[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates

Rowland Penny rpenny at samba.org
Fri Jan 11 16:43:34 UTC 2019 

On Fri, 11 Jan 2019 16:13:50 +0000 (UTC)
Billy Bob <billysbobs at yahoo.com> wrote:

>  
> 
>     On Friday, January 11, 2019 3:14 AM, Rowland Penny via samba
> <samba at lists.samba.org> wrote: 
> >
>  >I have no idea where the above is coming from, but it isn't from
>  >the dhcp scripts.
> >
> 
> I don't know what to tell you, Rowland. The previous logs were with
> the -d option in place, and those extra lines were what was added as
> a result of the -d option.
> 
> Here is what the logs show WITHOUT the -d option:
> 
> Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID:
> 1:d4:be:d9:22:9f:7d Name: mgmt01 Jan 11 10:00:36 dc01 dhcpd[1704]:
> execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh Jan 11
> 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add Jan 11
> 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] =
> 1:d4:be:d9:22:9f:7d Jan 11 10:00:36 dc01 dhcpd[1704]:
> execute_statement argv[4] = mgmt01 Jan 11 10:00:36 dc01 sh[1704]:
> dns_tkey_gssnegotiate: TKEY is unacceptable Jan 11 10:00:36 dc01
> sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable Jan 11 10:00:36
> dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status
> 2816 Jan 11 10:00:36 dc01 dhcpd[1704]: reuse_lease: lease age 364
> (secs) under 25% threshold, reply with unaltered, existing lease for
> 172.20.10.165 Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPREQUEST for
> 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1 Jan 11
> 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to
> d4:be:d9:22:9f:7d (mgmt01) via eno1
> 

This shows the script is being run with the correct data, but for some
reason, your kerberos key isn't correct

What is in your ticket ?

Running 'klist -ce /tmp/dhcp-dyndns.cc' on my DC produces this:

Ticket cache: FILE:/tmp/dhcp-dyndns.cc
Default principal: dhcpduser at SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
11/01/19 10:12:50  11/01/19 20:12:50  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
	renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
11/01/19 10:12:50  11/01/19 20:12:50  DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM
	renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac 

And running 'ktutil' produces this:

root at dc4:~# ktutil
ktutil:  rkt /etc/dhcpduser.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1             dhcpduser at SAMDOM.EXAMPLE.COM
   2    1             dhcpduser at SAMDOM.EXAMPLE.COM
   3    1             dhcpduser at SAMDOM.EXAMPLE.COM
   4    1             dhcpduser at SAMDOM.EXAMPLE.COM
   5    1             dhcpduser at SAMDOM.EXAMPLE.COM
ktutil:  q

I would delete the ticket and keytab, recreate the keytab and then try
again.

Rowland

More information about the samba mailing list