[Samba] AD DC DynDns update problem

me at tdiehl.org me at tdiehl.org
Thu Jun 24 16:42:26 UTC 2021 

Hi Louis,

On Thu, 24 Jun 2021, L.P.H. van Belle via samba wrote:

> Lookup how owns the DNS A record in the DNS.

OK, how do I do that?

> And, did you add dhcp-user into the windows groups DnsAdmins and DnsUpdateProxy for the servers running DHCP.

The dhcpduser is part of the DnsAdmins group but was not a member of the DnsUpdateProxy.
I added it to the DnsUpdateProxy group but no change.

>
> This > >>>>>> exception - (5, 'WERR_ACCESS_DENIED')
> Is just the message that, the user your using, doesnt have rights on that A record.

I did not know there was an actual owner of a DNS record. Am I not understanding something?

>
>>>  Pre-authentication failed: Permission denied while getting
> Did you enable "Delegate to all service (only kerberos)" on the computer object running the DHCP

"Delegate to all service (only kerberos)" was enabled on the DC which is where dhcpd
is running. I think that is the default.

Regards,

-- 
Tom			me at tdiehl.org

>
> Greetz,
>
> Louis
>
>
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Tom
>> Diehl via samba
>> Verzonden: donderdag 24 juni 2021 0:10
>> Aan: Rowland Penny
>> CC: sambalist
>> Onderwerp: Re: [Samba] AD DC DynDns update problem
>>
>> On Wed, 23 Jun 2021, Rowland Penny via samba wrote:
>>
>>> On Wed, 2021-06-23 at 17:06 -0400, me at tdiehl.org wrote:
>>>> On Wed, 23 Jun 2021, Rowland Penny via samba wrote:
>>>>
>>>>> On Wed, 2021-06-23 at 15:49 -0400, me at tdiehl.org wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> On Wed, 23 Jun 2021, Rowland Penny via samba wrote:
>>>>>>
>>>>>>> On Wed, 2021-06-23 at 12:33 -0400, Tom Diehl via samba wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have an AD domain running a 4.12.15 DC that I am trying to
>>>>>>>> get
>>>>>>>> the
>>>>>>>> dyndns update
>>>>>>>> script working on. I have it configured as per
>>>>>>>>
>> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_
>> records_with_BIND9
>>>>>>>>
>>>>>>>> Kerberos appears to be working as the script does not
>>>>>>>> complain
>>>>>>>> that
>>>>>>>> it cannot get
>>>>>>>> a ticket but when the script try's to run samba-tool I get
>>>>>>>> the
>>>>>>>> following:
>>>>>>>>
>>>>>>>> Jun 23 11:49:27 pht-vdc1 dhcpd[1397671]: samba-tool dns add
>>>>>>>> pht-
>>>>>>>> vdc1
>>>>>>>> mydomain.com DESKTOP-9L3AOBC A 192.168.1.194 -k yes
>>>>>>>> Jun 23 11:49:27 pht-vdc1 dhcpd[1397671]: ERROR(runtime):
>>>>>>>> uncaught
>>>>>>>> exception - (5, 'WERR_ACCESS_DENIED')
>>>>>>>
>>>>>>> What OS are you using ?
>>>>>>
>>>>>> RHEL 8. It is a new vm with self compiled instance of Samba and I
>>>>>> am
>>>>>> not running
>>>>>> sssd. :-)
>>>>>>
>>>>>>> Who does 'dhcpd' run as ?
>>>>>>
>>>>>> It runs as dhcpd.
>>>>>>
>>>>>> For completeness here are the permissions on the related files:
>>>>>>
>>>>>> (pht-vdc1 pts8) # ll /etc/dhcpduser.keytab
>>>>>> -r--------. 1 dhcpd dhcpd 216 Jun 18 11:48 /etc/dhcpduser.keytab
>>>>>> pht-vdc1 pts8) # la /etc/dhcp/scripts/
>>>>>> total 100
>>>>>> drwxr-x---. 2 dhcpd dhcpd   239 Jun 23 10:27 .
>>>>>> drwxr-x---. 4 dhcpd dhcpd   190 Jun 22 15:31 ..
>>>>>> -rwxr-xr-x. 1 dhcpd dhcpd 13569 Jun 23 10:27 dhcp-dyndns.sh
>>>>>> (pht-vdc1 pts8) #
>>>>>>
>>>>>> Hopefully you can spot what I am missing.
>>>>>
>>>>> I use Raspbian (but was using Devuan) and whilst isc-dhcp-server
>>>>> runs
>>>>> as dhcpd, it runs the script as root. I also have same permissions
>>>>> as
>>>>> you on the keytab and script, but they belong to root:root, so try
>>>>> changing the ownership of your keytab.
>>>>
>>>> Changed the keytab to root:root as suggested but there was
>> no change.
>>>> I would think the keytab only gets accessed when the krb
>> ticket needs
>>>> to
>>>> be renewed. Am I wrong about that?
>>>>
>>>> In addition I did an "su - dhcpd" and ran the following with the
>>>> keytab owned
>>>> by root:
>>>>
>>>> (pht-vdc1 5) $ kinit -F -k -t /etc/dhcpduser.keytab
>>>> dhcpduser at MYDOMAIN.COM
>>>> kinit: Pre-authentication failed: Permission denied while getting
>>>> initial credentials
>>>> (pht-vdc1 5) $
>>>>
>>>> Same command with the keytab set for dhcpd:dhcpd and I get the
>>>> flllowing:
>>>>
>>>> (pht-vdc1 5) $ kinit -F -k -t /etc/dhcpduser.keytab
>>>> dhcpduser at MYDOMAIN.COM
>>>> (pht-vdc1 5) $ klist
>>>> Ticket cache: FILE:/tmp/dhcp-dyndns.cc
>>>> Default principal: dhcpduser at MYDOMAIN.COM
>>>>
>>>> Valid starting       Expires              Service principal
>>>> 06/23/2021 16:57:14  06/24/2021 02:57:14
>>>> krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
>>>>          renew until 06/24/2021 16:57:14
>>>> (pht-vdc1 5)
>>>>
>>>> and for completeness:
>>>>
>>>> (pht-vdc1 5) $ samba-tool dns add pht-vdc1 mydomain.com Bambi A
>>>> 192.168.1.214 -k yes
>>>> ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
>>>>    File "/usr/local/samba/lib64/python3.6/site-
>>>> packages/samba/netcmd/__init__.py", line 186, in _run
>>>>      return self.run(*args, **kwargs)
>>>>    File "/usr/local/samba/lib64/python3.6/site-
>>>> packages/samba/netcmd/dns.py", line 945, in run
>>>>      raise e
>>>>    File "/usr/local/samba/lib64/python3.6/site-
>>>> packages/samba/netcmd/dns.py", line 941, in run
>>>>      0, server, zone, name, add_rec_buf, None)
>>>> (pht-vdc1 5) $
>>>>
>>>> In thinking about this the only difference in the way the
>> this DC is
>>>> build vs the other 2
>>>> domains where this works is I use rfc2307 on the working
>> domains and
>>>> on this one I use rid.
>>>> I do not think that matters but I thought I would mention
>> it just in
>>>> case.
>>>>
>>>> Regards,
>>>
>>>
>>> The winbind backend should have no bearing here.
>>> I would also expect 'samba-tool dns add pht-vdc1
>> mydomain.com Bambi A
>>> 192.168.1.214 -k yes' to fail when run from the command line,
>>
>> In order to mimic what the scrpt does I ran the following before I ran
>> the samba-tool command below:
>>
>> domain=$(hostname -d) ; REALM=$(echo ${domain^^}) ; export
>> KRB5CCNAME="/tmp/dhcp-dyndns.cc" ;
>> SETPRINCIPAL="dhcpduser@${REALM}" ; klist -c "${KRB5CCNAME}" -s
>>
>>> try this instead:
>>>
>>> samba-tool dns add pht-vdc1 mydomain.com Bambi A
>> 192.168.1.214 --krb5-ccache=/tmp/dhcp-dyndns.cc
>>
>> No joy same result.
>>
>>>
>>> I have never run the script on a red-hat distro, but know
>> it works on
>>> Debian based distros. Perhaps it is something to do with
>> Selinux ? I do
>>> seem to remember reports of it running on Centos.
>>
>> The really weird thing about this is that I have 3 other DCs
>> in 2 differernt
>> domains running RHEL 8 built using the same ansible plays it
>> and works as
>> advertsed on them. That is what is confusing me.
>>
>> As for selinux, I just checked to be sure it is in permissive.
>>
>> I need to upgrade to at least 4.13 so unless you have any
>> other ideas maybe I
>> will just spin up a 4.13 DC, join it to the domain and try it
>> there.  Not sure
>> why that would matter but...
>>
>> Are you aware of any problems going from 4.12 to 4.14
>> skipping 4.13 or is it better
>> to join a 4.13 then 4.14 DC? They would be new vm's I never
>> upgrade major versions
>> in place.
>>
>> Regards,
>>
>> --
>> Tom			me at tdiehl.org
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>
>
>

More information about the samba mailing list