[Samba] samba4 internal dns Server ddns for the reverse lookup Zone
Ryan Ashley
ryana at reachtechfp.com
Thu Aug 21 14:48:01 MDT 2014
I have not followed every post on this thread, so if what I am about to
mention has been noted, forgive me. Do you happen to be using
Avahi/mDNS/Bonjour on your network? They use the ".local" domain. All of
my domains use ".lan" for this reason. It has given me issues in the
past, though I honestly do not know if it would interfere with your
issue. I am sure Rowland or Steve would know though.
On 08/21/2014 04:29 PM, Markus Roth wrote:
> Hi Rowland,
>
> thanks for your help and don't worry about the Dom-Admin group :-) ok, i aktualized the script but it seems that there is a problem again. Dhcp is only updating the forward lookup zone, not the reverse lookup zone and the denied message is still there like on my static-ip-adress tests before. The sh script brings still the exit status 256. The dhcp-server is on centos 7 also running with the user dhcpd. So i set the chown -R dhcpd /etc/dhcp. For the dhcp-tests i generated new VMs so my windows 7 client with the name client1 was new added. The client gets the ip-adress 192.168.178.10 from the dhcp server. My centos 7 which is called server1 has a static ip adress 192.168.178.130. Below are my dhcp config files and the new log /var/log/messages.
>
> Dhcpd.conf
> -------------------------------------------------------------------------------------------------------------------
> #
> # DHCP Server Configuration file.
> # see /usr/share/doc/dhcp*/dhcpd.conf.example
> # see dhcpd.conf(5) man page
> #
> # Winnet.local
> # ------------------ start -----------------------
> default-lease-time 14400;
> max-lease-time 14400;
> authoritative;
>
> subnet 192.168.178.0 netmask 255.255.255.0 {
> range 192.168.178.10 192.168.178.13;
> option subnet-mask 255.255.255.0;
> option broadcast-address 192.168.178.255;
> option time-offset 0;
> option domain-name "winnet.local";
> option domain-name-servers 192.168.178.130;
> option domain-search "winnet.local";
> }
>
> on commit {
> set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
> set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
> set ClientName = pick-first-value(option host-name, config-option-host-name, client-name);
> log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
> execute("/etc/dhcp/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
> }
>
> on release {
> set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
> set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
> log(concat("Release: IP: ", ClientIP));
> execute("/etc/dhcp/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
> }
> # ----------------------- end -------------------------------------------
> -------------------------------------------------------------------------------------------------------------------
> Dhcp-dyndns.sh
> -------------------------------------------------------------------------------------------------------------------
> # ----------------------- start -------------------------
> #!/bin/bash
>
> # /etc/dhcp/dhcp-dyndns.sh
> # This script is for secure DDNS updates using GSS/TSIG on Samba 4
> # Version: 0.8.3 (includes TXTRR records)
> # Rowland Penny rpenny241155 at gmail.com
> # Updated with suggestions from L. v. Belle louis at van-belle.nl
> # method to check for valid kerberos ticket changed
>
> LOG="/etc/dhcp/dyndns.log"
>
> if [ -f /etc/dhcp/dyndns.log ]; then
> :
> else
> touch /etc/dhcp/dyndns.log
> fi
>
> exec >> $LOG 2>&1
>
> ## CONFIGURATION ##
>
> # Samba 4 realm, change this to YOUR realm.
> SETREALM=WINNET.LOCAL
> #
> # DNS domain, change this to YOUR dns domain
> domain=winnet.local
> #
> ## DO NOT CHANGE ANYTHING BELOW HERE
> #
> ## define the dhcp user that will be used for the Dynamic updates to samba4
> ## this will create a Principal like : user at realm
> SETDHCPUSER=dhcpduser
> #
> # TXT RRs (rfc4701)
> # Set to YES to use TXT RRs
> TXTRRS="NO"
> #
> # DNS nameserver
> ns=127.0.0.1
> #
> # Kerberos principal
> SETPRINCIPAL=$SETDHCPUSER@$SETREALM
> # Kerberos keytab
> SETDHCPKEYTAB=/etc/dhcp/$SETDHCPUSER.keytab
> # Default DNS resource records TTL
> RRTTL="3600"
>
> # krbcc ticket cache
> export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
>
> ## Command locations, with full paths it speeds up processing.
> ## ( tested on Ubuntu 14.04, Debian 7.5 )
> CMDSORT="$(which sort)"
> CMDAWK="$(which awk)"
> CMDHEAD="$(which head)"
> CMDECHO="$(which echo)"
> CMDDATE="$(which date)"
> CMDKINIT="$(which kinit)"
> CMDKLIST="$(which klist)"
> CMDGREP="$(which grep)"
> CMDGETENT="$(which getent)"
> CMDSAMBATOOL="/usr/local/samba/bin/samba-tool"
> CMDCHOWN="$(which chown)"
> CMDCHMOD="$(which chmod)"
> CMDHOST="$(which host)"
> CMDNSUPDATE="$(which nsupdate)"
>
> TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")
> if [ -z "${TESTUSER}" ]; then
> echo "No dhcp user exists, need to create it first.. exiting."
> echo "you can do this by typing the following commands"
> echo "${CMDKINIT} Administrator@${SETREALM}"
> echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
> echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry"
> echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}"
> exit 1
> fi
>
> # Check for Kerberos keytab
> if [ -f "${SETDHCPKEYTAB}" ]; then
> :
> else
> echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to be created."
> echo "Use the following commands as root"
> echo "${CMDSAMBATOOL} domain exportkeytab --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}"
> testos=$(uname -a | grep 'Debian')
> if [ -z "$testos" ]; then
> echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}"
> echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}"
> fi
> exit 1
> fi
>
> # Additional nsupdate flags (-g already applied), e.g. "-d" for debug
> #NSUPDFLAGS="-d"
>
> ## VARIABLES ##
>
> # Variables supplied by dhcpd.conf
> action=$1
> ip=$2
> DHCID=$3
> name=${4%%.*}
>
> usage()
> {
> echo "USAGE:"
> echo " `basename $0` add ip-address dhcid|mac-address hostname"
> echo " `basename $0` delete ip-address dhcid|mac-address"
> }
>
> _KERBEROS () {
> # get current time as a number
> test=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S)
>
> # Check for valid kerberos ticket
> echo "$test [dyndns] : Running check for valid kerberos ticket"
> klist -c "$KRB5CCNAME" -s
> if [ "$?" != "0" ]; then
> echo "$test [dyndns] : Getting new ticket, old one has expired"
> kinit -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" "${SETPRINCIPAL}"
> if [ "$?" != "0" ]; then
> echo "$test [dyndns] : dhcpd kinit for dynamic DNS failed"
> exit 1;
> fi
> else
> echo "$test [dyndns] : New ticket not required, old one still valid"
> fi
>
> }
>
> # Exit if no ip address or mac-address
> if [ -z "$ip" ] || [ -z "$DHCID" ]; then
> usage
> exit 1
> fi
>
> # Exit if no computer name supplied, unless the action is 'delete'
> if [ "$name" = "" ]; then
> if [ "$action" = "delete" ]; then
> name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}' | ${CMDAWK} -F '.' '{print $1}')
> else
> usage
> exit 1;
> fi
> fi
>
> # Set PTR address
> ptr=$(${CMDECHO} $ip | ${CMDAWK} -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')
>
> # Create RRTXT record
> RRTXT=$(${CMDECHO} "$DHCID$name.$domain" | sha256sum)
> RRTXT="000101${RRTXT%% *}"
> # extract txt record, if there is one
> RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p')
>
> ## ${CMDNSUPDATE} ##
>
> case "$action" in
> add)
> if [ "$TXTRRS" = "YES" ]; then
> TXTRRS=""
> # if string is not null
> if [ -n "$RRTXTOLD" ]; then
> # if old RRTXT is not the same as $RRTXT then exit
> if [ "$RRTXT" != "$RRTXTOLD" ]; then
> echo "DHCP-DNS: adding records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
> exit 1
> fi
> fi
> else
> TXTRRS=";"
> fi
>
> _KERBEROS
>
> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
> server $ns
> realm ${SETREALM}
> update delete $name.$domain $RRTTL A
> ${TXTRRS}update delete $name.$domain $RRTTL TXT
> ${TXTRRS}update add $name.$domain $RRTTL TXT $RRTXT
> update add $name.$domain $RRTTL A $ip
> send
> UPDATE
> result1=$?
>
> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
> server $ns
> realm ${SETREALM}
> zone 0.168.192.in-addr.arpa
> update delete $ptr $RRTTL PTR
> update add $ptr $RRTTL PTR $name.$domain
> send
> UPDATE
> result2=$?
> ;;
> delete)
> if [ "$TXTRRS" = "YES" ]; then
> TXTRRS=""
> if [ -n "$RRTXTOLD" ]; then
> if [ "$RRTXT" != "$RRTXTOLD" ]; then
> echo "DHCP-DNS: removing records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
> exit 1
> fi
> else
> TXTRRS=";"
> fi
> else
> TXTRRS=";"
> fi
>
> _KERBEROS
>
> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
> server $ns
> realm ${SETREALM}
> update delete $name.$domain $RRTTL A
> ${TXTRRS}update delete $name.$domain $RRTTL TXT
> send
> UPDATE
> result1=$?
> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
> server $ns
> realm ${SETREALM}
> update delete $ptr $RRTTL PTR
> send
> UPDATE
> result2=$?
> ;;
> *)
> echo "Invalid action specified"
> exit 103
> ;;
> esac
>
> result="$result1$result2"
> if [ "$result" != "00" ]; then
> echo "DHCP-DNS Update failed: $result"
> logger "DHCP-DNS Update failed: $result"
> else
> echo "DHCP-DNS Update succeeded"
> logger "DHCP-DNS Update succeeded"
> fi
>
> exit $result
> # ------------------ end -------------------------
>
> -------------------------------------------------------------------------------------------------------------------
> /var/log/messages
> -------------------------------------------------------------------------------------------------------------------
> Aug 21 21:46:01 server1 systemd: Started DHCPv4 Server Daemon.
> Aug 21 21:46:41 server1 dhcpd: execute: /etc/dhcp/dhcp-dyndns.sh exit status 256
> Aug 21 21:46:41 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
> Aug 21 21:46:41 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
> Aug 21 21:46:45 server1 dhcpd: execute: /etc/dhcp/dhcp-dyndns.sh exit status 256
> Aug 21 21:46:45 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
> Aug 21 21:46:45 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: starting transaction on zone winnet.local
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=2009441398.sig-server1.winnet.local/160/0
> Aug 21 21:46:48 server1 named[12603]: client 192.168.178.130#35710/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' A
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: subtracted rdataset server1.winnet.local 'server1.winnet.local. 3600 IN A192.168.178.130'
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 6 900 600 86400 0'
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 7 900 600 86400 0'
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: committed transaction on zone winnet.local
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: starting transaction on zone winnet.local
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=AAAA key=1488805345.sig-server1.winnet.local/160/0
> Aug 21 21:46:48 server1 named[12603]: client 192.168.178.130#53855/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' AAAA
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: committed transaction on zone winnet.local
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: starting transaction on zone winnet.local
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=2416078767.sig-server1.winnet.local/160/0
> Aug 21 21:46:48 server1 named[12603]: client 192.168.178.130#45459/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'server1.winnet.local' A
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: added rdataset server1.winnet.local 'server1.winnet.local. 3600 IN A 192.168.178.130'
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 7 900 600 86400 0'
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 8 900 600 86400 0'
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: committed transaction on zone winnet.local
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=3724135530.sig-server1.winnet.local/160/0
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=3724135530.sig-server1.winnet.local/160/0
> Aug 21 21:46:48 server1 named[12603]: client 192.168.178.130#41382/key SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '130.178.168.192.in-addr.arpa' PTR
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: subtracted rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN PTR server1.winnet.local.'
> Aug 21 21:46:48 server1 named[12603]: client 192.168.178.130#41382/key SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '130.178.168.192.in-addr.arpa' PTR
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: added rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN PTR server1.winnet.local.'
> Aug 21 21:46:48 server1 named[12603]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> Aug 21 21:46:51 server1 chronyd[835]: NTP packet received from unauthorised host 192.168.178.10 port 123
> Aug 21 21:46:53 server1 named[12603]: samba_dlz: starting transaction on zone winnet.local
> Aug 21 21:46:53 server1 named[12603]: client 192.168.178.10#50494: update 'winnet.local/IN' denied
> Aug 21 21:46:53 server1 named[12603]: samba_dlz: cancelling transaction on zone winnet.local
> Aug 21 21:46:53 server1 named[12603]: samba_dlz: starting transaction on zone winnet.local
> Aug 21 21:46:53 server1 named[12603]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1084-ms-7.1-6dae.e623207e-296b-11e4-2fa1-000c29a4b410/160/0
> Aug 21 21:46:53 server1 named[12603]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1084-ms-7.1-6dae.e623207e-296b-11e4-2fa1-000c29a4b410/160/0
> Aug 21 21:46:53 server1 named[12603]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1084-ms-7.1-6dae.e623207e-296b-11e4-2fa1-000c29a4b410/160/0
> Aug 21 21:46:53 server1 named[12603]: client 192.168.178.10#53181/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
> Aug 21 21:46:53 server1 named[12603]: client 192.168.178.10#53181/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
> Aug 21 21:46:53 server1 named[12603]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A192.168.178.10'
> Aug 21 21:46:53 server1 named[12603]: client 192.168.178.10#53181/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
> Aug 21 21:46:53 server1 named[12603]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.10'
> Aug 21 21:46:53 server1 named[12603]: samba_dlz: committed transaction on zone winnet.local
>
> -------------------------------------------------------------------------------------------------------------------
>
>
> -----Ursprüngliche Nachricht-----
> Von: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> Gesendet: Donnerstag, 21. August 2014 11:28
> An: Markus Roth
> Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
>
> On 21/08/14 00:09, Markus Roth wrote:
>> Hi Rowland, hi Steve,
>>
>> @Rowland
>>
>> Thanks a llot for your howto. I've integrate your script in my centos 7 environment and modified it a little bit for the different pathes. When my client should get an ip-adress the dhcpd daemon brings the message "exit status 256":
>>
>> Aug 21 00:34:18 server1 dhcpd: Listening on LPF/eno16777736/00:0c:29:63:09:28/192.168.178.0/24
>> Aug 21 00:34:18 server1 dhcpd: Sending on LPF/eno16777736/00:0c:29:63:09:28/192.168.178.0/24
>> Aug 21 00:34:18 server1 dhcpd: Sending on Socket/fallback/fallback-net
>> Aug 21 00:34:18 server1 systemd: Started DHCPv4 Server Daemon.
>> Aug 21 00:34:50 server1 dhcpd: execute: /etc/dhcp/dhcp-dyndns.sh exit
>> status 256 Aug 21 00:34:50 server1 dhcpd: DHCPREQUEST for
>> 192.168.178.11 from 00:0c:29:a4:b4:10 (client1) via eno16777736 Aug 21
>> 00:34:50 server1 dhcpd: DHCPACK on 192.168.178.11 to 00:0c:29:a4:b4:10
>> (client1) via eno16777736
>>
>> The dyndns.log says that my dhcpduser does not exist, but it does. I created it as follows:
>>
>> samba-tool user create dhcpduser --description="Unprivileged user for DNS updates via DHCP server"
>>
>> samba-tool group addmembers DnsAdmins dhcpduser samba-tool group
>> addmembers "Domain Admins" dhcpduser
>>
>> Than i generated the keytab:
>>
>> samba-tool domain exportkeytab --principal=dhcpduser at WINNET.LOCAL
>> /etc/dhcp/dhcpduser.keytab
>>
>> Extract from the dyndns.log:
>>
>> No dhcp user exists, need to create it first.. exiting.
>> you can do this by typing the following commands /usr/bin/kinit
>> Administrator at WINNET.LOCAL
>> Usage: samba-tool <subcommand>
>>
>> Main samba administration tool.
>>
>>
>> Options:
>> -h, --help show this help message and exit
>>
>> Version Options:
>> -V, --version Display version number .
>> .
>> .
>> .
>>
>> My modified dhcp-dyndns.sh: All my files are under /etc/dhcp. In the script below i've modified my realm, domainname, temp-path, the path to my samba-tool and the keytab path.
>>
>> ----------------------------------------------------------------------
>> -------------------------
>>
>> # ----------------------- start ------------------------- #!/bin/bash
>>
>> # /etc/dhcp/dhcp-dyndns.sh
>> # This script is for secure DDNS updates using GSS/TSIG on Samba 4 #
>> Version: 0.8.3 (includes TXTRR records) # Rowland Penny
>> rpenny241155 at gmail.com
>> # Updated with suggestions from L. v. Belle louis at van-belle.nl
>> # method to check for valid kerberos ticket changed
>>
>> LOG="/etc/dhcp/dyndns.log"
>>
>> if [ -f /etc/dhcp/dyndns.log ]; then
>> :
>> else
>> touch /etc/dhcp/dyndns.log
>> fi
>>
>> exec >> $LOG 2>&1
>>
>> ## CONFIGURATION ##
>>
>> # Samba 4 realm, change this to YOUR realm.
>> SETREALM=WINNET.LOCAL
>> #
>> # DNS domain, change this to YOUR dns domain domain=winnet.local # ##
>> DO NOT CHANGE ANYTHING BELOW HERE # ## define the dhcp user that will
>> be used for the Dynamic updates to samba4 ## this will create a
>> Principal like : user at realm SETDHCPUSER=dhcpduser # # TXT RRs
>> (rfc4701) # Set to YES to use TXT RRs TXTRRS="NO"
>> #
>> # DNS nameserver
>> ns=127.0.0.1
>> #
>> # Kerberos principal
>> SETPRINCIPAL=$SETDHCPUSER@$SETREALM
>> # Kerberos keytab
>> SETDHCPKEYTAB=/etc/dhcp/$SETDHCPUSER.keytab
>> # Default DNS resource records TTL
>> RRTTL="3600"
>>
>> # krbcc ticket cache
>> export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
>>
>> ## Command locations, with full paths it speeds up processing.
>> ## ( tested on Ubuntu 14.04, Debian 7.5 ) CMDSORT="$(which sort)"
>> CMDAWK="$(which awk)"
>> CMDHEAD="$(which head)"
>> CMDECHO="$(which echo)"
>> CMDDATE="$(which date)"
>> CMDKINIT="$(which kinit)"
>> CMDKLIST="$(which klist)"
>> CMDGREP="$(which grep)"
>> CMDGETENT="$(which getent)"
>> CMDSAMBATOOL="$(/usr/local/samba/bin/samba-tool)"
>> CMDCHOWN="$(which chown)"
>> CMDCHMOD="$(which chmod)"
>> CMDHOST="$(which host)"
>> CMDNSUPDATE="$(which nsupdate)"
>>
>> TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}") if [ -z
>> "${TESTUSER}" ]; then
>> echo "No dhcp user exists, need to create it first.. exiting."
>> echo "you can do this by typing the following commands"
>> echo "${CMDKINIT} Administrator@${SETREALM}"
>> echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
>> echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry"
>> echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}"
>> exit 1
>> fi
>>
>> # Check for Kerberos keytab
>> if [ -f "${SETDHCPKEYTAB}" ]; then
>> :
>> else
>> echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to be created."
>> echo "Use the following commands as root"
>> echo "${CMDSAMBATOOL} domain exportkeytab --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}"
>> testos=$(uname -a | grep 'Debian')
>> if [ -z "$testos" ]; then
>> echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}"
>> echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}"
>> fi
>> exit 1
>> fi
>>
>> # Additional nsupdate flags (-g already applied), e.g. "-d" for debug
>> NSUPDFLAGS="-d"
>>
>> ## VARIABLES ##
>>
>> # Variables supplied by dhcpd.conf
>> action=$1
>> ip=$2
>> DHCID=$3
>> name=${4%%.*}
>>
>> usage()
>> {
>> echo "USAGE:"
>> echo " `basename $0` add ip-address dhcid|mac-address hostname"
>> echo " `basename $0` delete ip-address dhcid|mac-address"
>> }
>>
>> _KERBEROS () {
>> # get current time as a number
>> test=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S)
>>
>> # Check for valid kerberos ticket
>> echo "$test [dyndns] : Running check for valid kerberos ticket"
>> klist -c "$KRB5CCNAME" -s
>> if [ "$?" != "0" ]; then
>> echo "$test [dyndns] : Getting new ticket, old one has expired"
>> kinit -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" "${SETPRINCIPAL}"
>> if [ "$?" != "0" ]; then
>> echo "$test [dyndns] : dhcpd kinit for dynamic DNS failed"
>> exit 1;
>> fi
>> else
>> echo "$test [dyndns] : New ticket not required, old one still valid"
>> fi
>>
>> }
>>
>> # Exit if no ip address or mac-address if [ -z "$ip" ] || [ -z
>> "$DHCID" ]; then
>> usage
>> exit 1
>> fi
>>
>> # Exit if no computer name supplied, unless the action is 'delete'
>> if [ "$name" = "" ]; then
>> if [ "$action" = "delete" ]; then
>> name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}' | ${CMDAWK} -F '.' '{print $1}')
>> else
>> usage
>> exit 1;
>> fi
>> fi
>>
>> # Set PTR address
>> ptr=$(${CMDECHO} $ip | ${CMDAWK} -F '.' '{print
>> $4"."$3"."$2"."$1".in-addr.arpa"}')
>>
>> # Create RRTXT record
>> RRTXT=$(${CMDECHO} "$DHCID$name.$domain" | sha256sum)
>> RRTXT="000101${RRTXT%% *}"
>> # extract txt record, if there is one
>> RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive
>> text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p')
>>
>> ## ${CMDNSUPDATE} ##
>>
>> case "$action" in
>> add)
>> if [ "$TXTRRS" = "YES" ]; then
>> TXTRRS=""
>> # if string is not null
>> if [ -n "$RRTXTOLD" ]; then
>> # if old RRTXT is not the same as $RRTXT then exit
>> if [ "$RRTXT" != "$RRTXTOLD" ]; then
>> echo "DHCP-DNS: adding records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
>> exit 1
>> fi
>> fi
>> else
>> TXTRRS=";"
>> fi
>>
>> _KERBEROS
>>
>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE server $ns realm ${SETREALM}
>> update delete $name.$domain $RRTTL A ${TXTRRS}update delete
>> $name.$domain $RRTTL TXT ${TXTRRS}update add $name.$domain $RRTTL TXT
>> $RRTXT update add $name.$domain $RRTTL A $ip send UPDATE result1=$?
>>
>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE server $ns realm ${SETREALM}
>> zone 0.168.192.in-addr.arpa update delete $ptr $RRTTL PTR update add
>> $ptr $RRTTL PTR $name.$domain send UPDATE result2=$?
>> ;;
>> delete)
>> if [ "$TXTRRS" = "YES" ]; then
>> TXTRRS=""
>> if [ -n "$RRTXTOLD" ]; then
>> if [ "$RRTXT" != "$RRTXTOLD" ]; then
>> echo "DHCP-DNS: removing records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
>> exit 1
>> fi
>> else
>> TXTRRS=";"
>> fi
>> else
>> TXTRRS=";"
>> fi
>>
>> _KERBEROS
>>
>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE server $ns realm ${SETREALM}
>> update delete $name.$domain $RRTTL A ${TXTRRS}update delete
>> $name.$domain $RRTTL TXT send UPDATE result1=$?
>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE server $ns realm ${SETREALM}
>> update delete $ptr $RRTTL PTR send UPDATE result2=$?
>> ;;
>> *)
>> echo "Invalid action specified"
>> exit 103
>> ;;
>> esac
>>
>> result="$result1$result2"
>> if [ "$result" != "00" ]; then
>> echo "DHCP-DNS Update failed: $result"
>> logger "DHCP-DNS Update failed: $result"
>> else
>> echo "DHCP-DNS Update succeeded"
>> logger "DHCP-DNS Update succeeded"
>> fi
>>
>> exit $result
>> # ------------------ end -------------------------
>>
>> ----------------------------------------------------------------------
>> -------------------------
>>
> Hi, spotted a few problems, one yours, two mine
>
> First yours:
> You changed:
>
> CMDSAMBATOOL="$(which samba-tool)"
>
> To:
>
> CMDSAMBATOOL="$(/usr/local/samba/bin/samba-tool)"
>
> What the first does is set 'CMDSAMBATOOL' to where samba-tool is i.e. on Debian '/usr/bin/samba-tool'. Your version does something else entirely, it sets it to what running '/usr/local/samba/bin/samba-tool' in a terminal returns i.e. the usage message. I would suggest that you change:
>
> CMDSAMBATOOL="$(/usr/local/samba/bin/samba-tool)"
>
> To:
>
> CMDSAMBATOOL="/usr/local/samba/bin/samba-tool"
>
> Now mine:
> Not really a problem, but debugging is turned on, I just copied the script from my server and had forgotten to turn off debugging after the install, I have now turned it off.
> To turn off debugging is simple, change:
>
> # Additional nsupdate flags (-g already applied), e.g. "-d" for debug NSUPDFLAGS="-d"
>
> To:
>
> # Additional nsupdate flags (-g already applied), e.g. "-d" for debug #NSUPDFLAGS="-d"
>
> I have also moved the two lines to above the '## DO NOT CHANGE ANYTHING BELOW HERE' line, as it is obviously something that you might want to change.
>
> The last problem, you spotted, when I said 'Domain Admins' I really meant 'DnsAdmins', OOPS sorry
>
> Do the alterations and try again, but just one last question, what user does dhcp runas, on Ubuntu it is 'dhcpd' and on Debian it is root, both of which work, but if your dhcp user is different, then you may have to change the script to suit.
>
> Rowland
>
More information about the samba
mailing list