Win 2003 SP2 Dynamic DNS update.
Patrik Martinsson
Patrik.Martinsson at smhi.se
Mon Aug 9 07:09:45 MDT 2010
Hello everyone,
I'm having some deep issues with dynamic DNS updates and figured I would
give this list a try. I know this is more of a devel list, but I figured
my problem is on a quite deep technical level, so it would fit here; hope
you don't mind.
Here's my setup:
We have a Windows 2003 SP2 AD/DNS/DHCP server.
We have a zone for clients that only allows signed DNS updates; today
only Windows clients are in this zone, and now I want to put Linux clients in
here too.
Before, we had another zone that allowed insecure dynamic updates, and
that is where all our Linux clients would go; on every connect/DHCP lease
they would manually, through scripts, update their DNS entry (with nsupdate).
Kerberos is configured on all our clients, and at logon time a user will
get a ticket.
Hope that is enough on the background setup...?
So, here's the case.
I've set up samba on the clients; I've successfully got it to create a
machine account in the AD, and thereafter it actually updates the DNS
with an entry as expected.
This I'm doing with the following command:
'net ads join createupn=host/$HOSTNAME@XX.XXXX.XX
createcomputer="foo/bar/baz" osName="Linux Red Hat Workstation"
osVer="6" -U foo%bar'
Important note:
Sometimes, though, this command partly fails, saying this:
Using short domain name -- XXXX
Joined 'CLIENT' to realm 'xx.xxxx.xx'
[2010/08/09 15:04:59.082626, 0]
libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password CLIENT$@XX.XXXX.XX failed: Client not found
in Kerberos database
DNS update failed!
I don't understand why it does this only sometimes and not always, and as
far as I can see, everything is normal (machine account is created and
keytab is written).
HOWEVER, and this is my problem,
if I, after the DNS record has been deleted from the DNS (if the DNS
server doesn't get any updates on the record it will eventually delete
it), try to update the DNS record manually with the following command,
'net ads dns register -Ufoo%bar'
I always end up with
'DNS update failed!'
So, I started digging in the source and found out that it's failing
somewhere in the signing part of utils/net_dns.c; I dug deeper and
ended up in libaddns/dnsgss.c, where I added some prints in the hope of
detecting where it would fail, and strangely enough (at least for me, but
I'm no expert) it failed at different places every time I ran it.
When 'net' queries our DNS for nameservers, the DNS responds with 5
nameservers (dig NS xx @xx), which could explain why it fails
differently, depending on which nameserver comes first in the list;
however, these servers should be replicated and look the same, AND even
if I run the command multiple times and I know for sure that 'net' tries to
update the same DNS, it fails differently (I added prints in net that
tell me which DNS it actually tries to update, so I would know for sure).
Here's what I'm talking about.
On the first run of 'net ads dns register -Ufoo%bar' it fails here,
libaddns/dnsgss.c @163,
    if ((major != GSS_S_COMPLETE) &&
        (major != GSS_S_CONTINUE_NEEDED)) {
        d_printf("\nFAILED @GSS_S_COMPLETE/GSS_S_CONTINUE_NEEDED\n");
        return ERROR_DNS_GSS_ERROR;
    }
The next time I run it AND it tries to update the SAME DNS as before (a
couple of runs later, because the NS list is in random order), it fails
here,
libaddns/dnsgss.c @191,
    if ((resp->num_additionals != 1) ||
        (resp->num_answers == 0) ||
        (resp->answers[0]->type != QTYPE_TKEY)) {
        d_printf("\nFAILED @DNS_ID/KEY\n");
        err = ERROR_DNS_INVALID_MESSAGE;
        goto error;
    }
And here I'm stuck, hoping for some help, tips, pointers etc.
One question that comes to my mind is that, after doing the 'net join'
command, I got a keytab with a host/client user principal, which is
cool; however, when doing the net dns register command, shouldn't that be
using that keytab file? As I wrote earlier, I use the '-U' flag to
specify a user/password rather than using the host keytab entry... But
maybe I'm mistaken here; I'm really new to Kerberos and, to be honest, I
find it _very_ hard and confusing at the moment, but maybe the picture
will clear up later on....
Here are my config files:
# /etc/samba/smb.conf
[global]
    realm = XX.XXXX.XX
    security = ADS
    encrypt passwords = yes
    workgroup = XXXX
    kerberos method = secrets and keytab
# /etc/krb5.conf
[libdefaults]
    default_realm = XX.XXXX.XX
    clockskew = 300
    # I've tried with both true/false here.
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = true
    allow_weak_crypto = true
[realms]
    XX.XXXX.XX = {
        default_domain = xx.xxxx.xx
        kdc = xx.xxxx.xx
        admin_server = xx.xxxx.xx
    }
[domain_realm]
    .ad.smhi.se = XX.XXXX.XX
    .smhi.se = XX.XXXX.XX
Anyway, I know this is a long email and a lot of questions, but I hope
that somebody could clear things up for me.
Best regards,
Patrik Martinsson, Sweden.
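The check at libaddns/dnsgss.c @191 quoted in the post rejects the server's TKEY reply unless it carries exactly one additional record (the TSIG), at least one answer, and a first answer of type TKEY. As an added example, not part of the original post and not Samba's code, here is a small Python parser that applies those same three conditions to a raw DNS response and names the first one that fails, so a reply captured from a failing 'net ads dns register' run can be checked offline. The messages it is run on are constructed here; QTYPE_TKEY = 249 and TSIG = 250 are the IANA type numbers, and the rdata bytes are placeholders rather than real GSS tokens.

```python
"""Validate a DNS TKEY response with the three conditions from Samba's
libaddns/dnsgss.c (@191): exactly one additional record, at least one
answer, and a first answer of type TKEY.

Added example, not Samba code. The messages below are constructed so the
check runs offline; a real response would come from a capture of the
'net ads dns register' exchange.
"""
import struct

QTYPE_TKEY = 249  # RFC 2930
QTYPE_TSIG = 250  # RFC 2845
CLASS_ANY = 255


def _read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels = []
    end = None  # offset right after the first compression pointer, if any
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_dns_message(msg):
    """Parse header, question and all three RR sections of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    questions = []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    sections = {}
    for key, count in (("answers", an), ("authority", ns), ("additionals", ar)):
        rrs = []
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rrs.append({"name": name, "type": rtype, "class": rclass,
                        "ttl": ttl, "rdata": msg[off:off + rdlen]})
            off += rdlen
        sections[key] = rrs
    return {"id": ident, "flags": flags, "questions": questions, **sections}


def check_tkey_response(msg):
    """Return the first failing dnsgss.c condition as a string, or None if all pass."""
    resp = parse_dns_message(msg)
    if len(resp["additionals"]) != 1:
        return "num_additionals != 1"
    if len(resp["answers"]) == 0:
        return "num_answers == 0"
    if resp["answers"][0]["type"] != QTYPE_TKEY:
        return "answers[0]->type != QTYPE_TKEY"
    return None


def _encode_name(name):
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"


def build_response(ident, answers, additionals, qname="1234.client.example"):
    """Constructed TKEY response: one TKEY/ANY question, then the given (type, rdata) RRs.
    RR owner names use a pointer (0xC00C) back to the question name at offset 12."""
    hdr = struct.pack("!6H", ident, 0x8400, 1, len(answers), 0, len(additionals))
    body = _encode_name(qname) + struct.pack("!HH", QTYPE_TKEY, CLASS_ANY)
    for rtype, rdata in answers + additionals:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_ANY, 0, len(rdata)) + rdata
    return hdr + body


# Constructed samples (the rdata bytes are placeholders, not real GSS tokens).
GOOD_RESPONSE = build_response(0x1234, [(QTYPE_TKEY, b"\x00" * 8)], [(QTYPE_TSIG, b"\x00" * 4)])
NO_TSIG_RESPONSE = build_response(0x1235, [(QTYPE_TKEY, b"\x00" * 8)], [])
NO_ANSWER_RESPONSE = build_response(0x1236, [], [(QTYPE_TSIG, b"\x00" * 4)])
WRONG_TYPE_RESPONSE = build_response(0x1237, [(1, b"\x7f\x00\x00\x01")], [(QTYPE_TSIG, b"\x00" * 4)])

if __name__ == "__main__":
    for label, sample in (("good", GOOD_RESPONSE), ("no tsig", NO_TSIG_RESPONSE),
                          ("no answer", NO_ANSWER_RESPONSE), ("wrong type", WRONG_TYPE_RESPONSE)):
        print(f"{label}: {check_tkey_response(sample) or 'OK'}")
```

Run against a real capture, pass the UDP/TCP payload bytes of the server's reply to check_tkey_response(); whichever condition it names is the part of the reply to look at, which narrows the 'FAILED @DNS_ID/KEY' print down to a missing TSIG, an empty answer section, or an unexpected record type.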