am not quite sure.
> 
> But nearly straight after the above, I find this in syslog:
> 
> Jan 23 09:52:56 dc3 dhcpd: Commit: IP: 192.168.0.212 DHCID: 1:18:28:61:95:cd:4b Name: skywirelessconnector
> Jan 23 09:52:56 dc3 dhcpd: execute_statement argv[0] = /usr/local/sbin/dhcp-dyndns.sh
> Jan 23 09:52:56 dc3 dhcpd: execute_statement argv[1] = add
> Jan 23 09:52:56 dc3 dhcpd: execute_statement argv[2] = 192.168.0.212
> Jan 23 09:52:56 dc3 dhcpd: execute_statement argv[3] = 1:18:28:61:95:cd:4b
> Jan 23 09:52:56 dc3 dhcpd: execute_statement argv[4] = skywirelessconnector
> Jan 23 09:52:57 dc3 named[19791]: samba_dlz: starting transaction on zone home.lan
> Jan 23 09:52:57 dc3 named[19791]: samba_dlz: allowing update of signer=dhcpduser\@HOME.LAN name=skywirelessconnector.home.lan tcpaddr=127.0.0.1 type=A key=2996983272.sig-dc3.home.lan/160/0
> Jan 23 09:52:57 dc3 named[19791]: samba_dlz: allowing update of signer=dhcpduser\@HOME.LAN name=skywirelessconnector.home.lan tcpaddr=127.0.0.1 type=A key=2996983272.sig-dc3.home.lan/160/0
> Jan 23 09:52:57 dc3 named[19791]: client 127.0.0.1#57540/key dhcpduser\@HOME.LAN: updating zone 'home.lan/NONE': deleting rrset at 'skywirelessconnector.home.lan' A
> Jan 23 09:52:57 dc3 named[19791]: samba_dlz: subtracted rdataset skywirelessconnector.home.lan 'skywirelessconnector.home.lan.#0113600#011IN#011A#011192.168.0.212'
> Jan 23 09:52:57 dc3 named[19791]: client 127.0.0.1#57540/key dhcpduser\@HOME.LAN: updating zone 'home.lan/NONE': adding an RR at 'skywirelessconnector.home.lan' A
> Jan 23 09:52:57 dc3 named[19791]: samba_dlz: added rdataset skywirelessconnector.home.lan 'skywirelessconnector.home.lan.#0113600#011IN#011A#011192.168.0.212'
> Jan 23 09:52:57 dc3 named[19791]: samba_dlz: committed transaction on zone home.lan
> Jan 23 09:52:57 dc3 named[19791]: samba_dlz: starting transaction on zone 0.168.192.in-addr.arpa
> Jan 23 09:52:57 dc3 named[19791]: samba_dlz: allowing update of signer=dhcpduser\@HOME.LAN name=212.0.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=3568226925.sig-dc3.home.lan/160/0
> Jan 23 09:52:57 dc3 named[19791]: samba_dlz: allowing update of signer=dhcpduser\@HOME.LAN name=212.0.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=3568226925.sig-dc3.home.lan/160/0
> Jan 23 09:52:57 dc3 named[19791]: client 127.0.0.1#41342/key dhcpduser\@HOME.LAN: updating zone '0.168.192.in-addr.arpa/NONE': deleting rrset at '212.0.168.192.in-addr.arpa' PTR
> Jan 23 09:52:57 dc3 named[19791]: samba_dlz: subtracted rdataset 212.0.168.192.in-addr.arpa '212.0.168.192.in-addr.arpa.#0113600#011IN#011PTR#011skywirelessconnector.home.lan.'
> Jan 23 09:52:57 dc3 named[19791]: client 127.0.0.1#41342/key dhcpduser\@HOME.LAN: updating zone '0.168.192.in-addr.arpa/NONE': adding an RR at '212.0.168.192.in-addr.arpa' PTR
> Jan 23 09:52:57 dc3 named[19791]: samba_dlz: added rdataset 212.0.168.192.in-addr.arpa '212.0.168.192.in-addr.arpa.#0113600#011IN#011PTR#011skywirelessconnector.home.lan.'
> Jan 23 09:52:57 dc3 named[19791]: samba_dlz: committed transaction on zone 0.168.192.in-addr.arpa
> Jan 23 09:52:57 dc3 logger: DHCP-DNS Update succeeded
> Jan 23 09:52:57 dc3 dhcpd: DHCPREQUEST for 192.168.0.212 from 18:28:61:95:cd:4b (skywirelessconnector) via eth0
> Jan 23 09:52:57 dc3 dhcpd: DHCPACK on 192.168.0.212 to 18:28:61:95:cd:4b (skywirelessconnector) via eth0
> 
> Yes, 9 minutes 27 seconds later dhcpduser does have the right key and all without me doing anything.
> 
> Anybody got any thoughts on why the script works for anything but Windows clients ???? or in other words HELPPPP!!! ;-)
> 
> Rowland
> 
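
Added example (not from either poster and not Samba project code): Python that groups the `samba_dlz` allow/deny decisions found in syslog lines like those quoted above by signer, so it is easy to see which record names a signer was refused on and which it was allowed to update. The function names are chosen here for illustration; the sample lines are copied from the quoted log.

```python
import re
from collections import defaultdict

# Log lines copied from the syslog excerpts quoted in the thread above.
SAMPLE = r"""
Jan 23 09:43:29 dc3 named[19791]: samba_dlz: disallowing update of signer=dhcpduser\@HOME.LAN name=windowsxp.home.lan type=A error=insufficient access rights
Jan 23 09:43:29 dc3 named[19791]: samba_dlz: disallowing update of signer=dhcpduser\@HOME.LAN name=226.0.168.192.in-addr.arpa type=PTR error=insufficient access rights
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: allowing update of signer=dhcpduser\@HOME.LAN name=skywirelessconnector.home.lan tcpaddr=127.0.0.1 type=A key=2996983272.sig-dc3.home.lan/160/0
Jan 23 09:52:57 dc3 named[19791]: samba_dlz: allowing update of signer=dhcpduser\@HOME.LAN name=212.0.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=3568226925.sig-dc3.home.lan/160/0
Jan 23 09:52:57 dc3 logger: DHCP-DNS Update succeeded
""".strip().splitlines()

# One samba_dlz decision line; tcpaddr= and error= are each present only
# on some lines, so both are optional.
DECISION = re.compile(
    r"samba_dlz: (?P<verdict>allowing|disallowing) update of "
    r"signer=(?P<signer>\S+) name=(?P<name>\S+)"
    r"(?: tcpaddr=\S+)? type=(?P<rtype>\S+)(?: error=(?P<error>.*))?"
)

def decisions(lines):
    """Yield one dict per samba_dlz allow/deny decision found in lines."""
    for line in lines:
        m = DECISION.search(line)
        if m:
            d = m.groupdict()
            d["signer"] = d["signer"].replace("\\", "")  # dhcpduser\@X -> dhcpduser@X
            yield d

def by_signer(lines):
    """Map signer -> {'allowed': {(name, type)}, 'denied': {(name, type): error}}."""
    out = defaultdict(lambda: {"allowed": set(), "denied": {}})
    for d in decisions(lines):
        key = (d["name"], d["rtype"])
        if d["verdict"] == "allowing":
            out[d["signer"]]["allowed"].add(key)
        else:
            out[d["signer"]]["denied"][key] = d["error"]
    return dict(out)

def mixed_signers(lines):
    """Signers that were both allowed and denied within the given lines."""
    return sorted(s for s, v in by_signer(lines).items() if v["allowed"] and v["denied"])

if __name__ == "__main__":
    for signer, v in by_signer(SAMPLE).items():
        print(signer, "allowed:", sorted(v["allowed"]))
        for (name, rtype), err in sorted(v["denied"].items()):
            print(signer, "DENIED:", name, rtype, "->", err)
```
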


More information about the samba-technical mailing list