[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
Billy Bob
billysbobs at yahoo.com
Fri Jan 11 16:59:27 UTC 2019
On Friday, January 11, 2019 10:44 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
On Fri, 11 Jan 2019 16:13:50 +0000 (UTC)
Billy Bob <billysbobs at yahoo.com> wrote:
>> Here is what the logs show WITHOUT the -d option:
>>
>> Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
>> Jan 11 10:00:36 dc01 dhcpd[1704]: reuse_lease: lease age 364 (secs) under 25% threshold, reply with unaltered, existing lease for 172.20.10.165
>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1
>>
>
> This shows the script is being run with the correct data, but for some
> reason, your Kerberos key isn't correct.
>
> What is in your ticket?
>
> Running 'klist -ce /tmp/dhcp-dyndns.cc' on my DC produces this:
>
> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> Default principal: dhcpduser at SAMDOM.EXAMPLE.COM
>
> Valid starting Expires Service principal
> 11/01/19 10:12:50 11/01/19 20:12:50 krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 11/01/19 10:12:50 11/01/19 20:12:50 DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM
> renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
>
> And running 'ktutil' produces this:
>
> root at dc4:~# ktutil
> ktutil: rkt /etc/dhcpduser.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 1 dhcpduser at SAMDOM.EXAMPLE.COM
> 2 1 dhcpduser at SAMDOM.EXAMPLE.COM
> 3 1 dhcpduser at SAMDOM.EXAMPLE.COM
> 4 1 dhcpduser at SAMDOM.EXAMPLE.COM
> 5 1 dhcpduser at SAMDOM.EXAMPLE.COM
> ktutil: q
>
> I would delete the ticket and keytab, recreate the keytab and then try
> again.
>
$ sudo klist -ce /tmp/dhcp-dyndns.cc
Ticket cache: FILE:/tmp/dhcp-dyndns.cc
Default principal: dhcpduser at CORP.<DOMAIN>.COM
Valid starting Expires Service principal
01/11/2019 09:54:32 01/11/2019 19:54:32 krbtgt/CORP.<DOMAIN>.COM at CORP.<DOMAIN>.COM
renew until 01/12/2019 09:54:32, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/11/2019 09:54:32 01/11/2019 19:54:32 DNS/dc01.corp.<DOMAIN>.com at CORP.<DOMAIN>.COM
renew until 01/12/2019 09:54:32, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
$ sudo ktutil
ktutil: rkt /etc/dhcpduser.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 dhcpduser at CORP.<DOMAIN>.COM
2 2 dhcpduser at CORP.<DOMAIN>.COM
3 2 dhcpduser at CORP.<DOMAIN>.COM
4 2 dhcpduser at CORP.<DOMAIN>.COM
5 2 dhcpduser at CORP.<DOMAIN>.COM
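An added example, not part of the original messages or of Samba's code: a small Python triage helper that groups the dhcpd syslog lines quoted in the thread into one record per hook execution and flags the run that failed. The sample log is constructed from the thread's output, one entry per line; reading 2816 as a raw wait status (exit code 11) is an assumption about how dhcpd reports it.

```python
import re

# Constructed sample: the dhcpd syslog lines quoted in the thread, one entry per line.
SAMPLE_LOG = """\
Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1
"""

ENTRY = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) "
                   r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ARGV = re.compile(r"execute_statement argv\[(\d+)\] = (.*)")
EXIT = re.compile(r"execute: \S+ exit status (\d+)")


def failed_hook_runs(log_text):
    """Return one record per hook execution that dhcpd logged with a non-zero status."""
    runs, failures = {}, []  # runs: syslog PID -> state of the execution in progress
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (a := ARGV.match(msg)):
            if a[1] == "0":  # argv[0] marks the start of a new execution
                runs[pid] = {"argv": [], "errors": []}
            if pid in runs:
                runs[pid]["argv"].append(a[2])
        elif m["proc"] != "dhcpd" and pid in runs:
            runs[pid]["errors"].append(msg)  # hook output, logged under dhcpd's PID
        elif (e := EXIT.match(msg)) and pid in runs:
            run, status = runs.pop(pid), int(e[1])
            if status:
                # Assumption: the logged value is a raw wait(2) status,
                # so the script's own exit code is in the high byte.
                failures.append({"when": m["ts"], "argv": run["argv"],
                                 "raw_status": status, "exit_code": status >> 8,
                                 "errors": run["errors"]})
    return failures


if __name__ == "__main__":
    for failure in failed_hook_runs(SAMPLE_LOG):
        print(failure)
```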