[Samba] AD DC DynDns update problem

me at tdiehl.org me at tdiehl.org
Wed Jun 23 21:06:37 UTC 2021


On Wed, 23 Jun 2021, Rowland Penny via samba wrote:

> On Wed, 2021-06-23 at 15:49 -0400, me at tdiehl.org wrote:
>> Hi Rowland,
>>
>> On Wed, 23 Jun 2021, Rowland Penny via samba wrote:
>>
>>> On Wed, 2021-06-23 at 12:33 -0400, Tom Diehl via samba wrote:
>>>> Hi,
>>>>
>>>> I have an AD domain running a 4.12.15 DC that I am trying to get the
>>>> dyndns update script working on. I have it configured as per
>>>> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>>>>
>>>> Kerberos appears to be working as the script does not complain that
>>>> it cannot get a ticket, but when the script tries to run samba-tool I
>>>> get the following:
>>>>
>>>> Jun 23 11:49:27 pht-vdc1 dhcpd[1397671]: samba-tool dns add pht-vdc1 mydomain.com DESKTOP-9L3AOBC A 192.168.1.194 -k yes
>>>> Jun 23 11:49:27 pht-vdc1 dhcpd[1397671]: ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
>>>
>>> What OS are you using ?
>>
>> RHEL 8. It is a new vm with self compiled instance of Samba and I am
>> not running
>> sssd. :-)
>>
>>> Who does 'dhcpd' run as ?
>>
>> It runs as dhcpd.
>>
>> For completeness here are the permissions on the related files:
>>
>> (pht-vdc1 pts8) # ll /etc/dhcpduser.keytab
>> -r--------. 1 dhcpd dhcpd 216 Jun 18 11:48 /etc/dhcpduser.keytab
>> (pht-vdc1 pts8) # la /etc/dhcp/scripts/
>> total 100
>> drwxr-x---. 2 dhcpd dhcpd   239 Jun 23 10:27 .
>> drwxr-x---. 4 dhcpd dhcpd   190 Jun 22 15:31 ..
>> -rwxr-xr-x. 1 dhcpd dhcpd 13569 Jun 23 10:27 dhcp-dyndns.sh
>> (pht-vdc1 pts8) #
>>
>> Hopefully you can spot what I am missing.
>
> I use Raspbian (but was using Devuan) and whilst isc-dhcp-server runs
> as dhcpd, it runs the script as root. I also have same permissions as
> you on the keytab and script, but they belong to root:root, so try
> changing the ownership of your keytab.

Changed the keytab to root:root as suggested but there was no change.
I would think the keytab only gets accessed when the krb ticket needs to
be renewed. Am I wrong about that?

In addition I did an "su - dhcpd" and ran the following with the keytab owned
by root:

(pht-vdc1 5) $ kinit -F -k -t /etc/dhcpduser.keytab dhcpduser@MYDOMAIN.COM
kinit: Pre-authentication failed: Permission denied while getting initial credentials
(pht-vdc1 5) $

Same command with the keytab set to dhcpd:dhcpd and I get the following:

(pht-vdc1 5) $ kinit -F -k -t /etc/dhcpduser.keytab dhcpduser@MYDOMAIN.COM
(pht-vdc1 5) $ klist
Ticket cache: FILE:/tmp/dhcp-dyndns.cc
Default principal: dhcpduser@MYDOMAIN.COM

Valid starting       Expires              Service principal
06/23/2021 16:57:14  06/24/2021 02:57:14  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
         renew until 06/24/2021 16:57:14
(pht-vdc1 5) $

and for completeness:

(pht-vdc1 5) $ samba-tool dns add pht-vdc1 mydomain.com Bambi A 192.168.1.214 -k yes
ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
   File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
     return self.run(*args, **kwargs)
   File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 945, in run
     raise e
   File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 941, in run
     0, server, zone, name, add_rec_buf, None)
(pht-vdc1 5) $

In thinking about this, the only difference in the way this DC is built vs the other 2
domains where this works is that I use rfc2307 on the working domains and on this one I use rid.
I do not think that matters, but I thought I would mention it just in case.

Regards,

-- 
Tom			me at tdiehl.org
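The two checks exercised above (can the script's uid read the keytab and obtain a ticket, and does the DNS server then authorize that principal) are separable, and the post shows them failing separately: kinit fails with "Permission denied" when the keytab is root-owned, while samba-tool dns add fails with WERR_ACCESS_DENIED even after kinit succeeds. The following is an added example, not the thread's script and not the Samba wiki's dhcp-dyndns.sh: a pre-flight wrapper that verifies the keytab is owned by and private to the calling uid before kinit, and reports a denial after a good ticket as an authorization problem rather than a file-permission one. The paths, principal and host names are assumptions taken from the post; the DnsAdmins hint reflects the wiki procedure the post links to.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba wiki). Run as the uid that
# dhcpd actually hands the script to. All names below are assumptions.

# check_keytab KEYTAB
# The keytab is a long-lived credential: it must be owned by the calling uid
# and readable by nobody else. Returns 0 if so, 1 otherwise.
check_keytab() {
    kt=$1
    [ -f "$kt" ] || { echo "keytab $kt: no such file" >&2; return 1; }
    # GNU stat first, BSD stat as a fallback.
    owner=$(stat -c '%u' "$kt" 2>/dev/null || stat -f '%u' "$kt")
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt")
    me=$(id -u)
    if [ "$owner" != "$me" ]; then
        echo "keytab $kt: owned by uid $owner but running as uid $me" >&2
        return 1
    fi
    case "$mode" in
        400|600) ;;
        *) echo "keytab $kt: mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
    return 0
}

# dyndns_add KEYTAB PRINCIPAL DC ZONE NAME IP
# Obtain a TGT from the keytab into a private cache, then add the A record.
# A kinit failure is a credential/file problem; WERR_ACCESS_DENIED after a
# successful kinit means the KDC issued the ticket and the denial comes from
# the DNS server's authorization of that principal.
dyndns_add() {
    kt=$1; princ=$2; dc=$3; zone=$4; name=$5; ip=$6
    check_keytab "$kt" || return 1
    KRB5CCNAME=FILE:/tmp/dhcp-dyndns.cc; export KRB5CCNAME
    if ! kinit -k -t "$kt" "$princ"; then
        echo "kinit failed for $princ from $kt (keytab unreadable or stale key)" >&2
        return 1
    fi
    if ! samba-tool dns add "$dc" "$zone" "$name" A "$ip" -k yes; then
        echo "dns add denied with a valid ticket: check $princ's DNS rights," >&2
        echo "e.g. samba-tool group listmembers DnsAdmins" >&2
        kdestroy
        return 2
    fi
    kdestroy
    return 0
}

# Usage (assumed names), as the script user, e.g. after: su -s /bin/sh - dhcpd
# dyndns_add /etc/dhcpduser.keytab dhcpduser@MYDOMAIN.COM pht-vdc1 mydomain.com DESKTOP-9L3AOBC 192.168.1.194
```

Running check_keytab under the dhcpd account is the quick way to reproduce the first failure in the post without touching the KDC; a keytab that is root-owned or group/world-readable is rejected before any network call, and the exit code distinguishes a file problem (1) from a DNS authorization problem (2).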