[Samba] DHCP dynamic updates by non-root dhcp user

Rowland Penny rpenny at samba.org
Wed Dec 13 08:06:52 UTC 2023


On Wed, 13 Dec 2023 00:16:58 +0100 (CET)
Peter Serbe via samba <samba at lists.samba.org> wrote:

> Hi all,
> 
> I have (mostly) struggled my way through the documentation found at:
> 
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records.
> 
> But as I am on Gentoo, the DHCP daemon is run by the unprivileged
> user dhcp, which complicated the issue way more than I imagined.
> The documentation rightfully points out that the permissions of the
> keytab, which is used as a replacement for a plaintext password, have
> to be adjusted so that the dhcp user can access it. But here is the
> first nit: it is just as important to adjust the permissions of the
> ticket cache. If one tries the script, after failing with the
> restricted dhcp user account, as the root user (which does succeed,
> if enough care has been taken!), then the ticket cache has the
> permissions root:root - and the resulting error message, when next
> trying with the restricted user again, is not really helpful (as most
> Kerberos error messages seem to be, at least in the eyes of an
> inexperienced user such as I am). Btw, at least on Gentoo these
> caches are named /tmp/krb5cc_xxx, where xxx is the UID of the owner,
> i.e. on my system a cache for the dhcp user would be named
> krb5cc_300. I don't know whether the effort is justified to do
> something like this in the script. But the documentation should
> incorporate a warning to check the permissions of that file, too.
> Especially as the cache is not discussed in the text. It just appears
> within the script.
> 
> But even when having done all that stuff right, the script didn't
> run...
> 
> --------------------------------------------------------------------------------------------------------
> horus # runuser -u dhcp -- /usr/local/bin/dhcp-dyndns.sh delete 192.168.0.5 11:22:33:44:55:66
> smb_krb5_init_context_common: Krb5 context initialization failed (Not a directory)
> smb_krb5_context_init_basic failed (Not a directory)
> smb_krb5_init_context_common: Krb5 context initialization failed (Not a directory)
> smb_krb5_context_init_basic failed (Not a directory)
> gensec_gssapi_start: smb_krb5_init_context failed (Not a directory)
> gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
> Failed to start GENSEC client mechanism (null): NT_STATUS_INVALID_PARAMETER
> Failed to bind to uuid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx for ncacn_ip_tcp:192.168.0.2[49153,sign,target_hostname=horus,abstract_syntax=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/0x00000005,localaddress=192.168.0.2] NT_STATUS_INVALID_PARAMETER
> ERROR: Connecting to DNS RPC server horus failed with (3221225485, 'An invalid parameter was passed to a service or function.')
> smb_krb5_init_context_common: Krb5 context initialization failed (Not a directory)
> smb_krb5_context_init_basic failed (Not a directory)
> smb_krb5_init_context_common: Krb5 context initialization failed (Not a directory)
> smb_krb5_context_init_basic failed (Not a directory)
> gensec_gssapi_start: smb_krb5_init_context failed (Not a directory)
> gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
> Failed to start GENSEC client mechanism (null): NT_STATUS_INVALID_PARAMETER
> Failed to bind to uuid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx for ncacn_ip_tcp:192.168.0.2[49153,sign,target_hostname=horus,abstract_syntax=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/0x00000005,localaddress=192.168.0.2] NT_STATUS_INVALID_PARAMETER
> ERROR: Connecting to DNS RPC server horus failed with (3221225485, 'An invalid parameter was passed to a service or function.')
> --------------------------------------------------------------------------------------------------------
> 
> After having found out that 'normal' users could do the update, I
> finally modified /etc/passwd from
> 
> --------------------------------------------------------------------------------------------------------
> dhcp:x:300:300:user for dhcp daemon:/dev/null:/sbin/nologin
> --------------------------------------------------------------------------------------------------------
> 
> to
> 
> --------------------------------------------------------------------------------------------------------
> dhcp:x:300:300:user for dhcp daemon:/var/lib/dhcp:/sbin/nologin
> --------------------------------------------------------------------------------------------------------
> 
> where the dhcp user has rwx rights. The script now runs as
> 
> --------------------------------------------------------------------------------------------------------
> horus /etc # runuser -u dhcp -- /usr/local/bin/dhcp-dyndns.sh delete 192.168.41.65 50:3e:aa:01:6e:10
> Record deleted successfully
> Record deleted successfully
> --------------------------------------------------------------------------------------------------------
> 
> So I would strongly suggest adding this hint to the documentation,
> too, as it may be pretty helpful for those trying to get this running
> with a non-root dhcp user.
> 
> Best regards
> Peter
> 
> PS:
> Many thanks go out to Rowland for exploring this option - and giving
> us both that script and the notes on how to use it.
> 

I have never heard of the script being run on Gentoo before, I am glad
you got it to work.

I will add updating the wiki page to my to-do list.

Rowland
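The three things Peter ran into (a home directory that is not a real directory, a keytab the service user cannot read, and a root-owned ticket cache left behind by a test run as root) can be checked before the wiki's script is ever invoked as the dhcp user. The preflight below is an added example; it is not part of this thread nor of the Samba wiki's dhcp-dyndns.sh. It assumes GNU coreutils stat, the /tmp/krb5cc_<uid> cache naming Peter observed (the directory is a parameter), and that the keytab and cache should be mode 600 or 400 and owned by the service user; the keytab path is an argument, not a known location.

```shell
#!/bin/sh
# Added example, not the wiki's dhcp-dyndns.sh: preflight checks before
# running that script as an unprivileged service user such as "dhcp".
# Assumptions (not from the thread): GNU coreutils `stat`; the ticket cache
# lives at <ccdir>/krb5cc_<uid> (default /tmp) as observed on Gentoo; the
# keytab and cache should be mode 600 or 400 and owned by the service user.

# The user's home must be a real directory: with /dev/null as the home,
# Samba's Kerberos context initialisation fails with "Not a directory".
check_home() {
    home="$1"
    if [ ! -d "$home" ]; then
        echo "home '$home' is not a directory" >&2
        return 1
    fi
    return 0
}

# A file holding key material must be owned by the service user and be
# readable by nobody else (mode 600 or 400, an assumed policy).
check_private_file() {
    f="$1"
    uid="$2"
    if [ ! -e "$f" ]; then
        echo "$f: missing" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$f") || return 1
    mode=$(stat -c '%a' "$f") || return 1
    if [ "$owner" != "$uid" ]; then
        echo "$f: owned by uid $owner, expected uid $uid" >&2
        return 1
    fi
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f: mode $mode is too permissive" >&2; return 1 ;;
    esac
}

# A credential cache left behind by a test run as root is owned by root
# and blocks the service user. An absent cache is fine: kinit creates it.
check_ccache() {
    uid="$1"
    ccdir="${2:-/tmp}"
    cc="$ccdir/krb5cc_$uid"
    if [ ! -e "$cc" ]; then
        return 0
    fi
    check_private_file "$cc" "$uid"
}

# Run all three checks for a named user and a keytab path.
preflight() {
    user="$1"
    keytab="$2"
    entry=$(getent passwd "$user") || { echo "no such user: $user" >&2; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    check_home "$home" && check_private_file "$keytab" "$uid" && check_ccache "$uid"
}

# Usage (keytab path is a placeholder): sh preflight.sh dhcp /path/to/keytab
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it as root right before the first `runuser -u dhcp -- /usr/local/bin/dhcp-dyndns.sh ...` attempt; every failing check prints the offending path and why, which is more to the point than the NT_STATUS_INVALID_PARAMETER cascade the script itself produces.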


