[Samba] further testing - Re: dhcp errors - Re: dhcp example

Rowland Penny rowlandpenny241155 at gmail.com
Fri Sep 4 08:07:12 UTC 2015


On 04/09/15 01:53, Robert Moskowitz wrote:
> This will be it for tonight...
>
> Sep  3 20:35:30 homebase dhcpd: DHCPDISCOVER from 02:97:09:02:23:a2 
> (cubieboard2) via eth0
> Sep  3 20:35:31 homebase dhcpd: DHCPOFFER on 192.168.192.21 to 
> 02:97:09:02:23:a2 (cubieboard2) via eth0
> Sep  3 20:35:31 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 
> 17: /var/log/dyndns.log: Permission denied
> Sep  3 20:35:31 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 
> 49: which: command not found
>
> # ls -ls /var/log/dy*
> 0 -rw-r--r-- 1 root dhcpd 0 Sep  3 20:27 /var/log/dyndns.log
>
> # grep dhc /etc/passwd
> dhcpd:x:177:177:DHCP server:/:/sbin/nologin
>
> # systemctl status dhcpd
> dhcpd.service - DHCPv4 Server Daemon
>    Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled)
>    Active: active (running) since Thu 2015-09-03 15:58:44 EDT; 4h 
> 46min ago
>      Docs: man:dhcpd(8)
>            man:dhcpd.conf(5)
>  Main PID: 22993 (dhcpd)
>    Status: "Dispatching packets..."
>    CGroup: /system.slice/dhcpd.service
>            └─22993 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user 
> dhcpd -group dhcpd ...
>
> So why does the script figure no log file and then tries to 'touch' it?
>
> Sep  3 20:35:31 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 
> 62: which: command not found
> Sep  3 20:35:31 homebase dhcpd: Internet Systems Consortium DHCP 
> Server 4.2.5
> Sep  3 20:35:31 homebase dhcpd: Copyright 2004-2013 Internet Systems 
> Consortium.
> Sep  3 20:35:31 homebase dhcpd: All rights reserved.
> Sep  3 20:35:31 homebase dhcpd: For info, please visit 
> https://www.isc.org/software/dhcp/
> Sep  3 20:35:31 homebase dhcpd: (current) UNIX password: Internet 
> Systems Consortium DHCP Server 4.2.5
> Sep  3 20:35:31 homebase dhcpd: Copyright 2004-2013 Internet Systems 
> Consortium.
> Sep  3 20:35:31 homebase dhcpd: All rights reserved.
> Sep  3 20:35:31 homebase dhcpd: For info, please visit 
> https://www.isc.org/software/dhcp/
> Sep  3 20:35:31 homebase dhcpd: unable to create icmp socket: 
> Operation not permitted
> Sep  3 20:35:31 homebase dhcpd: Can't open /etc/dhcp/dhcpd.conf: 
> Permission denied
> Sep  3 20:35:31 homebase dhcpd: This version of ISC DHCP is based on 
> the release available
> Sep  3 20:35:31 homebase dhcpd: on ftp.isc.org.  Features have been 
> added and other changes
> Sep  3 20:35:31 homebase dhcpd: have been made to the base software 
> release in order to make
> Sep  3 20:35:31 homebase dhcpd: it work better with this distribution.
> Sep  3 20:35:31 homebase dhcpd: Please report for this software via 
> the CentOS Bugs Database:
> Sep  3 20:35:31 homebase dhcpd: http://bugs.centos.org/
> Sep  3 20:35:31 homebase dhcpd: unable to create icmp socket: 
> Operation not permitted
> Sep  3 20:35:31 homebase dhcpd: Can't open /etc/dhcp/dhcpd.conf: 
> Permission denied
> Sep  3 20:35:31 homebase dhcpd:
>
> Huh?  Is it restarting dhcpd?  And why now complaining about 
> permissions for /etc/dhcp/dhcpd.conf; it opened it earlier?  It is 
> created root:root, not root:dhcpd.
>
> Sep  3 20:35:33 homebase dhcpd: passwd: Authentication token 
> manipulation error
> Sep  3 20:35:33 homebase dhcpd: No dhcp user exists, need to create it 
> first.. exiting.
> Sep  3 20:35:33 homebase dhcpd: you can do this by typing the 
> following commands
> Sep  3 20:35:33 homebase dhcpd: Administrator at home.htt
> Sep  3 20:35:33 homebase dhcpd: user create dhcpd 
> --description="Unprivileged user for DNS updates via ISC DHCP server"
> Sep  3 20:35:33 homebase dhcpd: user setexpiry dhcpd --noexpiry
> Sep  3 20:35:33 homebase dhcpd: group addmembers DnsAdmins dhcpd
> Sep  3 20:35:33 homebase dhcpd: execute: 
> /usr/local/sbin/dhcp-dyndns.sh exit status 256
>
> So what is needed here for the user?  And where is it being created?  
> Is this in kerberos?  Is there a separate kerberos daemon with sernet?
>
> Sep  3 20:35:34 homebase dhcpd: Wrote 1 leases to leases file.
> Sep  3 20:35:34 homebase dhcpd: DHCPREQUEST for 192.168.192.21 
> (192.168.192.2) from 02:97:09:02:23:a2 (cubieboard2) via eth0
> Sep  3 20:35:34 homebase dhcpd: DHCPACK on 192.168.192.21 to 
> 02:97:09:02:23:a2 (cubieboard2) via eth0
> Sep  3 20:35:34 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 
> 17: /var/log/dyndns.log: Permission denied
> Sep  3 20:35:34 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 
> 49: which: command not found
>
> Looks like it is looping around again...  Same set of messages as the 
> first set.
>
> Please help here.  Thanks.
>
>
> On 09/03/2015 08:27 PM, Robert Moskowitz wrote:
>> I am reading through the script and see some things I did not change...
>>
>> Will do that and try again.  As well as create the log file manually.
>>
>> On 09/03/2015 07:47 PM, Robert Moskowitz wrote:
>>> First I am having a couple challenges with your script here:
>>>
>>> On 09/03/2015 02:43 PM, Rowland Penny wrote:
>>>>
>>>> I thought that might be your next question, I wrote it, based on 
>>>> what I found here:
>>>>
>>>> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ 
>>>>
>>>>
>>>> #!/bin/bash
>>>>
>>>> # /usr/local/sbin/dhcp-dyndns.sh
>>>> # This script is for secure DDNS updates using GSS/TSIG on Samba 4
>>>> # Version: 0.8.3 (includes TXTRR records)
>>>> # Updated with suggestions from L. v. Belle louis at van-belle.nl
>>>> # method to check for valid kerberos ticket changed
>>>>
>>>> LOG="/var/log/dyndns.log"
>>>
>>>> if [ -f /var/log/dyndns.log ]; then
>>>>     :
>>>> else
>>>>     touch /var/log/dyndns.log
>>>> fi
>>>
>>> Of course this file did not exist, and the 'touch' command failed on 
>>> permissions.
>>>
>>> I assume dhcpd is running this script as user dhcpd, group dhcpd, so 
>>> I don't see how it can create the file.  I have to create it and set 
>>> the owner to root:dhcpd
>>>
>>>
>>>>
>>>> exec >> $LOG 2>&1
>>>
>>> Then this line fails, and so forth.
>>>
>>>>
>>>> ## CONFIGURATION ##
>>>>
>>>> # Samba 4 realm, change this to YOUR realm.
>>>> SETREALM=EXAMPLE.COM
>>>> ## define the dhcp user that will be used for the Dynamic updates 
>>>> to samba4
>>>> ## this will create a Principal like : user at realm
>>>> SETDHCPUSER=dhcpduser
>>>> # DNS domain, change this to YOUR dns domain
>>>> domain=example.com
>>>> # TXT RRs (rfc4701)
>>>> # Set to YES to use TXT RRs
>>>> TXTRRS="NO"
>>>> # Additional nsupdate flags (-g already applied), e.g. "-d" for debug
>>>> #NSUPDFLAGS="-d"
>>>> # DNS nameserver
>>>> ns=127.0.0.1
>>>> #
>>>> ## Do not change anything below here
>>>> # Kerberos principal
>>>> SETPRINCIPAL=$SETDHCPUSER@$SETREALM
>>>> # Kerberos keytab
>>>> SETDHCPKEYTAB=/etc/$SETDHCPUSER.keytab
>>>> # Default DNS resource records TTL
>>>> RRTTL="3600"
>>>>
>>>> # krbcc ticket cache
>>>> export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
>>>>
>>>> ## Command locations, with full paths it speeds up processing.
>>>> ## ( tested on Ubuntu 14.04, Debian 7.5 )
>>>> CMDSORT="$(which sort)"
>>>> CMDAWK="$(which awk)"
>>>> CMDHEAD="$(which head)"
>>>> CMDECHO="$(which echo)"
>>>> CMDDATE="$(which date)"
>>>> CMDKINIT="$(which kinit)"
>>>> CMDKLIST="$(which klist)"
>>>> CMDGREP="$(which grep)"
>>>> CMDGETENT="$(which getent)"
>>>> CMDSAMBATOOL="$(which samba-tool)"
>>>> CMDCHOWN="$(which chown)"
>>>> CMDCHMOD="$(which chmod)"
>>>> CMDHOST="$(which host)"
>>>> CMDNSUPDATE="$(which nsupdate)"
>>>>
>>>> TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")
>>>
>>> Sep  3 19:27:08 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 
>>> 64: dhcpduser: command not found
>>> Sep  3 19:27:09 homebase dhcpd: (current) UNIX password: passwd: 
>>> Authentication token manipulation error
>>> Sep  3 19:27:09 homebase dhcpd: No dhcp user exists, need to create 
>>> it first.. exiting.
>>> Sep  3 19:27:09 homebase dhcpd: you can do this by typing the 
>>> following commands
>>> Sep  3 19:27:09 homebase dhcpd: Administrator at EXAMPLE.COM
>>> Sep  3 19:27:09 homebase dhcpd: user create dhcpduser 
>>> --description="Unprivileged user for DNS updates via ISC DHCP server"
>>> Sep  3 19:27:09 homebase dhcpd: user setexpiry dhcpduser --noexpiry
>>> Sep  3 19:27:09 homebase dhcpd: group addmembers DnsAdmins dhcpduser
>>> Sep  3 19:27:09 homebase dhcpd: execute: 
>>> /usr/local/sbin/dhcp-dyndns.sh exit status 256
>>>
>>> Is this what I need to do?  That is, create the dhcpduser?  There is 
>>> no 'user' command.  Is this 'adduser'?
>>>
>>>> if [ -z "${TESTUSER}" ]; then
>>>>     echo "No dhcp user exists, need to create it first.. exiting."
>>>>     echo "you can do this by typing the following commands"
>>>>     echo "${CMDKINIT} Administrator@${SETREALM}"
>>>>     echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} 
>>>> --description=\"Unprivileged user for DNS updates via ISC DHCP 
>>>> server\""
>>>>     echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry"
>>>>     echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}"
>>>>     exit 1
>>>> fi
>>>>
>>>> # Check for Kerberos keytab
>>>> if [ -f "${SETDHCPKEYTAB}" ]; then
>>>>     :
>>>> else
>>>>     echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to 
>>>> be created."
>>>>     echo "Use the following commands as root"
>>>>     echo "${CMDSAMBATOOL} domain exportkeytab 
>>>> --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}"
>>>>     testos=$(uname -a | grep 'Debian')
>>>>     if [ -z "$testos" ]; then
>>>>         echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}"
>>>>         echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}"
>>>>     fi
>>>>     exit 1
>>>> fi
>>>>
>>>> ## VARIABLES ##
>>>>
>>>> # Variables supplied by dhcpd.conf
>>>> action=$1
>>>> ip=$2
>>>> DHCID=$3
>>>> name=${4%%.*}
>>>>
>>>> usage()
>>>> {
>>>> echo "USAGE:"
>>>> echo "  `basename $0` add ip-address dhcid|mac-address hostname"
>>>> echo "  `basename $0` delete ip-address dhcid|mac-address"
>>>> }
>>>>
>>>> _KERBEROS () {
>>>> # get current time as a number
>>>> test=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S)
>>>>
>>>> # Check for valid kerberos ticket
>>>> echo "$test [dyndns] : Running check for valid kerberos ticket"
>>>> klist -c "$KRB5CCNAME" -s
>>>> if [ "$?" != "0" ]; then
>>>>     echo "$test [dyndns] : Getting new ticket, old one has expired"
>>>>     kinit -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" 
>>>> "${SETPRINCIPAL}"
>>>>     if [ "$?" != "0" ]; then
>>>>         echo "$test [dyndns] : dhcpd kinit for dynamic DNS failed"
>>>>         exit 1;
>>>>     fi
>>>> else
>>>>     echo "$test [dyndns] : New ticket not required, old one still 
>>>> valid"
>>>> fi
>>>>
>>>> }
>>>>
>>>> # Exit if no ip address or mac-address
>>>> if [ -z "$ip" ] || [ -z "$DHCID" ]; then
>>>>     usage
>>>>     exit 1
>>>> fi
>>>>
>>>> # Exit if no computer name supplied, unless the action is 'delete'
>>>> if [ "$name" = "" ]; then
>>>>     if [ "$action" = "delete" ]; then
>>>>         name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}' | 
>>>> ${CMDAWK} -F '.' '{print $1}')
>>>>     else
>>>>         usage
>>>>         exit 1;
>>>>     fi
>>>> fi
>>>>
>>>> # Set PTR address
>>>> ptr=$(${CMDECHO} $ip | ${CMDAWK} -F '.' '{print 
>>>> $4"."$3"."$2"."$1".in-addr.arpa"}')
>>>>
>>>> # Create RRTXT record
>>>> RRTXT=$(${CMDECHO} "$DHCID$name.$domain" | sha256sum)
>>>> RRTXT="000101${RRTXT%% *}"
>>>> # extract txt record, if there is one
>>>> RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive 
>>>> text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p')
>>>>
>>>> ## ${CMDNSUPDATE} ##
>>>>
>>>> case "$action" in
>>>> add)
>>>>     if [ "$TXTRRS" = "YES" ]; then
>>>>         TXTRRS=""
>>>>         # if string is not null
>>>>         if [ -n "$RRTXTOLD" ]; then
>>>>             # if old RRTXT is not the same as $RRTXT then exit
>>>>             if [ "$RRTXT" != "$RRTXTOLD" ]; then
>>>>                 echo "DHCP-DNS: adding records for $ip 
>>>> ($name.$domain) FAILED: has A record but DHCID is wrong"
>>>>                 exit 1
>>>>             fi
>>>>         fi
>>>>     else
>>>>         TXTRRS=";"
>>>>     fi
>>>>
>>>>     _KERBEROS
>>>>
>>>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
>>>> server $ns
>>>> realm ${SETREALM}
>>>> update delete $name.$domain $RRTTL A
>>>> ${TXTRRS}update delete $name.$domain $RRTTL TXT
>>>> ${TXTRRS}update add $name.$domain $RRTTL TXT $RRTXT
>>>> update add $name.$domain $RRTTL A $ip
>>>> send
>>>> UPDATE
>>>> result1=$?
>>>>
>>>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
>>>> server $ns
>>>> realm ${SETREALM}
>>>> zone 0.168.192.in-addr.arpa
>>>> update delete $ptr $RRTTL PTR
>>>> update add $ptr $RRTTL PTR $name.$domain
>>>> send
>>>> UPDATE
>>>> result2=$?
>>>> ;;
>>>> delete)
>>>>      if [ "$TXTRRS" = "YES" ]; then
>>>>         TXTRRS=""
>>>>         if [ -n "$RRTXTOLD" ]; then
>>>>             if [ "$RRTXT" != "$RRTXTOLD" ]; then
>>>>                 echo "DHCP-DNS: removing records for $ip 
>>>> ($name.$domain) FAILED: has A record but DHCID is wrong"
>>>>                 exit 1
>>>>             fi
>>>>         else
>>>>             TXTRRS=";"
>>>>         fi
>>>>      else
>>>>        TXTRRS=";"
>>>>      fi
>>>>
>>>>      _KERBEROS
>>>>
>>>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
>>>> server $ns
>>>> realm ${SETREALM}
>>>> update delete $name.$domain $RRTTL A
>>>> ${TXTRRS}update delete $name.$domain $RRTTL TXT
>>>> send
>>>> UPDATE
>>>> result1=$?
>>>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
>>>> server $ns
>>>> realm ${SETREALM}
>>>> update delete $ptr $RRTTL PTR
>>>> send
>>>> UPDATE
>>>> result2=$?
>>>> ;;
>>>> *)
>>>> echo "Invalid action specified"
>>>> exit 103
>>>> ;;
>>>> esac
>>>>
>>>> result="$result1$result2"
>>>>
>>>> if [ "$result" != "00" ]; then
>>>>     echo "DHCP-DNS Update failed: $result"
>>>>     logger "DHCP-DNS Update failed: $result"
>>>> else
>>>>    echo "DHCP-DNS Update succeeded"
>>>>    logger "DHCP-DNS Update succeeded"
>>>> fi
>>>>
>>>> exit $result
>>>
>>> Sep  3 19:27:09 homebase dhcpd: DHCPREQUEST for 192.168.192.21 
>>> (192.168.192.2) from 02:97:09:02:23:a2 (cubieboard2) via eth0
>>> Sep  3 19:27:09 homebase dhcpd: DHCPACK on 192.168.192.21 to 
>>> 02:97:09:02:23:a2 (cubieboard2) via eth0
>>> Sep  3 19:27:12 homebase named[22720]: client 192.168.192.21#36919 
>>> (0.centos.pool.ntp.org): query (cache) '0.centos.pool.ntp.org/A/IN' 
>>> denied
>>>
>>> Oops, looks like I have ACL problems in named.  That I know how to 
>>> fix...
>>>
>>>
>>>
>>
>>
>

The script was written to run on Debian; you are using something else, 
so you will need to work out the changes required.
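As an added example (not the script from the thread and not Rowland's code), here are hardened versions of the pieces that failed in the quoted log: command lookup through the POSIX `command -v` builtin instead of an external `which` binary, a writability check on the log file before redirecting into it, and an exact-match user lookup (the original `grep` over `getent passwd` matches any substring). The function names and the temp-directory demo are my own.

```shell
#!/bin/sh
# Added example: robust replacements for the three spots that broke when the
# dyndns script ran as the unprivileged 'dhcpd' user on a minimal CentOS box.

# Resolve a command with the shell builtin 'command -v' rather than 'which',
# which is a separate package and was absent on the reporter's system.
# Prints the path and returns 0 on success; prints nothing and returns 1 if
# the command is not installed, so callers can test it instead of crashing.
locate_cmd() {
    command -v "$1" 2>/dev/null
}

# Decide whether the current (service) user can append to log file $1 before
# doing 'exec >> "$LOG"'. Returns 0 when the file exists and is writable, or
# when it does not exist but its directory permits creating it; 1 otherwise.
# Note: for root the -w test is always true (DAC override); the check is
# meaningful precisely because dhcpd runs the hook as a non-root user.
log_writable() {
    log="$1"
    if [ -e "$log" ]; then
        [ -w "$log" ]
    else
        [ -w "$(dirname "$log")" ]
    fi
}

# Exact-match lookup of the service account. 'getent passwd NAME' returns
# nonzero when NAME is absent, unlike piping the whole database through grep,
# which also matches 'dhcpduser2' or 'mydhcpduser'.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# Constructed demonstration: a scratch directory stands in for /var/log.
demo() {
    tmp=$(mktemp -d) || return 1
    log="$tmp/dyndns.log"
    if log_writable "$log"; then echo "can create $log"; fi
    for c in nsupdate kinit klist which; do
        p=$(locate_cmd "$c") && echo "$c -> $p" || echo "$c: not installed"
    done
    rm -rf "$tmp"
}
```

Calling `demo` from the shell lists which of the script's dependencies are actually present, which is the first thing to verify before wiring the hook into dhcpd.conf.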



