[Samba] AD DC DynDns update problem

me at tdiehl.org me at tdiehl.org
Sat Jun 26 00:18:20 UTC 2021


Hi Rowland,

On Thu, 24 Jun 2021, Rowland Penny via samba wrote:

> On Thu, 2021-06-24 at 15:37 -0400, me at tdiehl.org wrote:
>> Hi Rowland,
>>
>> On Thu, 24 Jun 2021, Rowland Penny via samba wrote:
>>
>>> On Thu, 2021-06-24 at 12:42 -0400, Tom Diehl via samba wrote:
>>>> Hi Louis,
>>>>
>>>> On Thu, 24 Jun 2021, L.P.H. van Belle via samba wrote:
>>>>
>>>>> Look up who owns the DNS A record in the DNS.
>>>>
>>>> OK, how do I do that?
>>>>
>>>>> And, did you add dhcp-user into the windows groups DnsAdmins and
>>>>> DnsUpdateProxy for the servers running DHCP.
>>>>
>>>> The dhcpduser is part of the DnsAdmins group but was not a member of
>>>> the DnsUpdateProxy. I added it to the DnsUpdateProxy group but no change.
>>>>
>>>>> This
>>>>>> exception - (5, 'WERR_ACCESS_DENIED')
>>>>> is just the message that the user you're using doesn't have
>>>>> rights on that A record.
>>>>
>>>> I did not know there was an actual owner of a DNS record. Am I not
>>>> understanding something?
>>>>
>>>>>>>  Pre-authentication failed: Permission denied while getting
>>>>> Did you enable "Delegate to all service (only kerberos)" on the
>>>>> computer object running the DHCP
>>>>
>>>> "Delegate to all service (only kerberos)" was enabled on the DC which
>>>> is where dhcpd is running. I think that is the default.
>>>>
>>>> Regards,
>>>>
>>>>
>>>
>>> I think I might have found the problem, do you actually have the
>>> keytab /etc/dhcpduser.keytab ?
>>>
>>> Note: not 'did you create it', does it exist. I ask this because I
>>> have got to this point on an almalinux8 DC and I cannot create it. The
>>> samba-tool command appears to work, but no keytab is created.
>>
>> That is weird. I have not tried Almalinux yet.
>>
>> Here is what I have for the keytab:
>>
>> (pht-vdc1 pts5) # ktutil
>> ktutil:  read_kt /etc/dhcpduser.keytab
>> ktutil:  list
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1    2                     dhcpduser@MYDOMAIN.COM
>>    2    2                     dhcpduser@MYDOMAIN.COM
>>    3    2                     dhcpduser@MYDOMAIN.COM
>> ktutil:
>> (pht-vdc1 pts5) #
>>
>> It looks correct to me. What say you?
>>
>> FWIW, I killed the keytab and re-created it. No joy!!
>>
>> Regards,
>>
>
> Forget, it was a cut and paste error :"-)
>
> I now have the script working, but with errors, it doesn't seem to be
> able to ignore the deletion of records that don't exist yet (to put it
> another way, it tries to delete records that do not exist, something
> that doesn't happen on Debian)
>
> I will have a look at this tomorrow, it is nearly 9 PM here.

Since you are looking at the script, I have a patch below that adds the keytab
variable to the one last place where you have the keytab specifically defined and
makes several logger statements more verbose so that it is easier to debug things
when things go wrong.

--- dhcp-dyndns-wiki.sh 2021-06-18 13:23:45.681919590 -0400
+++ dhcp-dyndns-prod.sh 2021-06-25 19:08:56.931922404 -0400
@@ -155,7 +155,7 @@
  fi

  # Check for Kerberos keytab
-if [ ! -f /etc/dhcpduser.keytab ]; then
+if [ ! -f $keytab ]; then
      logger "Required keytab $keytab not found, it needs to be created."
      logger "Use the following commands as root"
      logger "samba-tool domain exportkeytab --principal=${SETPRINCIPAL} $keytab"
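Review bot: `[ ! -f $keytab ]` leaves the variable unquoted, which is a regression from the hard-coded path it replaces: if `$keytab` is ever empty the test collapses to `[ ! -f ]`, which evaluates false, so the missing-keytab branch is silently skipped and the script carries on without a keytab; a value containing whitespace would be a syntax error instead. Write it as `[ ! -f "$keytab" ]`, the same quoting the `logger` lines below already assume for the variable.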
@@ -216,13 +216,13 @@
              result2="$?"
          elif [ "$A_REC" = "${ip}" ]; then
                # Correct A record exists, do nothing
-              logger "Correct 'A' record exists, not updating."
+              logger "Correct 'A' record for ${name} exists, not updating."
                result1=0
                result2=0
                count=$((count+1))
          elif [ "$A_REC" != "${ip}" ]; then
                # Wrong A record exists
-              logger "'A' record changed, updating record."
+              logger "'A' record for ${name} changed, updating record."
                samba-tool dns delete ${Server} ${domain} "${name}" A ${A_REC} -k yes
                result1="$?"
                samba-tool dns add ${Server} ${domain} "${name}" A ${ip} -k yes
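Review bot: the "changed" message now carries `${name}` but still does not say what changed, and both values are in scope at that point; `logger "'A' record for ${name} changed from ${A_REC} to ${ip}, updating record."` would let the `samba-tool dns delete` / `dns add` pair that follows be checked against syslog without re-querying the zone, which is the debugging case this patch is meant to help.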
@@ -251,7 +251,7 @@
                        break
                    elif [ "$PTR_REC" = "${name}" ]; then
                          # Correct PTR record exists, do nothing
-                        logger "Correct 'PTR' record exists, not updating."
+                        logger "Correct 'PTR' record for ${ip} exists, not updating."
                          result3=0
                          result4=0
                          count=$((count+1))
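Review bot: the PTR messages identify the record by `${ip}` while the A-record messages identify it by `${name}`, so the two log lines for one lease cannot be paired when reading syslog; including both (`'PTR' record for ${ip} (${name}) exists`) keeps the messages consistent with the A-record ones above.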
@@ -259,7 +259,7 @@
                    elif [ "$PTR_REC" != "${name}" ]; then
                          # Wrong PTR record exists
                          # points to wrong host
-                        logger "'PTR' record changed, updating record."
+                        logger "'PTR' record for ${ip} changed, updating record."
                          samba-tool dns delete ${Server} ${revzone} ${IP2add} PTR "${PTR_REC}".${domain} -k yes
                          result3="$?"
                          samba-tool dns add ${Server} ${revzone} ${IP2add} PTR "${name}".${domain} -k yes
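Review bot: the message logs `${ip}`, but the record being rewritten is keyed by `${IP2add}` in `${revzone}` and the value that changed is `${PTR_REC}` to `${name}`; logging the old and new targets (`'PTR' record for ${ip} changed from ${PTR_REC} to ${name}, updating record.`) would show what the delete and add below actually did, mirroring the A-record case.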
@@ -382,4 +382,3 @@
  fi

  exit 0
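Review bot: the header `@@ -382,4 +382,3 @@` says one line was removed, but only three context lines are visible and no `-` line, so the patch as pasted will not apply cleanly; the removed line was presumably a trailing blank that the mail client stripped. Attaching the diff (or sending it as `diff -u` output in an attachment) avoids the whitespace damage.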

If you have a better way to do this or are just not interested in adding it,
please let me know.

Thanks for your help.

Regards,

-- 
Tom			me at tdiehl.org
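The thread turns on whether /etc/dhcpduser.keytab exists and holds the right principal, and the `ktutil` listing above is how that was checked by eye. As an added example (not code from this thread, from the dhcp-dyndns script or from Samba), here is a small Python reader for the MIT version-2 keytab file format that lists each entry's principal, kvno and enctype, reports whether an expected principal is present, checks the file mode the way a script running as an unprivileged user should, and flags RC4-HMAC keys (enctype 23), which are derived from the account's NT hash and are the weakest key type a DC will still export. The sample keytab is constructed in memory so the script runs offline; the principal `dhcpduser@EXAMPLE.COM`, the key bytes and the enctype mix are assumptions, not values from the thread.

```python
import os
import struct

KEYTAB_MAGIC = b"\x05\x02"      # MIT keytab file format, version 2
AES128_SHA1 = 17                # enctype numbers from RFC 3962 / RFC 4757
AES256_SHA1 = 18
RC4_HMAC = 23
WEAK_ENCTYPES = {RC4_HMAC}      # RC4-HMAC keys are derived from the NT hash


def _counted(b: bytes) -> bytes:
    """keytab 'counted octet string': 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into a v2 keytab.

    Used here only to construct a sample in memory; a real keytab comes
    from 'samba-tool domain exportkeytab'.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components))        # v2: realm not counted
        body += _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                   # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body        # signed size prefix
    return bytes(out)


def parse_keytab(data: bytes):
    """Return {principal, kvno, enctype, keylen} for every live entry."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                    # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size

        def counted():
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            value, pos = data[pos:pos + n], pos + n
            return value

        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen                # skip over the key material itself
        kvno = vno8
        if end - pos >= 4:               # full 32-bit vno present, overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "keylen": keylen})
    return entries


def delete_first_entry(data: bytes) -> bytes:
    """Mark the first slot deleted the way the krb5 library does: negate its size."""
    (size,) = struct.unpack_from(">i", data, 2)
    return data[:2] + struct.pack(">i", -size) + data[6:]


def keytab_kvnos(entries, principal):
    """Set of kvnos present for a principal; an empty set means it is absent."""
    return {e["kvno"] for e in entries if e["principal"] == principal}


def weak_entries(entries):
    return [e for e in entries if e["enctype"] in WEAK_ENCTYPES]


def check_keytab_file(path, principal):
    """Existence check like the script's '[ ! -f "$keytab" ]', plus mode and content."""
    if not os.path.isfile(path):
        return False, f"keytab {path} not found"
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        return False, f"keytab {path} is mode {mode:o}; must not be group/world readable"
    with open(path, "rb") as fh:
        entries = parse_keytab(fh.read())
    if not keytab_kvnos(entries, principal):
        return False, f"{principal} not in {path}"
    return True, "ok"


# Constructed sample (assumed principal, realm and key bytes, not thread data).
SAMPLE_KEYTAB = build_keytab([
    ("dhcpduser@EXAMPLE.COM", 2, AES256_SHA1, b"\x11" * 32),
    ("dhcpduser@EXAMPLE.COM", 2, AES128_SHA1, b"\x22" * 16),
    ("dhcpduser@EXAMPLE.COM", 2, RC4_HMAC, b"\x33" * 16),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e['kvno']:>4}  {e['principal']:<28} enctype={e['enctype']}")
    print("weak enctypes:", [e["enctype"] for e in weak_entries(parse_keytab(SAMPLE_KEYTAB))])
```

Run against a real file with `check_keytab_file("/etc/dhcpduser.keytab", "dhcpduser@MYDOMAIN.COM")` from the account the script runs as: a `False` with "not found" is the case the patch's `-f` test guards, while a `False` on mode or principal is the case that shows up later as a Kerberos pre-authentication failure rather than as a missing-file message.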


