[Samba] How to handle secure AD dynamic DNS registrations?

Chan Min Wai dcmwai at gmail.com
Tue Sep 9 19:34:01 MDT 2014


Hi Keith,

I can't say for sure...

As far as I know, the machine Kerberos password is different from the DNS update.
The machine Kerberos password should be handled by the AD DC and should not have any
relation to DNS.

Please correct me if I'm wrong.


On Wed, Sep 10, 2014 at 4:54 AM, Keith Jones <K.E.Jones at brighton.ac.uk>
wrote:

> Hi,
>
> Apologies for the top-down post and slow response. It’s rather busy around
> here at the moment!
>
> Thank you for the link. It was an exceptionally good read and definitely
> useful to look at. Unfortunately, although it handled DNS registrations and
> some Kerberos ticket renewal ideas, it didn’t cover the idea of getting
> the server to refresh its machine account password like a Windows system
> would. The code was also designed to fire up when DHCP leases were
> given/renewed. My servers are statically addressed so they’d never trigger
> those scripts and I’d only end up re-writing the code to run as a cron job
> instead.
>
> In the meantime, I’ve found something that seems to fit my needs and
> might be useful to others: msktutil. It’s yum/apt-get-able and easily
> available. It does a lot of the work needed to maintain a Kerberos keytable
> and do password resets in a cron-able way. I’m trying it out now but, given
> the 30 days it’ll take for a machine account password to expire, I’m not
> expecting to find out if it really works for a long time. It looks like
> it’s doing the right things so far though :)
>
> Thanks for the quick response and advice.
>
> Regards,
>
> Keith
>
> *From:* Chan Min Wai [mailto:dcmwai at gmail.com]
> *Sent:* 07 September 2014 05:02
> *To:* Keith Jones
> *Cc:* samba at lists.samba.org
> *Subject:* Re: [Samba] How to handle secure AD dynamic DNS registrations?
>
> I think you have the right timing...
>
> Someone just asked.
>
> see here:
> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
>
> On Sat, Sep 6, 2014 at 5:34 AM, Keith Jones <K.E.Jones at brighton.ac.uk>
> wrote:
>
> Hi,
>
> My apologies for the newbie question/dumb-question-of-the-day but when
> searching the archives I couldn't see the wood for the trees :-/
>
> Are there any good walkthroughs/RTFMs out there for troubleshooting
> getting samba to register DNS entries to an AD controller that requires
> secure updates?
>
> I have a CentOS 6 server that seems to be set up correctly. Initially it
> worked fine, but then the AD controllers expired the DNS entries. As samba
> doesn't seem to natively refresh the registrations I ended up adding a
> simple cron job that ran "net ads dns register -P" on a daily basis. It
> worked for a while but that job is now failing with "ERROR_DNS_GSS_ERROR",
> which starts implying that Kerberos tickets or machine account passwords
> are broken. I'm not sure if they need to be refreshed in a similar way or
> whether I should tinker with the samba config.
>
> A good guide that explains what I need to have set up to cover the
> convoluted AD needs for secure updates would be very welcome!
>
> Regards and thanks in advance for any help.
>
> Keith
>
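The daily cron job in Keith's original question runs "net ads dns register -P" and started failing with ERROR_DNS_GSS_ERROR. As an added example that is not part of the thread, here is a wrapper for such a cron job that checks the machine account with `net ads testjoin` before attempting the DNS update and classifies a GSS failure separately, so the alert points at the machine account or keytab rather than at DNS. It assumes the host is already joined with a usable keytab and that the `net` and `logger` commands are present; the log tag is a made-up name.

```shell
#!/bin/sh
# Constructed example, not from the thread: a cron-safe wrapper around
# "net ads dns register -P" that tells a Kerberos/GSS failure (a machine
# account or keytab problem) apart from an ordinary DNS update failure.
set -u

LOG_TAG="ads-dns-register"   # assumed tag for syslog lines

log() { logger -t "$LOG_TAG" -- "$*" 2>/dev/null || echo "$LOG_TAG: $*" >&2; }

# Classify a "net ads dns register" result: prints ok, gss or other.
# ERROR_DNS_GSS_ERROR is the string reported in the original question.
classify_register_output() {
    rc_in=$1
    out_in=$2
    [ "$rc_in" -eq 0 ] && { echo ok; return 0; }
    case "$out_in" in
        *ERROR_DNS_GSS_ERROR*) echo gss ;;
        *)                     echo other ;;
    esac
}

# Run the registration with the host keytab (-P), log the outcome and
# print the classification so the caller can act on it.
register_dns() {
    rc=0
    out=$(net ads dns register -P 2>&1) || rc=$?
    status=$(classify_register_output "$rc" "$out")
    case "$status" in
        ok)    log "DNS registration succeeded" ;;
        gss)   log "GSS error: fix the machine account/keytab first (net ads testjoin): $out" ;;
        other) log "DNS registration failed (rc=$rc): $out" ;;
    esac
    echo "$status"
}

main() {
    # Verify the machine account before touching DNS: if the join is broken,
    # re-registering DNS cannot work and the alert should say so.
    if ! net ads testjoin >/dev/null 2>&1; then
        log "net ads testjoin failed: machine account or keytab is broken"
        exit 2
    fi
    [ "$(register_dns)" = ok ] || exit 1
}

# Only run when invoked as "script.sh run" (e.g. from cron).
case "${1:-}" in run) main ;; esac
```

Exit code 2 means the join itself is broken and DNS was not attempted; exit code 1 means the join looks fine but the DNS update failed, so the two cases can be alerted on separately.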

