[Samba] Removing a domain controller help needed

Daniele Dario d.dario76 at gmail.com
Fri Oct 11 08:15:09 MDT 2013


On Fri, 2013-10-11 at 15:53 +0200, Daniele Dario wrote:
> On Fri, 2013-10-11 at 09:59 +0100, Rowland Penny wrote:
> > On 11/10/13 08:26, Daniele Dario wrote:
> > > On Fri, 2013-10-11 at 16:00 +1300, Andrew Bartlett wrote:
> > >> On Fri, 2013-09-13 at 09:10 +0200, christophe wrote:
> > >>> Hi,
> > >>>
> > >>> First guys, I'd like to congratulate you. Samba 4 is really a cool product.
> > >>>
> > >>> I have a little problem though.
> > >>>
> > >>> The context:
> > >>>
> > >>> I have Samba4 AD DC working perfectly on a virtual machine
> > >>> for testing purpose I joined another Samba4 AD DC to the domain I had
> > >>> provisioned and it worked perfectly but my second DC VM was deleted with no
> > >>> mean to get it back.
> > >>>
> > >>> I have now a problem on my first DC as the second DC still shows up in the
> > >>> RSAT console,  NTDSUTIL, DNS and also samba-tool drs showrepl.
> > >>> it seems to be impossible to delete it completely.
> > >>>
> > >>>
> > >>> I know if I were on a windows DC I'd simply have gone for forced deletion
> > >>> then metadata cleanup.
> > >>> but I don't have a windows DC.
> > >>>
> > >>> Is there a way I can permanently remove all connection to my disappeared
> > >>> second DC from the AD just using the tools provided with samba 4?
> > >> Can you use the ADUC tools to do it?
> > >>
> > >> Yes, we are aware this isn't ideal, and patches to samba-tool are
> > >> welcome.
> > >>
> > >>> Other question:
> > >>>
> > >>> I use ISC-DHCP-SERVER with SAMBA_Internal DNS.
> > >>>
> > >>> Is there a way to have it updating records?
> > >>> From the DNS console, it seems I can't allow for unsecure updates
> > >> Currently this is controlled from the smb.conf, not DNS console.
> > >>
> > >> But unsecure updates are a really bad idea.  Other folks have done this
> > >> with GSS-TSIG and an external script, and it would be really neat to
> > >> also support shared-key TSIG, but that requires work.  Patches are very
> > >> welcome (the shared 128 bit key can be stored in or generated from the
> > >> unicodePwd).
> > >>
> > >> Andrew Bartlett
> > >>
> > > Hi,
> > > I post this to samba list:
> > >
> > > As Christophe, I'm trying to find a way to get records updated and I
> > > found this "howto"
> > > http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ but I'm not able to get it working properly.
> > > Mainly the script would find the old record, delete it and add the new
> > > one but as stated in my comment on the blog it fails due to TSIG
> > > error/TKEY is unacceptable.
> > >
> > > The last comment on the blog says:
> > >
> > > Just a hint for someone else who stumbles across the same problem, if
> > > you’re using Samba 4 as an AD DC, then kinit with the keytab created in
> > > the script instructions above won’t work as samba4 doesn’t seem to like
> > > the encryption type. Use
> > > -e arcfour-hmac-md5 with the addent command instead.
> > >
> > > The first script posted on the blog states
> > >
> > > # keytab can be generated using
> > > # $ ktutil
> > > # ktutil: addent -password -p dhcpduser at EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
> > > # Password for dhcpduser at EXAMPLE.COM:
> > > # ktutil: wkt dhcpduser.keytab
> > > # ktutil: quit
> > >
> > > but next changes in
> > >
> > > Using samba AD DC I used
> > > # keytab can be generated using the Samba4 tool:
> > > # samba-tool domain exportkeytab /etc/dhcpd/dhcpduser.keytab --principal=dhcpduser
> > >
> > > and klist -k dhcpduser.keytab -e shows
> > > Keytab name: WRFILE:/etc/dhcp/dhcpduser.keytab
> > > KVNO Principal
> > > ----
> > > --------------------------------------------------------------------------
> > >     1 dhcpduser at SAITEL.LOC (DES cbc mode with CRC-32)
> > >     1 dhcpduser at SAITEL.LOC (DES cbc mode with RSA-MD5)
> > >     1 dhcpduser at SAITEL.LOC (ArcFour with HMAC/md5)
> > >
> > > so it seems that the keytab contains the arcfour-hmac-md5 encryption
> > > key.
> > >
> > > Can someone put some light on this?
> > >
> > > Thanks,
> > > Daniele.
> > >
> > Hi, I have been using something similar for some time now, without any 
> > great problems. I have attached my notes and hope that these help.
> > 
> > Rowland
> 
> Hi Rowland,
> I'm trying with your script and something changed so I guess I'm on the
> right way to get DDNS working but what I'm seeing now is
> 
> Oct 11 15:35:26 kdc01 dhcpd: Commit: IP: 192.168.12.204 DHCID:
> 1:0:22:43:1b:9f:b2 Name: alaska
> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[0]
> = /etc/dhcp/dhcp-krbnsupdate.sh
> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[1] = add
> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[2] = 192.168.12.204
> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[3] =
> 1:0:22:43:1b:9f:b2
> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[4] = alaska
> Oct 11 15:35:26 kdc01 dhcpd: execute: /etc/dhcp/dhcp-krbnsupdate.sh exit
> status 256
> Oct 11 15:35:26 kdc01 dhcpd: Unable to add forward map from
> alaska.saitel.loc to 192.168.12.204: timed out
> Oct 11 15:35:26 kdc01 dhcpd: DHCPREQUEST for 192.168.12.204 from
> 00:22:43:1b:9f:b2 (alaska) via eth0
> Oct 11 15:35:26 kdc01 dhcpd: DHCPACK on 192.168.12.204 to
> 00:22:43:1b:9f:b2 (alaska) via eth0
> 
> as you can see the script exits with status 256, which is not a value
> returned by the script.
> 
> Looking deeper I found that when you check whether a ticket is already
> present you use
> if [ -z "$KRB5CCNAME" ]; then
>     # if no ticket set expiration to 0
>     expiration=0
> else
>     # get expiration time as a number
>     edate=$(klist | grep $realm | grep '/' | sort | head -n 1 | awk '{print $3}' | tr '/' '-')
>     etime=$(klist | grep $realm | grep '/' | sort | head -n 1 | awk '{print $4}')
>     expiration=$(date -d "$edate $etime" '+%s')
> fi
> 
> but [ -z ] just checks if a string is empty and you set KRB5CCNAME before,
> so it seems to me that you should test if the cached ticket is present
> using
> 
> if [ -f "$KRB5CCNAME" ]; then
>     # a ticket is present
>     # get expiration time as a number
>     edate=$(klist | grep $realm | grep '/' | sort | head -n 1 | awk '{print $3}' | tr '/' '-')
>     etime=$(klist | grep $realm | grep '/' | sort | head -n 1 | awk '{print $4}')
>     expiration=$(date -d "$edate $etime" '+%s')
> else
>     # if no ticket set expiration to 0
>     expiration=0
> fi
> 
> BTW, running the script manually this is what I can see:
> 
> [root at kdc01:~]# ./etc/dhcp/dhcp-krbnsupdate.sh add 192.168.12.183 1:14:7d:c5:48:7a:d5 android-b9c850d595c8b543
> dhcpd: DHCP-DNS: no ticket present
> dhcpd: Getting new ticket, old one expired 0, now is 1318512848
> dhcpd: DHCP-DNS: kinit succeeded
> dns_tkey_negotiategss: TKEY is unacceptable 
> dhcpd: result1 = 1
> dns_tkey_negotiategss: TKEY is unacceptable 
> dhcpd: result2 = 1
> dhcpd: DHCP-DNS_Update-failed
> 
> Any idea of what I'm doing wrong?
> 
> Daniele.
> 

Just to add some info, I tried to run nsupdate as:
[root at kdc01:~]# export KRB5CCNAME=/tmp/dhcp-dyndns.cc
[root at kdc01:~]# kinit -F -k -t /etc/dhcp/dhcpduser.keytab -c $KRB5CCNAME dhcpduser at SAITEL.LOC
[root at kdc01:~]# klist
Ticket cache: FILE:/tmp/dhcp-dyndns.cc
Default principal: dhcpduser at SAITEL.LOC

Valid starting     Expires            Service principal
10/11/13 16:13:06  10/12/13 02:13:06  krbtgt/SAITEL.LOC at SAITEL.LOC
	renew until 10/12/13 16:13:06
[root at kdc01:~]# nsupdate -g
> server 192.168.12.5
> realm SAITEL.LOC
> update delete alaska.saitel.loc 3600 A
> send
dns_tkey_negotiategss: TKEY is unacceptable 
[root at kdc01:~]# 

What does it mean?
Daniele.
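The ticket-cache check discussed in the thread, written out as an added example (not Rowland's script nor anything from the Samba project): it tests the credential cache file rather than the KRB5CCNAME variable, and parses the klist "Expires" column in the MM/DD/YY format shown above into an unambiguous ISO date before handing it to GNU date. The klist output is constructed from the thread's sample; GNU date, a file-based cache and a 20YY century are assumptions.

```bash
#!/bin/bash
# Constructed klist output modelled on the thread's sample (not captured from a real host).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/dhcp-dyndns.cc
Default principal: dhcpduser@SAITEL.LOC

Valid starting     Expires            Service principal
10/11/13 16:13:06  10/12/13 02:13:06  krbtgt/SAITEL.LOC@SAITEL.LOC
	renew until 10/12/13 16:13:06'

# ticket_expiration KLIST_OUTPUT REALM
# Prints the TGT expiry as epoch seconds (UTC), or 0 when no krbtgt line
# for REALM is present in the klist output.
ticket_expiration() {
    local out="$1" realm="$2" line edate etime iso
    line=$(printf '%s\n' "$out" | grep "krbtgt/$realm" | head -n 1)
    [ -n "$line" ] || { echo 0; return; }
    edate=$(printf '%s\n' "$line" | awk '{print $3}')   # MM/DD/YY
    etime=$(printf '%s\n' "$line" | awk '{print $4}')   # HH:MM:SS
    # Rewrite MM/DD/YY as YYYY-MM-DD so GNU date does not have to guess the
    # field order (tr '/' '-' would leave that ambiguous). Assumes 20YY.
    iso=$(printf '%s\n' "$edate" | awk -F/ '{printf "20%s-%s-%s", $3, $1, $2}')
    TZ=UTC date -d "$iso $etime" '+%s'
}

# needs_new_ticket CCACHE_FILE KLIST_OUTPUT REALM NOW_EPOCH
# Returns 0 (true) when a fresh kinit is needed: the cache file is missing
# or the ticket expires within five minutes of NOW_EPOCH.
needs_new_ticket() {
    local ccache="$1" out="$2" realm="$3" now="$4" exp
    # Test the file, not the variable: KRB5CCNAME is exported before this
    # runs, so "[ -z $KRB5CCNAME ]" can never detect a missing ticket.
    [ -f "$ccache" ] || return 0
    exp=$(ticket_expiration "$out" "$realm")
    [ "$exp" -le $((now + 300)) ]
}
```

In the real helper the klist output would come from `klist` run against the exported KRB5CCNAME and NOW_EPOCH from `date '+%s'`; a true result is where the script should call kinit with the keytab before invoking nsupdate.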
