[Samba] samba 4.0.6 with internal DNS and DHCP problems

steve steve at steve-ss.com
Mon Oct 28 00:46:28 MDT 2013


On Wed, 2013-10-16 at 11:32 +0200, Daniele Dario wrote:
> Hi Rowland,
> 
> On ven, 2013-10-11 at 17:05 +0100, Rowland Penny wrote:
> > On 11/10/13 16:46, Daniele Dario wrote:
> > > On Fri, 2013-10-11 at 16:06 +0100, Rowland Penny wrote:
> > >> On 11/10/13 14:53, Daniele Dario wrote:
> > >>> On Fri, 2013-10-11 at 09:59 +0100, Rowland Penny wrote:
> > >>>> On 11/10/13 08:26, Daniele Dario wrote:
> > >>>>> On Fri, 2013-10-11 at 16:00 +1300, Andrew Bartlett wrote:
> > >>>>>> On Fri, 2013-09-13 at 09:10 +0200, christophe wrote:
> > >>>>>>> Hi,
> > >>>>>>>
> > >>>>>>> First guys, I'd like to congratulate you. Samba 4 is really a cool product.
> > >>>>>>>
> > >>>>>>> I have a little problem though.
> > >>>>>>>
> > >>>>>>> The context:
> > >>>>>>>
> > >>>>>>> I have Samba4 AD DC working perfectly on a virtual machine.
> > >>>>>>> For testing purposes I joined another Samba4 AD DC to the domain I had
> > >>>>>>> provisioned and it worked perfectly, but my second DC VM was deleted with no
> > >>>>>>> means to get it back.
> > >>>>>>>
> > >>>>>>> I have now a problem on my first DC as the second DC still shows up in the
> > >>>>>>> RSAT console,  NTDSUTIL, DNS and also samba-tool drs showrepl.
> > >>>>>>> it seems to be impossible to delete it completely.
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> I know if I were on a windows DC I'd simply have gone for forced deletion
> > >>>>>>> then metadata cleanup.
> > >>>>>>> but I don't have a windows DC.
> > >>>>>>>
> > >>>>>>> Is there a way I can permanently remove all connection to my disappeared
> > >>>>>>> second DC from the AD just using the tools provided with samba 4?
> > >>>>>> Can you use the ADUC tools to do it?
> > >>>>>>
> > >>>>>> Yes, we are aware this isn't ideal, and patches to samba-tool are
> > >>>>>> welcome.
> > >>>>>>
> > >>>>>>> Other question:
> > >>>>>>>
> > >>>>>>> I use ISC-DHCP-SERVER with SAMBA_Internal DNS.
> > >>>>>>>
> > >>>>>>> Is there a way to have it updating records?
> > >>>>>>> From the DNS console, it seems I can't allow for unsecure updates
> > >>>>>> Currently this is controlled from the smb.conf, not DNS console.
> > >>>>>>
> > >>>>>> But unsecure updates are a really bad idea.  Other folks have done this
> > >>>>>> with GSS-TSIG and an external script, and it would be really neat to
> > >>>>>> also support shared-key TSIG, but that requires work.  Patches are very
> > >>>>>> welcome (the shared 128 bit key can be stored in or generated from the
> > >>>>>> unicodePwd).
> > >>>>>>
> > >>>>>> Andrew Bartlett
> > >>>>>>
> > >>>>> Hi,
> > >>>>> I post this to samba list:
> > >>>>>
> > >>>>> As Cristophe, I'm trying to find a way to get records updated and I
> > >>>>> found this "howto"
> > >>>>> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ but I'm not able to get it working properly.
> > >>>>> Mainly the script would find the old record, delete it and add the new
> > >>>>> one but as stated in my comment on the blog it fails due to TSIG
> > >>>>> error/TKEY is unacceptable.
> > >>>>>
> > >>>>> The last comment on the blog says:
> > >>>>>
> > >>>>> Just a hint for someone else who stumbles across the same problem: if
> > >>>>> you're using Samba 4 as an AD DC, then kinit with the keytab created in
> > >>>>> the script instructions above won't work, as samba4 doesn't seem to like
> > >>>>> the encryption type. Use
> > >>>>> -e arcfour-hmac-md5 with the addent command instead.
> > >>>>>
> > >>>>> The first script posted on the blog states
> > >>>>>
> > >>>>> # keytab can be generated using
> > >>>>> # $ ktutil
> > >>>>> # ktutil: addent -password -p dhcpduser at EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
> > >>>>> # Password for dhcpduser at EXAMPLE.COM:
> > >>>>> # ktutil: wkt dhcpduser.keytab
> > >>>>> # ktutil: quit
> > >>>>>
> > >>>>> but the next one changes it to:
> > >>>>>
> > >>>>> Using samba AD DC I used
> > >>>>> # keytab can be generated using the Samba4 tool:
> > >>>>> # samba-tool domain exportkeytab /etc/dhcpd/dhcpduser.keytab --principal=dhcpduser
> > >>>>>
> > >>>>> and klist -k dhcpduser.keytab -e shows
> > >>>>> Keytab name: WRFILE:/etc/dhcp/dhcpduser.keytab
> > >>>>> KVNO Principal
> > >>>>> ---- --------------------------------------------------------------------------
> > >>>>>       1 dhcpduser at SAITEL.LOC (DES cbc mode with CRC-32)
> > >>>>>       1 dhcpduser at SAITEL.LOC (DES cbc mode with RSA-MD5)
> > >>>>>       1 dhcpduser at SAITEL.LOC (ArcFour with HMAC/md5)
> > >>>>>
> > >>>>> so it seems that the keytab contains the arcfour-hmac-md5 encryption
> > >>>>> key.
> > >>>>>
> > >>>>> Can someone put some light on this?
> > >>>>>
> > >>>>> Thanks,
> > >>>>> Daniele.
> > >>>>>
> > >>>> Hi, I have been using something similar for some time now, without any
> > >>>> great problems. I have attached my notes and hope that these help.
> > >>>>
> > >>>> Rowland
> > >>> Hi Rowland,
> > >>> I'm trying with your script and something changed, so I guess I'm on the
> > >>> right way to get DDNS working, but what I'm seeing now is
> > >>>
> > >>> Oct 11 15:35:26 kdc01 dhcpd: Commit: IP: 192.168.12.204 DHCID:
> > >>> 1:0:22:43:1b:9f:b2 Name: alaska
> > >>> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[0]
> > >>> = /etc/dhcp/dhcp-krbnsupdate.sh
> > >>> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[1] = add
> > >>> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[2] = 192.168.12.204
> > >>> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[3] =
> > >>> 1:0:22:43:1b:9f:b2
> > >>> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[4] = alaska
> > >>> Oct 11 15:35:26 kdc01 dhcpd: execute: /etc/dhcp/dhcp-krbnsupdate.sh exit
> > >>> status 256
> > >>> Oct 11 15:35:26 kdc01 dhcpd: Unable to add forward map from
> > >>> alaska.saitel.loc to 192.168.12.204: timed out
> > >>> Oct 11 15:35:26 kdc01 dhcpd: DHCPREQUEST for 192.168.12.204 from
> > >>> 00:22:43:1b:9f:b2 (alaska) via eth0
> > >>> Oct 11 15:35:26 kdc01 dhcpd: DHCPACK on 192.168.12.204 to
> > >>> 00:22:43:1b:9f:b2 (alaska) via eth0
> > >>>
> > >>> as you can see the script exits with status 256, which is not a value
> > >>> given by the script.
> > >>>
> > >>> Looking deeper I found that when you check if a ticket is already present
> > >>> you do
> > >>> if [ -z "$KRB5CCNAME" ]; then
> > >>>       # if no ticket set expiration to 0
> > >>>       expiration=0
> > >>> else
> > >>>       # get expiration time as a number
> > >>>       edate=$(klist | grep "$realm" | grep '/' | sort | head -n 1 | awk '{print $3}' | tr '/' '-')
> > >>>       etime=$(klist | grep "$realm" | grep '/' | sort | head -n 1 | awk '{print $4}')
> > >>>       expiration=$(date -d "$edate $etime" '+%s')
> > >>> fi
> > >>>
> > >>> but [ -z ] just checks if a string is empty, and you set KRB5CCNAME before,
> > >>> so it seems to me that you should test if the cached ticket is present
> > >>> using
> > >>>
> > >>> if [ -f "$KRB5CCNAME" ]; then
> > >>>       # a ticket is present
> > >>>       # get expiration time as a number
> > >>>       edate=$(klist | grep "$realm" | grep '/' | sort | head -n 1 | awk '{print $3}' | tr '/' '-')
> > >>>       etime=$(klist | grep "$realm" | grep '/' | sort | head -n 1 | awk '{print $4}')
> > >>>       expiration=$(date -d "$edate $etime" '+%s')
> > >>> else
> > >>>       # if no ticket set expiration to 0
> > >>>       expiration=0
> > >>> fi
> > >>>
> > >>> BTW, running the script manually this is what I can see:
> > >>>
> > >>> [root at kdc01:~]# ./etc/dhcp/dhcp-krbnsupdate.sh add 192.168.12.183 1:14:7d:c5:48:7a:d5 android-b9c850d595c8b543
> > >>> dhcpd: DHCP-DNS: no ticket present
> > >>> dhcpd: Getting new ticket, old one expired 0, now is 1318512848
> > >>> dhcpd: DHCP-DNS: kinit succeeded
> > >>> dns_tkey_negotiategss: TKEY is unacceptable
> > >>> dhcpd: result1 = 1
> > >>> dns_tkey_negotiategss: TKEY is unacceptable
> > >>> dhcpd: result2 = 1
> > >>> dhcpd: DHCP-DNS_Update-failed
> > >>>
> > >>> Any idea of what I'm doing wrong?
> > >>>
> > >>> Daniele.
> > >>>
> > >> Have you created the keytab? : samba-tool domain exportkeytab /etc/dhcp/dhcpduser.keytab --principal=dhcpduser@$realm
> > >>
> > >> Once this is created, you need to ensure that the dhcp user owns all the
> > >> files in /etc/dhcp : chown dhcpd:dhcpd -R /etc/dhcp
> > >>
> > >> If everything is correct, running the script as the dhcp user should work
> > >>
> > >> su - -s /bin/bash dhcpd -c "/usr/local/sbin/dhcp-dyndns.sh add 192.168.0.204 1:84:a6:c8:3b:da:7b ThinkPad"
> > >> Getting new ticket, old one expired 0, now is 1381503295
> > >> DHCP-DNS Update succeeded
> > >>
> > >> and you should find this in /var/log/syslog:
> > >>
> > >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: starting transaction
> > >> on zone home.lan
> > >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: allowing update of
> > >> signer=dhcpduser\@HOME.LAN name=ThinkPad.home.lan tcpaddr=127.0.0.1
> > >> type=A key=2712415368.sig-homeserver.home.lan/160/0
> > >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: allowing update of
> > >> signer=dhcpduser\@HOME.LAN name=ThinkPad.home.lan tcpaddr=127.0.0.1
> > >> type=A key=2712415368.sig-homeserver.home.lan/160/0
> > >> Oct 11 15:54:56 homeserver named[1115]: client 127.0.0.1#51111/key
> > >> dhcpduser\@HOME.LAN: updating zone 'home.lan/NONE': deleting rrset at
> > >> 'ThinkPad.home.lan' A
> > >> Oct 11 15:54:56 homeserver named[1115]: client 127.0.0.1#51111/key
> > >> dhcpduser\@HOME.LAN: updating zone 'home.lan/NONE': adding an RR at
> > >> 'ThinkPad.home.lan' A
> > >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: added
> > >> ThinkPad.home.lan ThinkPad.home.lan.#0113600#011IN#011A#011192.168.0.204
> > >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: subtracted rdataset
> > >> home.lan 'home.lan.#0113600#011IN#011SOA#011homeserver.home.lan.
> > >> hostmaster.home.lan. 2 900 600 86400 0'
> > >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: added rdataset
> > >> home.lan 'home.lan.#0113600#011IN#011SOA#011homeserver.home.lan.
> > >> hostmaster.home.lan. 3 900 600 86400 0'
> > >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: committed transaction
> > >> on zone home.lan
> > >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: starting transaction
> > >> on zone 0.168.192.in-addr.arpa
> > >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: allowing update of
> > >> signer=dhcpduser\@HOME.LAN name=204.0.168.192.in-addr.arpa
> > >> tcpaddr=127.0.0.1 type=PTR key=2492596725.sig-homeserver.home.lan/160/0
> > >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: allowing update of
> > >> signer=dhcpduser\@HOME.LAN name=204.0.168.192.in-addr.arpa
> > >> tcpaddr=127.0.0.1 type=PTR key=2492596725.sig-homeserver.home.lan/160/0
> > >> Oct 11 15:54:57 homeserver named[1115]: client 127.0.0.1#37499/key
> > >> dhcpduser\@HOME.LAN: updating zone '0.168.192.in-addr.arpa/NONE':
> > >> deleting rrset at '204.0.168.192.in-addr.arpa' PTR
> > >> Oct 11 15:54:57 homeserver named[1115]: client 127.0.0.1#37499/key
> > >> dhcpduser\@HOME.LAN: updating zone '0.168.192.in-addr.arpa/NONE': adding
> > >> an RR at '204.0.168.192.in-addr.arpa' PTR
> > >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz:added
> > >> 204.0.168.192.in-addr.arpa
> > >> 204.0.168.192.in-addr.arpa.#0113600#011IN#011PTR#011ThinkPad.home.lan.
> > >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: subtracted rdataset
> > >> 0.168.192.in-addr.arpa
> > >> '0.168.192.in-addr.arpa.#0113600#011IN#011SOA#011homeserver.home.lan.
> > >> hostmaster.home.lan. 4 900 600 86400 3600'
> > >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: added rdataset
> > >> 0.168.192.in-addr.arpa
> > >> '0.168.192.in-addr.arpa.#0113600#011IN#011SOA#011homeserver.home.lan.
> > >> hostmaster.home.lan. 5 900 600 86400 3600'
> > >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: committed transaction
> > >> on zone 0.168.192.in-addr.arpa
> > >> Oct 11 15:54:57 homeserver root: DHCP-DNS Update succeeded
> > >>
> > >> Rowland
> > >>
> > > Just to be sure I did it again
> > >
> > > [root at kdc01:~]# samba-tool domain exportkeytab /etc/dhcp/dhcpduser.keytab --principal=dhcpduser at SAITEL.LOC
> > > [root at kdc01:~]# sudo -R chown dhcpd.dhcpd /etc/dhcp
> > > [root at kdc01:~]# su - -s /bin/bash dhcpd -c "/etc/dhcp/dhcp-krbnsupdate.sh add 192.168.12.183 1:14:7d:c5:48:7a:d5 android-b9c850d595c8b543"
> > > dhcpd: DHCP-DNS: found ticket: look if valid
> > > dhcpd: Getting new ticket, old one expired 1292206524, now ie 1318518931
> > > dhcpd: DHCP-DNS: kinit succeeded
> > > dns_tkey_negotiategss: TKEY is unacceptable
> > > dhcpd: result1 = 1
> > > dns_tkey_negotiategss: TKEY is unacceptable
> > > dhcpd: result2 = 1
> > > dhcpd: DHCP-DNS_Update-failed
> > >
> > > I'm working on an Ubuntu server 11.04 x86. Would Apparmor have an impact in this
> > > scenario?
> > >
> > > Daniele.
> > >
> > Hi, mine is running on Ubuntu server 12.04.3 x86_64 without apparmor, so
> > yes, it could be apparmor that is stopping it from working.
> > I hate both selinux and apparmor, both have given me problems in the 
> > past, I have spent hours trying to get something to work, only to find 
> > out that turning off selinux or apparmor cured the problem. One of these 
> > days I must learn how to use them ;-)
> > 
> > Rowland
> 
> I tried to disable apparmor for dhcpd but still have errors on the
> update.
> 
> One of the things which is different from your settings is that I'm
> using samba's internal DNS: I've seen that you are using bind+dlz, or
> does it also work with the internal DNS for you?
> 
> Trying to manually run the commands I'm seeing this:
> 
> dhcpd at kdc01:~$ export KRB5CCNAME=/tmp/dhcp-dyndns.cc
> dhcpd at kdc01:~$ echo $KRB5CCNAME
> /tmp/dhcp-dyndns.cc
> dhcpd at kdc01:~$ kinit -F -k -t /etc/dhcp/dhcpduser.keytab dhcpduser at SAITEL.LOC
> dhcpd at kdc01:~$ klist
> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> Default principal: dhcpduser at SAITEL.LOC
> 
> Valid starting     Expires            Service principal
> 10/16/13 09:55:41  10/16/13 19:55:41  krbtgt/SAITEL.LOC at SAITEL.LOC
> 	renew until 10/17/13 09:55:41
> dhcpd at kdc01:~$ nsupdate -g
> > server 192.168.12.5
> > realm SAITEL.LOC
> > update delete alaska.saitel.loc 3600 A
> > send
> dns_tkey_negotiategss: TKEY is unacceptable 
> 
> So it seems that the problem is not related to the script, but at this
> point I'm not able to figure out how to go on.
> 
> Daniele.
> 

Hi
I can't get ddns updates going with the internal DNS. It goes in once
and then is never updated. bind works OK. Also, I think you may have
stale dns records:
http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
But first, move over to bind_dlz and see if that solves it for you:
samba_upgradedns --help
HTH
Steve
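The following is an added illustration for this thread, not Rowland's dhcp-dyndns.sh, Daniele's dhcp-krbnsupdate.sh, or anything shipped by Samba or ISC. It isolates the two pieces the thread argues about: the ticket-freshness check (with Daniele's correction, testing whether the credential cache file exists rather than whether KRB5CCNAME is empty, and a renewal margin so kinit runs before the TGT lapses mid-update) and the nsupdate -g batch for an A record and its PTR, built the way Daniele typed it by hand. The klist output is constructed sample data in the MM/DD/YY layout shown above; `date -d` assumes GNU coreutils, and TZ=UTC is pinned only so the epoch value is reproducible (a real script would keep local time, which is what klist prints). All function names are hypothetical.

```shell
#!/bin/sh
# Added example for the samba list thread on ISC dhcpd + GSS-TSIG updates.
# Not part of any script posted in the thread. Assumes GNU date(1).

# Constructed klist output used as sample input (not captured from a real host).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/dhcp-dyndns.cc
Default principal: dhcpduser@SAITEL.LOC

Valid starting     Expires            Service principal
10/16/13 09:55:41  10/16/13 19:55:41  krbtgt/SAITEL.LOC@SAITEL.LOC
	renew until 10/17/13 09:55:41'

# ticket_expiry REALM  (klist output on stdin)
# Prints the expiry of the krbtgt/REALM ticket as epoch seconds, or 0 when no
# TGT line is present. Matching on "krbtgt/REALM@" avoids picking up service
# tickets or the "renew until" continuation line.
ticket_expiry() {
    realm=$1
    line=$(grep -F "krbtgt/$realm@" | head -n 1)
    if [ -z "$line" ]; then
        echo 0
        return 0
    fi
    edate=$(printf '%s\n' "$line" | awk '{print $3}')   # e.g. 10/16/13
    etime=$(printf '%s\n' "$line" | awk '{print $4}')   # e.g. 19:55:41
    # month/day/year is GNU date's documented US form; UTC pinned for the test.
    TZ=UTC date -d "$edate $etime" '+%s'
}

# cache_expiry CACHEFILE REALM
# Daniele's point: KRB5CCNAME is already set when the script tests it, so
# `[ -z "$KRB5CCNAME" ]` is always false. Test the cache file itself instead.
cache_expiry() {
    ccfile=$1
    realm=$2
    if [ -f "$ccfile" ]; then
        KRB5CCNAME="$ccfile" klist | ticket_expiry "$realm"
    else
        echo 0      # no cache file -> treat as "no ticket"
    fi
}

# needs_kinit EXPIRY NOW [MARGIN]
# Exit 0 when the ticket is missing (expiry 0), already expired, or will expire
# within MARGIN seconds (default 300), so the caller should kinit from the
# keytab before calling nsupdate -g rather than fail halfway through an update.
needs_kinit() {
    expiry=$1
    now=$2
    margin=${3:-300}
    [ "$expiry" -le "$((now + margin))" ]
}

# ptr_name IPV4 -> owner name in the reverse zone, e.g. 204.12.168.192.in-addr.arpa
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{print $4"."$3"."$2"."$1".in-addr.arpa"}'
}

# nsupdate_batch SERVER REALM FQDN IPV4 [TTL]
# Prints the commands for `nsupdate -g`: replace the A record in the forward
# zone, then the PTR in the reverse zone, each in its own signed transaction
# (one `send` per zone, as nsupdate requires).
nsupdate_batch() {
    server=$1
    realm=$2
    fqdn=$3
    ip=$4
    ttl=${5:-3600}
    rev=$(ptr_name "$ip")
    printf 'server %s\nrealm %s\n' "$server" "$realm"
    printf 'update delete %s A\nupdate add %s %s A %s\nsend\n' "$fqdn" "$fqdn" "$ttl" "$ip"
    printf 'update delete %s PTR\nupdate add %s %s PTR %s.\nsend\n' "$rev" "$rev" "$ttl" "$fqdn"
}

# Stand-alone demonstration on the constructed sample.
expiry=$(printf '%s\n' "$SAMPLE_KLIST" | ticket_expiry SAITEL.LOC)
echo "TGT expires at epoch $expiry"
if needs_kinit "$expiry" "$(date '+%s')"; then
    echo "would run: kinit -F -k -t /etc/dhcp/dhcpduser.keytab dhcpduser@SAITEL.LOC"
fi
nsupdate_batch 192.168.12.5 SAITEL.LOC alaska.saitel.loc 192.168.12.204
```

To wire this into dhcpd you would pipe `nsupdate_batch ... | nsupdate -g` from the `execute` hook, running as the dhcpd user with KRB5CCNAME pointing at a cache file that user owns; the 256 exit status and the TKEY error in the thread come from nsupdate itself, which is why checking the ticket before the update is the useful place to fail loudly.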