[Samba] dhcp example
Rowland Penny
rowlandpenny241155 at gmail.com
Thu Sep 3 18:43:43 UTC 2015
On 03/09/15 19:28, Robert Moskowitz wrote:
>
>
> On 09/03/2015 02:17 PM, Rowland Penny wrote:
>> On 03/09/15 19:05, Robert Moskowitz wrote:
>>>
>>> Anyway, next to DHCP...
>>>
>>> I have installed it. But need to config. Rowland, can you send me
>>> your sample config you mentioned?
>>>
>>>
>>>
>>
>> default-lease-time 14400;
>> max-lease-time 14400;
>> authoritative;
>>
>> subnet 192.168.0.0 netmask 255.255.255.0 {
>> range 192.168.0.21 192.168.0.229;
>> option subnet-mask 255.255.255.0;
>> option broadcast-address 192.168.0.255;
>> option time-offset 0;
>> option routers 192.168.0.1;
>> option domain-name "example.com";
>> option domain-name-servers 192.168.0.2;
>> option domain-search "example.com";
>> option netbios-name-servers 192.168.0.2;
>> option ntp-servers 192.168.0.2;
>> }
>>
>> on commit {
>> set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>> set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>> set ClientName = pick-first-value(option host-name,
>> config-option-host-name, client-name);
>> log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name:
>> ", ClientName));
>> execute("/usr/local/sbin/dhcp-dyndns.sh", "add", ClientIP,
>> ClientDHCID, ClientName);
>> }
>>
>> on release {
>> set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>> set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>> log(concat("Release: IP: ", ClientIP));
>> execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP,
>> ClientDHCID);
>> }
>
> I can't find dhcp-dyndns.sh
>
> where does it come from?
>
>
I thought that might be your next question. I wrote it, based on what I
found here:
http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
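#!/bin/bash
# /usr/local/sbin/dhcp-dyndns.sh
# This script is for secure DDNS updates using GSS/TSIG on Samba 4
# Version: 0.8.3 (includes TXTRR records)
# Updated with suggestions from L. v. Belle louis at van-belle.nl
# method to check for valid kerberos ticket changed
#
# Invoked by the "on commit" / "on release" hooks in dhcpd.conf as
#   dhcp-dyndns.sh add    ip-address dhcid|mac-address hostname
#   dhcp-dyndns.sh delete ip-address dhcid|mac-address [hostname]
# Everything the script prints (stdout and stderr) is appended to $LOG.
LOG="/var/log/dyndns.log"
# Create the log on first run; the path is quoted so the redirection
# below cannot be split by the shell.
[ -f "$LOG" ] || touch "$LOG"
exec >> "$LOG" 2>&1
## CONFIGURATION ##
# Samba 4 realm, change this to YOUR realm.
SETREALM=EXAMPLE.COM
## define the dhcp user that will be used for the Dynamic updates to samba4
## this will create a Principal like : user at realm
SETDHCPUSER=dhcpduser
# DNS domain, change this to YOUR dns domain
domain=example.com
# TXT RRs (rfc4701)
# Set to YES to use TXT RRs
TXTRRS="NO"
# Additional nsupdate flags (-g already applied), e.g. "-d" for debug
#NSUPDFLAGS="-d"
# DNS nameserver
ns=127.0.0.1
#
## Do not change anything below here
# Kerberos principal
SETPRINCIPAL=$SETDHCPUSER@$SETREALM
# Kerberos keytab (holds the dhcp user's key: keep it mode 400, owned by
# the account dhcpd runs as)
SETDHCPKEYTAB=/etc/$SETDHCPUSER.keytab
# Default DNS resource records TTL
RRTTL="3600"
# krbcc ticket cache
# NOTE(review): a fixed file name in the world-writable /tmp is
# predictable; a directory owned by the dhcpd user (under /run or
# /var/lib, say) is a safer home for the credential cache.  Left as-is
# so existing deployments keep working.
export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
## Command locations, with full paths it speeds up processing.
## ( tested on Ubuntu 14.04, Debian 7.5 )
# command -v is the POSIX replacement for the non-standard 'which'.
CMDSORT="$(command -v sort)"
CMDAWK="$(command -v awk)"
CMDHEAD="$(command -v head)"
CMDECHO="$(command -v echo)"
CMDDATE="$(command -v date)"
CMDKINIT="$(command -v kinit)"
CMDKLIST="$(command -v klist)"
CMDGREP="$(command -v grep)"
CMDGETENT="$(command -v getent)"
CMDSAMBATOOL="$(command -v samba-tool)"
CMDCHOWN="$(command -v chown)"
CMDCHMOD="$(command -v chmod)"
CMDHOST="$(command -v host)"
CMDNSUPDATE="$(command -v nsupdate)"
# Fail early, with a readable log line, when a tool the update cannot do
# without is missing, instead of a cryptic error from an empty variable.
: "${CMDKINIT:?kinit not found in PATH}"
: "${CMDKLIST:?klist not found in PATH}"
: "${CMDHOST:?host not found in PATH}"
: "${CMDNSUPDATE:?nsupdate not found in PATH}"
# Make sure the dhcp user exists.  The match is anchored to the passwd
# name field (optionally prefixed with DOMAIN\) so that another account
# whose name or gecos merely contains the string is not mistaken for it.
TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} -E "^([^:]*\\\\)?${SETDHCPUSER}:")
if [ -z "${TESTUSER}" ]; then
  echo "No dhcp user exists, need to create it first.. exiting."
  echo "you can do this by typing the following commands"
  echo "${CMDKINIT} Administrator@${SETREALM}"
  echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
  echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry"
  echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}"
  exit 1
fi
# Check for Kerberos keytab
if [ ! -f "${SETDHCPKEYTAB}" ]; then
  echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to be created."
  echo "Use the following commands as root"
  echo "${CMDSAMBATOOL} domain exportkeytab --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}"
  # The ownership hint is only printed on non-Debian systems (as before).
  if ! uname -a | grep -q 'Debian'; then
    echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}"
    echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}"
  fi
  exit 1
fi
## VARIABLES ##
# Variables supplied by dhcpd.conf: action, leased address, client DHCID
# (or MAC) and the client's host-name option with any domain part
# stripped.  The name is client-supplied and is validated before use.
action=$1
ip=$2
DHCID=$3
name=${4%%.*}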
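# Print the command-line syntax to stdout (i.e. into the log).
# Arguments: none
# Outputs:   three lines naming this script by its basename
usage()
{
  # ${0##*/} is basename without a fork, and $0 is never word-split.
  local prog=${0##*/}
  echo "USAGE:"
  echo " $prog add ip-address dhcid|mac-address hostname"
  echo " $prog delete ip-address dhcid|mac-address"
}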
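# Make sure a valid Kerberos ticket exists in $KRB5CCNAME before
# "nsupdate -g" runs, fetching a fresh one from the keytab when the
# cached ticket is missing or expired.
# Globals:   CMDDATE, CMDKLIST, CMDKINIT, KRB5CCNAME, SETDHCPKEYTAB,
#            SETPRINCIPAL (all read)
# Arguments: none
# Outputs:   progress lines to stdout (the log)
# Returns:   0 when a ticket is available; exits 1 if kinit fails
_KERBEROS () {
  # get current time as a number, used as the log line prefix
  local stamp
  stamp=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S)
  echo "$stamp [dyndns] : Running check for valid kerberos ticket"
  # klist -s is silent; its exit status says whether the cache holds a
  # valid ticket.  Same binaries as located above, for consistency.
  if ! ${CMDKLIST} -c "$KRB5CCNAME" -s; then
    echo "$stamp [dyndns] : Getting new ticket, old one has expired"
    # -k -t: authenticate from the keytab, no password prompt is possible here
    if ! ${CMDKINIT} -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" "${SETPRINCIPAL}"; then
      echo "$stamp [dyndns] : dhcpd kinit for dynamic DNS failed"
      exit 1
    fi
  else
    echo "$stamp [dyndns] : New ticket not required, old one still valid"
  fi
}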
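# Exit if no ip address or mac-address
if [ -z "$ip" ] || [ -z "$DHCID" ]; then
  usage
  exit 1
fi
# Exit if no computer name supplied, unless the action is 'delete', in
# which case the name is recovered from the existing PTR record.
if [ "$name" = "" ]; then
  if [ "$action" = "delete" ]; then
    name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}')
    # keep only the first label (the trailing dot of host output goes too)
    name=${name%%.*}
  else
    usage
    exit 1
  fi
fi
# Both values come from outside this script ($name ultimately from the
# DHCP client's host-name option, or from a PTR lookup that may have
# yielded an error token such as "3(NXDOMAIN)") and are expanded unquoted
# inside the nsupdate input below, so accept only a dotted quad and a
# single hostname label before going any further.
ip_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
name_re='^[A-Za-z0-9_-]+$'
if ! [[ "$ip" =~ $ip_re ]]; then
  echo "DHCP-DNS: invalid ip-address '$ip', not a dotted quad"
  exit 1
fi
if ! [[ "$name" =~ $name_re ]]; then
  echo "DHCP-DNS: invalid hostname '$name' for $ip, refusing to update"
  exit 1
fi
# Set PTR address by reversing the four octets, and derive the /24
# reverse zone it lives in, e.g. 192.168.0.21 -> 21.0.168.192.in-addr.arpa
# in zone 0.168.192.in-addr.arpa (no longer hard-coded to one subnet).
IFS=. read -r o1 o2 o3 o4 <<< "$ip"
ptr="$o4.$o3.$o2.$o1.in-addr.arpa"
ptrzone=${ptr#*.}
# Create RRTXT record: the identifier we expect to find in the name's TXT
# record.  printf adds the same trailing newline echo did, so the digest
# is unchanged.
RRTXT=$(printf '%s\n' "$DHCID$name.$domain" | sha256sum)
RRTXT="000101${RRTXT%% *}"
# extract txt record, if there is one
RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p')
## ${CMDNSUPDATE} ##
# From here on TXTRRS is reused as the prefix of the TXT lines in the
# nsupdate input: "" keeps them active, ";" comments them out.
# NSUPDFLAGS is deliberately left unquoted so it may carry several flags.
case "$action" in
  add)
    if [ "$TXTRRS" = "YES" ]; then
      TXTRRS=""
      # An existing TXT record that does not match this client's DHCID
      # means the name belongs to another machine: do not overwrite it.
      if [ -n "$RRTXTOLD" ] && [ "$RRTXT" != "$RRTXTOLD" ]; then
        echo "DHCP-DNS: adding records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
        exit 1
      fi
    else
      TXTRRS=";"
    fi
    _KERBEROS
    ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $name.$domain $RRTTL A
${TXTRRS}update delete $name.$domain $RRTTL TXT
${TXTRRS}update add $name.$domain $RRTTL TXT $RRTXT
update add $name.$domain $RRTTL A $ip
send
UPDATE
    result1=$?
    ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
zone $ptrzone
update delete $ptr $RRTTL PTR
update add $ptr $RRTTL PTR $name.$domain
send
UPDATE
    result2=$?
    ;;
  delete)
    # The TXT record is only removed when it is in use and matches this
    # client; a mismatch means the records belong to another machine.
    if [ "$TXTRRS" = "YES" ] && [ -n "$RRTXTOLD" ]; then
      TXTRRS=""
      if [ "$RRTXT" != "$RRTXTOLD" ]; then
        echo "DHCP-DNS: removing records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
        exit 1
      fi
    else
      TXTRRS=";"
    fi
    _KERBEROS
    ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $name.$domain $RRTTL A
${TXTRRS}update delete $name.$domain $RRTTL TXT
send
UPDATE
    result1=$?
    # No explicit zone here (as before): nsupdate locates the reverse zone
    # from the SOA itself.
    ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $ptr $RRTTL PTR
send
UPDATE
    result2=$?
    ;;
  *)
    echo "Invalid action specified"
    exit 103
    ;;
esac
# The two nsupdate exit codes are concatenated, so "00" is the only
# success value; it is also a valid exit status of 0.
result="$result1$result2"
if [ "$result" != "00" ]; then
  echo "DHCP-DNS Update failed: $result"
  logger "DHCP-DNS Update failed: $result"
else
  echo "DHCP-DNS Update succeeded"
  logger "DHCP-DNS Update succeeded"
fi
exit "$result"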