[Samba] AD DC DynDns update problem

me at tdiehl.org me at tdiehl.org
Wed Jun 23 22:09:51 UTC 2021


On Wed, 23 Jun 2021, Rowland Penny via samba wrote:

> On Wed, 2021-06-23 at 17:06 -0400, me at tdiehl.org wrote:
>> On Wed, 23 Jun 2021, Rowland Penny via samba wrote:
>>
>>> On Wed, 2021-06-23 at 15:49 -0400, me at tdiehl.org wrote:
>>>> Hi Rowland,
>>>>
>>>> On Wed, 23 Jun 2021, Rowland Penny via samba wrote:
>>>>
>>>>> On Wed, 2021-06-23 at 12:33 -0400, Tom Diehl via samba wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have an AD domain running a 4.12.15 DC that I am trying to
>>>>>> get
>>>>>> the
>>>>>> dyndns update
>>>>>> script working on. I have it configured as per
>>>>>> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>>>>>>
>>>>>> Kerberos appears to be working as the script does not
>>>>>> complain
>>>>>> that
>>>>>> it cannot get
>>>>>> a ticket but when the script tries to run samba-tool I get
>>>>>> the
>>>>>> following:
>>>>>>
>>>>>> Jun 23 11:49:27 pht-vdc1 dhcpd[1397671]: samba-tool dns add
>>>>>> pht-
>>>>>> vdc1
>>>>>> mydomain.com DESKTOP-9L3AOBC A 192.168.1.194 -k yes
>>>>>> Jun 23 11:49:27 pht-vdc1 dhcpd[1397671]: ERROR(runtime):
>>>>>> uncaught
>>>>>> exception - (5, 'WERR_ACCESS_DENIED')
>>>>>
>>>>> What OS are you using ?
>>>>
>>>> RHEL 8. It is a new vm with self compiled instance of Samba and I
>>>> am
>>>> not running
>>>> sssd. :-)
>>>>
>>>>> Who does 'dhcpd' run as ?
>>>>
>>>> It runs as dhcpd.
>>>>
>>>> For completeness here are the permissions on the related files:
>>>>
>>>> (pht-vdc1 pts8) # ll /etc/dhcpduser.keytab
>>>> -r--------. 1 dhcpd dhcpd 216 Jun 18 11:48 /etc/dhcpduser.keytab
>>>> pht-vdc1 pts8) # la /etc/dhcp/scripts/
>>>> total 100
>>>> drwxr-x---. 2 dhcpd dhcpd   239 Jun 23 10:27 .
>>>> drwxr-x---. 4 dhcpd dhcpd   190 Jun 22 15:31 ..
>>>> -rwxr-xr-x. 1 dhcpd dhcpd 13569 Jun 23 10:27 dhcp-dyndns.sh
>>>> (pht-vdc1 pts8) #
>>>>
>>>> Hopefully you can spot what I am missing.
>>>
>>> I use Raspbian (but was using Devuan) and whilst isc-dhcp-server
>>> runs
>>> as dhcpd, it runs the script as root. I also have same permissions
>>> as
>>> you on the keytab and script, but they belong to root:root, so try
>>> changing the ownership of your keytab.
>>
>> Changed the keytab to root:root as suggested but there was no change.
>> I would think the keytab only gets accessed when the krb ticket needs
>> to
>> be renewed. Am I wrong about that?
>>
>> In addition I did an "su - dhcpd" and ran the following with the
>> keytab owned
>> by root:
>>
>> (pht-vdc1 5) $ kinit -F -k -t /etc/dhcpduser.keytab
>> dhcpduser at MYDOMAIN.COM
>> kinit: Pre-authentication failed: Permission denied while getting
>> initial credentials
>> (pht-vdc1 5) $
>>
>> Same command with the keytab set for dhcpd:dhcpd and I get the
>> following:
>>
>> (pht-vdc1 5) $ kinit -F -k -t /etc/dhcpduser.keytab
>> dhcpduser at MYDOMAIN.COM
>> (pht-vdc1 5) $ klist
>> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
>> Default principal: dhcpduser at MYDOMAIN.COM
>>
>> Valid starting       Expires              Service principal
>> 06/23/2021 16:57:14  06/24/2021 02:57:14
>> krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
>>          renew until 06/24/2021 16:57:14
>> (pht-vdc1 5)
>>
>> and for completeness:
>>
>> (pht-vdc1 5) $ samba-tool dns add pht-vdc1 mydomain.com Bambi A
>> 192.168.1.214 -k yes
>> ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
>>    File "/usr/local/samba/lib64/python3.6/site-
>> packages/samba/netcmd/__init__.py", line 186, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/local/samba/lib64/python3.6/site-
>> packages/samba/netcmd/dns.py", line 945, in run
>>      raise e
>>    File "/usr/local/samba/lib64/python3.6/site-
>> packages/samba/netcmd/dns.py", line 941, in run
>>      0, server, zone, name, add_rec_buf, None)
>> (pht-vdc1 5) $
>>
>> In thinking about this the only difference in the way this DC is
>> built vs the other 2
>> domains where this works is I use rfc2307 on the working domains and
>> on this one I use rid.
>> I do not think that matters but I thought I would mention it just in
>> case.
>>
>> Regards,
>
>
> The winbind backend should have no bearing here.
> I would also expect 'samba-tool dns add pht-vdc1 mydomain.com Bambi A
> 192.168.1.214 -k yes' to fail when run from the command line,

In order to mimic what the script does I ran the following before I ran
the samba-tool command below:

domain=$(hostname -d) ; REALM=$(echo ${domain^^}) ; export KRB5CCNAME="/tmp/dhcp-dyndns.cc" ; SETPRINCIPAL="dhcpduser@${REALM}" ; klist -c "${KRB5CCNAME}" -s

> try this instead:
>
> samba-tool dns add pht-vdc1 mydomain.com Bambi A 192.168.1.214 --krb5-ccache=/tmp/dhcp-dyndns.cc

No joy same result.

>
> I have never run the script on a red-hat distro, but know it works on
> Debian based distros. Perhaps it is something to do with Selinux ? I do
> seem to remember reports of it running on Centos.

The really weird thing about this is that I have 3 other DCs in 2 different
domains running RHEL 8 built using the same ansible plays and it works as
advertised on them. That is what is confusing me.

As for selinux, I just checked to be sure it is in permissive.

I need to upgrade to at least 4.13 so unless you have any other ideas maybe I
will just spin up a 4.13 DC, join it to the domain and try it there.  Not sure
why that would matter but...

Are you aware of any problems going from 4.12 to 4.14 skipping 4.13 or is it better
to join a 4.13 then 4.14 DC? They would be new VMs; I never upgrade major versions
in place.

Regards,

-- 
Tom			me at tdiehl.org
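Pre-flight check for the setup discussed in this thread, written as an added example (not the wiki's dhcp-dyndns.sh and not Tom's or Rowland's code). It assumes GNU stat/id and Linux hostname -d; the keytab path, cache path and principal are the ones quoted above. It first verifies that the user who will call kinit can actually read the keytab (the "Permission denied" seen when the keytab was root-owned and kinit ran as dhcpd), then validates or obtains the ticket the same way the script's one-liner does.

```shell
#!/bin/sh
# Added diagnostic for the dhcp-dyndns Kerberos step; not part of the wiki script.
set -u

# Return 0 if user $2 can read file $1 according to its owner/group/other bits.
# Uses GNU stat (%U %G %A) and id, so it can be checked without Kerberos.
keytab_readable_by() {
    file=$1; user=$2
    info=$(stat -c '%U %G %A' "$file" 2>/dev/null) || return 2
    owner=${info%% *}; rest=${info#* }; group=${rest%% *}; perms=${rest#* }
    if [ "$owner" = "$user" ]; then
        [ "$(printf '%s' "$perms" | cut -c2)" = r ]; return   # owner read bit
    fi
    for grp in $(id -Gn "$user" 2>/dev/null); do
        if [ "$grp" = "$group" ]; then
            [ "$(printf '%s' "$perms" | cut -c5)" = r ]; return   # group read bit
        fi
    done
    [ "$(printf '%s' "$perms" | cut -c8)" = r ]                 # other read bit
}

# Mirror the script's setup: same cache path and principal as in the thread.
# Fails early with a clear message if kinit would hit "Permission denied".
ensure_dyndns_ticket() {
    keytab=${1:-/etc/dhcpduser.keytab}
    domain=$(hostname -d)
    REALM=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
    SETPRINCIPAL="dhcpduser@${REALM}"
    if ! keytab_readable_by "$keytab" "$(id -un)"; then
        echo "keytab $keytab is not readable by $(id -un); kinit -k -t would fail" >&2
        return 1
    fi
    # Valid cache already present? Otherwise obtain one from the keytab.
    klist -c "$KRB5CCNAME" -s || kinit -F -k -t "$keytab" "$SETPRINCIPAL"
}
```

Run ensure_dyndns_ticket as the same user the DHCP server executes the script as; a non-zero return before any kinit call points at file ownership rather than at the KDC.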
