[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
Billy Bob
billysbobs at yahoo.com
Fri Jan 11 17:44:48 UTC 2019
On Friday, January 11, 2019 11:20 AM, Billy Bob via samba <samba at lists.samba.org> wrote:
On Friday, January 11, 2019 10:44 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
On Fri, 11 Jan 2019 16:13:50 +0000 (UTC)
Billy Bob <billysbobs at yahoo.com> wrote:
>>> Here is what the logs show WITHOUT the -d option:
>>>
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
>>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
>>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: reuse_lease: lease age 364 (secs) under 25% threshold, reply with unaltered, existing lease for 172.20.10.165
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
>>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1
>>>
>>
>> This shows the script is being run with the correct data, but for some
>> reason, your kerberos key isn't correct
>>
>> What is in your ticket ?
>>
>> Running 'klist -ce /tmp/dhcp-dyndns.cc' on my DC produces this:
>>
>> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
>> Default principal: dhcpduser at SAMDOM.EXAMPLE.COM
>>
>> Valid starting Expires Service principal
>> 11/01/19 10:12:50 11/01/19 20:12:50 krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>> renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>> 11/01/19 10:12:50 11/01/19 20:12:50 DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM
>> renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
>>
>> And running 'ktutil' produces this:
>>
>> root at dc4:~# ktutil
>> ktutil: rkt /etc/dhcpduser.keytab
>> ktutil: l
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>> 1 1 dhcpduser at SAMDOM.EXAMPLE.COM
>> 2 1 dhcpduser at SAMDOM.EXAMPLE.COM
>> 3 1 dhcpduser at SAMDOM.EXAMPLE.COM
>> 4 1 dhcpduser at SAMDOM.EXAMPLE.COM
>> 5 1 dhcpduser at SAMDOM.EXAMPLE.COM
>> ktutil: q
>>
>> I would delete the ticket and keytab, recreate the keytab and then try
>> again.
>
> $ sudo klist -ce /tmp/dhcp-dyndns.cc
>
> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> Default principal: dhcpduser at CORP.<DOMAIN>.COM
>
> Valid starting Expires Service principal
> 01/11/2019 09:54:32 01/11/2019 19:54:32 krbtgt/CORP.<DOMAIN>.COM at CORP.<DOMAIN>.COM
> renew until 01/12/2019 09:54:32, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 01/11/2019 09:54:32 01/11/2019 19:54:32 DNS/dc01.corp.<DOMAIN>.com at CORP.<DOMAIN>.COM
> renew until 01/12/2019 09:54:32, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
>
>
> $ sudo ktutil
>
> ktutil: rkt /etc/dhcpduser.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 2 dhcpduser at CORP.<DOMAIN>.COM
> 2 2 dhcpduser at CORP.<DOMAIN>.COM
> 3 2 dhcpduser at CORP.<DOMAIN>.COM
> 4 2 dhcpduser at CORP.<DOMAIN>.COM
> 5 2 dhcpduser at CORP.<DOMAIN>.COM
>
>
========================================================================
Deleted and recreated /etc/dhcpduser.keytab with same result for ticket/keytab, and the same errors when running the script.
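A failing dynamic-update hook like the one in this thread leaves DNS silently out of step with the leases dhcpd hands out, and dhcpd itself keeps ACKing, so the only trace is the execute/TKEY lines in syslog. The following is an added example, not part of the thread and not Rowland's dhcp-dyndns.sh: a small Python parser that groups each hook invocation (argv[0] through argv[4]), attaches any dns_tkey_gssnegotiate errors, and reports failed runs with the name and address whose record was not updated. It assumes the syslog layout quoted above, and it treats the logged "exit status" as the raw waitpid() value (2816 is 11 << 8, i.e. the script exited 11). The sample log is constructed from the lines quoted in the thread plus a second, invented successful run for mgmt02.

```python
"""Flag failed dhcpd dynamic-DNS hook runs from syslog lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the first run is the failure quoted in the thread,
# the second is an invented run that produced no error and no exit-status line.
SAMPLE_LOG = """\
Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1
Jan 11 10:05:02 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 11 10:05:02 dc01 dhcpd[1704]: execute_statement argv[1] = add
Jan 11 10:05:02 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.166
Jan 11 10:05:02 dc01 dhcpd[1704]: execute_statement argv[3] = 1:00:11:22:33:44:55
Jan 11 10:05:02 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt02
Jan 11 10:05:02 dc01 dhcpd[1704]: DHCPACK on 172.20.10.166 to 00:11:22:33:44:55 (mgmt02) via eno1
"""

ARGV_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ dhcpd\[\d+\]: execute_statement argv\[(\d+)\] = (.*)$")
ERR_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ sh\[\d+\]: (dns_tkey_gssnegotiate: .*)$")
EXIT_RE = re.compile(r"execute: (\S+) exit status (\d+)$")


@dataclass
class HookRun:
    timestamp: str
    argv: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    wait_status: Optional[int] = None  # None: dhcpd logged no non-zero status

    @property
    def exit_code(self) -> Optional[int]:
        """Assumption: dhcpd logs the raw waitpid() status (2816 == 11 << 8)."""
        if self.wait_status is None:
            return 0
        if self.wait_status & 0x7F:  # low bits set: terminated by a signal
            return None
        return (self.wait_status >> 8) & 0xFF

    @property
    def failed(self) -> bool:
        return self.wait_status is not None or bool(self.errors)


def parse_hook_runs(lines):
    """Group argv/error/exit-status lines into one HookRun per hook invocation."""
    runs: List[HookRun] = []
    current: Optional[HookRun] = None
    for line in lines:
        m = ARGV_RE.match(line)
        if m:
            ts, idx, val = m.group(1), int(m.group(2)), m.group(3).strip()
            if idx == 0:  # argv[0] marks the start of a new invocation
                current = HookRun(timestamp=ts)
                runs.append(current)
            if current is not None:
                current.argv.append(val)
            continue
        if current is None:
            continue
        m = ERR_RE.match(line)
        if m:
            current.errors.append(m.group(1))
            continue
        m = EXIT_RE.search(line)
        if m and current.argv and m.group(1) == current.argv[0]:
            current.wait_status = int(m.group(2))
    return runs


def failed_updates(lines):
    """Return (timestamp, action, ip, name, exit_code, errors) for each failed run."""
    report = []
    for run in parse_hook_runs(lines):
        if run.failed:
            action = run.argv[1] if len(run.argv) > 1 else None
            ip = run.argv[2] if len(run.argv) > 2 else None
            name = run.argv[4] if len(run.argv) > 4 else None
            report.append((run.timestamp, action, ip, name, run.exit_code, sorted(set(run.errors))))
    return report


if __name__ == "__main__":
    for ts, action, ip, name, code, errors in failed_updates(SAMPLE_LOG.splitlines()):
        print(f"{ts}: DDNS {action} for {name} ({ip}) failed, exit {code}: {'; '.join(errors)}")
```

Fed the journal with something like `journalctl -u isc-dhcp-server -o short | python3 ddns_check.py`, the same parser gives a per-lease list of records that were never written, which is the list to reconcile against the zone once the keytab and ticket problem is fixed.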