[Samba] Samba_dlz: canceling transaction on zone domain

Rowland Penny rowlandpenny241155 at gmail.com
Mon Nov 9 21:45:20 UTC 2015


On 09/11/15 21:28, Philip Banh wrote:
> Hey Rowland,
>
> Below is a cut-down version of my DHCP config. As you can see, I haven't really set anything up for ddns-update. While using Samba4's internal DNS I had the setting 'ddns-update-style interim;' and it seemed to have worked fine. But with bind I'm not sure what else is needed.
>
> Thanks for taking a look at it.
> Philip
>
> #
> # DHCP Server Configuration file.
> #   see /usr/share/doc/dhcp*/dhcpd.conf.sample
> #   see 'man 5 dhcpd.conf'
> #
> # option definitions common to all supported networks...
> option domain-name "DOMAIN";
> option domain-name-servers 172.17.0.170, 172.17.0.171;
>
> filename "pxelinux.0";
> next-server 172.17.0.50;
>
> default-lease-time 600;
> max-lease-time 7200;
>
> # Use this to enable / disable dynamic dns updates globally.
> #ddns-updates on; # not really necessary, ddns-update-style is good enough
> ddns-update-style interim;
> deny client-updates;
> ignore-client-updates;
> #allow client-updates;
>
> #update-static-leases on;
> key DHCP_UPDATER {
>         algorithm HMAC-MD5.SIG-ALG.REG.INT;
>
>         #Paste in the generated key here.   Should be in quotes
>         secret "SECRET";
> };
> # If this DHCP server is the official DHCP server for the local
> # network, the authoritative directive should be uncommented.
> authoritative;
>
> class "Others" {
>
> .....
>
> }
>
> subnet 172.17.0.0 netmask 255.255.255.0 {
>    option routers 172.17.0.1;
>
>    pool {
>      range 172.17.0.201 172.17.0.254;
>      option broadcast-address 172.17.0.255;
>      deny members of "Others";
>    }
>
> .....The rest of vlans
>
> log-facility local6;
>
> ________________________________________
> From: samba [samba-bounces at lists.samba.org] on behalf of Rowland Penny [rowlandpenny241155 at gmail.com]
> Sent: Monday, November 09, 2015 4:15 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba_dlz: canceling transaction on zone domain
>
> On 09/11/15 20:48, Philip Banh wrote:
>> Hi there,
>>
>> I'm in the process of switching from using Samba4 internal DNS to using BIND as my backend DNS. However, I'm currently running into some issues with the transition.
>>
>> Here's an example of the messages I'm getting from /var/log/messages logs:
>>
>> Nov  9 15:34:26 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>> Nov  9 15:34:26 pho-dcpvl-01N named[27524]: client 172.17.0.30#59051: update 'DOMAIN/IN' denied
>> Nov  9 15:34:26 pho-dcpvl-01N named[27524]: samba_dlz: cancelling transaction on zone DOMAIN
>> Nov  9 15:35:24 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>> Nov  9 15:35:24 pho-dcpvl-01N named[27524]: client 172.17.0.30#42206: update 'DOMAIN/IN' denied
>> Nov  9 15:35:24 pho-dcpvl-01N named[27524]: samba_dlz: cancelling transaction on zone DOMAIN
>> Nov  9 15:35:26 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>> Nov  9 15:35:26 pho-dcpvl-01N named[27524]: client 172.17.0.30#51563: update 'DOMAIN/IN' denied
>> Nov  9 15:35:26 pho-dcpvl-01N named[27524]: samba_dlz: cancelling transaction on zone DOMAIN
>> Nov  9 15:35:32 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>>
>> * 172.17.0.30 being my DHCP server.
>>
>> Does anyone know what's causing the above messages? And how do you proceed in a setup with Samba4 AD / BIND with DDNS.
>>
>> My guess here is I'm having troubles with setting up the DHCP properly to communicate with BIND, so the DNS isn't being updated.
>>
>> Please let me know what other information I can provide.
>>
>> Thanks,
>> Philip
>>

Hmm, that sort of fits in with what I was expecting. I have been using 
bind9 with dhcp for the last three years without any real problems; this 
is my dhcpd.conf:

default-lease-time 14400;
max-lease-time 14400;
authoritative;

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.50 192.168.0.229;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option time-offset 0;
    option routers 192.168.0.1;
    option domain-name "samdom.example.com";
    option domain-name-servers 192.168.0.5;
    option netbios-name-servers 192.168.0.5;
    option ntp-servers 192.168.0.5;
}

on commit {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
    set ClientName = pick-first-value(option host-name, config-option-host-name, client-name);
    log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
    execute("/etc/dhcp/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}

on release {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
    log(concat("Release: IP: ", ClientIP));
    execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}

on expiry {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    # cannot get a ClientMac here, apparently this only works when actually receiving a packet
    log(concat("Expired: IP: ", ClientIP));
    # cannot get a ClientName here, for some reason that always fails
    execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}

And before you ask, this is /etc/dhcp/bin/dhcp-dyndns.sh:

#!/bin/bash

# /etc/bin/dhcp-dyndns.sh

# This script is for secure DDNS updates on Samba 4
# Version: 0.8.7

# DNS domain
domain=$(hostname -d)
if [ -z "${domain}" ]; then
     echo "Cannot obtain domain name, is DNS set up correctly?"
     echo "Cannot continue... Exiting."
     logger "Cannot obtain domain name, is DNS set up correctly?"
     logger "Cannot continue... Exiting."
     exit 1
fi

# Samba 4 realm (the DNS domain in upper case; ${var^^} needs bash 4)
REALM=${domain^^}

# Additional nsupdate flags (-g already applied), e.g. "-d" for debug
#NSUPDFLAGS="-d"

# Additional debug flag, if set will log to screen
#DEBUG="YES"

if [ -n "${DEBUG}" ]; then
     logwhere="echo"
else
     logwhere="logger"
fi

## Do not change anything below here
# krbcc ticket cache
export KRB5CCNAME="/tmp/dhcp-dyndns.cc"

# Kerberos principal
SETPRINCIPAL=dhcpduser@${REALM}
# Kerberos keytab
# /etc/dhcp/dhcpduser.keytab
# krbcc ticket cache
# /tmp/dhcp-dyndns.cc

TESTUSER=$(wbinfo -u | grep 'dhcpduser')
if [ -z "${TESTUSER}" ]; then
     echo "No AD dhcp user exists, need to create it first.. exiting."
     echo "you can do this by typing the following commands"
     echo "kinit Administrator@${REALM}"
     echo "samba-tool user create dhcpduser --random-password --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
     echo "samba-tool user setexpiry dhcpduser --noexpiry"
     echo "samba-tool group addmembers DnsAdmins dhcpduser"
     exit 1
fi

# Check for Kerberos keytab
if [ ! -f /etc/dhcp/dhcpduser.keytab ]; then
     echo "Required keytab /etc/dhcp/dhcpduser.keytab not found, it needs to be created."
     echo "Use the following commands as root"
     echo "samba-tool domain exportkeytab --principal=${SETPRINCIPAL} /etc/dhcp/dhcpduser.keytab"
     echo "chown dhcpd:dhcpd /etc/dhcp/dhcpduser.keytab"
     echo "chmod 400 /etc/dhcp/dhcpduser.keytab"
     exit 1
fi

# Variables supplied by dhcpd.conf
action=$1
ip=$2
DHCID=$3
name=${4%%.*}

usage()
{
echo "USAGE:"
echo "  `basename $0` add ip-address dhcid|mac-address hostname"
echo "  `basename $0` delete ip-address dhcid|mac-address"
}

_KERBEROS () {
# get current time as a number
test=$(date +%d'-'%m'-'%y' '%H':'%M':'%S)
# Note: there have been problems with this
# check that 'date' returns something like
# 04-09-15 09:38:14

# Check for valid kerberos ticket
echo "${test} [dyndns] : Running check for valid kerberos ticket"
klist -c /tmp/dhcp-dyndns.cc -s
if [ "$?" != "0" ]; then
     echo "${test} [dyndns] : Getting new ticket, old one has expired"
     kinit -F -k -t /etc/dhcp/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc "${SETPRINCIPAL}"
     if [ "$?" != "0" ]; then
         echo "${test} [dyndns] : dhcpd kinit for dynamic DNS failed"
         exit 1;
     fi
else
     echo "${test} [dyndns] : New ticket not required, old one still valid"
fi

}

# Exit if no ip address or mac-address
if [ -z "${ip}" ] || [ -z "${DHCID}" ]; then
     usage
     exit 1
fi

# Exit if no computer name supplied, unless the action is 'delete'
if [ "${name}" = "" ]; then
     if [ "${action}" = "delete" ]; then
         name=$(host -t PTR "${ip}" | awk '{print $NF}' | awk -F '.' '{print $1}')
     else
         usage
         exit 1;
     fi
fi

# Set PTR address
ptr=$(echo ${ip} | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')

## nsupdate ##

case "${action}" in
add)
     _KERBEROS

nsupdate -g ${NSUPDFLAGS} << UPDATE
server 127.0.0.1
realm ${REALM}
update delete ${name}.${domain} 3600 A
update add ${name}.${domain} 3600 A ${ip}
send
UPDATE
result1=$?

nsupdate -g ${NSUPDFLAGS} << UPDATE
server 127.0.0.1
realm ${REALM}
update delete ${ptr} 3600 PTR
update add ${ptr} 3600 PTR ${name}.${domain}
send
UPDATE
result2=$?
;;
delete)
      _KERBEROS

nsupdate -g ${NSUPDFLAGS} << UPDATE
server 127.0.0.1
realm ${REALM}
update delete ${name}.${domain} 3600 A
send
UPDATE
result1=$?
nsupdate -g ${NSUPDFLAGS} << UPDATE
server 127.0.0.1
realm ${REALM}
update delete ${ptr} 3600 PTR
send
UPDATE
result2=$?
;;
*)
echo "Invalid action specified"
exit 103
;;
esac

result="${result1}${result2}"

if [ "${result}" != "00" ]; then
     $logwhere "DHCP-DNS Update failed: ${result}"
else
     $logwhere "DHCP-DNS Update succeeded"
fi

exit ${result}

This is what you need to do to use the above (this is on debian, you may 
need to adapt it slightly for your distro):

apt-get install isc-dhcp-server -y

samba-tool user create dhcpduser --description="Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server" --random-password

samba-tool group addmembers DnsAdmins dhcpduser

samba-tool domain exportkeytab --principal=dhcpduser@SAMDOM.EXAMPLE.COM /etc/dhcp/dhcpduser.keytab
chown root:root  /etc/dhcp/dhcpduser.keytab
chmod 400  /etc/dhcp/dhcpduser.keytab

samba-tool user setexpiry dhcpduser --noexpiry

mkdir -p /etc/dhcp/bin
create /etc/dhcp/bin/dhcp-dyndns.sh
chmod 755 /etc/dhcp/bin/dhcp-dyndns.sh

cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.orig

create the new /etc/dhcp/dhcpd.conf

OK, this should now work after you restart bind and dhcp; any problems, 
let me know.

Rowland
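Editor's note and added example (this is not Rowland's dhcp-dyndns.sh and not code shipped with Samba or ISC DHCP). The `update 'DOMAIN/IN' denied` lines in Philip's log are BIND refusing an update that does not carry a signature the samba_dlz module accepts; the script above avoids that by signing each update with the dhcpduser Kerberos ticket (`nsupdate -g`). One thing the script does not do is check the host name it receives: `ClientName` comes from the client's own host-name option, is handed to the script as `$4`, and is expanded unquoted inside the nsupdate here-document, so a value containing whitespace or a newline would land in the nsupdate batch unchanged, and dhcpduser is a member of DnsAdmins. The functions below build the same add/delete batches after validating the label and the address, and keep the A and PTR records in separate messages because one nsupdate message can only touch one zone. Assumed values: domain `samdom.example.com`, realm `SAMDOM.EXAMPLE.COM`, BIND on `127.0.0.1`, and a ticket cache already filled the way `_KERBEROS` does it.

```shell
#!/bin/sh
# Added example for the thread above; not Rowland's dhcp-dyndns.sh and not part
# of Samba or ISC DHCP. It builds the nsupdate batch for a lease only after
# checking the client-supplied host name and the address.
# Assumed values (change to match the site):
DOMAIN="samdom.example.com"      # AD DNS domain, assumed
REALM="SAMDOM.EXAMPLE.COM"       # Kerberos realm, assumed
DNS_SERVER="127.0.0.1"           # BIND with the samba_dlz module, as in the thread
TTL=3600
LC_ALL=C; export LC_ALL           # keep the [A-Za-z] ranges ASCII-only

# A DHCP client chooses its own host-name option, so treat it as untrusted.
# Accept a single RFC 1123 label: 1-63 chars of letters, digits and hyphens,
# no leading or trailing hyphen. Dots, spaces and newlines are refused, so the
# value can never add lines of its own to the nsupdate batch built below.
valid_label() {
    case "$1" in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Validate a dotted-quad IPv4 address and print its in-addr.arpa name.
ptr_name() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for octet in "$a" "$b" "$c" "$d"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$d" "$c" "$b" "$a"
}

# Print the nsupdate batch for "add" or "delete"; return non-zero on bad input.
# The A record lives in the forward zone and the PTR in the reverse zone, and
# one nsupdate message can only touch one zone, so each gets its own "send".
nsupdate_batch() {
    action="$1" name="$2" ip="$3"
    valid_label "$name" || { echo "refusing host name: $name" >&2; return 1; }
    ptr=$(ptr_name "$ip") || { echo "refusing address: $ip" >&2; return 1; }
    fqdn="$name.$DOMAIN"
    printf 'server %s\nrealm %s\n' "$DNS_SERVER" "$REALM"
    case "$action" in
        add)
            printf 'update delete %s A\n' "$fqdn"
            printf 'update add %s %s A %s\nsend\n' "$fqdn" "$TTL" "$ip"
            printf 'update delete %s PTR\n' "$ptr"
            printf 'update add %s %s PTR %s\nsend\n' "$ptr" "$TTL" "$fqdn"
            ;;
        delete)
            printf 'update delete %s A\nsend\n' "$fqdn"
            printf 'update delete %s PTR\nsend\n' "$ptr"
            ;;
        *)
            echo "unknown action: $action" >&2
            return 1
            ;;
    esac
}

# Sign and send the batch with GSS-TSIG (nsupdate -g), as the thread's script
# does. KRB5CCNAME must already hold a ticket for dhcpduser@$REALM, e.g. from
# kinit -k -t /etc/dhcp/dhcpduser.keytab -c "$KRB5CCNAME" "dhcpduser@$REALM".
send_update() {
    batch=$(nsupdate_batch "$@") || return 1
    printf '%s\n' "$batch" | nsupdate -g
}

# Usage from the dhcpd.conf "on commit" / "on release" hooks, for example:
#   send_update add    pc01 192.168.0.50
#   send_update delete pc01 192.168.0.50
```

The "on expiry" hook in the thread has no host name to pass, which is why Rowland's script falls back to a PTR lookup for the delete case; the same fallback can feed `nsupdate_batch delete`, but the looked-up name should go through `valid_label` as well, since it is DNS data rather than something the DHCP server chose.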





