ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS

UPDATE 2016: I have posted a much simpler way that works with DNS delegations so that you can have your domain controllers maintain the records necessary for their discovery in Microsoft DNS, while all your clients are in a BIND DNS server which can be easily interfaced with ISC DHCPd.

ISC DHCPd can perform Dynamic DNS updates against servers like BIND that support shared-key (TSIG) authentication, or against any server that accepts unauthenticated updates (such as BIND or Microsoft DNS with secure updates disabled).

So, what to do if you want to run ISC DHCPd on your Windows network, which is obviously running Microsoft’s DNS server? BIND’s nsupdate tool supports Microsoft’s Kerberos-based authentication scheme (GSS-TSIG) when using the -g flag (the -o flag is only necessary for Windows 2000 Server, but not anymore for Windows Server 2008 R2), and DHCPd supports on commit/release/expiry blocks that let you run scripts upon these events. So here is my script:

#!/bin/bash

## CONFIGURATION ##

realm=EXAMPLE.COM
principal=dhcpduser@$realm
keytab=/root/dhcpduser.keytab
domain=example.com
ns=example-domain01.example.com

# credential cache shared by kinit, klist and nsupdate
export KRB5CCNAME="/tmp/dhcp-dyndns.cc"

# keytab can be generated using
#
# $ ktutil
# ktutil: addent -password -p dhcpduser@EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
# Password for dhcpduser@EXAMPLE.COM:
# ktutil: wkt dhcpduser.keytab
# ktutil: quit

## VARIABLES ##

action=$1
ip=$2
name=$(echo $3 | awk -F '.' '{print $1}')   # first label of the client-supplied name only
mac=$4

usage()
{
  echo "USAGE:"
  echo $0 add 192.0.2.123 testhost 00:11:22:33:44:55
  echo $0 add 192.168.0.127 "" 00:11:22:44:33:55
  echo $0 delete 192.0.2.123 testhost 00:11:22:33:44:55
  echo $0 delete 192.0.2.127 "" 00:11:22:44:33:55
}

if [ "$ip" = "" ]; then
  echo "IP missing"
  usage
  exit 101
fi
if [ "$name" = "" ]; then
  #echo "name missing"
  #usage
  #exit 102
  # client sent no hostname: fall back to dhcp-A-B-C-D
  name=$(echo $ip | awk -F '.' '{print "dhcp-"$1"-"$2"-"$3"-"$4}')

  if [ "$action" = "delete" ]; then
    # on delete, use whatever name is currently registered for the IP
    name=$(host $ip | awk '{print $5}' | awk -F '.' '{print $1}')

    # nothing registered for this IP, so there is nothing to delete
    echo $name | grep NXDOMAIN 2>&1 >/dev/null
    if [ "$?" = "0" ]; then
      exit 0;
    fi
  fi
fi

# owner name of the reverse record, e.g. 123.2.0.192.in-addr.arpa
ptr=$(echo $ip | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')

## KERBEROS ##

#export LD_LIBRARY_PATH=/usr/local/krb5-1.7/lib
#export PATH=/usr/local/krb5-1.7/bin:$PATH

# Ticket lines in klist output look like
#   01/16/12 10:30:34  01/16/12 20:30:35  krbtgt/EXAMPLE.COM@EXAMPLE.COM
# so fields 3 and 4 are the "Expires" column; take the soonest expiry.
klist 2>&1 | grep $realm | grep '/' > /dev/null
if [ "$?" = 1 ]; then
  expiration=0
else
  expiration=$(klist | grep $realm | grep '/' | awk -F ' ' '{system ("date -d \""$3" "$4"\" +%s")}' | sort -n | head -n 1)
fi

now=$(date +%s)
if [ "$now" -ge "$expiration" ]; then
  echo "Getting new ticket, old one expired $expiration, now is $now"
  # -F requests a non-forwardable ticket, see the note on krb5 1.8 below
  kinit -F -k -t $keytab $principal
fi

## NSUPDATE ##

case "$action" in
  add)
    echo "Setting $name.$domain to $ip on $ns"

    # if the IP currently points at a different name, remove that stale A record as well
    oldname=$(host $ip $ns | grep "domain name pointer" | awk '{print $5}' | awk -F '.' '{print $1}')
    if [ "$oldname" = "" ]; then
      oldname=$name
    elif [ "$oldname" = "$name" ]; then
      oldname=$name
    else
      echo "Also deleting $oldname A record"
    fi

    nsupdate -g <<UPDATE
server $ns
realm $realm
update delete $oldname.$domain 3600 A
update delete $name.$domain 3600 A
update add $name.$domain 3600 A $ip
send
UPDATE
    result1=$?
    nsupdate -g <<UPDATE
server $ns
realm $realm
update delete $ptr 3600 PTR
update add $ptr 3600 PTR $name.$domain
send
UPDATE
    result2=$?
    ;;

  delete)
    echo "Deleting $name.$domain to $ip on $ns"
    nsupdate -g <<UPDATE
server $ns
realm $realm
update delete $name.$domain 3600 A
send
UPDATE
    result1=$?
    nsupdate -g <<UPDATE
server $ns
realm $realm
update delete $ptr 3600 PTR
send
UPDATE
    result2=$?
    ;;
  *)
    echo "Invalid action specified"
    exit 103
    ;;
esac

# two digits: exit status of the forward update followed by that of the reverse update
result=$result1$result2
if [ "$result" != "00" ]; then
  echo "DHCP-DNS Update failed: $result"
  logger "DHCP-DNS Update failed: $result"
fi

exit $result
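As an added example (not code from the original post), here is the ticket-lifetime check of the script above factored into functions that can be exercised offline: earliest_expiry parses MIT klist output for one realm and prints the soonest "Expires" timestamp as epoch seconds (0 when no ticket is cached), and needs_kinit applies the same comparison the script makes before calling kinit. The klist output below is constructed, EXAMPLE.COM is an assumed realm, and the timestamps are interpreted in UTC so that the result does not depend on the machine's time zone; the script itself lets date -d use the local zone, which is what you want in production.

```shell
#!/bin/bash
# Added example: decide whether the cached Kerberos ticket needs renewing,
# based on klist output. Not part of the original dhcp-dyndns.sh script.

REALM=EXAMPLE.COM   # assumed realm, as in the script's configuration block

# Constructed klist output (not captured from a real host). Ticket lines carry
# the realm; "renew until" lines do not and are ignored, as are the header lines.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/dhcp-dyndns.cc
Default principal: dhcpduser@EXAMPLE.COM

Valid starting     Expires            Service principal
01/16/12 10:30:34  01/16/12 20:30:35  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 01/17/12 10:30:34
01/16/12 10:56:05  01/16/12 18:00:00  DNS/dc01.example.com@EXAMPLE.COM
	renew until 01/17/12 10:30:34'

# earliest_expiry REALM   (klist output on stdin)
# Prints the soonest "Expires" timestamp among the realm's tickets as epoch
# seconds, or 0 when no ticket is cached. Fields of a ticket line are:
# $1 $2 = valid starting, $3 $4 = expires, $5 = service principal.
earliest_expiry() {
  local realm="$1" line epoch earliest=""
  while IFS= read -r line; do
    case "$line" in
      *"$realm"*) ;;
      *) continue ;;
    esac
    set -- $line
    case "${3:-}" in
      */*/*) ;;          # a date in the Expires column; skips "Default principal:"
      *) continue ;;
    esac
    # UTC keeps this demo deterministic; the real script uses the local zone
    epoch=$(TZ=UTC date -d "$3 $4" +%s 2>/dev/null) || continue
    if [ -z "$earliest" ] || [ "$epoch" -lt "$earliest" ]; then
      earliest=$epoch
    fi
  done
  echo "${earliest:-0}"
}

# needs_kinit NOW EXPIRY -> true when the ticket is missing or has expired
needs_kinit() {
  [ "$1" -ge "$2" ]
}

demo() {
  local expiry
  expiry=$(printf '%s\n' "$SAMPLE_KLIST" | earliest_expiry "$REALM")
  echo "soonest expiry: $expiry"
  if needs_kinit "$(date +%s)" "$expiry"; then
    echo "ticket expired or missing: the script would run kinit -F -k -t \$keytab \$principal"
  else
    echo "ticket still valid"
  fi
}

demo
```

In a real deployment you would feed earliest_expiry with `klist 2>/dev/null | earliest_expiry "$realm"`; picking the soonest expiry rather than the krbtgt's matters because the DNS service ticket nsupdate obtains can expire before the TGT does.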

and here is the relevant part of my dhcpd.conf:

on commit {
  set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
  set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
  set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
  set ClientName = pick-first-value(option host-name, host-decl-name, config-option host-name, noname);
  log(concat("Commit: IP: ", ClientIP, " Mac: ", ClientMac, " Name: ", ClientName));

  execute("/root/dhcp-dyndns.sh", "add", ClientIP, ClientName, ClientMac);
}
on release {
  set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
  set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
  log(concat("Release: IP: ", ClientIP, " Mac: ", ClientMac));

  # cannot get a ClientName here, for some reason that always fails

  execute("/root/dhcp-dyndns.sh", "delete", ClientIP, "", ClientMac);
}
on expiry {
  set ClientIP = binary-to-ascii(10, 8, ".", leased-address);

  # cannot get a ClientMac here, apparently this only works when actually receiving a packet

  log(concat("Expired: IP: ", ClientIP));

  # cannot get a ClientName here, for some reason that always fails

  execute("/root/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}

Figuring this all out took me several afternoons because Kerberos 5 1.8 has a bug where forwardable tickets (which is the default on Debian) are incompatible with nsupdate. Manually compiling 1.7 or getting 1.9 from the experimental Debian branch helps, as does adding the -F flag to kinit (which I did in the script above) to make the ticket non-forwardable.
I filed a bug with Debian (#611906) and Sam Hartman (thanks!) helped me track it down.

EDIT 2011-11-17:
I recently ran into the issue that if the AD server could not be reached, dhcpd would stall (and not respond to DHCP requests during that time) until nsupdate reached its timeout. The fix is simple: rename dhcp-dyndns.sh to dhcp-dyndns-real.sh and create dhcp-dyndns.sh with the following contents to fork off the real script into the background:
#!/bin/bash

# hand off to the renamed real script in the background, so dhcpd is not
# blocked while nsupdate waits on an unreachable AD server
"$(dirname "$0")"/dhcp-dyndns-real.sh "$@" 2>&1 | logger &

Also, I updated the on commit section in the dhcpd.conf excerpt above to compose a fallback name from the IP address if the client provides no hostname. This fixes the issue that nsupdate tries to register a record based on the name and fails.
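Added example, not part of the original post or of ISC DHCP: the record-name handling of the script above with the client's host-name treated as untrusted input. DHCP clients choose their own host-name option, so a value that is not a plain hostname label (spaces, a leading hyphen, more than 63 characters, anything nsupdate could read as part of its own command syntax) falls back to the dhcp-A-B-C-D name instead of being interpolated into the update batch, which is where this departs from the script. example.com, example-domain01.example.com and EXAMPLE.COM are the script's placeholder values; add_batch and ptr_batch print the same batches the script feeds to nsupdate -g, so the output can be inspected or piped on.

```shell
#!/bin/bash
# Added example: record-name handling for a DHCP-driven DNS update, with the
# client-supplied hostname validated before it reaches nsupdate. Not part of
# the original dhcp-dyndns.sh script or of ISC DHCP.

# Placeholder values from the script's configuration block.
REALM=EXAMPLE.COM
DOMAIN=example.com
NS=example-domain01.example.com

# first_label NAME -> text before the first dot (what the script registers)
first_label() {
  printf '%s\n' "${1%%.*}"
}

# valid_label NAME -> 0 if NAME is a single RFC 1123 hostname label:
# letters, digits and hyphens, 1..63 characters, no leading or trailing hyphen.
# Anything else (spaces, quotes, newlines) could change the meaning of the
# nsupdate batch it is interpolated into, so it is refused.
valid_label() {
  local n="$1"
  [ -n "$n" ] && [ "${#n}" -le 63 ] || return 1
  case "$n" in
    -*|*-) return 1 ;;
    *[!A-Za-z0-9-]*) return 1 ;;
  esac
  return 0
}

# fallback_name IP -> dhcp-A-B-C-D, the name used when the client sends none
fallback_name() {
  printf 'dhcp-%s\n' "$(printf '%s' "$1" | tr . -)"
}

# ptr_name IP -> owner name of the reverse (PTR) record for a dotted-quad IPv4
ptr_name() {
  set -- $(printf '%s' "$1" | tr . ' ')
  printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# record_name IP CLIENT_NAME -> the validated first label of CLIENT_NAME,
# or the IP-derived fallback when the client sent nothing usable
record_name() {
  local ip="$1" label
  label=$(first_label "$2")
  if valid_label "$label"; then
    printf '%s\n' "$label"
  else
    fallback_name "$ip"
  fi
}

# add_batch IP NAME [OLDNAME] -> forward-zone nsupdate commands, same shape as
# the script's heredoc; OLDNAME is a stale record found via the IP's PTR.
# Pipe the output into "nsupdate -g" to apply it.
add_batch() {
  local ip="$1" name="$2" oldname="${3:-$2}"
  cat <<UPDATE
server $NS
realm $REALM
update delete $oldname.$DOMAIN 3600 A
update delete $name.$DOMAIN 3600 A
update add $name.$DOMAIN 3600 A $ip
send
UPDATE
}

# ptr_batch IP NAME -> reverse-zone nsupdate commands
ptr_batch() {
  cat <<UPDATE
server $NS
realm $REALM
update delete $(ptr_name "$1") 3600 PTR
update add $(ptr_name "$1") 3600 PTR $2.$DOMAIN
send
UPDATE
}

demo() {
  local ip=192.0.2.123 client name
  for client in testhost 'testhost.example.com' '' 'bad host' '-lead'; do
    name=$(record_name "$ip" "$client")
    printf 'client host-name %-22s -> registers %s\n' "'$client'" "$name"
  done
  add_batch "$ip" "$(record_name "$ip" testhost)"
  ptr_batch "$ip" "$(record_name "$ip" testhost)"
}

demo
```

Syntax validation only guarantees that the batch says what you meant; it does not stop a client from claiming another host's name. The limit on that comes from the DNS server's permissions, which is why it matters that the update account is a plain user that can only modify records it created, as described in the comments below.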

93 thoughts on “ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS”

  1. Bill Smith

    Hi Michael,

    I am trying to get Linux DHCP to dynamically update Microsoft (2008 R2) DNS when the DNS Service is in Secure updates only mode.

    I was pointed in the direction of your script which would seem to do the job and I have to ask the following questions:

    1) Did you encounter any further problems that you have either not yet resolved or have not published the resolution?

    2) Can I use your script in a commercial environment please?

    Regards

    Bill

  2. Michael Kuron Post author

    Hi Bill,

    I just updated my post with two changes I made a few days ago: one fixes an issue so that dhcpd doesn’t pause until nsupdate finishes, the other one makes sure that clients that don’t provide a hostname in their DHCP request are registered with an automatically-generated fallback name.
    Also, I just noticed that the “nsupdate -g <<UPDATE” lines were screwed up by WordPress, but they’re correct now.
    Other than that, I am not aware of any issues with my solution.

    You can use the script for whatever you like (but if you publish it somewhere else, I expect that you cite the source).
    Please do note that I accept no responsibility for the functionality, security or anything else related to the sample code, how-to guides, etc. on my blog. You’re entirely on your own if you use it in a production environment. I’m publishing this because it works for me, but your mileage may vary.

    That being said, I’d appreciate if you could let me know how my script works out for you and if you find any bugs.

  3. Bill Smith

    Hi
    Thanks for the response – it turns out that I can only use part of the script but I will cite the source anyway. One of the biggest problems I ran into was that klist was returning $? = 1 no matter what parameters I used – turns out that SELinux prevents non-interactive shells read access to /tmp so I couldn't read the cache file.

  4. Bill Smith

    Michael

    I need some help please – the script is failing. When I run nsupdate from the command line, I am getting the error TSIG error with server: tsig verify failure

    Any help appreciated

  5. Michael Kuron Post author

    Could be anything, you need to be a bit more specific there. What version of the Kerberos library and nsupdate/bind are you running? Does Kerberos work in general (test it using e.g. smbclient)? Do you get anything more specific when running nsupdate with -vvvd (verbose+debug)?
    If you provide some more details, I’ll see whether I can help.

  6. Bill Smith

    Hi
    Thanks very much for the offer of help – really needed.

    I have a user in my Windows Domain called DDNS1.
    I have generated a Kerberos ticket for this user.
    If I try to use nsupdate from the command line, it fails with the error I mentioned.

    My questions are:
    1) How do I get the version of nsupdate.
    2) How does nsupdate know what credentials to use for the updates.
    3) Where are the kerberos tickets stored i.e. do I need to point nsupdate at that store and, if so, how do I do this

    Cheers

  7. Michael Kuron Post author

    export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
    This points kinit, klist, nsupdate, … at the correct credential cache.
    kinit -F -k -t $keytab $principal
    This obtains the ticket and stores it in the keytab mentioned above.
    So for testing, execute the script, then do export KRB5CCNAME="/tmp/dhcp-dyndns.cc" and then do klist. Do you see the ticket? Now do smbclient -k //server/share (or use some other kerberized service) to see whether the ticket works properly.

    You must have somehow installed nsupdate (which comes with Bind) and Kerberos. If you installed them using your Linux distribution’s package manager, I assume you’d find it there somewhere. On my Debian Squeeze machine, dpkg --list | grep 'krb\|bind' reveals bind9 at version 9.7.3 and krb5-user and libkrb5-3 at version MIT 1.8.3.

  8. Bill Smith

    Hi

    Thanks for the help (sorry it has taken so long to get back to you). I am now getting an error ‘could not find enclosing zone’ – any ideas?

    Regards

    Bill

  9. Bill Smith

    Hi

    Ignore previous message (I solved the zone problem) but I am now getting the message

    TSIG error with server: tsig verify failure

    The only thing I have done differently to you is that I generated the keytab file in Windows then copied it to Linux – would this cause a problem?

    btw is your dhcp server a member of your windows domain?

    Regards
    Bill

  10. Michael Kuron Post author

    No, my DHCP server doesn’t even have winbind installed and thus is not joined to the AD domain.
    Did you try kinit -t /path/to/keytab followed by a klist and does it show the ticket? Before moving on, make sure that Kerberos is indeed working properly. Also, try the other things I mentioned in my previous comment.

  11. Bill Smith

    Hi

    Yes I tried that and got the following in the ticket file (as dictated by the variable KRB5CCNAME):

    Ticket cache: FILE:/tmp/dhcp.dyndns.cc
    Default principal: W2K8DC/ddns1.DHCPTEST.COM@DHCPTEST.COM

    Valid starting Expires Service principal
    01/16/12 10:30:34 01/16/12 20:30:35 krbtgt/DHCPTEST.COM@DHCPTEST.COM
    renew until 01/17/12 10:30:34
    01/16/12 10:43:32 01/16/12 20:30:35 cifs/W2K8DC.DHCPTEST.COM@DHCPTEST.COM
    renew until 01/17/12 10:30:34
    01/16/12 10:43:32 01/16/12 20:30:35 cifs/W2K8DC.DHCPTEST.COM@DHCPTEST.COM
    renew until 01/17/12 10:30:34
    01/16/12 10:56:05 01/16/12 20:30:35 DNS/w2k8dc.DHCPTEST.COM@DHCPTEST.COM
    renew until 01/17/12 10:30:34
    01/16/12 11:11:51 01/16/12 20:30:35 DNS/w2k8dc.dhcptest.com@DHCPTEST.COM
    renew until 01/17/12 10:30:34

    Note that ddns1 is the user I created in Windows.

    I tried a connection to a share on the Windows server and got a

    smbclient -k //192.168.0.1/test
    session setup failed: NT_STATUS_LOGON_FAILURE

    Regards
    Bill

  12. Michael Kuron Post author

    Ok, then there’s your problem. Check your Windows server’s event log and try to find out why smbclient logon fails. Also, you could try recreating the keytab for ddns1 with ktutil as described in my blog post, but as kinit appears to work, I don’t think that’ll make a difference.

  13. Bill Smith

    Ok

    Here's what I think is the problem (and solution):

    1) I am currently signed on as user bill trying to use a ticket for user ddns1.

    2) Windows thinks I am trying to connect as bill when I try to connect to the share (detailed previously). So either smbclient -k is being overridden or I must be signed on as user ddns1 to use the ticket.

    3) DHCPD runs as root so I am guessing that the user in Windows with privileges to update DNS must be ‘root’

    Can you verify the above points or correct me please?

    Regards

    Bill

  14. Charles Tryon

    I believe I am having trouble creating a correct keytab file.
    Does the dhcpuser need to be a valid user in the domain already, with a known password? If so, is this the password you enter for the ktutil addent command?
    ktutil: addent -password -p dhcpduser@BBAGGINS.NET -k 1 -e aes256-cts-hmac-sha1-96
    Password for dhcpduser@BBAGGINS.NET:
    ktutil: wkt dhcpduser.keytab
    ktutil: quit

    when I try to do the kinit command, I’m getting the error:
    # kinit -F -k -t ./dhcpduser.keytab dhcpduser@BBAGGINS.NET
    kinit: Key table entry not found while getting initial credentials

  15. Michael Kuron Post author

    @Bill:
    In my testing, smbclient -k used whatever krbtgt ticket I had previously obtained. Also, I did all of this as root and it didn’t matter at all.
    What version of kerberos are you using? And is it MIT or Heimdal? I don’t really know enough about the inner workings of Windows authentication or Kerberos to debug this kind of issue. It appears to be lying at a deeper level.

  16. Michael Kuron Post author

    @Charles:
    Yup, this needs to be an existing domain user. I don’t know whether ktutil itself verifies the credentials, but it definitely needs to exist when you try to kinit with it.

  17. Bill Smith

    @Michael
    using smbclient -k I am getting the message NT_STATUS_ACCESS_DENIED – the domain has a user bill, I have generated a keytab file that is forwardable; I can use kinit ‘user’ and get a ticket and the share has bill as a user – what am I doing wrong!!!

    @charles – if you are going to generate the keytab file in Windows be careful – do not use the -pass * option as this seems to write a random password into the Windows database.

    Regards

    Bill

  18. Michael Kuron Post author

    @Bill: Take a look at your Windows Server’s logs. Sorry, with the information I have there’s really not much else I can suggest.

  19. Bill Smith

    @Michael – this gets stranger – if I use smbclient, I am prompted for the password for bill and then it connects fine. If I use the -k option then I get a tree connect failed: NT_STATUS_ACCESS_DENIED message.

  20. Michael Kuron Post author

    @Bill: Is the user for whom the Kerberos ticket was obtained even allowed to access that share? That’s what the error seems to suggest.

  21. Bill Smith

    @Michael, checked and double checked and smbclient prompts me for a password then connects – it's only smbclient -k that doesn't work.
    BTW I get no messages in the event log when smbclient fails!

  22. Bill Smith

    @Michael
    The syntax I used for ktpass was -princ w2k8dc/bill.dhcptest.com@dhcptest.com -crypto all -mapuser bill

    looking around, I have the feeling that this is wrong – what do you think?

    Regards

    Bill

  23. Charles Tryon

    I made sure that the dhcpduser user was added to the domain with the proper password, and recreated the keytab as root, using the same principal name and password. I’m still getting the same error from kinit
    ? kinit -F -k -t /etc/dhcpd/dhcpduser.keytab dhcpduser@BBAGGINS.NET
    kinit: Key table entry not found while getting initial credentials

    One thing to note is that I’m using the Kerberos and DC from the Samba4 project.

  24. Charles Tryon

    This is what I get from the /var/log/messages file:

    Jan 19 15:31:10 samba dhcpd[21605]: Commit: IP: 192.168.2.108 Mac: 0:18:f8:b7:e9:41 Name: merry
    Jan 19 15:31:10 samba dhcpd[21605]: execute_statement argv[0] = /etc/dhcpd/dhcp-dyndns.sh
    Jan 19 15:31:10 samba dhcpd[21605]: execute_statement argv[1] = add
    Jan 19 15:31:10 samba dhcpd[21605]: execute_statement argv[2] = 192.168.2.108
    Jan 19 15:31:10 samba dhcpd[21605]: execute_statement argv[3] = merry
    Jan 19 15:31:10 samba dhcpd[21605]: execute_statement argv[4] = 0:18:f8:b7:e9:41
    Jan 19 15:31:11 samba dhcpd[21605]: Getting new ticket, old one expired 0, now is 1327005071
    Jan 19 15:31:11 samba dhcpd[21605]: kinit: Permission denied while getting initial credentials
    Jan 19 15:31:11 samba dhcpd[21605]: Setting merry.bbaggins.net to 192.168.2.108 on samba.bbaggins.net
    Jan 19 15:31:11 samba dhcpd[21605]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Bad format in credentials cache.
    Jan 19 15:31:11 samba dhcpd[21605]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Bad format in credentials cache.

  25. Michael Kuron Post author

    @Charles:
    kinit: Permission denied while getting initial credentials
    It fails at the very first step.
    kinit: Key table entry not found while getting initial credentials
    Very clear: the keytab doesn’t contain that user’s password.

  26. Charles Tryon

    @Michael: Very clear: the keytab doesn’t contain that user’s password.
    Right. I went through the ktutil steps listed above to create the keytab (ktutil -> addent -password … -> wkt …). I used the same password as when I created the user. What am I missing???

    ? sudo klist -k dhcpduser.keytab
    Keytab name: WRFILE:dhcpduser.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    1 dhcpduser@BBAGGINS.NET

    (Also, I am assuming that it creates the cache file when you first successfully get the key.)

  27. Bill Smith

    @Charles if this is a Windows user then I recommend using ktpass on Windows but be careful – if you don't specify the password, ktpass writes a random password into the account.

    @Michael, with regards to your user in your windows system, did you do anything other than create the user in windows i.e. did you run setspn and map dns to that user?

    regards

    Bill

  28. Bill Smith

    @Michael, I presume the user is a member of DNS Admins?

    This is driving me nuts – I have an ordinary user who is part of DNS Admins – I have assigned specific rights to that user – I have even tried using setspn and mapping the DNS service to that user – nothing works.

  29. Michael Kuron Post author

    It’s not even a DNS admin, just a plain domain user. I just created it manually in AD Users and Computers and specified a random password, then used ktutil on my Linux box to write the keytab.

    What Linux distro and which versions of Bind/nsupdate and Kerberos are you running?

  30. Charles Tryon

    I was able to finally generate a valid keytab, this time using the samba4 “samba-tool” utility. I was able to get the updates to work between dhcp and dns, but in order to get permissions, I had to add the “dhcpduser” to the Domain Admins group, which makes me REALLY nervous. Is this really necessary?

    The way the script was originally written, it seems like the dhcpd process is assumed to be running as “root” (access to the “/root” directory). I changed this to run everything out of a new directory called “/etc/dhcpd”, which is owned by the user and group dhcpd:dhcpd. This will at least keep other users from seeing the cache and keytab files.

    (Now that I’ve got something working, I’m going to do some more testing with dialing back permissions and such.)

  31. Michael Kuron Post author

    Congratulations on finally getting it to work.

    In my setup (with a plain W2k8R2), dhcpduser is simply a normal domain user. No admin, not even a DNS admin. Did you take a look at the Permissions on the zone in DNS Admin on your Windows server and did you change anything from the Windows defaults previously?

    Yes, dhcpd runs as root on Debian, which is why the script makes that assumption (I never moved the stuff out of /root), but as you did, that’s easy to fix.

  32. Bill Smith

    @Michael & Charles

    Congrats Charles, with regards to your setup, did you do any Samba config work, any BIND work? – I cannot get this to work on my system.

    Michael, how do I get the version number (I thought it was Kerberos 5 but you have me worried now).

  33. Michael Kuron Post author

    Kerberos 5 is the protocol version, 1.9.2 is the version number of MIT’s Kerberos 5 implementation. If you built it from source, check the name of the tarball you downloaded. If you installed from Fedora’s package manager, it should tell you there. If I remember correctly, there’s no simple kinit --version that would tell you.

  34. Bill Smith

    version is krb5-workstation-1.9.1-14-fc15 (x86-64)

    as I asked Charles, do I need to do any Samba config work or BIND config work?

    Regards

    Bill

  35. Michael Kuron Post author

    No. As I said, I don’t even have winbind installed and no full Bind either, just the utilities package with dig, host, nslookup, nsupdate.

  36. Bill Smith

    @Charles – could you tell me what syntax you used for the samba-tool please?

    Regards

    Bill

  37. Charles Tryon

    I’m planning on uploading my version of the script here in a little bit after I’ve tested a couple more tweaks.

    One thing to remember is that I’m not actually dealing with a Windows AD server, though the documented method for managing the Samba4 server is to use the Windows AD tools. I didn’t do any special configuration on my Samba instance, or on the named.conf other than the additions suggested by the Samba4 HOWTO.

    I did use the samba-tool to create the dhcpduser and add that user into the administrative groups. I added it into the DnsUpdateProxy (that didn’t work by itself), the DnsAdmins and Domain Admins groups. It’s the last one that makes me nervous, and which I want to try to eliminate if possible. I don’t know how to check the permissions on the zone in the DNS admin, but that’s definitely something to look into.

    The Samba-tool command had to be executed as root, which created a file only readable by root. Since dhcpd runs as the user “dhcpd”, I changed the ownership so that process could read it.

    sudo /usr/local/samba/bin/samba-tool domain exportkeytab /etc/dhcpd/dhcpduser.keytab --principal=dhcpduser

    (One interesting note – this command will append to the file if it’s already there rather than overwrite it. Not sure what complications that might create…)

    I’m still getting two blocks of messages in the /var/log/messages file — one from the script using the kerberos key, and one from what looks like the old method. The kerberos key succeeds, and the second one fails. I’m looking at the dhcpd.conf file to see if I can turn off the second (broken) update method.

    (UPDATE: I’m now getting “denied” messages in the var/log/messages, so I’m investigating…. :-/ )

  38. Michael Kuron Post author

    @Charles: For DNS zone permissions, use DNS Admin on Windows, right-click the zone and click the Security tab (assuming Samba4 even implements this). On Windows 2k8R2 Server, by default “Authenticated Users” have permission to “Create child objects”, a.k.a. add records. On the record level, the owner (i.e. the creator, in our case dhcpduser) of a record also has “Full Control” permissions, i.e. may edit and delete the record.

  39. Charles Tryon

    Interesting…

    I always hate it when I do something to fix a problem, but when I un-do my fix, it doesn’t break the problem again… 🙁 I’m never sure if my fix was what caused the problem to go away or not. I removed the dhcpduser from the various administrative groups, and it’s still working….

    Second observation may be more related to DNS policy. I’m getting a denied update, but I realized that it is trying to remove an A record with a different name. I have a network printer that is trying to remove my manually created record and replace it with its own name. This is being denied. I suspect that I will need to manually remove my record, replace it with the name the device calls itself, and then create a CNAME with my preferred alias.

    I also have a strange situation where it says that the update succeeded, but then it says it failed. Maybe an error in the return code on the script??

    Jan 24 11:51:16 samba dhcpd[19306]: Commit: IP: 192.168.2.145 Mac: 0:40:f4:2a:6c:85 Name: rivendell
    Jan 24 11:51:16 samba dhcpd[19306]: execute_statement argv[0] = /etc/dhcpd/dhcp-dyndns.sh
    Jan 24 11:51:16 samba dhcpd[19306]: execute_statement argv[1] = add
    Jan 24 11:51:16 samba dhcpd[19306]: execute_statement argv[2] = 192.168.2.145
    Jan 24 11:51:16 samba dhcpd[19306]: execute_statement argv[3] = rivendell
    Jan 24 11:51:16 samba dhcpd[19306]: execute_statement argv[4] = 0:40:f4:2a:6c:85
    Jan 24 11:51:16 samba dhcpd[19306]: Getting new ticket, old one expired 1327423666, now is 1327423876
    Jan 24 11:51:16 samba dhcpd[19306]: Setting rivendell.bbaggins.net to 192.168.2.145 on samba.bbaggins.net
    Jan 24 11:51:16 samba named[7220]: samba_dlz: starting transaction on zone bbaggins.net
    Jan 24 11:51:16 samba named[7220]: samba_dlz: allowing update of signer=dhcpduser\@BBAGGINS.NET name=rivendell.bbaggins.net tcpaddr=192.168.2.6 type=A key=3293761836.sig-samba.bbaggins.net/160/0
    Jan 24 11:51:16 samba named[7220]: samba_dlz: allowing update of signer=dhcpduser\@BBAGGINS.NET name=rivendell.bbaggins.net tcpaddr=192.168.2.6 type=A key=3293761836.sig-samba.bbaggins.net/160/0
    Jan 24 11:51:16 samba named[7220]: samba_dlz: allowing update of signer=dhcpduser\@BBAGGINS.NET name=rivendell.bbaggins.net tcpaddr=192.168.2.6 type=A key=3293761836.sig-samba.bbaggins.net/160/0
    Jan 24 11:51:16 samba named[7220]: client 192.168.2.6#51297: updating zone ‘bbaggins.net/NONE’: deleting rrset at ‘rivendell.bbaggins.net’ A
    Jan 24 11:51:16 samba named[7220]: samba_dlz: subtracted rdataset rivendell.bbaggins.net ‘rivendell.bbaggins.net.#0113600#011IN#011A#011192.168.2.145’
    Jan 24 11:51:16 samba named[7220]: client 192.168.2.6#51297: updating zone ‘bbaggins.net/NONE’: deleting rrset at ‘rivendell.bbaggins.net’ A
    Jan 24 11:51:16 samba named[7220]: client 192.168.2.6#51297: updating zone ‘bbaggins.net/NONE’: adding an RR at ‘rivendell.bbaggins.net’ A
    Jan 24 11:51:16 samba named[7220]: samba_dlz: cancelling transaction on zone bbaggins.net
    Jan 24 11:51:16 samba dhcpd[19306]: update failed: SERVFAIL
    Jan 24 11:51:16 samba dhcpd[19306]: update failed: NOTAUTH
    Jan 24 11:51:16 samba dhcpd[19306]: DHCP-DNS Update failed: 22
    Jan 24 11:51:17 samba logger: DHCP-DNS Update failed: 22
    Jan 24 11:51:17 samba dhcpd: execute: /etc/dhcpd/dhcp-dyndns.sh exit status 5632
    Jan 24 11:51:17 samba dhcpd[19306]: execute: /etc/dhcpd/dhcp-dyndns.sh exit status 5632
    Jan 24 11:51:17 samba dhcpd: DHCPREQUEST for 192.168.2.145 from 00:40:f4:2a:6c:85 (rivendell) via eth0
    Jan 24 11:51:17 samba dhcpd[19306]: DHCPREQUEST for 192.168.2.145 from 00:40:f4:2a:6c:85 (rivendell) via eth0
    Jan 24 11:51:17 samba dhcpd: DHCPACK on 192.168.2.145 to 00:40:f4:2a:6c:85 (rivendell) via eth0
    Jan 24 11:51:17 samba dhcpd[19306]: DHCPACK on 192.168.2.145 to 00:40:f4:2a:6c:85 (rivendell) via eth0

  40. Charles Tryon

    The dhcpduser must at least be a member of the DnsAdmins group. It is not necessary to update existing records, but required if you are adding a NEW DNS “A” record.

  41. Bill Smith

    Hi

    As I said I am using krb5-workstation-1.9.1-14 – is this the version you guys are using (should I upgrade)?

    Regards

    Bill

  42. Michael Kuron Post author

    I’m running 1.8.3 because that’s what Debian Squeeze offers (I prefer stability, security and long-term updates over bleeding edge features). However, I just compiled 1.9.1 from source and it works just fine too. FYI, klist-ing the ticket cache reveals a krbtgt for the realm and a DNS ticket for the DNS server.

  43. Bill Smith

    Hi
    I too get a ticket from krbtgt and a ticket from DNS but then it all falls in a heap with a TSIG failure (I have tried mapping the DNS service to the user with no success). One thing I have noticed is that Charles said he isn't using an AD; my DNS server is a W2K8 R2 integrated DNS Service – will this make a difference?

    regards

    Bill

  44. Michael Kuron Post author

    As I said, I’m running a plain W2k8R2 with AD, AD-integrated DNS and nothing else. Must be your BIND/nsupdate version then (9.7.3 works fine for me)? Or did you modify any of the DNS permissions from their defaults?

  45. Bill Smith

    I created a user DDNS1, assigned it to the DNS Admins and gave it explicit rights to update the DNS Server and still it wouldn't work – I get tickets but then TSIG verify failures – I will look into the version of BIND.

    Cheers

    Bill
