[Samba] AD DC DynDns update problem

Rowland Penny rpenny at samba.org
Wed Jun 23 21:22:42 UTC 2021


On Wed, 2021-06-23 at 17:06 -0400, me at tdiehl.org wrote:
> On Wed, 23 Jun 2021, Rowland Penny via samba wrote:
> 
> > On Wed, 2021-06-23 at 15:49 -0400, me at tdiehl.org wrote:
> > > Hi Rowland,
> > > 
> > > On Wed, 23 Jun 2021, Rowland Penny via samba wrote:
> > > 
> > > > On Wed, 2021-06-23 at 12:33 -0400, Tom Diehl via samba wrote:
> > > > > Hi,
> > > > > 
> > > > > I have an AD domain running a 4.12.15 DC that I am trying to get the
> > > > > dyndns update script working on. I have it configured as per
> > > > > https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> > > > > 
> > > > > Kerberos appears to be working as the script does not complain that
> > > > > it cannot get a ticket, but when the script tries to run samba-tool
> > > > > I get the following:
> > > > > 
> > > > > Jun 23 11:49:27 pht-vdc1 dhcpd[1397671]: samba-tool dns add pht-vdc1 mydomain.com DESKTOP-9L3AOBC A 192.168.1.194 -k yes
> > > > > Jun 23 11:49:27 pht-vdc1 dhcpd[1397671]: ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
> > > > 
> > > > What OS are you using?
> > > 
> > > RHEL 8. It is a new VM with a self-compiled instance of Samba and I am
> > > not running sssd. :-)
> > > 
> > > > Who does 'dhcpd' run as ?
> > > 
> > > It runs as dhcpd.
> > > 
> > > For completeness here are the permissions on the related files:
> > > 
> > > (pht-vdc1 pts8) # ll /etc/dhcpduser.keytab
> > > -r--------. 1 dhcpd dhcpd 216 Jun 18 11:48 /etc/dhcpduser.keytab
> > > pht-vdc1 pts8) # la /etc/dhcp/scripts/
> > > total 100
> > > drwxr-x---. 2 dhcpd dhcpd   239 Jun 23 10:27 .
> > > drwxr-x---. 4 dhcpd dhcpd   190 Jun 22 15:31 ..
> > > -rwxr-xr-x. 1 dhcpd dhcpd 13569 Jun 23 10:27 dhcp-dyndns.sh
> > > (pht-vdc1 pts8) #
> > > 
> > > Hopefully you can spot what I am missing.
> > 
> > I use Raspbian (but was using Devuan) and whilst isc-dhcp-server runs
> > as dhcpd, it runs the script as root. I also have the same permissions as
> > you on the keytab and script, but they belong to root:root, so try
> > changing the ownership of your keytab.
> 
> Changed the keytab to root:root as suggested but there was no change.
> I would think the keytab only gets accessed when the krb ticket needs to
> be renewed. Am I wrong about that?
> 
> In addition I did an "su - dhcpd" and ran the following with the keytab
> owned by root:
> 
> (pht-vdc1 5) $ kinit -F -k -t /etc/dhcpduser.keytab dhcpduser@MYDOMAIN.COM
> kinit: Pre-authentication failed: Permission denied while getting initial credentials
> (pht-vdc1 5) $
> 
> Same command with the keytab set for dhcpd:dhcpd and I get the following:
> 
> (pht-vdc1 5) $ kinit -F -k -t /etc/dhcpduser.keytab dhcpduser@MYDOMAIN.COM
> (pht-vdc1 5) $ klist
> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> Default principal: dhcpduser@MYDOMAIN.COM
> 
> Valid starting       Expires              Service principal
> 06/23/2021 16:57:14  06/24/2021 02:57:14  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
>          renew until 06/24/2021 16:57:14
> (pht-vdc1 5)
> 
> and for completeness:
> 
> (pht-vdc1 5) $ samba-tool dns add pht-vdc1 mydomain.com Bambi A 192.168.1.214 -k yes
> ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
>    File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 945, in run
>      raise e
>    File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 941, in run
>      0, server, zone, name, add_rec_buf, None)
> (pht-vdc1 5) $
> 
> In thinking about this, the only difference in the way this DC is built
> vs. the other 2 domains where this works is that I use rfc2307 on the
> working domains and on this one I use rid. I do not think that matters,
> but I thought I would mention it just in case.
> 
> Regards,


The winbind backend should have no bearing here.
I would also expect 'samba-tool dns add pht-vdc1 mydomain.com Bambi A
192.168.1.214 -k yes' to fail when run from the command line. Try this
instead:

samba-tool dns add pht-vdc1 mydomain.com Bambi A 192.168.1.214 --krb5-ccache=/tmp/dhcp-dyndns.cc

I have never run the script on a Red Hat distro, but know it works on
Debian-based distros. Perhaps it is something to do with SELinux? I do
seem to remember reports of it running on CentOS.

Rowland
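Added example, not the wiki's dhcp-dyndns.sh and not code from either poster: a small POSIX sh wrapper for the two steps the thread turns on, checking that the keytab is readable by (and only by) the user the hook runs as, then getting a ticket into a dedicated cache and calling samba-tool with --krb5-ccache as suggested above. The keytab path, principal, cache file, DC name and zone are taken from the thread; GNU stat, kinit and samba-tool on the DC are assumed.

```shell
#!/bin/sh
# Added example, not the wiki's dhcp-dyndns.sh: the Kerberos steps that script
# relies on, with a permission check that separates "keytab not readable by the
# user running the hook" from "ticket sitting in a cache samba-tool is not using".
# Assumed values (taken from the thread): keytab, principal, cache file, DC, zone.
# Requires GNU stat (Linux), MIT or Heimdal kinit, and samba-tool.

KEYTAB="${KEYTAB:-/etc/dhcpduser.keytab}"
PRINCIPAL="${PRINCIPAL:-dhcpduser@MYDOMAIN.COM}"
CCACHE="${CCACHE:-/tmp/dhcp-dyndns.cc}"

# keytab_ok FILE: return 0 if FILE is readable by the current user and by
# nobody else (mode 400 or 600). A keytab the hook's user cannot read shows up
# as "kinit: Pre-authentication failed: Permission denied"; a keytab that
# group/other can read hands out the service's long-term key, so refuse it.
keytab_ok() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "keytab $f is not readable by $(id -un)" >&2
        return 1
    fi
    mode=$(stat -c %a "$f")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "keytab $f has mode $mode; expected 400 or 600" >&2
           return 2 ;;
    esac
}

# get_ticket: obtain a TGT for PRINCIPAL from KEYTAB into the dedicated cache
# file (-c) rather than whatever the user's default cache happens to be.
get_ticket() {
    keytab_ok "$KEYTAB" || return 1
    kinit -F -k -t "$KEYTAB" -c "$CCACHE" "$PRINCIPAL"
}

# dns_add DC ZONE NAME IP: add an A record, pointing samba-tool at the cache
# kinit just wrote via --krb5-ccache (as in the reply above) instead of
# "-k yes", which relies on samba-tool locating the default cache itself.
dns_add() {
    samba-tool dns add "$1" "$2" "$3" A "$4" --krb5-ccache="$CCACHE"
}

# Usage from the DHCP hook, e.g. on a lease commit:
#   get_ticket && dns_add pht-vdc1 mydomain.com DESKTOP-9L3AOBC 192.168.1.194
```

Running keytab_ok by hand as the dhcpd user (su - dhcpd) reproduces the distinction the thread stumbled on: a keytab owned by root with mode 400 fails the readability test, while one owned by dhcpd passes.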