[Samba] Issue with DHCP Updating DNS Records on AD DC

gabben gabbenx at gmail.com
Mon Jul 1 15:49:35 UTC 2019

This line should be in your bind named.conf … in the options {} section.

        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

and the permissions on the dns.keytab file should allow the bind process user to read that file. Also, check permissions on the “bind-dns” folder to ensure that is readable too.

I’ve had this same problem in the past.

> On Jul 1, 2019, at 8:36 AM, Ross Harms via samba <samba at lists.samba.org> wrote:
> Greetings,
> I am in the process of replacing my MicroFocus (Novell) eDirectory system
> with a Samba-based Active Directory system.  I've got three domain
> controllers built, and they seem to be humming along nicely. Server OS is
> Ubuntu 18.04 patched current.  I started off with the Samba 4.7 packages
> included in the default Ubuntu repository, but have since upgraded to Samba
> 4.10 using packages from Louis Van Belle's repository. I'm using Bind9 as
> my DNS backend via BIND9_DLZ, and that all seems to be working as it
> should.
> The place I'm getting hung up is with dynamic dns updates from DHCP. I
> followed this set of instructions
> <https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9>
> from
> the Samba wiki, but haven't been able to get it working successfully.  DHCP
> itself works fine, but it's not updating DNS.  When I look in syslog, this
> is an example of what I see
> Jul  1 10:15:57 dc1 dhcpd[1273]: Commit: IP: DHCID:
> a4:31:35:b8:e0:15 Name: AHS-MAD-iPod-02
> Jul  1 10:15:57 dc1 dhcpd[1273]: execute_statement argv[0] =
> /usr/local/bin/dhcp-dyndns.sh
> Jul  1 10:15:57 dc1 dhcpd[1273]: execute_statement argv[1] = add
> Jul  1 10:15:57 dc1 dhcpd[1273]: execute_statement argv[2] =
> Jul  1 10:15:57 dc1 dhcpd[1273]: execute_statement argv[3] =
> a4:31:35:b8:e0:15
> Jul  1 10:15:57 dc1 dhcpd[1273]: execute_statement argv[4] = AHS-MAD-iPod-02
> Jul  1 10:15:57 dc1 dhcpd: 01-07-19 10:15:57 [dyndns] : Getting new ticket,
> old one has expired
> Jul  1 10:15:57 dc1 sh[1273]: kinit: Pre-authentication failed: Permission
> denied while getting initial credentials
> Jul  1 10:15:57 dc1 dhcpd: 01-07-19 10:15:57 [dyndns] : dhcpd kinit for
> dynamic DNS failed
> Jul  1 10:15:57 dc1 dhcpd[1273]: execute: /usr/local/bin/dhcp-dyndns.sh
> exit status 256
> So, as far as I can tell, dhcpd is providing the correct variable info, and
> the dhcp-dyndns script is attempting to run, but it's having Kerberos
> trouble.  If I check /tmp/ I don't see that the dhcp-dyndns.cc file ever
> creates, which explains why it bombs out when the script tries to verify
> it.  If I log in as root and manually run the kinit line, the
> dhcp-dyndns.cc file creates properly.  If I run a klist against that
> created file, it shows the ticket as existing and being valid.  But, the
> next time the script runs, I get the same result.  It says the ticket is
> expired (even though it's not), attempts to kinit a new one, fails, and the
> script quits there.
> Fairly sure it's a permissions issue somewhere, but I can't seem to figure
> out where.  I have made, and double checked, the changes to the AppArmor
> profile for dhcpd.  I adjusted it further to
> /usr/bin/kinit rwix,
> /usr/bin/klist rix,
> to see if that would clear it up, but no such luck.
> Appreciate any help that you can offer.
> --
> *Ross Harms*
> District Technology Coordinator
> Armorel School District
> P.O. Box 99
> Armorel, AR 72310
> email: rharms at armorel.k12.ar.us
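The two conditions gabben's reply names (the `tkey-gssapi-keytab` line in the `options {}` section and read access for the BIND service user to `dns.keytab` and its directory) can be checked with the script below. It is an added example, not part of either message in this thread and not Samba or BIND project code. The default paths and the service user name `bind` are assumptions taken from Debian/Ubuntu packaging, and the script relies on GNU `stat -c` and `id -G`, so it is Linux-specific.

```shell
#!/bin/sh
# Verifies the two prerequisites named in the reply above for BIND9_DLZ
# GSS-TSIG updates: named.conf carries tkey-gssapi-keytab in its
# options {} block, and the BIND service user can read the keytab and
# search the directory that holds it.
# Assumptions (not from the thread): Debian/Ubuntu default paths, the
# service user "bind", and GNU coreutils (stat -c, id -G).

set -u

# Print the keytab path configured by tkey-gssapi-keytab in file $1
# (first match, quotes stripped); print nothing if the option is absent.
configured_keytab() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# Pure permission-bit logic, kept separate so it can be exercised without
# a second account. $1: octal mode (e.g. 640 or 2750); $2: 1 if the user
# owns the path; $3: 1 if the user is in the path's group; $4: r (read)
# or x (search, needed on directories). Only the one class that applies
# to the user is consulted, as the kernel does.
mode_grants() {
    mode="$1"; is_owner="$2"; in_group="$3"; want="${4:-r}"
    bit=4; [ "$want" = "x" ] && bit=1
    mode=$(printf '%s\n' "$mode" | sed 's/.*\(...\)$/\1/')   # drop setuid/setgid/sticky digit
    u=$(( (mode / 100) % 10 )); g=$(( (mode / 10) % 10 )); o=$(( mode % 10 ))
    applicable=$o
    if [ "$is_owner" = 1 ]; then applicable=$u
    elif [ "$in_group" = 1 ]; then applicable=$g
    fi
    [ $(( applicable & bit )) -ne 0 ]
}

# Resolve ownership of $1 on this host and decide whether user $2 (name
# or uid) has permission $3 on it. Returns 2 if the path or user is unknown.
user_can_access() {
    path="$1"; user="$2"; want="${3:-r}"
    info=$(stat -c '%a %u %g' "$path" 2>/dev/null) || return 2
    set -- $info
    mode="$1"; owner_uid="$2"; group_gid="$3"
    uid=$(id -u "$user" 2>/dev/null) || return 2
    is_owner=0; [ "$owner_uid" = "$uid" ] && is_owner=1
    in_group=0
    for gid in $(id -G "$user" 2>/dev/null); do
        [ "$gid" = "$group_gid" ] && in_group=1
    done
    mode_grants "$mode" "$is_owner" "$in_group" "$want"
}

# $1: named.conf (or the included options file); $2: BIND service user.
check_dns_keytab() {
    conf="$1"; user="$2"
    keytab=$(configured_keytab "$conf")
    if [ -z "$keytab" ]; then
        echo "FAIL: no tkey-gssapi-keytab in $conf (add it to the options {} section)"
        return 1
    fi
    rc=0
    dir=$(dirname "$keytab")
    user_can_access "$dir" "$user" x || { echo "FAIL: $user cannot search $dir"; rc=1; }
    user_can_access "$keytab" "$user" r || { echo "FAIL: $user cannot read $keytab"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $user can read $keytab"
    return "$rc"
}

# Run the check when invoked directly with --check; paths are overridable.
if [ "${1:-}" = "--check" ]; then
    check_dns_keytab "${NAMED_CONF:-/etc/bind/named.conf.options}" "${BIND_USER:-bind}"
fi
```

Run it as `NAMED_CONF=/etc/bind/named.conf.options BIND_USER=bind sh check-dns-keytab.sh --check` (file name is arbitrary), or source it and call `user_can_access` directly against any other keytab and account you want to verify. It only reads mode bits, so it reports what the service user would see once the script has been granted the same access as BIND; AppArmor confinement is a separate layer that it does not inspect.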
