[Samba] DDNS with bind9 and isc-dhcp-server

Stefan Kania stefan at kania-online.de
Wed Aug 15 20:02:42 UTC 2018


Hello List, Hello Rowland :-)
again I'm having problems with the DDNS. I did it as shown in the wiki.
I took all the scripts from the wiki; the dhcp-dyndns.sh is Version: 0.8.9
I configured everything including the failover. When I start the two
DHCP-Server everything is perfect. I see the right messages in the log,
the two DHCP servers are talking to each other. When a client asks for an
IP address, it gets one. BUT the DNS update is not working. Here is the
result from the log:
--------------------

Aug 15 21:27:51 sambabuch dhcpd[572]: Commit: IP: 192.168.56.221 DHCID:
1:8:0:27:7b:f1:f2 Name: linux-client
Aug 15 21:27:51 sambabuch dhcpd[572]: execute_statement argv[0] =
/etc/dhcp/bin/dhcp-dyndns.sh
Aug 15 21:27:51 sambabuch dhcpd[572]: execute_statement argv[1] = add
Aug 15 21:27:51 sambabuch dhcpd[572]: execute_statement argv[2] =
192.168.56.221
Aug 15 21:27:51 sambabuch dhcpd[572]: execute_statement argv[3] =
1:8:0:27:7b:f1:f2
Aug 15 21:27:51 sambabuch dhcpd[572]: execute_statement argv[4] =
linux-client
Aug 15 21:27:51 sambabuch root[671]: 15-08-18 21:27:51 [dyndns] :
Getting new ticket, old one has expired
Aug 15 21:27:51 sambabuch root[674]: 15-08-18 21:27:51 [dyndns] : dhcpd
kinit for dynamic DNS failed
Aug 15 21:27:51 sambabuch dhcpd[572]: execute:
/etc/dhcp/bin/dhcp-dyndns.sh exit status 256
Aug 15 21:27:51 sambabuch dhcpd[572]: DHCPREQUEST for 192.168.56.221
from 08:00:27:7b:f1:f2 (linux-client) via enp0s8
Aug 15 21:27:51 sambabuch dhcpd[572]: DHCPACK on 192.168.56.221 to
08:00:27:7b:f1:f2 (linux-client) via enp0s8
--------------------

I saw there was a problem with the Kerberos ticket, so I checked with:
---------------------
root at sambabuch:~# klist -c /tmp/dhcp-dyndns.cc
klist: No ticket file: /tmp/dhcp-dyndns.cc
---------------------

Then I executed the part of the script step by step
---------------------
root at sambabuch:~# domain=$(hostname -d)
root at sambabuch:~# REALM=$(echo ${domain^^})
root at sambabuch:~# echo $REALM
EXAMPLE.NET
root at sambabuch:~# SETPRINCIPAL="dhcpduser@${REALM}"
root at sambabuch:~# echo $SETPRINCIPAL
dhcpduser at EXAMPLE.NET
root at sambabuch:~# kinit -F -k -t /etc/dhcpduser.keytab -c
/tmp/dhcp-dyndns.cc "${SETPRINCIPAL}"
root at sambabuch:~# klist -c /tmp/dhcp-dyndns.cc
Credentials cache: FILE:/tmp/dhcp-dyndns.cc
        Principal: dhcpduser at EXAMPLE.NET

  Issued                Expires               Principal
Aug 15 21:40:17 2018  Aug 16 07:40:17 2018  krbtgt/EXAMPLE.NET at EXAMPLE.NET

---------------------

Then I restarted the client, I'm getting the following messages:
---------------------
Aug 15 21:43:29 sambabuch dhcpd[572]: Commit: IP:
192.168.56.221 DHCID: 1:8:0:27:7b:f1:f2 Name: linux-client
Aug 15 21:43:29 sambabuch dhcpd[572]: execute_statement argv[0] =
/etc/dhcp/bin/dhcp-dyndns.sh
Aug 15 21:43:29 sambabuch dhcpd[572]: execute_statement argv[1] = add
Aug 15 21:43:29 sambabuch dhcpd[572]: execute_statement argv[2] =
192.168.56.221
Aug 15 21:43:29 sambabuch dhcpd[572]: execute_statement argv[3] =
1:8:0:27:7b:f1:f2
Aug 15 21:43:29 sambabuch dhcpd[572]: execute_statement argv[4] =
linux-client
Aug 15 21:43:29 sambabuch named[506]: client 127.0.0.1#38287/key
dhcpduser\@EXAMPLE.NET: updating zone '168.192.IN-ADDR.ARPA/IN': update
failed: not authoritative for update zone (NOTAUTH)
Aug 15 21:43:29 sambabuch root[766]: DHCP-DNS Update failed: 22
Aug 15 21:43:29 sambabuch dhcpd[572]: execute:
/etc/dhcp/bin/dhcp-dyndns.sh exit status 5632
Aug 15 21:43:29 sambabuch dhcpd[572]: reuse_lease: lease age 88 (secs)
under 25% threshold, reply with unaltered, existing lease for 192.168.56.221
Aug 15 21:43:29 sambabuch dhcpd[572]: DHCPREQUEST for 192.168.56.221
from 08:00:27:7b:f1:f2 (linux-client) via enp0s8
Aug 15 21:43:29 sambabuch dhcpd[572]: DHCPACK on 192.168.56.221 to
08:00:27:7b:f1:f2 (linux-client) via enp0s8

---------------------
And now I don't know where to look.



Here is my dhcpd.conf from the secondary
---------------------
authoritative;
ddns-update-style none;

# Start failover Konfiguration
failover peer "dhcp-failover" {
  secondary;
  address sambabuch-02.example.net;
  peer address sambabuch.example.net;
  max-response-delay 60;
  max-unacked-updates 10;
  load balance max seconds 3;
}
# End failover configuration

subnet 192.168.56.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.56.255;
  option time-offset 0;
#  option routers 192.168.0.1;
  option domain-name "example.net";
  option domain-name-servers 192.168.56.31, 192.168.56.32;
  option netbios-name-servers 192.168.56.11;
  option ntp-servers 192.168.0.31, 192.168.56.32;
  pool {
    failover peer "dhcp-failover"; # Add for failover
    max-lease-time 1800; # 30 minutes
    range 192.168.56.220 192.168.56.239;
  }
}

on commit {
set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
set ClientName = pick-first-value(option host-name,
config-option-host-name, client-name, noname);
log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ",
ClientName));
execute("/etc/dhcp/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID,
ClientName);
}

on release {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
log(concat("Release: IP: ", ClientIP));
execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}

on expiry {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
# cannot get a ClientMac here, apparently this only works when actually receiving a packet
log(concat("Expired: IP: ", ClientIP));
# cannot get a ClientName here, for some reason that always fails
execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}

omapi-port 7911;
omapi-key omapi_key;

key omapi_key {
     algorithm hmac-md5;
          secret
VeKKfYgBBx6i1KJZGUZBb5/hprxWUtquYc6eMMA9ucff5//4bnWJ+JcRJ70A6H6Q2dn67EbyTmeMigbdZ6JS1w==;
}
---------------------


And from the master
---------------------
authoritative;
ddns-update-style none;


#Start failover configuration
failover peer "dhcp-failover" {
  primary;
  address sambabuch.example.net;
  peer address sambabuch-02.example.net;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  split 128;
  load balance max seconds 3;
}
# End failover configuration


subnet 192.168.56.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.56.255;
  option time-offset 0;
#  option routers 192.168.0.1;
  option domain-name "example.net";
  option domain-name-servers 192.168.56.31, 192.168.56.32;
  option netbios-name-servers 192.168.56.11;
  option ntp-servers 192.168.56.31, 192.168.56.32;
  pool {
                failover peer "dhcp-failover"; # Add for failover
    max-lease-time 1800; # 30 minutes
    range 192.168.56.220 192.168.56.239;
  }
}

on commit {
set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
set ClientName = pick-first-value(option host-name,
config-option-host-name, client-name, noname);
log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ",
ClientName));
execute("/etc/dhcp/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID,
ClientName);
}

on release {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
log(concat("Release: IP: ", ClientIP));
execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}

on expiry {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
# cannot get a ClientMac here, apparently this only works when actually receiving a packet
log(concat("Expired: IP: ", ClientIP));
# cannot get a ClientName here, for some reason that always fails
execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}

omapi-port 7911;
omapi-key omapi_key;

key omapi_key {
     algorithm hmac-md5;
                      secret
VeKKfYgBBx6i1KJZGUZBb5/hprxWUtquYc6eMMA9ucff5//4bnWJ+JcRJ70A6H6Q2dn67EbyTmeMigbdZ6JS1w==;
}
---------------------

Permissions:
root at sambabuch:~# ls -l /etc/dhcp/bin/dhcp-dyndns.sh
-rwxr-xr-x 1 root root 4065 Aug 13 21:14 /etc/dhcp/bin/dhcp-dyndns.sh

root at sambabuch:~# ls -l /etc/dhcpduser.keytab
-r-------- 1 root root 337 Aug 15 21:05 /etc/dhcpduser.keytab

As always, any help is welcome :-)

Stefan


