[Samba] nsupdate-gss
Dag Wieers
dag at wieers.com
Thu Aug 2 10:32:20 GMT 2007
On Wed, 1 Aug 2007, Dag Wieers wrote:
> PS I also noticed that the nsupdate-gss fails even when it by accident
> takes a local DC because it does not use the same server for $nameserver
> and $server_name, which causes the TKEY negotiation to fail.
>
> This could explain tridge's 'only one out of two attempts work'. In
> fact, only 1 out of X attempts will work when X number of nameservers are
> available. Only if you have a single DC will it work consistently.
When I fixed the above, it suddenly worked for all DCs! So the extra
argument patch is no longer really useful unless you want to target a
specific DC for test purposes.
Here is a new patch that fixes all problems we had with the
original nsupdate-gss. The only real fix is this bit:
print "Using DNS server name $server_name\n";
+$nameserver->nameservers($server_name);
+
# use a long random key name
This enforces the same nameserver to be used during TKEY negotiation for
constructing the principal name in the GSS query as the one the GSS query
is sent to.
This is required if you have more than one DC acting as a nameserver;
without it your luck depends on the order of the nameservers (which is
round-robin).
Is the nsupdate-gss still maintained? I'd like to add some additional
features (like automatically filling in the hostname, domain and IP if
none are provided). I also want to fix the 'Uninitialized value in
Net/DNS/RR/TKEY.pm' problem.
I'm interested to hear from people how to best integrate this with DHCP
and non-interactive DNS updates (those are my next tasks in this quest).
PS nsupdate-gss is pretty much still required:
- because every Enterprise Linux ships Samba <= 2.0.23
- Samba 2.0.25b does not work (and may suffer from the above problem)
- it does not require Samba to work
Kind regards,
-- dag wieers, dag at wieers.com, http://dag.wieers.com/ --
[Any errors in spelling, tact or fact are transmission errors]
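The failure mode described in the mail (the principal name for the TKEY negotiation is built from one DC while the GSS query is sent to whichever DC the round-robin answer put first, so only 1 out of X attempts succeeds) can be shown with a small model. The following is an added example, not code from the mail or from nsupdate-gss: the DC names, the realm EXAMPLE.INTERNAL and the rule that a DC accepts a TKEY only when the ticket was issued for its own SPN are constructed assumptions that stand in for the real Kerberos exchange. The "unpinned" function mirrors the original script, which chose $server_name and $nameserver independently; the "pinned" function mirrors the patched script, which calls $nameserver->nameservers($server_name).

```python
import random

# Constructed sample: three AD domain controllers that all serve the zone and
# are returned by the resolver in rotating (round-robin) order.
DCS = ["dc1.example.internal", "dc2.example.internal", "dc3.example.internal"]
REALM = "EXAMPLE.INTERNAL"  # assumed realm, not from the original mail


def round_robin_nameservers(dcs, rng):
    """Model a resolver whose nameserver list comes back in a different order
    on every lookup (what the mail calls 'round-robin')."""
    order = list(dcs)
    rng.shuffle(order)
    return order


def principal_for(server_name):
    """SPN the TKEY client requests a ticket for: DNS/<host>@REALM.
    (Assumed form; the real script builds this inside its GSS code.)"""
    return f"DNS/{server_name}@{REALM}"


def tkey_negotiation_succeeds(target_server, principal):
    """Assumed acceptance rule: a DC can only decrypt a service ticket that was
    issued for its own SPN, so the principal must name the DC being queried."""
    return principal == principal_for(target_server)


def attempt_unpinned(dcs, rng):
    """Original behaviour: find_server_name() and find_nameservers() each take
    the first entry of an independently ordered answer."""
    server_name = round_robin_nameservers(dcs, rng)[0]  # name used for the SPN
    target = round_robin_nameservers(dcs, rng)[0]       # host the query goes to
    return tkey_negotiation_succeeds(target, principal_for(server_name))


def attempt_pinned(dcs, rng):
    """Patched behaviour: the resolver is pinned to $server_name, so the SPN
    and the query target always refer to the same DC."""
    server_name = round_robin_nameservers(dcs, rng)[0]
    target = server_name  # $nameserver->nameservers($server_name)
    return tkey_negotiation_succeeds(target, principal_for(server_name))


def success_rate(attempt, dcs, trials=10000, seed=1):
    """Fraction of attempts whose TKEY negotiation succeeds (deterministic seed
    so the figure is reproducible)."""
    rng = random.Random(seed)
    return sum(attempt(dcs, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for label, fn in (("unpinned", attempt_unpinned), ("pinned", attempt_pinned)):
        print(f"{label:9s} 3 DCs: {success_rate(fn, DCS):.3f}   "
              f"1 DC: {success_rate(fn, DCS[:1]):.3f}")
```

With three DCs the unpinned run succeeds about a third of the time and the pinned run always, which is the "1 out of X" behaviour the mail describes; with a single DC both succeed every time, which is why the problem is invisible on a one-DC test domain.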
-------------- next part --------------
--- /usr/src/redhat/SOURCES/nsupdate-gss 2006-01-23 06:35:10.000000000 +0100
+++ /usr/bin/nsupdate-gss 2007-08-01 17:30:35.000000000 +0200
@@ -5,6 +5,9 @@
# jmruiz at animatika.net
# updated, 2004-Enero
+# dag at wieers.com
+# updated, 2007-EMC
+
# See draft-ietf-dnsext-gss-tsig-02, RFC2845 and RFC2930
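Review bot: the added header line `# updated, 2007-EMC` is not a recognisable date; the line it mirrors (`# updated, 2004-Enero`) carries a month name, so `EMC` reads as a typo or placeholder. Suggest an unambiguous form such as `# updated, 2007-08`, matching the modification date in the `+++` header.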
@@ -20,21 +23,22 @@
# Integrity of the arguments
-if ($#ARGV != 3) {
+if ($#ARGV < 3) {
print "
-Usage: nsupdate-gss.pl HOST DOMAIN IP TTL
+Usage: nsupdate-gss.pl HOST DOMAIN IP TTL [NS]
";
exit 1;
}
-
-my $host = $ARGV[0];
-my $domain = $ARGV[1];
-my $ip = $ARGV[2];
+### FIXME: Fill in all information automatically
+my $host = $ARGV[0]; # hostname -s
+my $domain = $ARGV[1]; # domainname
+my $ip = $ARGV[2]; # ifconfig
my $ttl = $ARGV[3];
my $alg = "gss.microsoft.com";
+my $ns = $ARGV[4] if ($#ARGV >= 4);
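Review bot: `my $ns = $ARGV[4] if ($#ARGV >= 4);` declares a lexical with a statement modifier, which perlsyn documents as undefined behaviour (the variable may or may not be reinitialised, and `$ns` is in scope afterwards either way). Since `$ARGV[4]` is simply undef when only four arguments are given, a plain `my $ns = $ARGV[4];` gives the same `defined($ns)` result later on without the pitfall. Loosening the argument check from `!= 3` to `< 3` also means six or more arguments are now accepted silently; `if ($#ARGV < 3 || $#ARGV > 4)` would keep the usage message meaningful for the `[NS]` form.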
@@ -229,7 +233,11 @@
# find the nameservers
my $nameserver = find_nameservers("$domain.");
-print "Found nameserver $nameserver\n";
+$nameserver->nameservers($ns) if (defined($ns));
+#print $nameserver->print;
+
+#print "Found nameserver $nameserver\n";
+print "Found ".$nameserver->nameservers." nameserver(s)\n";
if (!defined($nameserver) || $nameserver->{'errorstring'} ne 'NOERROR') {
print "Failed to find a nameserver for domain $domain\n";
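Review bot: `$nameserver->nameservers($ns) if (defined($ns));` runs before the `!defined($nameserver)` check two lines below it, so when `find_nameservers` returns undef and `NS` was given on the command line the script dies with a method-call-on-undefined error instead of printing `Failed to find a nameserver for domain`. Move the override (and the new `print`) after that check. The `print "Found ".$nameserver->nameservers." nameserver(s)\n";` line calls `nameservers` in scalar context because of the `.` operator, so what gets printed depends on how that method behaves in scalar context; `join(', ', $nameserver->nameservers)` would print the list explicitly. The two commented-out debug lines (`#print $nameserver->print;` and `#print "Found nameserver $nameserver\n";`) should be dropped rather than committed.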
@@ -238,12 +246,16 @@
# find the name of the DNS server
my $server_name = find_server_name($domain);
+$server_name = $ns if (defined($ns));
+
if (!defined($server_name)) {
print "Failed to find a DNS server name for $domain\n";
exit 1;
}
print "Using DNS server name $server_name\n";
+$nameserver->nameservers($server_name);
+
# use a long random key name
my $key_name = int(rand 10000000000000);
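Review bot: `$nameserver->nameservers($server_name);` is the fix the mail describes (the TKEY negotiation must be carried out with the same DC whose name the GSS principal was built from), but nothing in the code says why the call is there; a one-line comment such as `# TKEY must be negotiated with the DC named in the GSS principal` would keep a later maintainer from removing what looks like a redundant call. Because `$server_name = $ns if (defined($ns));` two lines earlier already folds the command-line `NS` into `$server_name`, this line also makes the `$nameserver->nameservers($ns)` override in the previous hunk redundant; keeping only this one pinning call would leave a single place where the target is chosen.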