[Samba] dhcp example

Robert Moskowitz rgm at htt-consult.com
Thu Sep 3 19:50:35 UTC 2015


Thanks.  I will give this a try.  Hopefully there won't be any 
dependency problems!

Consider putting it up on some server or similar, so others can find it.

On 09/03/2015 02:43 PM, Rowland Penny wrote:
> On 03/09/15 19:28, Robert Moskowitz wrote:
>>
>>
>> On 09/03/2015 02:17 PM, Rowland Penny wrote:
>>> On 03/09/15 19:05, Robert Moskowitz wrote:
>>>>
>>>> Anyway, next to DHCP...
>>>>
>>>> I have installed it, but I still need to configure it.  Rowland, can you send me 
>>>> the sample config you mentioned?
>>>>
>>>>
>>>>
>>>
>>> default-lease-time 14400;
>>> max-lease-time 14400;
>>> authoritative;
>>>
>>> subnet 192.168.0.0 netmask 255.255.255.0 {
>>>    range 192.168.0.21 192.168.0.229;
>>>    option subnet-mask 255.255.255.0;
>>>    option broadcast-address 192.168.0.255;
>>>    option time-offset 0;
>>>    option routers 192.168.0.1;
>>>    option domain-name "example.com";
>>>    option domain-name-servers 192.168.0.2;
>>>    option domain-search "example.com";
>>>    option netbios-name-servers 192.168.0.2;
>>>    option ntp-servers 192.168.0.2;
>>> }
>>>
>>> on commit {
>>> set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>>> set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>>> set ClientName = pick-first-value(option host-name, 
>>> config-option-host-name, client-name);
>>> log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " 
>>> Name: ", ClientName));
>>> execute("/usr/local/sbin/dhcp-dyndns.sh", "add", ClientIP, 
>>> ClientDHCID, ClientName);
>>> }
>>>
>>> on release {
>>> set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>>> set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>>> log(concat("Release: IP: ", ClientIP));
>>> execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP, 
>>> ClientDHCID);
>>> }
>>
>> I can't find dhcp-dyndns.sh
>>
>> Where does it come from?
>>
>>
>
> I thought that might be your next question. I wrote it, based on what 
> I found here:
>
> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ 
>
>
> #!/bin/bash
>
> # /usr/local/sbin/dhcp-dyndns.sh
> # This script is for secure DDNS updates using GSS/TSIG on Samba 4
> # Version: 0.8.3 (includes TXTRR records)
> # Updated with suggestions from L. v. Belle   louis at van-belle.nl
> # method to check for valid kerberos ticket changed
>
> LOG="/var/log/dyndns.log"
>
> if [ -f /var/log/dyndns.log ]; then
>     :
> else
>     touch /var/log/dyndns.log
> fi
>
> exec >> $LOG 2>&1
>
> ## CONFIGURATION ##
>
> # Samba 4 realm, change this to YOUR realm.
> SETREALM=EXAMPLE.COM
> ## define the dhcp user that will be used for the Dynamic updates to 
> samba4
> ## this will create a Principal like : user at realm
> SETDHCPUSER=dhcpduser
> # DNS domain, change this to YOUR dns domain
> domain=example.com
> # TXT RRs (rfc4701)
> # Set to YES to use TXT RRs
> TXTRRS="NO"
> # Additional nsupdate flags (-g already applied), e.g. "-d" for debug
> #NSUPDFLAGS="-d"
> # DNS nameserver
> ns=127.0.0.1
> #
> ## Do not change anything below here
> # Kerberos principal
> SETPRINCIPAL=$SETDHCPUSER@$SETREALM
> # Kerberos keytab
> SETDHCPKEYTAB=/etc/$SETDHCPUSER.keytab
> # Default DNS resource records TTL
> RRTTL="3600"
>
> # krbcc ticket cache
> export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
>
> ## Command locations, with full paths it speeds up processing.
> ## ( tested on Ubuntu 14.04, Debian 7.5 )
> CMDSORT="$(which sort)"
> CMDAWK="$(which awk)"
> CMDHEAD="$(which head)"
> CMDECHO="$(which echo)"
> CMDDATE="$(which date)"
> CMDKINIT="$(which kinit)"
> CMDKLIST="$(which klist)"
> CMDGREP="$(which grep)"
> CMDGETENT="$(which getent)"
> CMDSAMBATOOL="$(which samba-tool)"
> CMDCHOWN="$(which chown)"
> CMDCHMOD="$(which chmod)"
> CMDHOST="$(which host)"
> CMDNSUPDATE="$(which nsupdate)"
>
> TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")
> if [ -z "${TESTUSER}" ]; then
>     echo "No dhcp user exists, need to create it first.. exiting."
>     echo "you can do this by typing the following commands"
>     echo "${CMDKINIT} Administrator@${SETREALM}"
>     echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} 
> --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
>     echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry"
>     echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}"
>     exit 1
> fi
>
> # Check for Kerberos keytab
> if [ -f "${SETDHCPKEYTAB}" ]; then
>     :
> else
>     echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to be 
> created."
>     echo "Use the following commands as root"
>     echo "${CMDSAMBATOOL} domain exportkeytab 
> --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}"
>     testos=$(uname -a | grep 'Debian')
>     if [ -z "$testos" ]; then
>         echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}"
>         echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}"
>     fi
>     exit 1
> fi
>
> ## VARIABLES ##
>
> # Variables supplied by dhcpd.conf
> action=$1
> ip=$2
> DHCID=$3
> name=${4%%.*}
>
> usage()
> {
> echo "USAGE:"
> echo "  `basename $0` add ip-address dhcid|mac-address hostname"
> echo "  `basename $0` delete ip-address dhcid|mac-address"
> }
>
> _KERBEROS () {
> # get current time as a number
> test=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S)
>
> # Check for valid kerberos ticket
> echo "$test [dyndns] : Running check for valid kerberos ticket"
> klist -c "$KRB5CCNAME" -s
> if [ "$?" != "0" ]; then
>     echo "$test [dyndns] : Getting new ticket, old one has expired"
>     kinit -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" "${SETPRINCIPAL}"
>     if [ "$?" != "0" ]; then
>         echo "$test [dyndns] : dhcpd kinit for dynamic DNS failed"
>         exit 1;
>     fi
> else
>     echo "$test [dyndns] : New ticket not required, old one still valid"
> fi
>
> }
>
> # Exit if no ip address or mac-address
> if [ -z "$ip" ] || [ -z "$DHCID" ]; then
>     usage
>     exit 1
> fi
>
> # Exit if no computer name supplied, unless the action is 'delete'
> if [ "$name" = "" ]; then
>     if [ "$action" = "delete" ]; then
>         name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}' | 
> ${CMDAWK} -F '.' '{print $1}')
>     else
>         usage
>         exit 1;
>     fi
> fi
>
> # Set PTR address
> ptr=$(${CMDECHO} $ip | ${CMDAWK} -F '.' '{print 
> $4"."$3"."$2"."$1".in-addr.arpa"}')
>
> # Create RRTXT record
> RRTXT=$(${CMDECHO} "$DHCID$name.$domain" | sha256sum)
> RRTXT="000101${RRTXT%% *}"
> # extract txt record, if there is one
> RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive 
> text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p')
>
> ## ${CMDNSUPDATE} ##
>
> case "$action" in
> add)
>     if [ "$TXTRRS" = "YES" ]; then
>         TXTRRS=""
>         # if string is not null
>         if [ -n "$RRTXTOLD" ]; then
>             # if old RRTXT is not the same as $RRTXT then exit
>             if [ "$RRTXT" != "$RRTXTOLD" ]; then
>                 echo "DHCP-DNS: adding records for $ip ($name.$domain) 
> FAILED: has A record but DHCID is wrong"
>                 exit 1
>             fi
>         fi
>     else
>         TXTRRS=";"
>     fi
>
>     _KERBEROS
>
> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
> server $ns
> realm ${SETREALM}
> update delete $name.$domain $RRTTL A
> ${TXTRRS}update delete $name.$domain $RRTTL TXT
> ${TXTRRS}update add $name.$domain $RRTTL TXT $RRTXT
> update add $name.$domain $RRTTL A $ip
> send
> UPDATE
> result1=$?
>
> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
> server $ns
> realm ${SETREALM}
> zone 0.168.192.in-addr.arpa
> update delete $ptr $RRTTL PTR
> update add $ptr $RRTTL PTR $name.$domain
> send
> UPDATE
> result2=$?
> ;;
> delete)
>      if [ "$TXTRRS" = "YES" ]; then
>         TXTRRS=""
>         if [ -n "$RRTXTOLD" ]; then
>             if [ "$RRTXT" != "$RRTXTOLD" ]; then
>                 echo "DHCP-DNS: removing records for $ip 
> ($name.$domain) FAILED: has A record but DHCID is wrong"
>                 exit 1
>             fi
>         else
>             TXTRRS=";"
>         fi
>      else
>        TXTRRS=";"
>      fi
>
>      _KERBEROS
>
> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
> server $ns
> realm ${SETREALM}
> update delete $name.$domain $RRTTL A
> ${TXTRRS}update delete $name.$domain $RRTTL TXT
> send
> UPDATE
> result1=$?
> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
> server $ns
> realm ${SETREALM}
> update delete $ptr $RRTTL PTR
> send
> UPDATE
> result2=$?
> ;;
> *)
> echo "Invalid action specified"
> exit 103
> ;;
> esac
>
> result="$result1$result2"
>
> if [ "$result" != "00" ]; then
>     echo "DHCP-DNS Update failed: $result"
>     logger "DHCP-DNS Update failed: $result"
> else
>    echo "DHCP-DNS Update succeeded"
>    logger "DHCP-DNS Update succeeded"
> fi
>
> exit $result
>
>
>



