[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates

Rowland Penny rpenny at samba.org
Fri Jan 11 18:04:20 UTC 2019


On Fri, 11 Jan 2019 17:44:48 +0000 (UTC)
Billy Bob via samba <samba at lists.samba.org> wrote:

> On Friday, January 11, 2019 11:20 AM, Billy Bob via samba
> <samba at lists.samba.org> wrote:
> 
> On Friday, January 11, 2019 10:44 AM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> 
> On Fri, 11 Jan 2019 16:13:50 +0000 (UTC)
> Billy Bob <billysbobs at yahoo.com> wrote:
> 
> >>> Here is what the logs show WITHOUT the -d option:
> >>> 
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
> >>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
> >>> Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: reuse_lease: lease age 364 (secs) under 25% threshold, reply with unaltered, existing lease for 172.20.10.165
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
> >>> Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1
> >>> 
> >> 
> >> This shows the script is being run with the correct data, but for
> >> some reason, your kerberos key isn't correct
> >> 
> >> What is in your ticket ?
> >> 
> >> Running 'klist -ce /tmp/dhcp-dyndns.cc' on my DC produces this:
> >> 
> >> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> >> Default principal: dhcpduser at SAMDOM.EXAMPLE.COM
> >> 
> >> Valid starting    Expires            Service principal
> >> 11/01/19 10:12:50  11/01/19 20:12:50
> >> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> >>     renew until 12/01/19 10:12:50, Etype (skey, tkt):
> >>aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
> >> 11/01/19 10:12:50  11/01/19 20:12:50
> >> DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM
> >>     renew until 12/01/19 10:12:50, Etype (skey, tkt):
> >>arcfour-hmac, arcfour-hmac 
> >> 
> >> And running 'ktutil' produces this:
> >> 
> >> root at dc4:~# ktutil
> >> ktutil:  rkt /etc/dhcpduser.keytab
> >> ktutil:  l
> >> slot KVNO Principal
> >> ---- ----
> >> ---------------------------------------------------------------------
> >>    1    1            dhcpduser at SAMDOM.EXAMPLE.COM
> >>    2    1            dhcpduser at SAMDOM.EXAMPLE.COM
> >>    3    1            dhcpduser at SAMDOM.EXAMPLE.COM
> >>    4    1            dhcpduser at SAMDOM.EXAMPLE.COM
> >>    5    1            dhcpduser at SAMDOM.EXAMPLE.COM
> >> ktutil:  q
> >> 
> >> I would delete the ticket and keytab, recreate the keytab and then
> >> try again.
> >  
>  > $ sudo klist -ce /tmp/dhcp-dyndns.cc
> >  
> > Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> > Default principal: dhcpduser at CORP.<DOMAIN>.COM
> > 
> > Valid starting       Expires              Service principal
> > 01/11/2019 09:54:32  01/11/2019 19:54:32
> > krbtgt/CORP.<DOMAIN>.COM at CORP.<DOMAIN>.COM
> >         renew until 01/12/2019 09:54:32, Etype (skey, tkt):
> >aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> > 01/11/2019 09:54:32  01/11/2019 19:54:32
> > DNS/dc01.corp.<DOMAIN>.com at CORP.<DOMAIN>.COM
> >         renew until 01/12/2019 09:54:32, Etype (skey, tkt):
> >arcfour-hmac, arcfour-hmac
> > 
> > 
> > $ sudo ktutil
> > 
> > ktutil:  rkt /etc/dhcpduser.keytab
> > ktutil:  l
> > slot KVNO Principal
> > ---- ----
> > ---------------------------------------------------------------------
> >    1    2                  dhcpduser at CORP.<DOMAIN>.COM
> >    2    2                  dhcpduser at CORP.<DOMAIN>.COM
> >    3    2                  dhcpduser at CORP.<DOMAIN>.COM
> >    4    2                  dhcpduser at CORP.<DOMAIN>.COM
> >    5    2                  dhcpduser at CORP.<DOMAIN>.COM
> > 
> > 
> ========================================================================
> Deleted and recreated /etc/dhcpduser.keytab with same result for
> ticket/keytab, and the same errors when running the script. 

OK, you are now running my scripts as found on the Samba wiki, so it
should work.

Let's check some things, can you post the contents of the following
files:

/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf
smb.conf
your named.conf file(s)

What OS is this on ?
What version of Bind9 ?

Is a firewall running ?
Is Selinux or Apparmor running ?

You might have posted some of this before, but please post it again.

Rowland
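The log excerpt quoted above is the kind of thing an operator wants to catch automatically rather than by reading syslog: dhcpd ran the hook with sane arguments, the hook's GSS-TSIG negotiation failed ("TKEY is unacceptable"), and dhcpd recorded a non-zero exit status, yet the lease was still handed out. The following is an added example by the editor, not code from the thread, from the Samba wiki scripts or from ISC dhcpd. It parses constructed log lines modelled on the excerpt (the second, successful run for "mgmt02" is made up for contrast), groups them into one record per hook invocation, keeps the script's own output, and decodes the exit status. Two assumptions are labelled in the code: that the hook takes its arguments in the order the log shows (action, IP, DHCID, hostname), and that the number dhcpd logs after "exit status" is a raw wait(2) status, so 2816 decodes to exit code 11.

```python
import re

# Constructed sample log, modelled on the dhcpd excerpt quoted in the thread.
# The mgmt02 run (exit status 0, no script output) is invented to show the
# contrast between a failed and a successful run of the hook.
SAMPLE_LOG = """\
Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[1] = add
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.165
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
Jan 11 10:00:36 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt01
Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 10:00:36 dc01 sh[1704]: dns_tkey_gssnegotiate: TKEY is unacceptable
Jan 11 10:00:36 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
Jan 11 10:00:36 dc01 dhcpd[1704]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1
Jan 11 10:02:10 dc01 dhcpd[1704]: Commit: IP: 172.20.10.166 DHCID: 1:00:11:22:33:44:55 Name: mgmt02
Jan 11 10:02:10 dc01 dhcpd[1704]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jan 11 10:02:10 dc01 dhcpd[1704]: execute_statement argv[1] = add
Jan 11 10:02:10 dc01 dhcpd[1704]: execute_statement argv[2] = 172.20.10.166
Jan 11 10:02:10 dc01 dhcpd[1704]: execute_statement argv[3] = 1:00:11:22:33:44:55
Jan 11 10:02:10 dc01 dhcpd[1704]: execute_statement argv[4] = mgmt02
Jan 11 10:02:10 dc01 dhcpd[1704]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 0
"""

# Classic syslog layout: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ARGV_RE = re.compile(r"execute_statement argv\[(\d+)\] = (.*)")
EXIT_RE = re.compile(r"execute: (\S+) exit status (\d+)")


def decode_wait_status(status):
    """Decode a raw wait(2) status word into an exit code or a signal number.

    Assumption: dhcpd logs the raw status from waitpid(), so a normal exit
    with code N shows up as N << 8 (2816 -> exit code 11)."""
    if status & 0x7F:  # low seven bits set: the child was killed by a signal
        return {"exit_code": None, "signal": status & 0x7F}
    return {"exit_code": (status >> 8) & 0xFF, "signal": None}


def parse_hook_runs(text):
    """Group log lines into one record per run of dhcpd's execute() hook.

    A run starts at 'execute_statement argv[0]' and ends at the matching
    'execute: ... exit status N' line. Lines logged by anything other than
    dhcpd while a run is open are kept as the hook script's own output."""
    runs, current = [], None
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg").strip()
        a = ARGV_RE.match(msg)
        if a:
            if int(a.group(1)) == 0:  # argv[0] opens a new run
                current = {"ts": m.group("ts"), "host": m.group("host"),
                           "argv": [], "output": [],
                           "exit_code": None, "signal": None}
                runs.append(current)
            if current is not None:
                current["argv"].append(a.group(2).strip())
            continue
        if current is None:
            continue
        e = EXIT_RE.match(msg)
        if e:
            current.update(decode_wait_status(int(e.group(2))))
            current = None  # run closed
        elif prog != "dhcpd":
            current["output"].append(msg)
    return runs


def failed_runs(runs):
    """Return the runs worth alerting on: non-zero exit, death by signal, or
    any output from the script. Lease details are pulled out of argv on the
    assumption that the hook is called as: script action ip dhcid hostname."""
    failures = []
    for r in runs:
        if r["exit_code"] == 0 and r["signal"] is None and not r["output"]:
            continue
        argv = r["argv"] + [None] * 5  # pad so short argv lists do not raise
        failures.append({
            "ts": r["ts"], "host": r["host"], "script": argv[0],
            "action": argv[1], "ip": argv[2], "dhcid": argv[3], "name": argv[4],
            "exit_code": r["exit_code"], "signal": r["signal"],
            "output": r["output"],
        })
    return failures


if __name__ == "__main__":
    for f in failed_runs(parse_hook_runs(SAMPLE_LOG)):
        print(f"{f['ts']} {f['host']}: dyndns {f['action']} {f['name']} "
              f"({f['ip']}) failed, exit {f['exit_code']}: "
              f"{'; '.join(f['output'])}")
```

Run against the sample it reports only the mgmt01 run, with its two "TKEY is unacceptable" lines and exit code 11; the same parser pointed at a real journal makes the silent failure mode in the thread (lease acknowledged, DNS never updated) visible as a counter or alert instead of something found by reading syslog after the fact.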


