[Samba] DHCP dynamic updates by non-root dhcp user

Pluess, Tobias tpluess at ieee.org
Wed Dec 13 08:44:03 UTC 2023


Hi Rowland
I was not aware that it uses Kerberos in the background, because for "net
ads dns register -P" I absolutely don't need to enter any passwords or
kinit or whatever. It just works, very good.

> Care to write the required code ?
Would do if I knew where to start.

thanks,
best
Tobias


On Wed, Dec 13, 2023 at 9:13 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Wed, 13 Dec 2023 08:39:28 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
> > Good day
> >
> > I have sort of a similar question. I also wanted to set up dynamic DNS
> > updates.
> > And I found that the command
> >
> > net ads dns register -P
> >
> > updates the computer's DNS account, and to do that, it needs neither
> > Kerberos nor something else, but instead uses the machine account to
> > authenticate itself to AD.
>
> ER, what do you think the machine account uses ?
> Could it be kerberos ?????
>
> >
> > It does not, however, update the PTR record, unfortunately.
>
> That's why you need the script.
>
> >
> > I experimented a bit with this and found that it worked on my Samba
> > DC even with secure DNS updates only, so if this is really true I
> > propose to add a hook script for the DHCP client that is called
> > whenever the DHCP lease expires, and will automatically update the
> > DNS. I was even thinking about adding this command to crontab and
> > calling it every hour.
> >
> > I have not yet tested this with an unprivileged account, though, but I
> > cannot understand why this shouldn't work, as it uses the computer
> > account to authenticate. So if it really works with
> >
> > net ads dns register -P
> >
> > why should someone even bother with complicated scripts? Just let each
> > client do its own DNS update, as the Windows clients do?
>
> Because Linux clients cannot update all their records, unlike Windows
> clients that can, also the script first started back in about 2014.
> If there is a better way of getting Unix clients to update their own
> records, then I am very willing to listen.
>
> >
> > The really awesome stuff would be if it even worked for the PTR
> > record too.
>
> Care to write the required code ?
>
> Rowland