OS: Raspbian Stretch
Samba version: 4.10.4
BIND9 version: 9.11.5-P4-5~bpo9+1-Debian (Extended Support Version)

Hi team,

I am unable to perform DNS updates with the dhcp-dyndns.sh script. I have the DNS AD account and its keytab with the right content (I recreated them just in case; still happening). I read that nsupdate only supports HMAC-MD5 encryption, so I modified my krb5.conf file and regenerated a dns.keytab using samba_upgradedns, specifying BIND_DLZ. Still no luck... I verified permissions, but all seems alright to me.

Any ideas?

Thanks!

#### File Outputs

```
# tail /var/log/syslog
Jun 15 22:44:20 garuda dhcpd[2133]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jun 15 22:44:20 garuda dhcpd[2133]: execute_statement argv[1] = add
Jun 15 22:44:20 garuda dhcpd[2133]: execute_statement argv[2] = 10.10.10.10
Jun 15 22:44:20 garuda dhcpd[2133]: execute_statement argv[3] = aa:bb:cc:dd:ee:ff
Jun 15 22:44:20 garuda dhcpd[2133]: execute_statement argv[4] = hostname
Jun 15 22:44:20 garuda root: DHCP-DNS Update failed: 11
Jun 15 22:44:20 garuda dhcpd[2133]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Jun 15 22:44:20 garuda dhcpd[2133]: reuse_lease: lease age 412 (secs) under 25% threshold, reply with unaltered, existing lease for 10.10.10.10
Jun 15 22:44:20 garuda dhcpd[2133]: DHCPREQUEST for 10.10.10.10 from aa:bb:cc:dd:ee:ff (hostname) via eth0
Jun 15 22:44:20 garuda dhcpd[2133]: DHCPACK on 10.10.10.10 to aa:bb:cc:dd:ee:ff (hostname) via eth0
```

```
# samba_dnsupdate --verbose --all-names
IPs: ['10.10.10.1']
force update: A dc1.example.com 10.10.10.1
force update: NS example.com dc1.example.com
force update: NS _msdcs.example.com dc1.example.com
force update: A example.com 10.10.10.1
force update: SRV _ldap._tcp.example.com dc1.example.com 389
force update: SRV _ldap._tcp.dc._msdcs.example.com dc1.example.com 389
force update: SRV _ldap._tcp.d4e80749-ea98-46e6-9f89-8a14439c2960.domains._msdcs.example.com dc1.example.com 389
force update: SRV _kerberos._tcp.example.com dc1.example.com 88
force update: SRV _kerberos._udp.example.com dc1.example.com 88
force update: SRV _kerberos._tcp.dc._msdcs.example.com dc1.example.com 88
force update: SRV _kpasswd._tcp.example.com dc1.example.com 464
force update: SRV _kpasswd._udp.example.com dc1.example.com 464
force update: CNAME cc6e40c6-3abb-4aa2-976c-f5ac1beee921._msdcs.example.com dc1.example.com
force update: SRV _ldap._tcp.HomeSweetHome._sites.example.com dc1.example.com 389
force update: SRV _ldap._tcp.HomeSweetHome._sites.dc._msdcs.example.com dc1.example.com 389
force update: SRV _kerberos._tcp.HomeSweetHome._sites.example.com dc1.example.com 88
force update: SRV _kerberos._tcp.HomeSweetHome._sites.dc._msdcs.example.com dc1.example.com 88
force update: SRV _ldap._tcp.pdc._msdcs.example.com dc1.example.com 389
force update: A gc._msdcs.example.com 10.10.10.1
force update: SRV _gc._tcp.example.com dc1.example.com 3268
force update: SRV _ldap._tcp.gc._msdcs.example.com dc1.example.com 3268
force update: SRV _gc._tcp.HomeSweetHome._sites.example.com dc1.example.com 3268
force update: SRV _ldap._tcp.HomeSweetHome._sites.gc._msdcs.example.com dc1.example.com 3268
force update: A DomainDnsZones.example.com 10.10.10.1
force update: SRV _ldap._tcp.DomainDnsZones.example.com dc1.example.com 389
force update: SRV _ldap._tcp.HomeSweetHome._sites.DomainDnsZones.example.com dc1.example.com 389
force update: A ForestDnsZones.example.com 10.10.10.1
force update: SRV _ldap._tcp.ForestDnsZones.example.com dc1.example.com 389
force update: SRV _ldap._tcp.HomeSweetHome._sites.ForestDnsZones.example.com dc1.example.com 389
29 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc1.example.com as dc1$
update(nsupdate): A dc1.example.com 10.10.10.1
Calling nsupdate for A dc1.example.com 10.10.10.1 (add)
Successfully obtained Kerberos ticket to DNS/dc1.example.com as dc1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc1.example.com.        900     IN      A       10.10.10.1

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 29 entries
```

```
# klist -kte /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (des-cbc-crc)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (des-cbc-crc)
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (des-cbc-md5)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (des-cbc-md5)
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (arcfour-hmac)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (arcfour-hmac)
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 15/06/2019 22:25:25 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 15/06/2019 22:25:25 dns-dc1@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
```

The LDAP request for the account dns-dc1:

```
# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-dc1' dn
# record 1
dn: CN=dns-dc1,CN=Users,DC=example,DC=com

# Referral
ref: ldap://example.com/CN=Configuration,DC=example,DC=com

# Referral
ref: ldap://example.com/DC=DomainDnsZones,DC=example,DC=com

# Referral
ref: ldap://example.com/DC=ForestDnsZones,DC=example,DC=com

# returned 4 records
# 1 entries
# 3 referrals
```

#### Permissions

Permissions for the Samba root folder and its subfolders:

```
# ls -lat /usr/local/samba/
total 48
drwxr-x---   3 bind bind  4096 juin  15 22:51 bind-dns
drwxr-xr-x+  8 root bind  4096 juin  15 22:29 private
drwxrwsr-x  12 root staff 4096 juin  15 22:28 ..
drwxr-sr-x   3 root staff 4096 juin  15 21:04 etc
drwxr-sr-x   2 root staff 4096 juin  15 20:54 bin
drwxr-sr-x   2 root staff 4096 juin  15 20:54 sbin
drwxr-sr-x  18 root staff 4096 juin  15 20:54 lib
drwxr-sr-x   7 root staff 4096 juin  15 20:39 include
drwxr-sr-x   8 root staff 4096 juil. 21  2018 var
drwxr-sr-x   5 root staff 4096 juil. 21  2018 share
drwxr-xr-x+ 12 root staff 4096 juil. 21  2018 .
drwxr-sr-x   3 root staff 4096 juil. 21  2018 libexec
```

And the private folder permissions:

```
# ls -lat /usr/local/samba/private/
total 11244
drwx--S---   2 root root    4096 juin  15 22:52 msg.sock
-rw-------   1 root root   12288 juin  15 22:34 schannel_store.tdb
drwxr-xr-x+  8 root bind    4096 juin  15 22:29 .
srwxrwxrwx   1 root root       0 juin  15 22:29 ldapi
drwxr-s---   2 root root    4096 juin  15 22:29 ldap_priv
-rw-------   1 root root    4792 juin  15 22:29 netlogon_creds_cli.tdb
drwxr-x---+  2 root bind    4096 juin  15 22:25 sam.ldb.d
-rw-------   1 root root 1286144 juin  15 22:25 secrets.ldb
-rw-r-----   2 root bind     732 juin  15 22:25 dns.keytab
drwxr-x---+  2 root bind    4096 juin  15 19:36 dns
-rw-------   1 root root 1609728 juin  15 16:24 idmap.ldb
drwxr-sr-x   2 root root    4096 juil. 21  2018 tls
-rw-------   1 root root    1717 juil. 21  2018 dns_update_cache
drwxr-sr-x   2 root root    4096 juil. 21  2018 smbd.tmp
-rw-------   1 root root  430080 juil. 21  2018 secrets.tdb
-rw-------   1 root root    1067 juil. 21  2018 secrets.keytab
-rw-r--r--   1 root root    3663 juil. 21  2018 dns_update_list
-rw-r--r--   1 root root     955 juil. 21  2018 spn_update_list
-rw-r--r--   1 root root      91 juil. 21  2018 krb5.conf
-rw-rw----   1 root bind 4247552 juil. 21  2018 sam.ldb
-rw-------   1 root root 1286144 juil. 21  2018 privilege.ldb
-rw-------   1 root root 1286144 juil. 21  2018 hklm.ldb
-rw-------   1 root root 1286144 juil. 21  2018 share.ldb
-rw-------   1 root root      16 juil. 21  2018 encrypted_secrets.key
drwxr-xr-x+ 12 root staff   4096 juil. 21  2018 ..
```

bind-dns folder permissions:

```
# ls -lat /usr/local/samba/bind-dns/
total 28
drwxr-x---   3 bind bind  4096 juin  15 23:00 .
-rw-r--r--   1 root root   830 juin  15 22:25 named.conf
-rw-r--r--   1 root root  2096 juin  15 22:25 named.txt
drwxrwx---   3 root bind  4096 juin  15 22:25 dns
-rw-r-----   2 root bind   732 juin  15 22:25 dns.keytab
-r--r--r--   1 root root   219 juin  15 21:05 named.conf.update
-rw-------   1 root root     0 juin  15 21:02 dns.keytabox1mq7g3XXXXXX
-rw-------   1 root root     0 juin  15 21:02 dns.keytabq9z2m444XXXXXX
drwxr-xr-x+ 12 root staff 4096 juil. 21  2018 .
```

krb5.conf permissions:

```
# ls -l /etc/krb5.conf
-rw-r--r-- 1 root bind 132 juin 15 22:22 /etc/krb5.conf
```

#### CONFIGURATION FILES

```
# cat /etc/krb5.conf
[libdefaults]
    default_realm = HYRULE.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_tgs_enctypes = arcfour-hmac-md5
```

```
# cat /etc/bind/named.conf.options
options {
    tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
}
```
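An added consistency check (not part of the original post or of Samba's tooling) that parses `klist -kte` output and the `[libdefaults]` section of krb5.conf, then reports keytab principals whose realm differs from `default_realm` and entries that use deprecated encryption types; the sample inputs are constructed to mirror the post's shape, where krb5.conf names HYRULE.LAN while the keytab principals are in EXAMPLE.COM. A reported mismatch is a prompt to verify the configuration, not proof of the cause of the TKEY failure.

```python
"""Added diagnostic helper: audit a dns.keytab listing against krb5.conf."""
import re

# Deprecated by RFC 6649 (single DES) and RFC 8429 (triple DES and RC4/arcfour).
DEPRECATED_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp",
}

# One klist -kte entry: "   1 15/06/2019 22:25:24 princ@REALM (enctype)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+?)@(\S+)\s+\((\S+)\)\s*$")

def parse_klist(text):
    """Return (kvno, principal, realm, enctype) tuples; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, _ts, princ, realm, enctype = m.groups()
            entries.append((int(kvno), princ, realm, enctype))
    return entries

def default_realm(krb5_conf):
    """Return default_realm from [libdefaults], or None if it is not set."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "default_realm":
                return value.strip()
    return None

def audit(klist_text, krb5_conf):
    """Summarise realm mismatches and deprecated enctypes found in the keytab."""
    realm = default_realm(krb5_conf)
    entries = parse_klist(klist_text)
    return {
        "default_realm": realm,
        "realm_mismatch": sorted({f"{p}@{r}" for _, p, r, _ in entries if r != realm}),
        "deprecated": sorted({f"{p}@{r} ({e})" for _, p, r, e in entries
                              if e in DEPRECATED_ENCTYPES}),
        "strong": sorted({e for _, _, _, e in entries if e not in DEPRECATED_ENCTYPES}),
    }

# Constructed sample input, shaped like the post's klist and krb5.conf output.
SAMPLE_KLIST = """\
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 15/06/2019 22:25:24 DNS/dc1.EXAMPLE.COM@EXAMPLE.COM (des-cbc-crc)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (arcfour-hmac)
   1 15/06/2019 22:25:24 dns-dc1@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""
SAMPLE_KRB5 = "[libdefaults]\n    default_realm = HYRULE.LAN\n    dns_lookup_kdc = true\n"

if __name__ == "__main__":
    for key, value in audit(SAMPLE_KLIST, SAMPLE_KRB5).items():
        print(f"{key}: {value}")
```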
Sorry, but I have just become aware of this. I am closing this bug because this is the wrong place for problems with my script. The correct place is the Samba mailing list. If you are still having problems, please post to the mailing list.