[Samba] dhcp errors - Re: dhcp example

Robert Moskowitz rgm at htt-consult.com
Fri Sep 4 00:27:14 UTC 2015


I am reading through the script and see some things I did not change...

Will do that and try again, as well as create the log file manually.

On 09/03/2015 07:47 PM, Robert Moskowitz wrote:
> First I am having a couple challenges with your script here:
>
> On 09/03/2015 02:43 PM, Rowland Penny wrote:
>>
>> I thought that might be your next question. I wrote it based on what 
>> I found here:
>>
>> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ 
>>
>>
>> #!/bin/bash
>>
>> # /usr/local/sbin/dhcp-dyndns.sh
>> # This script is for secure DDNS updates using GSS/TSIG on Samba 4
>> # Version: 0.8.3 (includes TXTRR records)
>> # Updated with suggestions from L. v. Belle   louis at van-belle.nl
>> # method to check for valid kerberos ticket changed
>>
>> LOG="/var/log/dyndns.log"
>
>> if [ -f /var/log/dyndns.log ]; then
>>     :
>> else
>>     touch /var/log/dyndns.log
>> fi
>
> Of course this file did not exist, and the 'touch' command failed on 
> permissions.
>
> I assume dhcpd is running this script as user dhcpd, group dhcpd, so I 
> don't see how it can create the file.  I have to create it and set the 
> owner to root:dhcpd
>
>
>>
>> exec >> $LOG 2>&1
>
> Then this line fails, and so forth.
>
>>
>> ## CONFIGURATION ##
>>
>> # Samba 4 realm, change this to YOUR realm.
>> SETREALM=EXAMPLE.COM
>> ## define the dhcp user that will be used for the Dynamic updates to 
>> samba4
>> ## this will create a Principal like : user at realm
>> SETDHCPUSER=dhcpduser
>> # DNS domain, change this to YOUR dns domain
>> domain=example.com
>> # TXT RRs (rfc4701)
>> # Set to YES to use TXT RRs
>> TXTRRS="NO"
>> # Additional nsupdate flags (-g already applied), e.g. "-d" for debug
>> #NSUPDFLAGS="-d"
>> # DNS nameserver
>> ns=127.0.0.1
>> #
>> ## Do not change anything below here
>> # Kerberos principal
>> SETPRINCIPAL=$SETDHCPUSER@$SETREALM
>> # Kerberos keytab
>> SETDHCPKEYTAB=/etc/$SETDHCPUSER.keytab
>> # Default DNS resource records TTL
>> RRTTL="3600"
>>
>> # krbcc ticket cache
>> export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
>>
>> ## Command locations, with full paths it speeds up processing.
>> ## ( tested on Ubuntu 14.04, Debian 7.5 )
>> CMDSORT="$(which sort)"
>> CMDAWK="$(which awk)"
>> CMDHEAD="$(which head)"
>> CMDECHO="$(which echo)"
>> CMDDATE="$(which date)"
>> CMDKINIT="$(which kinit)"
>> CMDKLIST="$(which klist)"
>> CMDGREP="$(which grep)"
>> CMDGETENT="$(which getent)"
>> CMDSAMBATOOL="$(which samba-tool)"
>> CMDCHOWN="$(which chown)"
>> CMDCHMOD="$(which chmod)"
>> CMDHOST="$(which host)"
>> CMDNSUPDATE="$(which nsupdate)"
>>
>> TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")
>
> Sep  3 19:27:08 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 
> 64: dhcpduser: command not found
> Sep  3 19:27:09 homebase dhcpd: (current) UNIX password: passwd: 
> Authentication token manipulation error
> Sep  3 19:27:09 homebase dhcpd: No dhcp user exists, need to create it 
> first.. exiting.
> Sep  3 19:27:09 homebase dhcpd: you can do this by typing the 
> following commands
> Sep  3 19:27:09 homebase dhcpd: Administrator at EXAMPLE.COM
> Sep  3 19:27:09 homebase dhcpd: user create dhcpduser 
> --description="Unprivileged user for DNS updates via ISC DHCP server"
> Sep  3 19:27:09 homebase dhcpd: user setexpiry dhcpduser --noexpiry
> Sep  3 19:27:09 homebase dhcpd: group addmembers DnsAdmins dhcpduser
> Sep  3 19:27:09 homebase dhcpd: execute: 
> /usr/local/sbin/dhcp-dyndns.sh exit status 256
>
> Is this what I need to do, that is, create the dhcpduser?  There is no 
> 'user' command.  Is this 'adduser'?
>
>> if [ -z "${TESTUSER}" ]; then
>>     echo "No dhcp user exists, need to create it first.. exiting."
>>     echo "you can do this by typing the following commands"
>>     echo "${CMDKINIT} Administrator@${SETREALM}"
>>     echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} 
>> --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
>>     echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry"
>>     echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}"
>>     exit 1
>> fi
>>
>> # Check for Kerberos keytab
>> if [ -f "${SETDHCPKEYTAB}" ]; then
>>     :
>> else
>>     echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to be 
>> created."
>>     echo "Use the following commands as root"
>>     echo "${CMDSAMBATOOL} domain exportkeytab 
>> --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}"
>>     testos=$(uname -a | grep 'Debian')
>>     if [ -z "$testos" ]; then
>>         echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}"
>>         echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}"
>>     fi
>>     exit 1
>> fi
>>
>> ## VARIABLES ##
>>
>> # Variables supplied by dhcpd.conf
>> action=$1
>> ip=$2
>> DHCID=$3
>> name=${4%%.*}
>>
>> usage()
>> {
>> echo "USAGE:"
>> echo "  `basename $0` add ip-address dhcid|mac-address hostname"
>> echo "  `basename $0` delete ip-address dhcid|mac-address"
>> }
>>
>> _KERBEROS () {
>> # get current time as a number
>> test=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S)
>>
>> # Check for valid kerberos ticket
>> echo "$test [dyndns] : Running check for valid kerberos ticket"
>> klist -c "$KRB5CCNAME" -s
>> if [ "$?" != "0" ]; then
>>     echo "$test [dyndns] : Getting new ticket, old one has expired"
>>     kinit -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" "${SETPRINCIPAL}"
>>     if [ "$?" != "0" ]; then
>>         echo "$test [dyndns] : dhcpd kinit for dynamic DNS failed"
>>         exit 1;
>>     fi
>> else
>>     echo "$test [dyndns] : New ticket not required, old one still valid"
>> fi
>>
>> }
>>
>> # Exit if no ip address or mac-address
>> if [ -z "$ip" ] || [ -z "$DHCID" ]; then
>>     usage
>>     exit 1
>> fi
>>
>> # Exit if no computer name supplied, unless the action is 'delete'
>> if [ "$name" = "" ]; then
>>     if [ "$action" = "delete" ]; then
>>         name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}' | 
>> ${CMDAWK} -F '.' '{print $1}')
>>     else
>>         usage
>>         exit 1;
>>     fi
>> fi
>>
>> # Set PTR address
>> ptr=$(${CMDECHO} $ip | ${CMDAWK} -F '.' '{print 
>> $4"."$3"."$2"."$1".in-addr.arpa"}')
>>
>> # Create RRTXT record
>> RRTXT=$(${CMDECHO} "$DHCID$name.$domain" | sha256sum)
>> RRTXT="000101${RRTXT%% *}"
>> # extract txt record, if there is one
>> RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive 
>> text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p')
>>
>> ## ${CMDNSUPDATE} ##
>>
>> case "$action" in
>> add)
>>     if [ "$TXTRRS" = "YES" ]; then
>>         TXTRRS=""
>>         # if string is not null
>>         if [ -n "$RRTXTOLD" ]; then
>>             # if old RRTXT is not the same as $RRTXT then exit
>>             if [ "$RRTXT" != "$RRTXTOLD" ]; then
>>                 echo "DHCP-DNS: adding records for $ip 
>> ($name.$domain) FAILED: has A record but DHCID is wrong"
>>                 exit 1
>>             fi
>>         fi
>>     else
>>         TXTRRS=";"
>>     fi
>>
>>     _KERBEROS
>>
>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
>> server $ns
>> realm ${SETREALM}
>> update delete $name.$domain $RRTTL A
>> ${TXTRRS}update delete $name.$domain $RRTTL TXT
>> ${TXTRRS}update add $name.$domain $RRTTL TXT $RRTXT
>> update add $name.$domain $RRTTL A $ip
>> send
>> UPDATE
>> result1=$?
>>
>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
>> server $ns
>> realm ${SETREALM}
>> zone 0.168.192.in-addr.arpa
>> update delete $ptr $RRTTL PTR
>> update add $ptr $RRTTL PTR $name.$domain
>> send
>> UPDATE
>> result2=$?
>> ;;
>> delete)
>>      if [ "$TXTRRS" = "YES" ]; then
>>         TXTRRS=""
>>         if [ -n "$RRTXTOLD" ]; then
>>             if [ "$RRTXT" != "$RRTXTOLD" ]; then
>>                 echo "DHCP-DNS: removing records for $ip 
>> ($name.$domain) FAILED: has A record but DHCID is wrong"
>>                 exit 1
>>             fi
>>         else
>>             TXTRRS=";"
>>         fi
>>      else
>>        TXTRRS=";"
>>      fi
>>
>>      _KERBEROS
>>
>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
>> server $ns
>> realm ${SETREALM}
>> update delete $name.$domain $RRTTL A
>> ${TXTRRS}update delete $name.$domain $RRTTL TXT
>> send
>> UPDATE
>> result1=$?
>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
>> server $ns
>> realm ${SETREALM}
>> update delete $ptr $RRTTL PTR
>> send
>> UPDATE
>> result2=$?
>> ;;
>> *)
>> echo "Invalid action specified"
>> exit 103
>> ;;
>> esac
>>
>> result="$result1$result2"
>>
>> if [ "$result" != "00" ]; then
>>     echo "DHCP-DNS Update failed: $result"
>>     logger "DHCP-DNS Update failed: $result"
>> else
>>    echo "DHCP-DNS Update succeeded"
>>    logger "DHCP-DNS Update succeeded"
>> fi
>>
>> exit $result
>
> Sep  3 19:27:09 homebase dhcpd: DHCPREQUEST for 192.168.192.21 
> (192.168.192.2) from 02:97:09:02:23:a2 (cubieboard2) via eth0
> Sep  3 19:27:09 homebase dhcpd: DHCPACK on 192.168.192.21 to 
> 02:97:09:02:23:a2 (cubieboard2) via eth0
> Sep  3 19:27:12 homebase named[22720]: client 192.168.192.21#36919 
> (0.centos.pool.ntp.org): query (cache) '0.centos.pool.ntp.org/A/IN' 
> denied
>
> Oops, looks like I have ACL problems in named.  That I know how to fix...
>
>
>



