[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates

Rowland Penny rpenny at samba.org
Thu Jan 10 19:43:06 UTC 2019


On Thu, 10 Jan 2019 19:09:01 +0000 (UTC)
Billy Bob via samba <samba at lists.samba.org> wrote:

> I am now having a similar issue with dhcpd dynamic updates, though.
> In addition to solving that problem, however, and at least suspecting
> some relationship between the two, I am first curious about the prior
> solution.

There is no connection.

> 
> Why was it necessary to select the --use-samba-tool vs.
> --use-nsupdate option, and what is happening as a result of this
> selection? (I looked at the dns-update script, but promise that I am
> too dense to figure this all out in the time I have left to get these
> servers running -- yes, the secondary DC is right behind this mess.)

If you use samba-tool it does the update over RPC instead of DNS.

> 
> As to the current issue, I am attempting to configure DHCP to update
> DNS records with BIND9, as outlined in the Samba Wiki (with
> correction of a couple errors in the "on release" and "on expiry"
> sections of the example dhcpd.conf file).

What errors?

> 
> As some background, the following script and configuration was
> working fine in the prior incarnation of the DC. In that version,
> however, the Kerberos enablement of the named.conf file wrongly
> included:
> 
> tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
> 
> as opposed to:
> 
> tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

That keytab isn't used when updating the dns records via the dhcp
script.
 
> ===================================
>   CURRENT DHCPD.CONF
>   /etc/dhcp/dhcpd.conf
> ===================================
> authoritative;
> ddns-update-style none;
> option domain-name "corp.<DOMAIN>.com";
> option domain-name-servers 172.20.10.130;
> option ntp-servers 172.20.10.130;
> option broadcast-address 172.20.10.255;
> option routers 172.20.10.129;
> option netbios-name-servers 172.20.10.130;
> option time-offset 0;
> 
> subnet 172.20.10.128 netmask 255.255.255.128 {
>   option subnet-mask 255.255.255.128;
>   pool {
>     range 172.20.10.165 172.20.10.229;
>     default-lease-time 43200;
>     max-lease-time 86400;
>   }
> }
> on commit {
>   set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
>   set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>   set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>   set ClientName = pick-first-value(option host-name, config-option-host-name, client-name, noname);
>   log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
>   execute("/usr/local/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
> }
> on release {
>   set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>   set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>   log(concat("Release: IP: ", ClientIP));
>   execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID, "");
> }
> on expiry {
>   set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>   log(concat("Expired: IP: ", ClientIP));
>   execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, "0", "");
> }
> ===================================
>   CURRENT DHCP-DYNDNS.SH
>   /usr/local/bin/dhcp-dyndns.sh
> ===================================
> #!/bin/bash
> # /usr/local/bin/dhcp-dyndns.sh
> # Additional nsupdate flags (-g already applied), e.g. "-d" for debug
> NSUPDFLAGS="-d"
> # krbcc ticket cache
> export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
> # Variables supplied by dhcpd.conf
> action=$1
> ip=$2
> DHCID=$3
> name=${4%%.*}
> # Check for a valid Kerberos ticket; obtain one from the keytab if needed
> _KERBEROS () {
>     klist -c /tmp/dhcp-dyndns.cc -s
>     if [ "$?" != "0" ]; then
>         kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc "dhcpduser@CORP.<DOMAIN>.COM"
>         if [ "$?" != "0" ]; then
>             exit 1;
>         fi
>     fi
> }
> # Exit if no ip address or mac-address
> if [ -z "${ip}" ] || [ -z "${DHCID}" ]; then
>     exit 1;
> fi
> # Exit if no computer name supplied, unless the action is 'delete'
> # (on delete, recover the name from the existing PTR record)
> if [ "${name}" = "" ]; then
>     if [ "${action}" = "delete" ]; then
>         name=$(host -t PTR "${ip}" | awk '{print $NF}' | awk -F '.' '{print $1}')
>     else
>         exit 1;
>     fi
> fi
> # Set PTR address (reverse the octets into the in-addr.arpa owner name)
> ptr=$(echo ${ip} | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')
> 
> ## nsupdate ##
> 
> case "${action}" in
> add)
> _KERBEROS
> nsupdate -g ${NSUPDFLAGS} << UPDATE
> server 127.0.0.1
> realm CORP.<DOMAIN>.COM
> update delete ${name}.corp.<DOMAIN>.com 3600 A
> update add ${name}.corp.<DOMAIN>.com 3600 A ${ip}
> send
> UPDATE
> nsupdate -g ${NSUPDFLAGS} << UPDATE
> server 127.0.0.1
> realm CORP.<DOMAIN>.COM
> update delete ${ptr} 3600 PTR
> update add ${ptr} 3600 PTR ${name}.corp.<DOMAIN>.com
> send
> UPDATE
> ;;
> delete)
> _KERBEROS
> nsupdate -g ${NSUPDFLAGS} << UPDATE
> server 127.0.0.1
> realm CORP.<DOMAIN>.COM
> update delete ${name}.corp.<DOMAIN>.com 3600 A
> send
> UPDATE
> nsupdate -g ${NSUPDFLAGS} << UPDATE
> server 127.0.0.1
> realm CORP.<DOMAIN>.COM
> update delete ${ptr} 3600 PTR
> send
> UPDATE
> ;;
> *)
> 
> exit 1
> 
> ;;
> esac
> exit 0

Do you want to change your scripts to match my scripts as found on the
wiki?
I know they work, well they have for me for the last 6 years.

> =================================== ERRORS

It is supposed to look like this:

Jan 10 19:36:41 dc4 dhcpd[2093]: Commit: IP: 192.168.0.55 DHCID: 1:b8:27:eb:d3:31:81 Name: devuan
Jan 10 19:36:41 dc4 dhcpd[2093]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 10 19:36:41 dc4 dhcpd[2093]: execute_statement argv[1] = add
Jan 10 19:36:41 dc4 dhcpd[2093]: execute_statement argv[2] = 192.168.0.55
Jan 10 19:36:41 dc4 dhcpd[2093]: execute_statement argv[3] = 1:b8:27:eb:d3:31:81
Jan 10 19:36:41 dc4 dhcpd[2093]: execute_statement argv[4] = devuan
Jan 10 19:36:41 dc4 named[2336]: samba_dlz: starting transaction on zone samdom.example.com
Jan 10 19:36:42 dc4 named[2336]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=devuan.samdom.example.com tcpaddr=127.0.0.1 type=A key=4044813655.sig-dc4.samdom.example.com/160/0
Jan 10 19:36:42 dc4 named[2336]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=devuan.samdom.example.com tcpaddr=127.0.0.1 type=A key=4044813655.sig-dc4.samdom.example.com/160/0
Jan 10 19:36:42 dc4 named[2336]: client 127.0.0.1#55675/key dhcpduser\@SAMDOM.EXAMPLE.COM: updating zone 'samdom.example.com/NONE': deleting rrset at 'devuan.samdom.example.com' A
Jan 10 19:36:42 dc4 named[2336]: samba_dlz: subtracted rdataset devuan.samdom.example.com 'devuan.samdom.example.com.#0113600#011IN#011A#011192.168.0.55'
Jan 10 19:36:42 dc4 named[2336]: client 127.0.0.1#55675/key dhcpduser\@SAMDOM.EXAMPLE.COM: updating zone 'samdom.example.com/NONE': adding an RR at 'devuan.samdom.example.com' A 192.168.0.55
Jan 10 19:36:42 dc4 named[2336]: samba_dlz: added rdataset devuan.samdom.example.com 'devuan.samdom.example.com.#0113600#011IN#011A#011192.168.0.55'
Jan 10 19:36:42 dc4 named[2336]: samba_dlz: committed transaction on zone samdom.example.com
Jan 10 19:36:42 dc4 named[2336]: samba_dlz: starting transaction on zone 0.168.192.in-addr.arpa
Jan 10 19:36:42 dc4 named[2336]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=55.0.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=4072256449.sig-dc4.samdom.example.com/160/0
Jan 10 19:36:42 dc4 named[2336]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=55.0.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=4072256449.sig-dc4.samdom.example.com/160/0
Jan 10 19:36:42 dc4 named[2336]: client 127.0.0.1#46009/key dhcpduser\@SAMDOM.EXAMPLE.COM: updating zone '0.168.192.in-addr.arpa/NONE': deleting rrset at '55.0.168.192.in-addr.arpa' PTR
Jan 10 19:36:42 dc4 named[2336]: samba_dlz: subtracted rdataset 55.0.168.192.in-addr.arpa '55.0.168.192.in-addr.arpa.#0113600#011IN#011PTR#011devuan.samdom.example.com.'
Jan 10 19:36:42 dc4 named[2336]: client 127.0.0.1#46009/key dhcpduser\@SAMDOM.EXAMPLE.COM: updating zone '0.168.192.in-addr.arpa/NONE': adding an RR at '55.0.168.192.in-addr.arpa' PTR devuan.samdom.example.com.
Jan 10 19:36:42 dc4 named[2336]: samba_dlz: added rdataset 55.0.168.192.in-addr.arpa '55.0.168.192.in-addr.arpa.#0113600#011IN#011PTR#011devuan.samdom.example.com.'
Jan 10 19:36:42 dc4 named[2336]: samba_dlz: committed transaction on zone 0.168.192.in-addr.arpa
Jan 10 19:36:42 dc4 root: DHCP-DNS Update succeeded
Jan 10 19:36:42 dc4 dhcpd[2093]: DHCPREQUEST for 192.168.0.55 from b8:27:eb:d3:31:81 (devuan) via eth0
Jan 10 19:36:42 dc4 dhcpd[2093]: DHCPACK on 192.168.0.55 to b8:27:eb:d3:31:81 (devuan) via eth0

Yours looks nothing like that.

Rowland
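As an added example, not the wiki script or the script quoted above: POSIX sh argument checks that a dhcp-dyndns.sh style helper can run before it splices the values dhcpd hands it (ClientIP, ClientDHCID, ClientName) into its nsupdate statements. ClientName is taken from the client's host-name option, so the checks accept only a bare label, a dotted quad and a colon-separated hex DHCID; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the wiki's or the poster's script): reject anything that
# does not look like what dhcpd.conf's "on commit"/"on release" hand over
# before it reaches nsupdate. Function names are assumptions of this example.

# valid_ip4 ADDR: 0 for a dotted quad with four octets in 0-255, else 1
valid_ip4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_hostname LABEL: one DNS label, 1-63 chars of [A-Za-z0-9-], no edge hyphen
valid_hostname() {
    case "$1" in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ ${#1} -le 63 ]
}

# valid_dhcid ID: colon-separated hex as binary-to-ascii(16, 8, ":", hardware)
# produces (e.g. 1:b8:27:eb:d3:31:81), or the literal "0" used on expiry
valid_dhcid() {
    case "$1" in
        ''|:*|*:|*::*|*[!0-9A-Fa-f:]*) return 1 ;;
    esac
    return 0
}

# check_args ACTION IP DHCID NAME: the script's own exit conditions (no ip or
# DHCID; no name unless deleting) plus the syntax checks; reason goes to stderr
check_args() {
    action=$1; ip=$2; dhcid=$3; name=${4%%.*}
    case "$action" in
        add|delete) ;;
        *) echo "unknown action: $action" >&2; return 1 ;;
    esac
    valid_ip4 "$ip" || { echo "rejecting ip: $ip" >&2; return 1; }
    valid_dhcid "$dhcid" || { echo "rejecting DHCID: $dhcid" >&2; return 1; }
    if [ "$action" = "add" ] || [ -n "$name" ]; then
        valid_hostname "$name" || { echo "rejecting name: $name" >&2; return 1; }
    fi
    return 0
}
```

Calling `check_args "$1" "$2" "$3" "$4" || exit 1` right after the variable assignments would slot it into the quoted script without touching the nsupdate heredocs.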


