[Samba] samba 4.0.6 with internal DNS and DHCP problems

Daniele Dario d.dario76 at gmail.com
Wed Oct 16 03:32:00 MDT 2013


Hi Rowland,

On ven, 2013-10-11 at 17:05 +0100, Rowland Penny wrote:
> On 11/10/13 16:46, Daniele Dario wrote:
> > On Fri, 2013-10-11 at 16:06 +0100, Rowland Penny wrote:
> >> On 11/10/13 14:53, Daniele Dario wrote:
> >>> On Fri, 2013-10-11 at 09:59 +0100, Rowland Penny wrote:
> >>>> On 11/10/13 08:26, Daniele Dario wrote:
> >>>>> On Fri, 2013-10-11 at 16:00 +1300, Andrew Bartlett wrote:
> >>>>>> On Fri, 2013-09-13 at 09:10 +0200, christophe wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> First guys, I'd like congratulate you. Samba 4 is really a cool product.
> >>>>>>>
> >>>>>>> I have a little problem though.
> >>>>>>>
> >>>>>>> The context:
> >>>>>>>
> >>>>>>> I have Samba4 AD DC working perfectly on a virtual machine
> >>>>>>> for testing purpose I joined another Samba4 AD DC to the domain I had
> >>>>>>> provisioned and it worked perfectly but my second DC VM was deleted with no
> >>>>>>> mean to get it back.
> >>>>>>>
> >>>>>>> I have now a problem on my first DC as the second DC still shows up in the
> >>>>>>> RSAT console,  NTDSUTIL, DNS and also samba-tool drs showrepl.
> >>>>>>> it seems to be impossible to delete it completely.
> >>>>>>>
> >>>>>>>
> >>>>>>> I know if I were on a windows DC I'd simply have gone for forced deletion
> >>>>>>> then metadata cleanup.
> >>>>>>> but I don't have a windows DC.
> >>>>>>>
> >>>>>>> Is there a way I can permanently remove all connection to my disappeared
> >>>>>>> second DC form the AD just using  the tools provides with samba 4?
> >>>>>> Can you use the ADUC tools to do it?
> >>>>>>
> >>>>>> Yes, we are aware this isn't ideal, and patches to samba-tool are
> >>>>>> welcome.
> >>>>>>
> >>>>>>> Other question:
> >>>>>>>
> >>>>>>> I use ISC-DHCP-SERVER with SAMBA_Internal DNS.
> >>>>>>>
> >>>>>>> Is there a way to have it updating records?
> >>>>>>> From the DNS console, it seems I can't allow for unsecure updates
> >>>>>> Currently this is controlled from the smb.conf, not DNS console.
> >>>>>>
> >>>>>> But unsecure updates are a really bad idea.  Other folks have done this
> >>>>>> with GSS-TSIG and an external script, and it would be really neat to
> >>>>>> also support shared-key TSIG, but that requires work.  Patches are very
> >>>>>> welcome (the shared 128 bit key can be stored in or generated from the
> >>>>>> unicodePwd).
> >>>>>>
> >>>>>> Andrew Bartlett
> >>>>>>
> >>>>> Hi,
> >>>>> I post this to samba list:
> >>>>>
> >>>>> As Cristophe, I'm trying to find a way to get records updated and I
> >>>>> found this "howto"
> >>>>> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ but I'm not able to get it working properly.
> >>>>> Mainly the script would find the old record, delete it and add the new
> >>>>> one but as stated in my comment on the blog it fails due to TSIG
> >>>>> error/TKEY is unacceptable.
> >>>>>
> >>>>> The last comment on the blog says:
> >>>>>
> >>>>> Just an hint for someone else who stumbles across the same problem, if
> >>>>> you’re using Samba 4 as an AD DC, then kinit with the keytab created in
> >>>>> the script instructions above won’t work as samba4 doesn’t seem to like
> >>>>> the encryption type. Use
> >>>>> -e arcfour-hmac-md5 with the addent command instead.
> >>>>>
> >>>>> The first script posted on the blog states
> >>>>>
> >>>>> # keytab can be generated using
> >>>>> # $ ktutil
> >>>>> # ktutil: addent -password -p dhcpduser@EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
> >>>>> # Password for dhcpduser@EXAMPLE.COM:
> >>>>> # ktutil: wkt dhcpduser.keytab
> >>>>> # ktutil: quit
> >>>>>
> >>>>> but next changes in
> >>>>>
> >>>>> Using samba AD DC I used
> >>>>> # keytab can be generated using the Samba4 tool:
> >>>>> # samba-tool domain exportkeytab /etc/dhcpd/dhcpduser.keytab --principal=dhcpduser
> >>>>>
> >>>>> and klist -k dhcpduser.keytab -e shows
> >>>>> Keytab name: WRFILE:/etc/dhcp/dhcpduser.keytab
> >>>>> KVNO Principal
> >>>>> ---- --------------------------------------------------------------------------
> >>>>>       1 dhcpduser@SAITEL.LOC (DES cbc mode with CRC-32)
> >>>>>       1 dhcpduser@SAITEL.LOC (DES cbc mode with RSA-MD5)
> >>>>>       1 dhcpduser@SAITEL.LOC (ArcFour with HMAC/md5)
> >>>>>
> >>>>> so it seems that the keytab contains the arcfour-hmac-md5 encryption
> >>>>> key.
> >>>>>
> >>>>> Can someone put some light on this?
> >>>>>
> >>>>> Thanks,
> >>>>> Daniele.
> >>>>>
> >>>> Hi, I have been using something similar for some time now, without any
> >>>> great problems. I have attached my notes and hope that these help.
> >>>>
> >>>> Rowland
> >>> Hi Rowland,
> >>> I'm trying with your script and something changed so I guess I'm on the
> >>> right way to get DDNS working but what I'm seeing now is
> >>>
> >>> Oct 11 15:35:26 kdc01 dhcpd: Commit: IP: 192.168.12.204 DHCID: 1:0:22:43:1b:9f:b2 Name: alaska
> >>> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[0] = /etc/dhcp/dhcp-krbnsupdate.sh
> >>> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[1] = add
> >>> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[2] = 192.168.12.204
> >>> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[3] = 1:0:22:43:1b:9f:b2
> >>> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[4] = alaska
> >>> Oct 11 15:35:26 kdc01 dhcpd: execute: /etc/dhcp/dhcp-krbnsupdate.sh exit status 256
> >>> Oct 11 15:35:26 kdc01 dhcpd: Unable to add forward map from alaska.saitel.loc to 192.168.12.204: timed out
> >>> Oct 11 15:35:26 kdc01 dhcpd: DHCPREQUEST for 192.168.12.204 from 00:22:43:1b:9f:b2 (alaska) via eth0
> >>> Oct 11 15:35:26 kdc01 dhcpd: DHCPACK on 192.168.12.204 to 00:22:43:1b:9f:b2 (alaska) via eth0
> >>>
> >>> as you can see, the script exits with status 256, which is not a value
> >>> returned by the script.
> >>>
> >>> Looking deeper I found that when you check whether a ticket is already present
> >>> you use
> >>> if [ -z "$KRB5CCNAME" ]; then
> >>>       # if no ticket set expiration to 0
> >>>       expiration=0
> >>> else
> >>>       # get expiration time as a number
> >>>       edate=$(klist | grep $realm | grep '/' | sort | head -n 1 | awk '{print $3}' | tr '/' '-')
> >>>       etime=$(klist | grep $realm | grep '/' | sort | head -n 1 | awk '{print $4}')
> >>>       expiration=$(date -d "$edate $etime" '+%s')
> >>> fi
> >>>
> >>> but [ -z ] just checks whether a string is empty, and you set KRB5CCNAME before,
> >>> so it seems to me that you should test whether the cached ticket is present
> >>> using
> >>>
> >>> if [ -f "$KRB5CCNAME" ]; then
> >>>       # a ticket is present
> >>>       # get expiration time as a number
> >>>       edate=$(klist | grep $realm | grep '/' | sort | head -n 1 | awk '{print $3}' | tr '/' '-')
> >>>       etime=$(klist | grep $realm | grep '/' | sort | head -n 1 | awk '{print $4}')
> >>>       expiration=$(date -d "$edate $etime" '+%s')
> >>> else
> >>>       # if no ticket set expiration to 0
> >>>       expiration=0
> >>> fi
> >>>
> >>> BTW, running the script manually this is what I can see:
> >>>
> >>> [root@kdc01:~]# ./etc/dhcp/dhcp-krbnsupdate.sh add 192.168.12.183 1:14:7d:c5:48:7a:d5 android-b9c850d595c8b543
> >>> dhcpd: DHCP-DNS: no ticket present
> >>> dhcpd: Getting new ticket, old one expired 0, now is 1318512848
> >>> dhcpd: DHCP-DNS: kinit succeeded
> >>> dns_tkey_negotiategss: TKEY is unacceptable
> >>> dhcpd: result1 = 1
> >>> dns_tkey_negotiategss: TKEY is unacceptable
> >>> dhcpd: result2 = 1
> >>> dhcpd: DHCP-DNS_Update-failed
> >>>
> >>> Any idea of what I'm doing wrong?
> >>>
> >>> Daniele.
> >>>
> >> Have you created the keytab? : samba-tool domain exportkeytab /etc/dhcp/dhcpduser.keytab --principal=dhcpduser@$realm
> >>
> >> Once this is created, you need to ensure that the dhcp user owns all the
> >> files in /etc/dhcp : chown dhcpd:dhcpd -R /etc/dhcp
> >>
> >> If everything is correct, running the script as the dhcp user should work
> >>
> >> su - -s /bin/bash dhcpd -c "/usr/local/sbin/dhcp-dyndns.sh add 192.168.0.204 1:84:a6:c8:3b:da:7b ThinkPad"
> >> Getting new ticket, old one expired 0, now is 1381503295
> >> DHCP-DNS Update succeeded
> >>
> >> and you should find this in /var/log/syslog:
> >>
> >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: starting transaction on zone home.lan
> >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: allowing update of signer=dhcpduser\@HOME.LAN name=ThinkPad.home.lan tcpaddr=127.0.0.1 type=A key=2712415368.sig-homeserver.home.lan/160/0
> >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: allowing update of signer=dhcpduser\@HOME.LAN name=ThinkPad.home.lan tcpaddr=127.0.0.1 type=A key=2712415368.sig-homeserver.home.lan/160/0
> >> Oct 11 15:54:56 homeserver named[1115]: client 127.0.0.1#51111/key dhcpduser\@HOME.LAN: updating zone 'home.lan/NONE': deleting rrset at 'ThinkPad.home.lan' A
> >> Oct 11 15:54:56 homeserver named[1115]: client 127.0.0.1#51111/key dhcpduser\@HOME.LAN: updating zone 'home.lan/NONE': adding an RR at 'ThinkPad.home.lan' A
> >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: added ThinkPad.home.lan ThinkPad.home.lan.#0113600#011IN#011A#011192.168.0.204
> >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: subtracted rdataset home.lan 'home.lan.#0113600#011IN#011SOA#011homeserver.home.lan. hostmaster.home.lan. 2 900 600 86400 0'
> >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: added rdataset home.lan 'home.lan.#0113600#011IN#011SOA#011homeserver.home.lan. hostmaster.home.lan. 3 900 600 86400 0'
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: committed transaction on zone home.lan
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: starting transaction on zone 0.168.192.in-addr.arpa
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: allowing update of signer=dhcpduser\@HOME.LAN name=204.0.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=2492596725.sig-homeserver.home.lan/160/0
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: allowing update of signer=dhcpduser\@HOME.LAN name=204.0.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=2492596725.sig-homeserver.home.lan/160/0
> >> Oct 11 15:54:57 homeserver named[1115]: client 127.0.0.1#37499/key dhcpduser\@HOME.LAN: updating zone '0.168.192.in-addr.arpa/NONE': deleting rrset at '204.0.168.192.in-addr.arpa' PTR
> >> Oct 11 15:54:57 homeserver named[1115]: client 127.0.0.1#37499/key dhcpduser\@HOME.LAN: updating zone '0.168.192.in-addr.arpa/NONE': adding an RR at '204.0.168.192.in-addr.arpa' PTR
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz:added 204.0.168.192.in-addr.arpa 204.0.168.192.in-addr.arpa.#0113600#011IN#011PTR#011ThinkPad.home.lan.
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: subtracted rdataset 0.168.192.in-addr.arpa '0.168.192.in-addr.arpa.#0113600#011IN#011SOA#011homeserver.home.lan. hostmaster.home.lan. 4 900 600 86400 3600'
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: added rdataset 0.168.192.in-addr.arpa '0.168.192.in-addr.arpa.#0113600#011IN#011SOA#011homeserver.home.lan. hostmaster.home.lan. 5 900 600 86400 3600'
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: committed transaction on zone 0.168.192.in-addr.arpa
> >> Oct 11 15:54:57 homeserver root: DHCP-DNS Update succeeded
> >>
> >> Rowland
> >>
> > Just to be sure I did it again
> >
> > [root@kdc01:~]# samba-tool domain exportkeytab /etc/dhcp/dhcpduser.keytab --principal=dhcpduser@SAITEL.LOC
> > [root@kdc01:~]# sudo -R chown dhcpd.dhcpd /etc/dhcp
> > [root@kdc01:~]# su - -s /bin/bash dhcpd -c "/etc/dhcp/dhcp-krbnsupdate.sh add 192.168.12.183 1:14:7d:c5:48:7a:d5 android-b9c850d595c8b543"
> > dhcpd: DHCP-DNS: found ticket: look if valid
> > dhcpd: Getting new ticket, old one expired 1292206524, now is 1318518931
> > dhcpd: DHCP-DNS: kinit succeeded
> > dns_tkey_negotiategss: TKEY is unacceptable
> > dhcpd: result1 = 1
> > dns_tkey_negotiategss: TKEY is unacceptable
> > dhcpd: result2 = 1
> > dhcpd: DHCP-DNS_Update-failed
> >
> > I'm working on an Ubuntu server 11.04 x86. Would AppArmor have an impact in
> > this scenario?
> >
> > Daniele.
> >
> Hi, mine is running on Ubuntu server 12.04.3 x86_64 without apparmor, so
> yes, it could be apparmor that is stopping it from working.
> I hate both selinux and apparmor, both have given me problems in the
> past; I have spent hours trying to get something to work, only to find
> out that turning off selinux or apparmor cured the problem. One of these
> days I must learn how to use them ;-)
> 
> Rowland

I tried to disable apparmor for dhcpd but still have errors on the
update.

One of the things that is different from your setup is that I'm
using Samba's internal DNS: I've seen that you are using bind+dlz, or
does it also work with the internal DNS for you?

Trying to manually run the commands I'm seeing this:

dhcpd@kdc01:~$ export KRB5CCNAME=/tmp/dhcp-dyndns.cc
dhcpd@kdc01:~$ echo $KRB5CCNAME
/tmp/dhcp-dyndns.cc
dhcpd@kdc01:~$ kinit -F -k -t /etc/dhcp/dhcpduser.keytab dhcpduser@SAITEL.LOC
dhcpd@kdc01:~$ klist
Ticket cache: FILE:/tmp/dhcp-dyndns.cc
Default principal: dhcpduser@SAITEL.LOC

Valid starting     Expires            Service principal
10/16/13 09:55:41  10/16/13 19:55:41  krbtgt/SAITEL.LOC@SAITEL.LOC
        renew until 10/17/13 09:55:41
dhcpd@kdc01:~$ nsupdate -g
> server 192.168.12.5
> realm SAITEL.LOC
> update delete alaska.saitel.loc 3600 A
> send
dns_tkey_negotiategss: TKEY is unacceptable

So it seems that the problem is not related to the script but at this
point I'm not able to figure out how to go on.

Daniele.
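An added example, not a script from this thread and not Rowland's attached notes: a complete hook of the kind dhcpd runs from its "on commit" / "on release" statements with the argument order seen in the log above (add|delete, IP, DHCID, hostname). It sidesteps the ticket-expiry date arithmetic debated above by asking "klist -s", which is silent and exits non-zero when the cache is missing or all its tickets have expired, so neither the [ -z ] nor the [ -f ] test on KRB5CCNAME is needed. The two pure pieces, the reverse-zone name and the nsupdate batch, are separate functions so they can be exercised without a KDC or a DNS server. Values taken from the thread: realm SAITEL.LOC, zone saitel.loc, keytab /etc/dhcp/dhcpduser.keytab, cache /tmp/dhcp-dyndns.cc, TTL 3600. Assumed for the example only: the DNS server is 127.0.0.1 because the hook is taken to run on the DC itself. For reference, the "exit status 256" dhcpd logged above is the raw wait() status, meaning the child exited with code 1, which is also what this hook returns on any failure. It does not address the "TKEY is unacceptable" error, which the thread leaves open.

```shell
#!/bin/sh
# Added example (not a script from the thread): DHCP -> AD DNS update hook in
# the style of dhcp-krbnsupdate.sh / dhcp-dyndns.sh discussed above.
# dhcpd runs it as:   dhcp-dyndns.sh add|delete <ip> <dhcid> <hostname>
#
# Assumptions: realm, zone, keytab path and cache path are the thread's own;
# DNSSERVER=127.0.0.1 is assumed because the hook is taken to run on the DC.

REALM="SAITEL.LOC"
DOMAIN="saitel.loc"
DNSSERVER="127.0.0.1"
KEYTAB="/etc/dhcp/dhcpduser.keytab"
PRINCIPAL="dhcpduser@${REALM}"
TTL=3600
# Private credential cache for the dhcpd user, as in the thread.
export KRB5CCNAME="/tmp/dhcp-dyndns.cc"

log() {
    logger -t dhcpd -- "DHCP-DNS: $*" 2>/dev/null || echo "dhcpd: DHCP-DNS: $*" >&2
}

# 192.168.12.204 -> 204.12.168.192.in-addr.arpa (pure text, no network).
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Print the nsupdate batch for one lease: forward zone first, then reverse.
# The delete always precedes the add so a stale record from an earlier lease
# is replaced rather than accumulated.  $1 = add|delete, $2 = ip, $3 = name.
build_update() {
    _action=$1; _ip=$2; _fqdn="$3.${DOMAIN}"; _rev=$(ptr_name "$_ip")
    printf 'server %s\nrealm %s\n' "$DNSSERVER" "$REALM"
    printf 'update delete %s A\n' "$_fqdn"
    if [ "$_action" = add ]; then
        printf 'update add %s %d A %s\n' "$_fqdn" "$TTL" "$_ip"
    fi
    printf 'send\n'
    printf 'server %s\nrealm %s\n' "$DNSSERVER" "$REALM"
    printf 'update delete %s PTR\n' "$_rev"
    if [ "$_action" = add ]; then
        printf 'update add %s %d PTR %s.\n' "$_rev" "$TTL" "$_fqdn"
    fi
    printf 'send\n'
}

# The script in the thread tested [ -z "$KRB5CCNAME" ] (always false once the
# variable is exported) and then parsed klist's date columns.  klist -s is
# silent and exits non-zero when the cache is missing or every ticket in it
# has expired, which is exactly the question being asked.
ticket_valid() {
    klist -s 2>/dev/null
}

get_ticket() {
    if ticket_valid; then
        return 0
    fi
    log "no valid ticket in $KRB5CCNAME, running kinit for $PRINCIPAL"
    # -F: not forwardable; -k -t: authenticate with the exported keytab.
    kinit -F -k -t "$KEYTAB" "$PRINCIPAL" || { log "kinit failed"; return 1; }
}

main() {
    if [ $# -ne 4 ]; then
        log "usage: $0 add|delete <ip> <dhcid> <hostname>"
        return 2
    fi
    _act=$1; _addr=$2; _dhcid=$3; _host=$4
    case "$_act" in
        add|delete) ;;
        *) log "unknown action '$_act'"; return 2 ;;
    esac
    get_ticket || return 1
    # -g: GSS-TSIG, signing the update with the ticket obtained above.
    build_update "$_act" "$_addr" "$_host" | nsupdate -g
    _rc=$?
    if [ "$_rc" -ne 0 ]; then
        log "update $_act $_host $_addr (DHCID $_dhcid) failed, nsupdate exit $_rc"
        return 1
    fi
    log "update $_act $_host $_addr (DHCID $_dhcid) succeeded"
}

# Only act when dhcpd (or an operator) passes arguments; with none, the file
# can be sourced to exercise ptr_name and build_update offline.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

To try it by hand the way Rowland does above, run it as the dhcpd user (su - -s /bin/bash dhcpd -c "/path/to/hook add 192.168.12.204 1:0:22:43:1b:9f:b2 alaska") after the keytab has been exported and chowned; the syslog line it writes on failure carries nsupdate's exit code, so dhcpd's "exit status 256" no longer has to be decoded.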


