[Samba] AD DC DynDns update problem
L.P.H. van Belle
belle at bazuin.nl
Thu Jun 24 07:08:12 UTC 2021
Look up who owns the DNS A record in the DNS.
And did you add dhcp-user to the Windows groups DnsAdmins and DnsUpdateProxy for the servers running DHCP?
This:
> exception - (5, 'WERR_ACCESS_DENIED')
is just the message that the user you're using doesn't have rights on that A record.
>> Pre-authentication failed: Permission denied while getting
Did you enable "Delegate to all services (only Kerberos)" on the computer object running the DHCP?
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Tom
> Diehl via samba
> Verzonden: donderdag 24 juni 2021 0:10
> Aan: Rowland Penny
> CC: sambalist
> Onderwerp: Re: [Samba] AD DC DynDns update problem
>
> On Wed, 23 Jun 2021, Rowland Penny via samba wrote:
>
> > On Wed, 2021-06-23 at 17:06 -0400, me at tdiehl.org wrote:
> >> On Wed, 23 Jun 2021, Rowland Penny via samba wrote:
> >>
> >>> On Wed, 2021-06-23 at 15:49 -0400, me at tdiehl.org wrote:
> >>>> Hi Rowland,
> >>>>
> >>>> On Wed, 23 Jun 2021, Rowland Penny via samba wrote:
> >>>>
> >>>>> On Wed, 2021-06-23 at 12:33 -0400, Tom Diehl via samba wrote:
> >>>>>> Hi,
> >>>>>>
> >>>>>> I have an AD domain running a 4.12.15 DC that I am trying to get the
> >>>>>> dyndns update script working on. I have it configured as per
> >>>>>>
> >>>>>> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> >>>>>>
> >>>>>> Kerberos appears to be working as the script does not complain that
> >>>>>> it cannot get a ticket but when the script tries to run samba-tool I get
> >>>>>> the following:
> >>>>>>
> >>>>>> Jun 23 11:49:27 pht-vdc1 dhcpd[1397671]: samba-tool dns add pht-vdc1 mydomain.com DESKTOP-9L3AOBC A 192.168.1.194 -k yes
> >>>>>> Jun 23 11:49:27 pht-vdc1 dhcpd[1397671]: ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
> >>>>>
> >>>>> What OS are you using ?
> >>>>
> >>>> RHEL 8. It is a new vm with a self-compiled instance of Samba and I am
> >>>> not running sssd. :-)
> >>>>
> >>>>> Who does 'dhcpd' run as ?
> >>>>
> >>>> It runs as dhcpd.
> >>>>
> >>>> For completeness here are the permissions on the related files:
> >>>>
> >>>> (pht-vdc1 pts8) # ll /etc/dhcpduser.keytab
> >>>> -r--------. 1 dhcpd dhcpd 216 Jun 18 11:48 /etc/dhcpduser.keytab
> >>>> pht-vdc1 pts8) # la /etc/dhcp/scripts/
> >>>> total 100
> >>>> drwxr-x---. 2 dhcpd dhcpd 239 Jun 23 10:27 .
> >>>> drwxr-x---. 4 dhcpd dhcpd 190 Jun 22 15:31 ..
> >>>> -rwxr-xr-x. 1 dhcpd dhcpd 13569 Jun 23 10:27 dhcp-dyndns.sh
> >>>> (pht-vdc1 pts8) #
> >>>>
> >>>> Hopefully you can spot what I am missing.
> >>>
> >>> I use Raspbian (but was using Devuan) and whilst isc-dhcp-server runs
> >>> as dhcpd, it runs the script as root. I also have same permissions as
> >>> you on the keytab and script, but they belong to root:root, so try
> >>> changing the ownership of your keytab.
> >>
> >> Changed the keytab to root:root as suggested but there was no change.
> >> I would think the keytab only gets accessed when the krb ticket needs
> >> to be renewed. Am I wrong about that?
> >>
> >> In addition I did an "su - dhcpd" and ran the following with the
> >> keytab owned by root:
> >>
> >> (pht-vdc1 5) $ kinit -F -k -t /etc/dhcpduser.keytab dhcpduser at MYDOMAIN.COM
> >> kinit: Pre-authentication failed: Permission denied while getting initial credentials
> >> (pht-vdc1 5) $
> >>
> >> Same command with the keytab set for dhcpd:dhcpd and I get the following:
> >>
> >> (pht-vdc1 5) $ kinit -F -k -t /etc/dhcpduser.keytab dhcpduser at MYDOMAIN.COM
> >> (pht-vdc1 5) $ klist
> >> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
> >> Default principal: dhcpduser at MYDOMAIN.COM
> >>
> >> Valid starting       Expires              Service principal
> >> 06/23/2021 16:57:14  06/24/2021 02:57:14  krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
> >>         renew until 06/24/2021 16:57:14
> >> (pht-vdc1 5)
> >>
> >> and for completeness:
> >>
> >> (pht-vdc1 5) $ samba-tool dns add pht-vdc1 mydomain.com Bambi A 192.168.1.214 -k yes
> >> ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
> >>   File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
> >>     return self.run(*args, **kwargs)
> >>   File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 945, in run
> >>     raise e
> >>   File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 941, in run
> >>     0, server, zone, name, add_rec_buf, None)
> >> (pht-vdc1 5) $
> >>
> >> In thinking about this the only difference in the way this DC is
> >> built vs the other 2 domains where this works is I use rfc2307 on the
> >> working domains and on this one I use rid. I do not think that matters
> >> but I thought I would mention it just in case.
> >>
> >> Regards,
> >
> >
> > The winbind backend should have no bearing here.
> > I would also expect 'samba-tool dns add pht-vdc1 mydomain.com Bambi A
> > 192.168.1.214 -k yes' to fail when run from the command line,
>
> In order to mimic what the script does I ran the following before I ran
> the samba-tool command below:
>
> domain=$(hostname -d) ; REALM=$(echo ${domain^^}) ; export
> KRB5CCNAME="/tmp/dhcp-dyndns.cc" ;
> SETPRINCIPAL="dhcpduser@${REALM}" ; klist -c "${KRB5CCNAME}" -s
>
> > try this instead:
> >
> > samba-tool dns add pht-vdc1 mydomain.com Bambi A 192.168.1.214 --krb5-ccache=/tmp/dhcp-dyndns.cc
>
> No joy, same result.
>
> >
> > I have never run the script on a red-hat distro, but know it works on
> > Debian based distros. Perhaps it is something to do with Selinux ? I do
> > seem to remember reports of it running on Centos.
>
> The really weird thing about this is that I have 3 other DCs in 2 different
> domains running RHEL 8 built using the same ansible plays and it works as
> advertised on them. That is what is confusing me.
>
> As for selinux, I just checked to be sure it is in permissive.
>
> I need to upgrade to at least 4.13 so unless you have any other ideas maybe I
> will just spin up a 4.13 DC, join it to the domain and try it there. Not sure
> why that would matter but...
>
> Are you aware of any problems going from 4.12 to 4.14 skipping 4.13 or is it
> better to join a 4.13 then 4.14 DC? They would be new vm's, I never upgrade
> major versions in place.
>
> Regards,
>
> --
> Tom me at tdiehl.org
>
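A pre-flight check for the setup discussed in this thread, added here as an example; it is not part of the thread or of Samba's dhcp-dyndns.sh. It assumes GNU stat(1) and id(1) and uses the keytab path and user names from the thread.

```shell
#!/bin/bash
# Pre-flight checks for the dhcp-dyndns setup, added as an example (not the
# thread's or Samba's code). Run as the user that dhcpd executes the script as.
# The thread shows two distinct failures:
#   kinit "Permission denied"      -> the keytab is unreadable by that user
#   samba-tool WERR_ACCESS_DENIED  -> the principal has no rights on the record
# Assumes GNU stat(1) and id(1).

# mode_allows_read OWNER GROUP MODE USER GROUPS
# Pure check on stat(1) fields: succeeds if USER (member of the space-separated
# GROUPS) may read a file owned OWNER:GROUP with octal MODE (400, 0400, 2750).
mode_allows_read() {
  local owner=$1 group=$2 user=$4 groups=$5 m grp
  m=$((0$3))                     # leading 0 forces octal, so 400 == 0400
  if [ "$user" = "$owner" ]; then
    [ $(( (m >> 6) & 4 )) -ne 0 ]; return
  fi
  for grp in $groups; do
    if [ "$grp" = "$group" ]; then
      [ $(( (m >> 3) & 4 )) -ne 0 ]; return
    fi
  done
  [ $(( m & 4 )) -ne 0 ]
}

# keytab_readable PATH USER: the same check against a real file, e.g.
#   keytab_readable /etc/dhcpduser.keytab dhcpd
keytab_readable() {
  local path=$1 user=$2 fields
  fields=$(stat -c '%U %G %a' "$path") || return 2
  set -- $fields                 # $1=owner $2=group $3=mode
  mode_allows_read "$1" "$2" "$3" "$user" "$(id -Gn "$user" 2>/dev/null)"
}

# classify_error LINE: map a log/console line to what to check next.
classify_error() {
  case $1 in
    *"Pre-authentication failed: Permission denied"*)
      echo keytab ;;   # kinit could not use the keytab: fix owner/mode
    *WERR_ACCESS_DENIED*)
      echo dns-acl ;;  # ticket is fine; check the DNS record's owner/ACL
    *) echo unknown ;;
  esac
}
```

A root:root keytab with mode 0400 fails the first check for user dhcpd, which matches the kinit error quoted above; a WERR_ACCESS_DENIED from samba-tool with a valid ticket points at the record's ACL and group membership instead.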