Messages - StreetPiet

1
@sangamc: I had a similar error. In my case I had to correct the file access rights. The error message (unknown enctype) is a bit misleading, as it also appears when the user is not allowed to read the file.

On Zentyal it is the "dhcpd" user and the "dhcpd" group. Maybe on your server another user is used?
Also try to generate the dhcpduser.keytab file again; maybe it's corrupted?

Code:
sudo chown [user]:[group] /etc/dhcpduser.keytab
sudo chmod 400 /etc/dhcpduser.keytab


2

I tried it with Zentyal 6.0 and it works so far. This was my approach:

Login to your Zentyal Server via SSH.

First create the file "/usr/local/bin/dhcp-dyndns.sh" with

Code:
sudo nano /usr/local/bin/dhcp-dyndns.sh
Copy, paste (and save) the following script into it:

Code:
#!/bin/bash

# /usr/local/bin/dhcp-dyndns.sh

# This script is for secure DDNS updates on Samba 4
# Version: 0.8.9

# Use a valid Zentyal Domainuser here, like the DNS Service Account
DOMUSER=dns-dc01
KEYTAB=/etc/dhcpduser.keytab

# Uncomment the next line if using a self compiled Samba and adjust for your PREFIX
#PATH="/usr/local/samba/bin:/usr/local/samba/sbin:$PATH"
BINDIR=$(samba -b | grep 'BINDIR' | grep -v 'SBINDIR' | awk '{print $NF}')
WBINFO="$BINDIR/wbinfo"

# DNS domain
domain=$(hostname -d)
if [ -z "${domain}" ]; then
    logger "Cannot obtain domain name, is DNS set up correctly?"
    logger "Cannot continue... Exiting."
    exit 1
fi

# Samba 4 realm (the DNS domain in upper case)
REALM="${domain^^}"

# Additional nsupdate flags (-g already applied), e.g. "-d" for debug
NSUPDFLAGS="-d"

# krbcc ticket cache (must be owned by the user dhcpd runs as)
CCACHE="/tmp/dhcp-dyndns.cc"
export KRB5CCNAME="${CCACHE}"

# Kerberos principal
SETPRINCIPAL="${DOMUSER}@${REALM}"

# Check that the AD user exists. wbinfo lists users as DOMAIN\user or as a bare
# name depending on the winbind settings, so match the name anywhere in the line.
TESTUSER="$("${WBINFO}" -u | grep -i -- "${DOMUSER}")"
if [ -z "${TESTUSER}" ]; then
    logger "No AD dhcp user exists, need to create it first.. exiting."
    logger "you can do this by typing the following commands"
    logger "kinit Administrator@${REALM}"
    logger "samba-tool user create dhcpduser --random-password --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
    logger "samba-tool user setexpiry dhcpduser --noexpiry"
    logger "samba-tool group addmembers DnsAdmins dhcpduser"
    exit 1
fi

# Check for Kerberos keytab
if [ ! -f "${KEYTAB}" ]; then
    echo "Required keytab ${KEYTAB} not found, it needs to be created."
    echo "Use the following commands as root"
    echo "samba-tool domain exportkeytab ${KEYTAB} --principal=${SETPRINCIPAL}"
    echo "chown XXXX:XXXX ${KEYTAB}"
    echo "Replace 'XXXX:XXXX' with the user & group that dhcpd runs as on your distro"
    echo "chmod 400 ${KEYTAB}"
    exit 1
fi

# Variables supplied by dhcpd.conf
action=$1
ip=$2
DHCID=$3
name=${4%%.*}

usage()
{
echo "USAGE:"
echo "  $(basename "$0") add ip-address dhcid|mac-address hostname"
echo "  $(basename "$0") delete ip-address [dhcid|mac-address]"
}

_KERBEROS () {
# get current time as a number
now=$(date +%d'-'%m'-'%y' '%H':'%M':'%S)
# Note: there have been problems with this
# check that 'date' returns something like
# 04-09-15 09:38:14

# Check for valid kerberos ticket
#logger "${now} [dyndns] : Running check for valid kerberos ticket"
if ! klist -c "${CCACHE}" -s; then
    logger "${now} [dyndns] : Getting new ticket, old one has expired"
    if ! kinit -F -k -t "${KEYTAB}" -c "${CCACHE}" "${SETPRINCIPAL}"; then
        logger "${now} [dyndns] : dhcpd kinit for dynamic DNS failed"
        exit 1
    fi
fi

}

# Exit if no ip address, or no dhcid/mac-address for an 'add'.
# The dhcpd 'on expiry' hook cannot supply a mac-address, so 'delete' may omit it.
if [ -z "${ip}" ] || { [ "${action}" != "delete" ] && [ -z "${DHCID}" ]; }; then
    usage
    exit 1
fi

# Exit if no computer name supplied, unless the action is 'delete'
if [ "${name}" = "" ]; then
    if [ "${action}" = "delete" ]; then
        name=$(host -t PTR "${ip}" | awk '{print $NF}' | awk -F '.' '{print $1}')
    else
        usage
        exit 1
    fi
fi

# The name comes from the client's host-name option and is expanded unquoted in
# the nsupdate input below, so accept only a plain host label (letters, digits, hyphen).
if ! [[ "${name}" =~ ^[A-Za-z0-9][A-Za-z0-9-]{0,62}$ ]]; then
    logger "DHCP-DNS Update refused: invalid host name '${name}' for ${ip}"
    exit 1
fi

# Set PTR address
ptr=$(echo "${ip}" | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')

## nsupdate ##
case "${action}" in
add)
    _KERBEROS

nsupdate -g ${NSUPDFLAGS} << UPDATE
server 127.0.0.1
realm ${REALM}
update delete ${name}.${domain} 3600 A
update add ${name}.${domain} 3600 A ${ip}
send
UPDATE
result1=$?

nsupdate -g ${NSUPDFLAGS} << UPDATE
server 127.0.0.1
realm ${REALM}
update delete ${ptr} 3600 PTR
update add ${ptr} 3600 PTR ${name}.${domain}
send
UPDATE
result2=$?
;;
delete)
    _KERBEROS

nsupdate -g ${NSUPDFLAGS} << UPDATE
server 127.0.0.1
realm ${REALM}
update delete ${name}.${domain} 3600 A
send
UPDATE
result1=$?

nsupdate -g ${NSUPDFLAGS} << UPDATE
server 127.0.0.1
realm ${REALM}
update delete ${ptr} 3600 PTR
send
UPDATE
result2=$?
;;
*)
echo "Invalid action specified"
exit 103
;;
esac

# Both exit codes concatenated: "00" means both updates succeeded
result="${result1}${result2}"

if [ "${result}" != "00" ]; then
    logger "DHCP-DNS Update failed: ${result}"
else
    logger "DHCP-DNS Update succeeded"
fi

exit ${result}

Edit the script to your needs and insert a valid domain user into the variable DOMUSER at the top of the script.
To find a suitable domain user, use the following command:

Code:
sudo samba-tool user list | grep dns
This command should give you the username of the Zentyal "DNS Service Account" user.
In my case the hostname was "dc01", so the DNS user was "dns-dc01".

Save the script and make it executable:

Code:
sudo chmod a+x /usr/local/bin/dhcp-dyndns.sh
Now we generate the keytab file and change ownership and access rights.
Fill in the placeholders ([yourDomainUser]@[yourDomain]) like dns-dc01@mydomain.local:

Code:
sudo samba-tool domain exportkeytab /etc/dhcpduser.keytab --principal=[yourDomainUser]@[yourDomain]
sudo chown dhcpd:dhcpd /etc/dhcpduser.keytab
sudo chmod 400 /etc/dhcpduser.keytab

Ok! So far so good. Now we test the new script:

Log in to the Zentyal server web frontend and look up the IP address of a DHCP client that was not properly registered.
Then use the following command in the Zentyal server SSH session:

Code:
sudo /usr/local/bin/dhcp-dyndns.sh add 192.168.1.100 dhcid testhost
The output should contain something like this:

Code:
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:   5818
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;testhost.mydomain.tld.           IN      SOA

;; AUTHORITY SECTION:
mydomain.tld.            0       IN      SOA     dc01.mydomain.tld. hostmaster.mydomain.tld. 82 900 600 86400 3600

Found zone name: mydomain.tld
The master is: dc01.mydomain.tld
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   5813
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;1989803804.sig-dc01.mydomain.tld. ANY   TKEY

If there are errors about the file /tmp/dhcp-dyndns.cc like this one:

   klist: krb5_cc_get_principal: Refuses to open cache files not own by myself FILE:/tmp/dhcp-dyndns.cc (owned by 113)

simply delete the file and try again. In fact, just run the following command NOW! ;-)

Code:
sudo rm /tmp/dhcp-dyndns.cc
Ok! Now we have to modify the dhcpd configuration. Zentyal builds all of its configuration files from templates,
so I made one with the needed changes. Create the following file:

Code:
sudo nano /usr/share/zentyal/stubs/dhcp/dhcp-dyndns.mas
...and copy/paste the following part:

Code:
                on commit {
                        set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
                        set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
                        set ClientDHCID = concat (
                        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
                        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
                        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
                        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
                        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
                        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
                        );
                        set ClientName = pick-first-value(option host-name, config-option-host-name, client-name, noname);
                        log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
                        execute("/usr/local/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
                }

                on release {
                        set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
                        set ClientDHCID = concat (
                        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
                        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
                        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
                        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
                        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
                        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
                        );
                        log(concat("Release: IP: ", ClientIP));
                        execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
                }

                on expiry {
                        set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
                        # cannot get a ClientMac here, apparently this only works when actually receiving a packet
                        log(concat("Expired: IP: ", ClientIP));
                        # cannot get a ClientName here, for some reason that always fails;
                        # the script looks the name up from the PTR record of the address instead
                        execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP);
                }

Save the file.
Now open the file /usr/share/zentyal/stubs/dhcp/shared-network.mas:

Code:
sudo nano /usr/share/zentyal/stubs/dhcp/shared-network.mas
Add the line "<& dhcp-dyndns.mas &>" right after the line with "<& subnet.mas", like this:

Code:
<%args>
        $iface
        %ifaces
</%args>
shared-network <% $iface %> {
<& includes.mas, iface => $iface &>
<& subnet.mas, info => $ifaces{$iface} &>
<& dhcp-dyndns.mas &>
}

Save the file.
Now log into the Zentyal web frontend, go to DHCP and toggle the "activated" checkbox twice.
Zentyal will offer to save the "changes". If you click the red "Save" button, Zentyal will
rebuild the /etc/dhcp/dhcpd.conf file. You can check the success if you browse /etc/dhcp/dhcpd.conf and
search for the same lines we saved in /usr/share/zentyal/stubs/dhcp/dhcp-dyndns.mas:

Code:
sudo less /usr/share/zentyal/stubs/dhcp/dhcp-dyndns.mas
and
Code:
sudo less /etc/dhcp/dhcpd.conf
Ok! Finished! You can watch what's going on with

Code:
sudo tail -f /var/log/syslog
If you get errors like:

   klist: krb5_cc_get_principal: get-principal open(/tmp/dhcp-dyndns.cc): Permission denied

just delete the file:

Code:
sudo rm /tmp/dhcp-dyndns.cc
Have Fun!
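As an added example (my own, not code from the post above, from dhcp-dyndns.sh or from the Samba project): the argument handling and nsupdate batch construction that the script performs, re-implemented as pure POSIX shell functions so they can be checked on any machine without a domain controller, a keytab or nsupdate. The host names, the domain example.lan and the addresses are constructed sample values. It also carries one check the posted script does not have: the host name reaches the script from the client's DHCP host-name option and is expanded unquoted inside the nsupdate input, so restricting it to a plain DNS label before it gets there is the cheap way to make sure a client cannot turn its name into additional nsupdate lines.

```shell
#!/bin/sh
# Added example, not part of the original post or of dhcp-dyndns.sh.
# Pure helpers that mirror how the script turns (action, ip, dhcid, hostname)
# into nsupdate input, checkable without a DC, a keytab or nsupdate.
# All values used below are constructed samples.

# Short host name: everything before the first dot, like the script's name=${4%%.*}
short_name() {
    printf '%s' "${1%%.*}"
}

# Accept only a plain DNS label: letters, digits and hyphens, no leading or
# trailing hyphen, at most 63 characters. Whitespace or a newline in the name
# would otherwise land unquoted in the nsupdate input and could add lines to it.
valid_label() {
    case "$1" in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Owner name of the PTR record for an IPv4 address (octets reversed)
ptr_name() {
    printf '%s' "$1" | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}'
}

# nsupdate input for the forward (A) record. $1=add|delete $2=host $3=domain $4=ip
forward_update() {
    realm=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    printf 'server 127.0.0.1\nrealm %s\n' "$realm"
    printf 'update delete %s.%s 3600 A\n' "$2" "$3"
    if [ "$1" = add ]; then
        printf 'update add %s.%s 3600 A %s\n' "$2" "$3" "$4"
    fi
    printf 'send\n'
}

# nsupdate input for the reverse (PTR) record. Same arguments as forward_update.
reverse_update() {
    realm=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    ptr=$(ptr_name "$4")
    printf 'server 127.0.0.1\nrealm %s\n' "$realm"
    printf 'update delete %s 3600 PTR\n' "$ptr"
    if [ "$1" = add ]; then
        printf 'update add %s 3600 PTR %s.%s\n' "$ptr" "$2" "$3"
    fi
    printf 'send\n'
}

# Validate and render one request as the script would. $1=action $2=ip $3=domain $4=name
# Prints the forward and reverse batches; returns 1 and prints nothing on stdout
# when the host name is not a clean label.
render_request() {
    action=$1; ip=$2; domain=$3; host=$(short_name "$4")
    if ! valid_label "$host"; then
        echo "refusing host name for $ip" >&2
        return 1
    fi
    forward_update "$action" "$host" "$domain" "$ip"
    reverse_update "$action" "$host" "$domain" "$ip"
}

# Demonstration with constructed values; no DNS traffic is generated.
render_request add 192.168.1.100 example.lan laptop01.example.lan
render_request delete 192.168.1.100 example.lan laptop01
# A client name carrying an injected update line is rejected:
render_request add 192.168.1.101 example.lan \
    "$(printf 'evil\nupdate add admin.example.lan 3600 A 192.168.1.101')" || echo "rejected"
```

Run it with sh; the last call shows the rejection path, the first two print exactly the batches the posted script feeds to nsupdate -g. One observation on the two klist errors quoted in the post: both fit a ticket cache in /tmp that was created by one uid and opened by another (the manual test runs as root under sudo, dhcpd itself runs as the dhcpd user). Running the manual test as the dhcpd user, for example with sudo -u dhcpd, keeps the cache owned by the account that uses it at runtime, instead of deleting the file each time.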
