[Samba] DHCP dynamic updates by non-root dhcp user

Peter Serbe peter at serbe.ch
Tue Dec 12 23:16:58 UTC 2023


Hi all,

I have (mostly) struggled my way through the documentation found at:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records.

But as I am on Gentoo, the DHCP daemon is run by the unprivileged user dhcp, which did complicate the issue way more than I imagined. The documentation rightfully points out to adjust the permissions of the keytab, which is used as a replacement for a plaintext password, so that it is within the access of the dhcp user. But here is the first nit: it is just as important to adjust the permissions of the ticket cache. If one tries the script as root user after failing with the restricted dhcp user account (which does succeed, if enough care had been taken!), then the ticket cache has the permissions root:root - and the resulting error message, when next trying with the restricted user again, is not really helpful (as most Kerberos error messages seem to be, at least in the eyes of an inexperienced user such as me).
Btw, at least on Gentoo these caches are named /tmp/krb5cc_xxx, where xxx is the UID of the owner, i.e. on my system a cache for the dhcp user would be named krb5cc_300. I don't know whether the effort is justified to do something like this in the script. But the documentation should incorporate a warning to check the permissions of that file, too, especially as the cache is not discussed in the text; it just appears within the script.

But even when having done all that stuff right, the script didn't run...

--------------------------------------------------------------------------------------------------------
horus # runuser -u dhcp -- /usr/local/bin/dhcp-dyndns.sh delete 192.168.0.5 11:22:33:44:55:66
smb_krb5_init_context_common: Krb5 context initialization failed (Not a directory)
smb_krb5_context_init_basic failed (Not a directory)
smb_krb5_init_context_common: Krb5 context initialization failed (Not a directory)
smb_krb5_context_init_basic failed (Not a directory)
gensec_gssapi_start: smb_krb5_init_context failed (Not a directory)
gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
Failed to start GENSEC client mechanism (null): NT_STATUS_INVALID_PARAMETER
Failed to bind to uuid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxfor ncacn_ip_tcp:192.168.0.2[49153,sign,target_hostname=horus,abstract_syntax=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/0x00000005,localaddress=192.168.0.2] NT_STATUS_INVALID_PARAMETER
ERROR: Connecting to DNS RPC server horus failed with (3221225485, 'An invalid parameter was passed to a service or function.')
smb_krb5_init_context_common: Krb5 context initialization failed (Not a directory)
smb_krb5_context_init_basic failed (Not a directory)
smb_krb5_init_context_common: Krb5 context initialization failed (Not a directory)
smb_krb5_context_init_basic failed (Not a directory)
gensec_gssapi_start: smb_krb5_init_context failed (Not a directory)
gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
Failed to start GENSEC client mechanism (null): NT_STATUS_INVALID_PARAMETER
Failed to bind to uuid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxfor ncacn_ip_tcp:192.168.0.2[49153,sign,target_hostname=horus,abstract_syntax=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxfor /0x00000005,localaddress=192.168.0.2] NT_STATUS_INVALID_PARAMETER
ERROR: Connecting to DNS RPC server horus failed with (3221225485, 'An invalid parameter was passed to a service or function.')
--------------------------------------------------------------------------------------------------------

After having found out that 'normal' users could do the update, I finally modified /etc/passwd from

--------------------------------------------------------------------------------------------------------
dhcp:x:300:300:user for dhcp daemon:/dev/null:/sbin/nologin
--------------------------------------------------------------------------------------------------------

to

--------------------------------------------------------------------------------------------------------
dhcp:x:300:300:user for dhcp daemon:/var/lib/dhcp:/sbin/nologin
--------------------------------------------------------------------------------------------------------

where the dhcp user has rwx rights. The script now runs as

--------------------------------------------------------------------------------------------------------
horus /etc # runuser -u dhcp -- /usr/local/bin/dhcp-dyndns.sh delete 192.168.41.65 50:3e:aa:01:6e:10
Record deleted successfully
Record deleted successfully
--------------------------------------------------------------------------------------------------------

So I would strongly suggest adding this hint to the documentation, too, as it may be pretty helpful for those trying to get this running with a non-root dhcp user.

Best regards
Peter

PS:
Many thanks go out to Rowland for exploring this option - and giving us both that script and the notes on how to use it.
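As an added example (not the wiki's dhcp-dyndns.sh and not the poster's own configuration), a POSIX shell pre-flight check for the three things this mail ran into before the update script is attempted as the dhcp user: the keytab's owner and mode, the /tmp/krb5cc_<uid> cache's owner and mode, and whether the user's home from /etc/passwd is a real, writable directory. The passwd line, keytab and cache paths are constructed inputs.

```shell
#!/bin/sh
# Added example, not the wiki's dhcp-dyndns.sh nor the poster's own setup:
# pre-flight checks before running a Samba DNS update script as the
# unprivileged dhcp user. Inputs (passwd line, keytab, cache) are constructed.

# Field 3 (UID) of a passwd line such as
# "dhcp:x:300:300:user for dhcp daemon:/dev/null:/sbin/nologin".
passwd_uid() { printf '%s\n' "$1" | cut -d: -f3; }

# Field 6 (home directory) of the same passwd line.
passwd_home() { printf '%s\n' "$1" | cut -d: -f6; }

# Default MIT Kerberos credential cache for a UID, /tmp/krb5cc_<uid>.
ccache_for_uid() { printf '/tmp/krb5cc_%s\n' "$1"; }

# The poster's Krb5 context init failed with "Not a directory" while the
# dhcp user's home was /dev/null; it worked once home was a real directory.
home_is_usable() {
    h="$1"
    [ -d "$h" ] || { echo "home '$h' is not a directory"; return 1; }
    [ -w "$h" ] || { echo "home '$h' is not writable"; return 1; }
    return 0
}

# A keytab or ticket cache must belong to the service user and carry no
# group/other bits; one run as root leaves a root:root cache behind.
cred_file_ok() {
    f="$1"; u="$2"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    owner=$(stat -c '%U' "$f")
    [ "$owner" = "$u" ] || { echo "$f is owned by $owner, expected $u"; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        *00) return 0 ;;
        *)   echo "$f has mode $mode (group/other bits set)"; return 1 ;;
    esac
}

# Run every check for one passwd line, keytab and cache path; 0 only if all pass.
preflight() {
    line="$1"; keytab="$2"; cache="$3"
    user=$(printf '%s\n' "$line" | cut -d: -f1)
    rc=0
    home_is_usable "$(passwd_home "$line")" || rc=1
    cred_file_ok "$keytab" "$user" || rc=1
    cred_file_ok "$cache" "$user" || rc=1
    return $rc
}
```

Run `preflight "$(getent passwd dhcp)" /path/to/dhcpduser.keytab "$(ccache_for_uid "$(id -u dhcp)")"` as root before trying the script with runuser; each failing check names the file and what is wrong with it.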


