[Samba] Issue with DHCP Updating DNS Records on AD DC

Ross Harms rharms at armorel.k12.ar.us
Mon Jul 1 15:36:11 UTC 2019


Greetings,

I am in the process of replacing my MicroFocus (Novell) eDirectory system
with a Samba-based Active Directory system.  I've got three domain
controllers built, and they seem to be humming along nicely. Server OS is
Ubuntu 18.04 patched current.  I started off with the Samba 4.7 packages
included in the default Ubuntu repository, but have since upgraded to Samba
4.10 using packages from Louis Van Belle's repository. I'm using Bind9 as
my DNS backend via BIND9_DLZ, and that all seems to be working as it
should.

The place I'm getting hung up is with dynamic DNS updates from DHCP. I
followed this set of instructions
<https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9>
from the Samba wiki, but haven't been able to get it working successfully.
DHCP itself works fine, but it's not updating DNS.  When I look in syslog,
this is an example of what I see:

Jul  1 10:15:57 dc1 dhcpd[1273]: Commit: IP: 10.42.4.11 DHCID: a4:31:35:b8:e0:15 Name: AHS-MAD-iPod-02
Jul  1 10:15:57 dc1 dhcpd[1273]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jul  1 10:15:57 dc1 dhcpd[1273]: execute_statement argv[1] = add
Jul  1 10:15:57 dc1 dhcpd[1273]: execute_statement argv[2] = 10.42.4.11
Jul  1 10:15:57 dc1 dhcpd[1273]: execute_statement argv[3] = a4:31:35:b8:e0:15
Jul  1 10:15:57 dc1 dhcpd[1273]: execute_statement argv[4] = AHS-MAD-iPod-02
Jul  1 10:15:57 dc1 dhcpd: 01-07-19 10:15:57 [dyndns] : Getting new ticket, old one has expired
Jul  1 10:15:57 dc1 sh[1273]: kinit: Pre-authentication failed: Permission denied while getting initial credentials
Jul  1 10:15:57 dc1 dhcpd: 01-07-19 10:15:57 [dyndns] : dhcpd kinit for dynamic DNS failed
Jul  1 10:15:57 dc1 dhcpd[1273]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 256

So, as far as I can tell, dhcpd is providing the correct variable info, and
the dhcp-dyndns script is attempting to run, but it's having Kerberos
trouble.  If I check /tmp/ I don't see that the dhcp-dyndns.cc file is ever
created, which explains why it bombs out when the script tries to verify
it.  If I log in as root and manually run the kinit line, the
dhcp-dyndns.cc file is created properly.  If I run a klist against that
created file, it shows the ticket as existing and being valid.  But, the
next time the script runs, I get the same result.  It says the ticket is
expired (even though it's not), attempts to kinit a new one, fails, and the
script quits there.

Fairly sure it's a permissions issue somewhere, but I can't seem to figure
out where.  I have made, and double checked, the changes to the AppArmor
profile for dhcpd.  I adjusted it further to

 /usr/bin/kinit rwix,
 /usr/bin/klist rix,

to see if that would clear it up, but no such luck.

Appreciate any help that you can offer.

--
*Ross Harms*
District Technology Coordinator
Armorel School District
P.O. Box 99
Armorel, AR 72310
email: rharms at armorel.k12.ar.us

