[Samba] DHCP dynamic updates by non-root dhcp user
Pluess, Tobias
tpluess at ieee.org
Wed Dec 13 07:39:28 UTC 2023
Good day
I have sort of a similar question. I also wanted to set up dynamic DNS
updates.
And I found that the command
net ads dns register -P
updates the computer's DNS account, and to do that, it needs neither
Kerberos nor something else, but instead uses the machine account to
authenticate itself to AD.
It does not, however, update the PTR record, unfortunately.
I experimented a bit with this and found that it worked on my Samba DC even
with secure DNS updates only, so if this is really true I propose to add a
hook script for the DHCP client that is called whenever the DHCP lease
expires, and will automatically update the DNS. I was even thinking about
adding this command to crontab and calling it every hour.
I have not yet tested this with an unprivileged account, though, but I
cannot understand why this shouldn't work, as it uses the computer account
to authenticate. So if it really works with
net ads dns register -P
why should someone even bother with complicated scripts? just let each
client do its own DNS update, as the Windows clients do?
The really awesome stuff would be if it even worked for the PTR record too.
Thanks,
best
Tobias
On Wed, 13 Dec 2023, 00:42 Peter Serbe via samba, <samba at lists.samba.org>
wrote:
> Hi all,
>
> I have (mostly) struggled my way through the documentation found at:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records.
>
> But as I am on gentoo, the DHCP daemon is run by the unprivileged user
> dhcp, which did complicate the issue way more than I imagined. The
> documentation rightfully points out to adjust the permissions of the
> keytab, that is used as a replacement of a plaintext password within the
> access of the dhcp user. But here is the first nit: it is just as important
> to adjust the permissions of the ticket cache. If one tries the script
> after failing with the restricted dhcp user account as root user (which
> does succeed, if enough care had been taken!), then the ticket cache has
> the permissions root:root - and the resulting error message, when next
> trying is with the restricted user again, is not really helpful (as most
> Kerberos error messages seem to be, at least in the eye of an inexperienced
> user as I am one).
> Btw, at least on Gentoo these caches are named as /tmp/krb5cc_xxx, where
> xxx is the UID of the owner, i.e. on my system a cache for the dhcp user
> would be named krb5cc_300. I don't know, whether the effort is justified to
> do something like this in the script. But the documentation should
> incorporate a warning to check the permissions of that file, too.
> Especially as the cache is not discussed in the text. It just appears
> within the script.
>
> But even when having done all that stuff right, the script didn't run...
>
>
> --------------------------------------------------------------------------------------------------------
> horus # runuser -u dhcp -- /usr/local/bin/dhcp-dyndns.sh delete
> 192.168.0.5 11:22:33:44:55:66
> smb_krb5_init_context_common: Krb5 context initialization failed (Not a
> directory)
> smb_krb5_context_init_basic failed (Not a directory)
> smb_krb5_init_context_common: Krb5 context initialization failed (Not a
> directory)
> smb_krb5_context_init_basic failed (Not a directory)
> gensec_gssapi_start: smb_krb5_init_context failed (Not a directory)
> gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO
> negTokenInit request
> Failed to start GENSEC client mechanism (null): NT_STATUS_INVALID_PARAMETER
> Failed to bind to uuid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxfor
> ncacn_ip_tcp:192.168.0.2[49153,sign,target_hostname=horus,abstract_syntax=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/0x00000005,localaddress=192.168.0.2]
> NT_STATUS_INVALID_PARAMETER
> ERROR: Connecting to DNS RPC server horus failed with (3221225485, 'An
> invalid parameter was passed to a service or function.')
> smb_krb5_init_context_common: Krb5 context initialization failed (Not a
> directory)
> smb_krb5_context_init_basic failed (Not a directory)
> smb_krb5_init_context_common: Krb5 context initialization failed (Not a
> directory)
> smb_krb5_context_init_basic failed (Not a directory)
> gensec_gssapi_start: smb_krb5_init_context failed (Not a directory)
> gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO
> negTokenInit request
> Failed to start GENSEC client mechanism (null): NT_STATUS_INVALID_PARAMETER
> Failed to bind to uuid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxfor
> ncacn_ip_tcp:192.168.0.2[49153,sign,target_hostname=horus,abstract_syntax=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxfor
> /0x00000005,localaddress=192.168.0.2] NT_STATUS_INVALID_PARAMETER
> ERROR: Connecting to DNS RPC server horus failed with (3221225485, 'An
> invalid parameter was passed to a service or function.')
>
> --------------------------------------------------------------------------------------------------------
>
> After having found out that 'normal' users could do the update, I finally
> modified /etc/passwd from
>
>
> --------------------------------------------------------------------------------------------------------
> dhcp:x:300:300:user for dhcp daemon:/dev/null:/sbin/nologin
>
> --------------------------------------------------------------------------------------------------------
>
> to
>
>
> --------------------------------------------------------------------------------------------------------
> dhcp:x:300:300:user for dhcp daemon:/var/lib/dhcp:/sbin/nologin
>
> --------------------------------------------------------------------------------------------------------
>
> where the dhcp user has rwx rights. The script now runs as
>
>
> --------------------------------------------------------------------------------------------------------
> horus /etc # runuser -u dhcp -- /usr/local/bin/dhcp-dyndns.sh delete
> 192.168.41.65 50:3e:aa:01:6e:10
> Record deleted successfully
> Record deleted successfully
>
> --------------------------------------------------------------------------------------------------------
>
> So I would strongly suggest to add this hint to the documentation, too, as
> it may be pretty helpful for those trying to get this running with a non-root
> dhcp user.
>
> Best regards
> Peter
>
> PS:
> Many thanks go out to Rowland for exploring this option - and giving us
> both that script and the notes on how to use it.
>
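Added preflight wrapper for the situation described in the quoted report (not the wiki's dhcp-dyndns.sh and not code from either poster): before handing off to the hook script it checks the three things that bit the non-root dhcp user above, namely a home directory that is not a real directory (/dev/null), a credential cache in /tmp/krb5cc_<uid> left behind by root, and a keytab the user cannot read or that everyone can read. The keytab path and hook path are assumptions.

```shell
#!/bin/sh
# Preflight checks for running a Samba DNS update hook as an unprivileged user.
# Assumed locations (not from the thread): adjust to your installation.
KEYTAB="${KEYTAB:-/etc/dhcp/dhcpduser.keytab}"
DYNDNS_SCRIPT="${DYNDNS_SCRIPT:-/usr/local/bin/dhcp-dyndns.sh}"

# Kerberos default credential cache for this UID (/tmp/krb5cc_<uid>),
# unless KRB5CCNAME points somewhere else.
default_ccache() {
    case "${KRB5CCNAME:-}" in
        "")     printf '/tmp/krb5cc_%s\n' "$(id -u)" ;;
        FILE:*) printf '%s\n' "${KRB5CCNAME#FILE:}" ;;
        *)      printf '%s\n' "$KRB5CCNAME" ;;
    esac
}

# HOME must be a writable directory; /dev/null gave "Not a directory" above.
check_home() { [ -d "$1" ] && [ -w "$1" ]; }

# An existing cache must be owned by us, or kinit cannot replace it.
# A missing cache is fine: kinit will create it.
check_ccache() { [ ! -e "$1" ] || [ -O "$1" ]; }

# The keytab must be readable by us and must not be world-readable
# (it stands in for the DHCP user's password).
check_keytab() {
    [ -r "$1" ] || return 1
    [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

preflight() {
    rc=0
    check_home "${HOME:-/}" || { echo "HOME '$HOME' is not a writable directory" >&2; rc=1; }
    cc=$(default_ccache)
    check_ccache "$cc" || { echo "ticket cache $cc is owned by another user" >&2; rc=1; }
    check_keytab "$KEYTAB" || { echo "keytab $KEYTAB unreadable or world-readable" >&2; rc=1; }
    return $rc
}

# Called like the hook itself: add|delete <ip> <mac>. With no arguments only
# the usage line is printed so the functions can be sourced for testing.
if [ $# -eq 0 ]; then
    echo "usage: $0 add|delete <ip> <mac>" >&2
else
    preflight "$@" || exit 1
    exec "$DYNDNS_SCRIPT" "$@"
fi
```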