[Samba] AD DC DynDns update problem

L.P.H. van Belle belle at bazuin.nl
Thu Jun 24 07:08:12 UTC 2021


Look up who owns the DNS A record in the DNS. 
And did you add dhcp-user to the Windows groups DnsAdmins and DnsUpdateProxy for the servers running DHCP? 

This > >>>>>> exception - (5, 'WERR_ACCESS_DENIED')  
is just the message that the user you're using doesn't have rights on that A record. 

>>  Pre-authentication failed: Permission denied while getting 
Did you enable "Delegate to all services (only Kerberos)" on the computer object running the DHCP?

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Tom 
> Diehl via samba
> Sent: Thursday 24 June 2021 0:10
> To: Rowland Penny
> Cc: sambalist
> Subject: Re: [Samba] AD DC DynDns update problem
> 
> On Wed, 23 Jun 2021, Rowland Penny via samba wrote:
> 
> > On Wed, 2021-06-23 at 17:06 -0400, me at tdiehl.org wrote:
> >> On Wed, 23 Jun 2021, Rowland Penny via samba wrote:
> >>
> >>> On Wed, 2021-06-23 at 15:49 -0400, me at tdiehl.org wrote:
> >>>> Hi Rowland,
> >>>>
> >>>> On Wed, 23 Jun 2021, Rowland Penny via samba wrote:
> >>>>
> >>>>> On Wed, 2021-06-23 at 12:33 -0400, Tom Diehl via samba wrote:
> >>>>>> Hi,
> >>>>>>
> >>>>>> I have an AD domain running a 4.12.15 DC that I am trying to
> >>>>>> get the dyndns update script working on. I have it configured as per
> >>>>>> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> >>>>>>
> >>>>>> Kerberos appears to be working as the script does not
> >>>>>> complain that it cannot get a ticket but when the script tries
> >>>>>> to run samba-tool I get the following:
> >>>>>>
> >>>>>> Jun 23 11:49:27 pht-vdc1 dhcpd[1397671]: samba-tool dns add
> >>>>>> pht-vdc1 mydomain.com DESKTOP-9L3AOBC A 192.168.1.194 -k yes
> >>>>>> Jun 23 11:49:27 pht-vdc1 dhcpd[1397671]: ERROR(runtime):
> >>>>>> uncaught exception - (5, 'WERR_ACCESS_DENIED')
> >>>>>
> >>>>> What OS are you using ?
> >>>>
> >>>> RHEL 8. It is a new VM with a self-compiled instance of Samba and I
> >>>> am not running sssd. :-)
> >>>>
> >>>>> Who does 'dhcpd' run as ?
> >>>>
> >>>> It runs as dhcpd.
> >>>>
> >>>> For completeness here are the permissions on the related files:
> >>>>
> >>>> (pht-vdc1 pts8) # ll /etc/dhcpduser.keytab
> >>>> -r--------. 1 dhcpd dhcpd 216 Jun 18 11:48 /etc/dhcpduser.keytab
> >>>> (pht-vdc1 pts8) # la /etc/dhcp/scripts/
> >>>> total 100
> >>>> drwxr-x---. 2 dhcpd dhcpd   239 Jun 23 10:27 .
> >>>> drwxr-x---. 4 dhcpd dhcpd   190 Jun 22 15:31 ..
> >>>> -rwxr-xr-x. 1 dhcpd dhcpd 13569 Jun 23 10:27 dhcp-dyndns.sh
> >>>> (pht-vdc1 pts8) #
> >>>>
> >>>> Hopefully you can spot what I am missing.
> >>>
> >>> I use Raspbian (but was using Devuan) and whilst isc-dhcp-server
> >>> runs as dhcpd, it runs the script as root. I also have the same
> >>> permissions as you on the keytab and script, but they belong to
> >>> root:root, so try changing the ownership of your keytab.
> >>
> >> Changed the keytab to root:root as suggested but there was no change.
> >> I would think the keytab only gets accessed when the krb ticket needs
> >> to be renewed. Am I wrong about that?
> >>
> >> In addition I did an "su - dhcpd" and ran the following with the
> >> keytab owned by root:
> >>
> >> (pht-vdc1 5) $ kinit -F -k -t /etc/dhcpduser.keytab dhcpduser at MYDOMAIN.COM
> >> kinit: Pre-authentication failed: Permission denied while getting
> >> initial credentials
> >> (pht-vdc1 5) $
> >>
> >> Same command with the keytab set for dhcpd:dhcpd and I get the
> >> following:
> >>
> >> (pht-vdc1 5) $ kinit -F -k -t /etc/dhcpduser.keytab dhcpduser at MYDOMAIN.COM
> >> (pht-vdc1 5) $ klist
> >> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> >> Default principal: dhcpduser at MYDOMAIN.COM
> >>
> >> Valid starting       Expires              Service principal
> >> 06/23/2021 16:57:14  06/24/2021 02:57:14  krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
> >>          renew until 06/24/2021 16:57:14
> >> (pht-vdc1 5)
> >>
> >> and for completeness:
> >>
> >> (pht-vdc1 5) $ samba-tool dns add pht-vdc1 mydomain.com Bambi A 192.168.1.214 -k yes
> >> ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
> >>    File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
> >>      return self.run(*args, **kwargs)
> >>    File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 945, in run
> >>      raise e
> >>    File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 941, in run
> >>      0, server, zone, name, add_rec_buf, None)
> >> (pht-vdc1 5) $
> >>
> >> In thinking about this the only difference in the way this DC is
> >> built vs the other 2 domains where this works is I use rfc2307 on
> >> the working domains and on this one I use rid.
> >> I do not think that matters but I thought I would mention it just in
> >> case.
> >>
> >> Regards,
> >
> >
> > The winbind backend should have no bearing here.
> > I would also expect 'samba-tool dns add pht-vdc1 mydomain.com Bambi A
> > 192.168.1.214 -k yes' to fail when run from the command line,
> 
> In order to mimic what the script does I ran the following before I ran
> the samba-tool command below:
> 
> domain=$(hostname -d) ; REALM=$(echo ${domain^^}) ; export KRB5CCNAME="/tmp/dhcp-dyndns.cc" ; SETPRINCIPAL="dhcpduser@${REALM}" ; klist -c "${KRB5CCNAME}" -s
> 
> > try this instead:
> >
> > samba-tool dns add pht-vdc1 mydomain.com Bambi A 192.168.1.214 --krb5-ccache=/tmp/dhcp-dyndns.cc
> 
> No joy same result.
> 
> >
> > I have never run the script on a red-hat distro, but know it works on
> > Debian based distros. Perhaps it is something to do with Selinux ? I do
> > seem to remember reports of it running on Centos.
> 
> The really weird thing about this is that I have 3 other DCs in 2 different
> domains running RHEL 8 built using the same Ansible plays and it works as
> advertised on them. That is what is confusing me.
> 
> As for selinux, I just checked to be sure it is in permissive.
> 
> I need to upgrade to at least 4.13 so unless you have any other ideas maybe I
> will just spin up a 4.13 DC, join it to the domain and try it there. Not sure
> why that would matter but...
> 
> Are you aware of any problems going from 4.12 to 4.14 skipping 4.13 or is it better
> to join a 4.13 then 4.14 DC? They would be new VMs; I never upgrade major versions
> in place.
> 
> Regards,
> 
> -- 
> Tom			me at tdiehl.org
> 
> 
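A pre-flight script for this setup, added here as an example (it is not the Samba wiki's dhcp-dyndns.sh and not code from anyone in the thread). It walks Louis's checklist in order: is the keytab readable by the account the DHCP hook runs as, does a ticket come out of it, is the update principal in DnsAdmins, who owns the record's dnsNode object, and does a DNS query with that ticket succeed. Hostnames, zone, keytab path and account names are the thread's. Assumptions: GNU stat (as on RHEL), the 4.12-era `-k yes` switch, that the realm is the zone name upper-cased (the wiki script derives it from `hostname -d` instead), and that the zone's records live under DC=DomainDnsZones, the default for a domain zone; adjust `record_dn` if yours is in ForestDnsZones.

```shell
#!/bin/bash
# dhcp-dns-preflight.sh: check the pieces a Samba DHCP->DNS update hook needs.
# Added example, not the Samba project's own code. All paths and names below
# are taken from the thread and can be overridden from the environment.

KEYTAB=${KEYTAB:-/etc/dhcpduser.keytab}
KRB5CCNAME=${KRB5CCNAME:-/tmp/dhcp-dyndns.cc}
export KRB5CCNAME
DNSSERVER=${DNSSERVER:-pht-vdc1}
ZONE=${ZONE:-mydomain.com}
DHCPUSER=${DHCPUSER:-dhcpduser}   # AD account whose key is in the keytab
RUNAS=${RUNAS:-dhcpd}             # Unix account the DHCP hook runs as

# Upper-case a DNS domain to get the Kerberos realm (assumption: realm == zone).
realm_of() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# mydomain.com -> DC=mydomain,DC=com
zone_to_basedn() { printf 'DC=%s' "$(printf '%s' "$1" | sed 's/\./,DC=/g')"; }

# DN of the dnsNode object holding the records for <name> in <zone>
# (assumption: zone stored in the DomainDnsZones partition).
record_dn() {
    printf 'DC=%s,DC=%s,CN=MicrosoftDNS,DC=DomainDnsZones,%s' \
        "$1" "$2" "$(zone_to_basedn "$2")"
}

# Return 0 if the mode bits of <file> let <user> read it: the owner bit if the
# user owns it, the group bit if the user is in its group, else the other bit.
# This is a permission audit of the file, not an access(2) test as that user.
keytab_readable_by() {
    f=$1; u=$2
    [ -e "$f" ] || return 1
    mode=$(printf '%04d' "$(stat -c %a "$f")" | cut -c2-4)   # e.g. 400
    owner=$(stat -c %U "$f"); group=$(stat -c %G "$f")
    if [ "$owner" = "$u" ]; then
        digit=$(printf '%s' "$mode" | cut -c1)
    elif id -Gn "$u" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        digit=$(printf '%s' "$mode" | cut -c2)
    else
        digit=$(printf '%s' "$mode" | cut -c3)
    fi
    case $digit in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

# Map the two failure messages seen in the thread to their usual cause;
# anything else is passed through unchanged.
classify_error() {
    case $1 in
        *WERR_ACCESS_DENIED*)
            echo "principal lacks write rights on the record: check its owner/ACL and DnsAdmins membership" ;;
        *"Pre-authentication failed"*)
            echo "keytab unusable from this account: check read permission and that its key matches the account" ;;
        *) echo "$1" ;;
    esac
}

# Live checks; run on the DC as the hook's user (the dsacl step reads the
# local sam.ldb and so needs root, or pass it -H ldap://... with credentials).
run_preflight() {
    name=$1
    realm=$(realm_of "$ZONE")
    if ! keytab_readable_by "$KEYTAB" "$RUNAS"; then
        echo "FAIL: $KEYTAB is not readable by $RUNAS"; return 1
    fi
    if ! out=$(kinit -F -k -t "$KEYTAB" "$DHCPUSER@$realm" 2>&1); then
        echo "FAIL: kinit: $(classify_error "$out")"; return 1
    fi
    klist -s || { echo "FAIL: no valid ticket in $KRB5CCNAME"; return 1; }
    if ! samba-tool group listmembers DnsAdmins | grep -qx "$DHCPUSER"; then
        echo "WARN: $DHCPUSER is not a member of DnsAdmins"
    fi
    dn=$(record_dn "$name" "$ZONE")
    # The O: field of the printed SDDL is the owner of the record object.
    echo "owner of $dn: $(samba-tool dsacl get --objectdn="$dn" 2>/dev/null \
        | sed -n 's/.*O:\([^:]*\)G:.*/\1/p')"
    if ! out=$(samba-tool dns query "$DNSSERVER" "$ZONE" "$name" A -k yes 2>&1); then
        echo "FAIL: dns query: $(classify_error "$out")"; return 1
    fi
    echo "$out"
}

# Usage: su - dhcpd -s /bin/bash -c './dhcp-dns-preflight.sh run DESKTOP-9L3AOBC'
if [ "${1:-}" = run ]; then run_preflight "$2"; fi
```

The first FAIL that prints is the layer to fix before looking further down: a keytab the hook's account cannot read produces exactly the "Pre-authentication failed: Permission denied" seen in the thread, while a valid ticket followed by WERR_ACCESS_DENIED points at the record's owner/ACL or missing DnsAdmins membership rather than at Kerberos.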
