[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates

Billy Bob billysbobs at yahoo.com
Fri Jan 11 17:44:48 UTC 2019


 

    On Friday, January 11, 2019 11:20 AM, Billy Bob via samba <samba at lists.samba.org> wrote:
 

 

    On Friday, January 11, 2019 10:44 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
 

 On Fri, 11 Jan 2019 16:13:50 +0000 (UTC)
Billy Bob <billysbobs at yahoo.com> wrote:


>>> Here is what the logs show WITHOUT the -d option:
>>> 
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID:
>>> 1:d4:be:d9:22:9f:7d Name: mgmt01 Jan 11 10:00:36 dc01 dhcpd[1704]:
>>> execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh Jan 11
>>> 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add Jan 11
>>> 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] =
>>> 1:d4:be:d9:22:9f:7d Jan 11 10:00:36 dc01 dhcpd[1704]:
>>> execute_statement argv[4] = mgmt01 Jan 11 10:00:36 dc01 sh[1704]:
>>> dns_tkey_gssnegotiate: TKEY is unacceptable Jan 11 10:00:36 dc01
>>> sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable Jan 11 10:00:36
>>> dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status
>>> 2816 Jan 11 10:00:36 dc01 dhcpd[1704]: reuse_lease: lease age 364
>>> (secs) under 25% threshold, reply with unaltered, existing lease for
>>> 172.20.10.165 Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPREQUEST for
>>> 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1 Jan 11
>>> 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to
>>> d4:be:d9:22:9f:7d (mgmt01) via eno1
>>> 
>> 
>> This shows the script is being run with the correct data, but for some
>> reason, your kerberos key isn't correct
>> 
>> What is in your ticket ?
>> 
>> Running 'klist -ce /tmp/dhcp-dyndns.cc' on my DC produces this:
>> 
>> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
>> Default principal: dhcpduser at SAMDOM.EXAMPLE.COM
>> 
>> Valid starting    Expires            Service principal
>> 11/01/19 10:12:50  11/01/19 20:12:50  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>>     renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
>> 11/01/19 10:12:50  11/01/19 20:12:50  DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM
>>     renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac 
>> 
>> And running 'ktutil' produces this:
>> 
>> root at dc4:~# ktutil
>> ktutil:  rkt /etc/dhcpduser.keytab
>> ktutil:  l
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1    1            dhcpduser at SAMDOM.EXAMPLE.COM
>>    2    1            dhcpduser at SAMDOM.EXAMPLE.COM
>>    3    1            dhcpduser at SAMDOM.EXAMPLE.COM
>>    4    1            dhcpduser at SAMDOM.EXAMPLE.COM
>>    5    1            dhcpduser at SAMDOM.EXAMPLE.COM
>> ktutil:  q
>> 
>> I would delete the ticket and keytab, recreate the keytab and then try
>> again.> 
>  
 > $ sudo klist -ce /tmp/dhcp-dyndns.cc
>  
> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> Default principal: dhcpduser at CORP.<DOMAIN>.COM> 
> 
> Valid starting       Expires              Service principal
> 01/11/2019 09:54:32  01/11/2019 19:54:32  krbtgt/CORP.<DOMAIN>.COM at CORP.<DOMAIN>.COM
>         renew until 01/12/2019 09:54:32, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 01/11/2019 09:54:32  01/11/2019 19:54:32  DNS/dc01.corp.<DOMAIN>.com at CORP.<DOMAIN>.COM
>         renew until 01/12/2019 09:54:32, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
> 
> 
> $ sudo ktutil
> 
> ktutil:  rkt /etc/dhcpduser.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    2                  dhcpduser at CORP.<DOMAIN>.COM
>    2    2                  dhcpduser at CORP.<DOMAIN>.COM
>    3    2                  dhcpduser at CORP.<DOMAIN>.COM
>    4    2                  dhcpduser at CORP.<DOMAIN>.COM
>    5    2                  dhcpduser at CORP.<DOMAIN>.COM
> 
> 
========================================================================
Deleted and recreated /etc/dhcpduser.keytab with same result for ticket/keytab, and the same errors when running the script.
   


More information about the samba mailing list