[Samba] AD DC DynDns update problem

me at tdiehl.org me at tdiehl.org
Thu Jun 24 19:37:42 UTC 2021


Hi Rowland,

On Thu, 24 Jun 2021, Rowland Penny via samba wrote:

> On Thu, 2021-06-24 at 12:42 -0400, Tom Diehl via samba wrote:
>> Hi Louis,
>>
>> On Thu, 24 Jun 2021, L.P.H. van Belle via samba wrote:
>>
>>> Look up who owns the DNS A record in the DNS.
>>
>> OK, how do I do that?
>>
>>> And, did you add dhcp-user into the Windows groups DnsAdmins and
>>> DnsUpdateProxy for the servers running DHCP?
>>
>> The dhcpduser is part of the DnsAdmins group but was not a member of
>> the DnsUpdateProxy.
>> I added it to the DnsUpdateProxy group but no change.
>>
>>> This exception - (5, 'WERR_ACCESS_DENIED')
>>> is just the message that the user you're using doesn't have rights
>>> on that A record.
>>
>> I did not know there was an actual owner of a DNS record. Am I not
>> understanding something?
>>
>>>>>  Pre-authentication failed: Permission denied while getting
>>> Did you enable "Delegate to all service (only kerberos)" on the
>>> computer object running the DHCP
>>
>> "Delegate to all service (only kerberos)" was enabled on the DC which
>> is where dhcpd is running. I think that is the default.
>>
>> Regards,
>>
>>
>
> I think I might have found the problem, do you actually have the keytab
> /etc/dhcpduser.keytab ?
>
> Note: not 'did you create it', does it exist. I ask this because I have
> got to this point on an almalinux8 DC and I cannot create it. The
> samba-tool command appears to work, but no keytab is created.

That is weird. I have not tried Almalinux yet.

Here is what I have for the keytab:

(pht-vdc1 pts5) # ktutil 
ktutil:  read_kt /etc/dhcpduser.keytab 
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
    1    2                     dhcpduser@MYDOMAIN.COM
    2    2                     dhcpduser@MYDOMAIN.COM
    3    2                     dhcpduser@MYDOMAIN.COM
ktutil:
(pht-vdc1 pts5) #

It looks correct to me. What say you?

FWIW, I killed the keytab and re-created it. No joy!!

Regards,

-- 
Tom			me at tdiehl.org
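
The keytab checks discussed in this message (does the file actually exist, and what does its listing contain), as an added example that is not part of the original thread. The function names and the sample listing are constructed for illustration; the permission check is an added assumption about how the keytab should be protected.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# keytab_file_ok PATH
# "Does it exist" check: regular file, non-empty, no group/other access.
# A keytab stores the account's long-term keys, so wider access is flagged.
keytab_file_ok() {
    kt=$1
    [ -f "$kt" ] || { echo "missing: $kt"; return 1; }
    [ -s "$kt" ] || { echo "empty: $kt"; return 2; }
    mode=$(ls -ld "$kt" | cut -c5-10)      # group + other permission bits
    [ "$mode" = "------" ] || { echo "too permissive: $kt"; return 3; }
    echo "ok: $kt"
}

# keytab_listing_ok PRINCIPAL  (listing on stdin)
# Accepts ktutil "list" or plain "klist -k" output, where the last two
# fields of an entry are KVNO and principal. Fails if PRINCIPAL is absent.
keytab_listing_ok() {
    awk -v want="$1" '
        $NF == want && $(NF-1) ~ /^[0-9]+$/ {
            n++
            if ($(NF-1) + 0 > max + 0) max = $(NF-1) + 0
        }
        END {
            if (n == 0) { print "no entries for " want; exit 1 }
            print "entries=" n " max_kvno=" max
        }'
}

# Constructed sample in the shape of the ktutil listing shown in the thread.
sample_listing() {
    cat <<'EOF'
slot KVNO Principal
---- ---- ----------------------------------------
   1    2          dhcpduser@MYDOMAIN.COM
   2    2          dhcpduser@MYDOMAIN.COM
   3    2          dhcpduser@MYDOMAIN.COM
EOF
}

sample_listing | keytab_listing_ok dhcpduser@MYDOMAIN.COM
```

On the DC, run `keytab_file_ok /etc/dhcpduser.keytab` and pipe `klist -k /etc/dhcpduser.keytab` into `keytab_listing_ok` with the expected principal.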


