[Samba] samba4 internal dns Server ddns for the reverse lookup Zone

Markus Roth markusroth1983 at gmx.net
Thu Aug 21 14:29:04 MDT 2014


Hi Rowland,

Thanks for your help, and don't worry about the Dom-Admin group :-) OK, I updated the script, but it seems there is a problem again. DHCP is only updating the forward lookup zone, not the reverse lookup zone, and the denied message is still there, as in my static IP address tests before. The sh script still returns exit status 256. The DHCP server is on CentOS 7 and also runs as the user dhcpd, so I ran chown -R dhcpd /etc/dhcp. For the DHCP tests I generated new VMs, so my Windows 7 client with the name client1 was newly added. The client gets the IP address 192.168.178.10 from the DHCP server. My CentOS 7 machine, which is called server1, has the static IP address 192.168.178.130. Below are my DHCP config files and the new log /var/log/messages.

dhcpd.conf
-------------------------------------------------------------------------------------------------------------------
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#
# Winnet.local
# ------------------ start -----------------------
default-lease-time 14400;
max-lease-time 14400;
authoritative;

subnet 192.168.178.0 netmask 255.255.255.0 {
   range 192.168.178.10 192.168.178.13;
   option subnet-mask 255.255.255.0;
   option broadcast-address 192.168.178.255;
   option time-offset 0;
   option domain-name "winnet.local";
   option domain-name-servers 192.168.178.130;
   option domain-search "winnet.local";
}

on commit {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
set ClientName = pick-first-value(option host-name, config-option-host-name, client-name);
log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
execute("/etc/dhcp/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}

on release {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
log(concat("Release: IP: ", ClientIP));
execute("/etc/dhcp/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}
# ----------------------- end -------------------------------------------
-------------------------------------------------------------------------------------------------------------------
dhcp-dyndns.sh
-------------------------------------------------------------------------------------------------------------------
# ----------------------- start -------------------------
#!/bin/bash

# /etc/dhcp/dhcp-dyndns.sh
# This script is for secure DDNS updates using GSS/TSIG on Samba 4
# Version: 0.8.3 (includes TXTRR records)
# Rowland Penny rpenny241155 at gmail.com
# Updated with suggestions from L. v. Belle   louis at van-belle.nl
# method to check for valid kerberos ticket changed

LOG="/etc/dhcp/dyndns.log"

if [ -f /etc/dhcp/dyndns.log ]; then
    :
else
    touch /etc/dhcp/dyndns.log
fi

exec >> $LOG 2>&1

## CONFIGURATION ##

# Samba 4 realm, change this to YOUR realm.
SETREALM=WINNET.LOCAL
#
# DNS domain, change this to YOUR dns domain
domain=winnet.local
#
## DO NOT CHANGE ANYTHING BELOW HERE
#
## define the dhcp user that will be used for the Dynamic updates to samba4
## this will create a Principal like : user@realm
SETDHCPUSER=dhcpduser
#
# TXT RRs (rfc4701)
# Set to YES to use TXT RRs
TXTRRS="NO"
#
# DNS nameserver
ns=127.0.0.1
#
# Kerberos principal
SETPRINCIPAL=$SETDHCPUSER@$SETREALM
# Kerberos keytab
SETDHCPKEYTAB=/etc/dhcp/$SETDHCPUSER.keytab
# Default DNS resource records TTL
RRTTL="3600"

# krbcc ticket cache
export KRB5CCNAME="/tmp/dhcp-dyndns.cc"

## Command locations, with full paths it speeds up processing.
## ( tested on Ubuntu 14.04, Debian 7.5 )
CMDSORT="$(which sort)"
CMDAWK="$(which awk)"
CMDHEAD="$(which head)"
CMDECHO="$(which echo)"
CMDDATE="$(which date)"
CMDKINIT="$(which kinit)"
CMDKLIST="$(which klist)"
CMDGREP="$(which grep)"
CMDGETENT="$(which getent)"
CMDSAMBATOOL="/usr/local/samba/bin/samba-tool"
CMDCHOWN="$(which chown)"
CMDCHMOD="$(which chmod)"
CMDHOST="$(which host)"
CMDNSUPDATE="$(which nsupdate)"

# Exact lookup of the dhcp user instead of a substring grep over all of passwd.
# This relies on the AD user being resolvable through NSS (winbind); on a DC
# without nss_winbind configured it fails even though the user exists in AD.
TESTUSER=$(${CMDGETENT} passwd "${SETDHCPUSER}")
if [ -z "${TESTUSER}" ]; then
    echo "No dhcp user exists, need to create it first.. exiting."
    echo "you can do this by typing the following commands"
    echo "${CMDKINIT} Administrator@${SETREALM}"
    echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
    echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry"
    echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}"
    exit 1
fi

# Check for Kerberos keytab
if [ -f "${SETDHCPKEYTAB}" ]; then
    :
else
    echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to be created."
    echo "Use the following commands as root"
    echo "${CMDSAMBATOOL} domain exportkeytab --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}"
    testos=$(uname -a | grep 'Debian')
    if [ -z "$testos" ]; then
        echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}"
        echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}"
    fi
    exit 1
fi

# Additional nsupdate flags (-g already applied), e.g. "-d" for debug
#NSUPDFLAGS="-d"

## VARIABLES ##

# Variables supplied by dhcpd.conf
action=$1
ip=$2
DHCID=$3
name=${4%%.*}

usage()
{
echo "USAGE:"
echo "  `basename $0` add ip-address dhcid|mac-address hostname"
echo "  `basename $0` delete ip-address dhcid|mac-address"
}

_KERBEROS () {
# get current time as a number
test=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S)

# Check for valid kerberos ticket
echo "$test [dyndns] : Running check for valid kerberos ticket"
klist -c "$KRB5CCNAME" -s
if [ "$?" != "0" ]; then
    echo "$test [dyndns] : Getting new ticket, old one has expired"
    kinit -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" "${SETPRINCIPAL}"
    if [ "$?" != "0" ]; then
        echo "$test [dyndns] : dhcpd kinit for dynamic DNS failed"
        exit 1;
    fi
else
    echo "$test [dyndns] : New ticket not required, old one still valid"
fi

}

# Exit if no ip address or mac-address
if [ -z "$ip" ] || [ -z "$DHCID" ]; then
    usage
    exit 1
fi

# Exit if no computer name supplied, unless the action is 'delete'
if [ "$name" = "" ]; then
    if [ "$action" = "delete" ]; then
        name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}' | ${CMDAWK} -F '.' '{print $1}')
    else
        usage
        exit 1;
    fi
fi

# Set PTR address
ptr=$(${CMDECHO} $ip | ${CMDAWK} -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')

# Create RRTXT record
RRTXT=$(${CMDECHO} "$DHCID$name.$domain" | sha256sum)
RRTXT="000101${RRTXT%% *}"
# extract txt record, if there is one
RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p')

## ${CMDNSUPDATE} ##

case "$action" in
add)
    if [ "$TXTRRS" = "YES" ]; then
        TXTRRS=""
        # if string is not null
        if [ -n "$RRTXTOLD" ]; then
            # if old RRTXT is not the same as $RRTXT then exit
            if [ "$RRTXT" != "$RRTXTOLD" ]; then
                echo "DHCP-DNS: adding records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong" 
                exit 1
            fi
        fi
    else
        TXTRRS=";"
    fi

    _KERBEROS

${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $name.$domain $RRTTL A
${TXTRRS}update delete $name.$domain $RRTTL TXT
${TXTRRS}update add $name.$domain $RRTTL TXT $RRTXT
update add $name.$domain $RRTTL A $ip
send
UPDATE
result1=$?

# The reverse zone is derived from the PTR name rather than hard-coded. The
# original line was 'zone 0.168.192.in-addr.arpa', which does not contain the
# PTR names for 192.168.178.0/24 (178.168.192.in-addr.arpa), so nsupdate
# refused every PTR update. This assumes /24 reverse zones, matching the
# subnet declared in dhcpd.conf.
${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
zone ${ptr#*.}
update delete $ptr $RRTTL PTR
update add $ptr $RRTTL PTR $name.$domain
send
UPDATE
result2=$?
;;
delete)
     if [ "$TXTRRS" = "YES" ]; then
        TXTRRS=""
        if [ -n "$RRTXTOLD" ]; then
            if [ "$RRTXT" != "$RRTXTOLD" ]; then
                echo "DHCP-DNS: removing records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
                exit 1
            fi
        else
            TXTRRS=";"
        fi
     else
       TXTRRS=";"
     fi

     _KERBEROS

${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $name.$domain $RRTTL A
${TXTRRS}update delete $name.$domain $RRTTL TXT
send
UPDATE
result1=$?
${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $ptr $RRTTL PTR
send
UPDATE
result2=$?
;;
*)
echo "Invalid action specified"
exit 103
;;
esac

result="$result1$result2"
if [ "$result" != "00" ]; then
    echo "DHCP-DNS Update failed: $result"
    logger "DHCP-DNS Update failed: $result"
else
   echo "DHCP-DNS Update succeeded"
   logger "DHCP-DNS Update succeeded"
fi

exit $result
# ------------------ end -------------------------

-------------------------------------------------------------------------------------------------------------------
/var/log/messages
-------------------------------------------------------------------------------------------------------------------
Aug 21 21:46:01 server1 systemd: Started DHCPv4 Server Daemon.
Aug 21 21:46:41 server1 dhcpd: execute: /etc/dhcp/dhcp-dyndns.sh exit status 256
Aug 21 21:46:41 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 21 21:46:41 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 21 21:46:45 server1 dhcpd: execute: /etc/dhcp/dhcp-dyndns.sh exit status 256
Aug 21 21:46:45 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 21 21:46:45 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 21 21:46:48 server1 named[12603]: samba_dlz: starting transaction on zone winnet.local
Aug 21 21:46:48 server1 named[12603]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=2009441398.sig-server1.winnet.local/160/0
Aug 21 21:46:48 server1 named[12603]: client 192.168.178.130#35710/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' A
Aug 21 21:46:48 server1 named[12603]: samba_dlz: subtracted rdataset server1.winnet.local 'server1.winnet.local.	3600	IN	A	192.168.178.130'
Aug 21 21:46:48 server1 named[12603]: samba_dlz: subtracted rdataset winnet.local 'winnet.local.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 6 900 600 86400 0'
Aug 21 21:46:48 server1 named[12603]: samba_dlz: added rdataset winnet.local 'winnet.local.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 7 900 600 86400 0'
Aug 21 21:46:48 server1 named[12603]: samba_dlz: committed transaction on zone winnet.local
Aug 21 21:46:48 server1 named[12603]: samba_dlz: starting transaction on zone winnet.local
Aug 21 21:46:48 server1 named[12603]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=AAAA key=1488805345.sig-server1.winnet.local/160/0
Aug 21 21:46:48 server1 named[12603]: client 192.168.178.130#53855/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' AAAA
Aug 21 21:46:48 server1 named[12603]: samba_dlz: committed transaction on zone winnet.local
Aug 21 21:46:48 server1 named[12603]: samba_dlz: starting transaction on zone winnet.local
Aug 21 21:46:48 server1 named[12603]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=2416078767.sig-server1.winnet.local/160/0
Aug 21 21:46:48 server1 named[12603]: client 192.168.178.130#45459/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'server1.winnet.local' A
Aug 21 21:46:48 server1 named[12603]: samba_dlz: added rdataset server1.winnet.local 'server1.winnet.local.	3600	IN	A	192.168.178.130'
Aug 21 21:46:48 server1 named[12603]: samba_dlz: subtracted rdataset winnet.local 'winnet.local.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 7 900 600 86400 0'
Aug 21 21:46:48 server1 named[12603]: samba_dlz: added rdataset winnet.local 'winnet.local.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 8 900 600 86400 0'
Aug 21 21:46:48 server1 named[12603]: samba_dlz: committed transaction on zone winnet.local
Aug 21 21:46:48 server1 named[12603]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 21 21:46:48 server1 named[12603]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=3724135530.sig-server1.winnet.local/160/0
Aug 21 21:46:48 server1 named[12603]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=3724135530.sig-server1.winnet.local/160/0
Aug 21 21:46:48 server1 named[12603]: client 192.168.178.130#41382/key SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '130.178.168.192.in-addr.arpa' PTR
Aug 21 21:46:48 server1 named[12603]: samba_dlz: subtracted rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa.	3600	IN	PTR	server1.winnet.local.'
Aug 21 21:46:48 server1 named[12603]: client 192.168.178.130#41382/key SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '130.178.168.192.in-addr.arpa' PTR
Aug 21 21:46:48 server1 named[12603]: samba_dlz: added rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa.	3600	IN	PTR	server1.winnet.local.'
Aug 21 21:46:48 server1 named[12603]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
Aug 21 21:46:51 server1 chronyd[835]: NTP packet received from unauthorised host 192.168.178.10 port 123
Aug 21 21:46:53 server1 named[12603]: samba_dlz: starting transaction on zone winnet.local
Aug 21 21:46:53 server1 named[12603]: client 192.168.178.10#50494: update 'winnet.local/IN' denied
Aug 21 21:46:53 server1 named[12603]: samba_dlz: cancelling transaction on zone winnet.local
Aug 21 21:46:53 server1 named[12603]: samba_dlz: starting transaction on zone winnet.local
Aug 21 21:46:53 server1 named[12603]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1084-ms-7.1-6dae.e623207e-296b-11e4-2fa1-000c29a4b410/160/0
Aug 21 21:46:53 server1 named[12603]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1084-ms-7.1-6dae.e623207e-296b-11e4-2fa1-000c29a4b410/160/0
Aug 21 21:46:53 server1 named[12603]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1084-ms-7.1-6dae.e623207e-296b-11e4-2fa1-000c29a4b410/160/0
Aug 21 21:46:53 server1 named[12603]: client 192.168.178.10#53181/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
Aug 21 21:46:53 server1 named[12603]: client 192.168.178.10#53181/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
Aug 21 21:46:53 server1 named[12603]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local.	1200	IN	A	192.168.178.10'
Aug 21 21:46:53 server1 named[12603]: client 192.168.178.10#53181/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
Aug 21 21:46:53 server1 named[12603]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local.	1200	IN	A	192.168.178.10'
Aug 21 21:46:53 server1 named[12603]: samba_dlz: committed transaction on zone winnet.local

-------------------------------------------------------------------------------------------------------------------


-----Original Message-----
From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Sent: Thursday, 21 August 2014 11:28
To: Markus Roth
Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone

On 21/08/14 00:09, Markus Roth wrote:
> Hi Rowland, hi Steve,
>
> @Rowland
>
> Thanks a lot for your howto. I've integrated your script in my CentOS 7 environment and modified it a little bit for the different paths. When my client should get an IP address, the dhcpd daemon gives the message "exit status 256":
>
> Aug 21 00:34:18 server1 dhcpd: Listening on LPF/eno16777736/00:0c:29:63:09:28/192.168.178.0/24
> Aug 21 00:34:18 server1 dhcpd: Sending on   LPF/eno16777736/00:0c:29:63:09:28/192.168.178.0/24
> Aug 21 00:34:18 server1 dhcpd: Sending on   Socket/fallback/fallback-net
> Aug 21 00:34:18 server1 systemd: Started DHCPv4 Server Daemon.
> Aug 21 00:34:50 server1 dhcpd: execute: /etc/dhcp/dhcp-dyndns.sh exit status 256
> Aug 21 00:34:50 server1 dhcpd: DHCPREQUEST for 192.168.178.11 from 00:0c:29:a4:b4:10 (client1) via eno16777736
> Aug 21 00:34:50 server1 dhcpd: DHCPACK on 192.168.178.11 to 00:0c:29:a4:b4:10 (client1) via eno16777736
>
> The dyndns.log says that my dhcpduser does not exist, but it does. I created it as follows:
>
> samba-tool user create dhcpduser --description="Unprivileged user for DNS updates via DHCP server"
>
> samba-tool group addmembers DnsAdmins dhcpduser
> samba-tool group addmembers "Domain Admins" dhcpduser
>
> Then I generated the keytab:
>
> samba-tool domain exportkeytab --principal=dhcpduser@WINNET.LOCAL /etc/dhcp/dhcpduser.keytab
>
> Extract from the dyndns.log:
>
> No dhcp user exists, need to create it first.. exiting.
> you can do this by typing the following commands
> /usr/bin/kinit Administrator@WINNET.LOCAL
> Usage: samba-tool <subcommand>
>
> Main samba administration tool.
>
>
> Options:
>    -h, --help       show this help message and exit
>
>    Version Options:
>      -V, --version  Display version number .
> .
> .
> .
>
> My modified dhcp-dyndns.sh: All my files are under /etc/dhcp. In the script below I've modified my realm, domain name, temp path, the path to my samba-tool and the keytab path.
>
> -------------------------------------------------------------------------------------------------------------------
>
> # ----------------------- start -------------------------
> #!/bin/bash
>
> # /etc/dhcp/dhcp-dyndns.sh
> # This script is for secure DDNS updates using GSS/TSIG on Samba 4
> # Version: 0.8.3 (includes TXTRR records)
> # Rowland Penny rpenny241155 at gmail.com
> # Updated with suggestions from L. v. Belle   louis at van-belle.nl
> # method to check for valid kerberos ticket changed
>
> LOG="/etc/dhcp/dyndns.log"
>
> if [ -f /etc/dhcp/dyndns.log ]; then
>      :
> else
>      touch /etc/dhcp/dyndns.log
> fi
>
> exec >> $LOG 2>&1
>
> ## CONFIGURATION ##
>
> # Samba 4 realm, change this to YOUR realm.
> SETREALM=WINNET.LOCAL
> #
> # DNS domain, change this to YOUR dns domain
> domain=winnet.local
> #
> ## DO NOT CHANGE ANYTHING BELOW HERE
> #
> ## define the dhcp user that will be used for the Dynamic updates to samba4
> ## this will create a Principal like : user@realm
> SETDHCPUSER=dhcpduser
> #
> # TXT RRs (rfc4701)
> # Set to YES to use TXT RRs
> TXTRRS="NO"
> #
> # DNS nameserver
> ns=127.0.0.1
> #
> # Kerberos principal
> SETPRINCIPAL=$SETDHCPUSER@$SETREALM
> # Kerberos keytab
> SETDHCPKEYTAB=/etc/dhcp/$SETDHCPUSER.keytab
> # Default DNS resource records TTL
> RRTTL="3600"
>
> # krbcc ticket cache
> export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
>
> ## Command locations, with full paths it speeds up processing.
> ## ( tested on Ubuntu 14.04, Debian 7.5 )
> CMDSORT="$(which sort)"
> CMDAWK="$(which awk)"
> CMDHEAD="$(which head)"
> CMDECHO="$(which echo)"
> CMDDATE="$(which date)"
> CMDKINIT="$(which kinit)"
> CMDKLIST="$(which klist)"
> CMDGREP="$(which grep)"
> CMDGETENT="$(which getent)"
> CMDSAMBATOOL="$(/usr/local/samba/bin/samba-tool)"
> CMDCHOWN="$(which chown)"
> CMDCHMOD="$(which chmod)"
> CMDHOST="$(which host)"
> CMDNSUPDATE="$(which nsupdate)"
>
> TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")
> if [ -z "${TESTUSER}" ]; then
>      echo "No dhcp user exists, need to create it first.. exiting."
>      echo "you can do this by typing the following commands"
>      echo "${CMDKINIT} Administrator@${SETREALM}"
>      echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
>      echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry"
>      echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}"
>      exit 1
> fi
>
> # Check for Kerberos keytab
> if [ -f "${SETDHCPKEYTAB}" ]; then
>      :
> else
>      echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to be created."
>      echo "Use the following commands as root"
>      echo "${CMDSAMBATOOL} domain exportkeytab --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}"
>      testos=$(uname -a | grep 'Debian')
>      if [ -z "$testos" ]; then
>          echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}"
>          echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}"
>      fi
>      exit 1
> fi
>
> # Additional nsupdate flags (-g already applied), e.g. "-d" for debug
> NSUPDFLAGS="-d"
>
> ## VARIABLES ##
>
> # Variables supplied by dhcpd.conf
> action=$1
> ip=$2
> DHCID=$3
> name=${4%%.*}
>
> usage()
> {
> echo "USAGE:"
> echo "  `basename $0` add ip-address dhcid|mac-address hostname"
> echo "  `basename $0` delete ip-address dhcid|mac-address"
> }
>
> _KERBEROS () {
> # get current time as a number
> test=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S)
>
> # Check for valid kerberos ticket
> echo "$test [dyndns] : Running check for valid kerberos ticket"
> klist -c "$KRB5CCNAME" -s
> if [ "$?" != "0" ]; then
>      echo "$test [dyndns] : Getting new ticket, old one has expired"
>      kinit -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" "${SETPRINCIPAL}"
>      if [ "$?" != "0" ]; then
>          echo "$test [dyndns] : dhcpd kinit for dynamic DNS failed"
>          exit 1;
>      fi
> else
>      echo "$test [dyndns] : New ticket not required, old one still valid"
> fi
>
> }
>
> # Exit if no ip address or mac-address
> if [ -z "$ip" ] || [ -z "$DHCID" ]; then
>      usage
>      exit 1
> fi
>
> # Exit if no computer name supplied, unless the action is 'delete'
> if [ "$name" = "" ]; then
>      if [ "$action" = "delete" ]; then
>          name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}' | ${CMDAWK} -F '.' '{print $1}')
>      else
>          usage
>          exit 1;
>      fi
> fi
>
> # Set PTR address
> ptr=$(${CMDECHO} $ip | ${CMDAWK} -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')
>
> # Create RRTXT record
> RRTXT=$(${CMDECHO} "$DHCID$name.$domain" | sha256sum)
> RRTXT="000101${RRTXT%% *}"
> # extract txt record, if there is one
> RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p')
>
> ## ${CMDNSUPDATE} ##
>
> case "$action" in
> add)
>      if [ "$TXTRRS" = "YES" ]; then
>          TXTRRS=""
>          # if string is not null
>          if [ -n "$RRTXTOLD" ]; then
>              # if old RRTXT is not the same as $RRTXT then exit
>              if [ "$RRTXT" != "$RRTXTOLD" ]; then
>                  echo "DHCP-DNS: adding records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
>                  exit 1
>              fi
>          fi
>      else
>          TXTRRS=";"
>      fi
>
>      _KERBEROS
>
> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
> server $ns
> realm ${SETREALM}
> update delete $name.$domain $RRTTL A
> ${TXTRRS}update delete $name.$domain $RRTTL TXT
> ${TXTRRS}update add $name.$domain $RRTTL TXT $RRTXT
> update add $name.$domain $RRTTL A $ip
> send
> UPDATE
> result1=$?
>
> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
> server $ns
> realm ${SETREALM}
> zone 0.168.192.in-addr.arpa
> update delete $ptr $RRTTL PTR
> update add $ptr $RRTTL PTR $name.$domain
> send
> UPDATE
> result2=$?
> ;;
> delete)
>       if [ "$TXTRRS" = "YES" ]; then
>          TXTRRS=""
>          if [ -n "$RRTXTOLD" ]; then
>              if [ "$RRTXT" != "$RRTXTOLD" ]; then
>                  echo "DHCP-DNS: removing records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
>                  exit 1
>              fi
>          else
>              TXTRRS=";"
>          fi
>       else
>         TXTRRS=";"
>       fi
>
>       _KERBEROS
>
> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
> server $ns
> realm ${SETREALM}
> update delete $name.$domain $RRTTL A
> ${TXTRRS}update delete $name.$domain $RRTTL TXT
> send
> UPDATE
> result1=$?
> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
> server $ns
> realm ${SETREALM}
> update delete $ptr $RRTTL PTR
> send
> UPDATE
> result2=$?
> ;;
> *)
> echo "Invalid action specified"
> exit 103
> ;;
> esac
>
> result="$result1$result2"
> if [ "$result" != "00" ]; then
>      echo "DHCP-DNS Update failed: $result"
>      logger "DHCP-DNS Update failed: $result"
> else
>     echo "DHCP-DNS Update succeeded"
>     logger "DHCP-DNS Update succeeded"
> fi
>
> exit $result
> # ------------------ end -------------------------
>
> -------------------------------------------------------------------------------------------------------------------
>
Hi, spotted a few problems, one yours, two mine.

First yours:
You changed:

  CMDSAMBATOOL="$(which samba-tool)"

To:

  CMDSAMBATOOL="$(/usr/local/samba/bin/samba-tool)"

What the first does is set 'CMDSAMBATOOL' to where samba-tool is i.e. on Debian '/usr/bin/samba-tool'. Your version does something else entirely, it sets it to what running '/usr/local/samba/bin/samba-tool' in a terminal returns i.e. the usage message. I would suggest that you change:

CMDSAMBATOOL="$(/usr/local/samba/bin/samba-tool)"

To:

CMDSAMBATOOL="/usr/local/samba/bin/samba-tool"

Now mine:
Not really a problem, but debugging is turned on, I just copied the script from my server and had forgotten to turn off debugging after the install, I have now turned it off.
To turn off debugging is simple, change:

# Additional nsupdate flags (-g already applied), e.g. "-d" for debug
NSUPDFLAGS="-d"

To:

# Additional nsupdate flags (-g already applied), e.g. "-d" for debug
#NSUPDFLAGS="-d"

I have also moved the two lines to above the '## DO NOT CHANGE ANYTHING BELOW HERE' line, as it is obviously something that you might want to change.

The last problem you spotted: when I said 'Domain Admins' I really meant 'DnsAdmins', OOPS sorry.

Do the alterations and try again, but just one last question: what user does dhcp run as? On Ubuntu it is 'dhcpd' and on Debian it is root, both of which work, but if your dhcp user is different, then you may have to change the script to suit.

Rowland


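A small set of added shell helpers for checking the pieces of this setup offline. They are not part of Rowland's dhcp-dyndns.sh or of Samba and contact no DNS server; they only build and check the strings that script would hand to nsupdate and that dhcpd and named write to the log. They cover: deriving the PTR owner name and its /24 reverse zone from a leased address instead of hard-coding the zone (the posted script names 0.168.192.in-addr.arpa while the leases are in 192.168.178.0/24, so the PTR name is outside the zone the batch claims), checking that a PTR name actually lies inside a given zone, decoding dhcpd's "exit status 256" into the script's real exit code (dhcpd logs the raw wait status, so 256 is exit 1), and telling the unsigned "update denied" attempt apart from the GSS-TSIG signed update in named's log. The /24 assumption matches the subnet in dhcpd.conf; the sample log lines at the bottom are constructed in the style of the log above.

```shell
#!/bin/sh
# Added helpers for a dhcpd -> Samba internal DNS (GSS-TSIG) setup.
# Not part of dhcp-dyndns.sh; nothing here talks to a DNS server.

# PTR owner name for an IPv4 address:
# 192.168.178.10 -> 10.178.168.192.in-addr.arpa
ptr_name() {
    echo "$1" | awk -F. '{print $4"."$3"."$2"."$1".in-addr.arpa"}'
}

# Reverse zone for a /24, derived from the address (assumption: /24 zones,
# as for the 192.168.178.0/24 subnet in dhcpd.conf):
# 192.168.178.10 -> 178.168.192.in-addr.arpa
reverse_zone_24() {
    echo "$1" | awk -F. '{print $3"."$2"."$1".in-addr.arpa"}'
}

# Exit 0 when the PTR owner name lies inside the given reverse zone. A PTR
# update whose 'zone' statement names a zone that does not contain the owner
# name is refused by nsupdate, which is what a hard-coded zone line risks.
ptr_in_zone() {
    case "$1" in
        *."$2") return 0 ;;
        *)      return 1 ;;
    esac
}

# nsupdate batch for a PTR add, with the zone statement derived from the IP
# (server/realm lines omitted; dhcp-dyndns.sh adds those itself).
build_ptr_update() {   # args: ip fqdn [ttl]
    _ip=$1; _fqdn=$2; _ttl=${3:-3600}
    printf 'zone %s\nupdate delete %s %s PTR\nupdate add %s %s PTR %s.\nsend\n' \
        "$(reverse_zone_24 "$_ip")" "$(ptr_name "$_ip")" "$_ttl" \
        "$(ptr_name "$_ip")" "$_ttl" "$_fqdn"
}

# dhcpd logs the raw wait(2) status of an execute()d script. The exit code
# sits in the high byte, so 'exit status 256' means the script did 'exit 1'.
decode_wait_status() {
    echo $(( $1 >> 8 ))
}

# Classify a named/samba_dlz log line: "signed" when a GSS-TSIG signer is
# recorded, "denied" for an unsigned update attempt that was rejected,
# "other" for anything else.
classify_update_line() {
    case "$1" in
        *"allowing update of signer="*) echo signed ;;
        *"update '"*"' denied"*)        echo denied ;;
        *)                              echo other  ;;
    esac
}

# Constructed sample lines in the style of the named log in this thread.
SAMPLE_DENIED="Aug 21 21:46:53 server1 named[1]: client 192.168.178.10#50494: update 'winnet.local/IN' denied"
SAMPLE_SIGNED="Aug 21 21:46:53 server1 named[1]: samba_dlz: allowing update of signer=client1\$@WINNET.LOCAL name=client1.winnet.local type=A"

# Stand-alone demonstration.
ip=192.168.178.10
echo "PTR name : $(ptr_name "$ip")"
echo "zone     : $(reverse_zone_24 "$ip")"
if ptr_in_zone "$(ptr_name "$ip")" 0.168.192.in-addr.arpa; then
    echo "0.168.192.in-addr.arpa contains the PTR name"
else
    echo "0.168.192.in-addr.arpa does NOT contain the PTR name (hard-coded zone is wrong)"
fi
echo "--- nsupdate batch ---"
build_ptr_update "$ip" client1.winnet.local 3600
echo "dhcpd 'exit status 256' = script exit code $(decode_wait_status 256)"
echo "log line 1: $(classify_update_line "$SAMPLE_DENIED")"
echo "log line 2: $(classify_update_line "$SAMPLE_SIGNED")"
```

Run it as-is to see the derived zone and batch; to adapt the approach in dhcp-dyndns.sh, replace the literal `zone` line with the derived zone and keep the `-g` flag so the update is still signed with the dhcpduser ticket.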
