
[Samba] samba_dlz: Failed to connect


Robert Moskowitz

Sep 3, 2015, 1:50:03 PM
Progress on dns_dlz. At least I got things loading. If I don't include
the dlz info, bind starts, but if I do I get:

Sep 03 13:31:57 homebase.home.htt named[21920]: Loading 'AD DNS Zone' using driver dlopen
Sep 03 13:31:58 homebase.home.htt named[21920]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb


permissions seem right:

# ls -ls /var/lib/samba/private/dns/sam*
2944 -rw-rw---- 1 root named 3014656 Aug 27 18:07 /var/lib/samba/private/dns/sam.ldb

/var/lib/samba/private/dns/sam.ldb.d:
total 26312
8112 -rw-rw---- 1 root named 8306688 Aug 27 18:07 CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
8236 -rw-rw---- 1 root named 8433664 Aug 27 18:07 CN=SCHEMA,CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
4148 -rw-rw---- 2 root named 4247552 Aug 27 18:07 DC=DOMAINDNSZONES,DC=HOME,DC=HTT.ldb
4148 -rw-rw---- 2 root named 4247552 Aug 27 18:07 DC=FORESTDNSZONES,DC=HOME,DC=HTT.ldb
1256 -rw-rw---- 1 root named 1286144 Aug 27 18:07 DC=HOME,DC=HTT.ldb
412 -rw-rw---- 2 root named 421888 Aug 28 12:02 metadata.tdb

The include is really simple:

dlz "AD DNS Zone" {
    # For BIND 9.9.x
    database "dlopen /usr/lib/samba/bind9/dlz_bind9_9.so";
};



--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny

Sep 3, 2015, 2:00:04 PM
What are the permissions on /var/lib/samba/private/dns?

Rowland

Robert Moskowitz

Sep 3, 2015, 2:10:02 PM
# ls -ls /var/lib/samba/private
total 12484
4 drwxrwx--- 3 root named 4096 Aug 27 18:07 dns

I fixed a recursion problem to get general forwarding working, then
reactivated the include, and this time the failure was a little more
informative:


Sep 03 13:56:30 homebase.home.htt named[22668]: Loading 'AD DNS Zone' using driver dlopen
Sep 03 13:56:31 homebase.home.htt named[22668]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
Sep 03 13:56:31 homebase.home.htt named[22668]: dlz_dlopen of 'AD DNS Zone' failed
Sep 03 13:56:31 homebase.home.htt named[22668]: SDLZ driver failed to load.
Sep 03 13:56:31 homebase.home.htt named[22668]: DLZ driver failed to load.

Robert Moskowitz

Sep 3, 2015, 2:10:02 PM


On 09/03/2015 01:59 PM, Sketch wrote:
> On Thu, 3 Sep 2015, Rowland Penny wrote:
>
>> What are the permissions on /var/lib/samba/private/dns ?
>
> Also don't forget the permissions on /var/lib/samba/private
>
> If you're using sernet's packages, you'll have to chgrp it to to named
> or give it o+x perms.

chown root:named /var/lib/samba/private

Wow that was it!

DLZ is up and running. Lots more to get right in the bind config....

Is there a web app to front end samba-tools for maintaining at least the
dns portion?

Anyway, next to DHCP...

I have installed it. But need to config. Rowland, can you send me your
sample config you mentioned?

Sketch

Sep 3, 2015, 2:10:03 PM
On Thu, 3 Sep 2015, Rowland Penny wrote:

> What are the permissions on /var/lib/samba/private/dns ?

Also don't forget the permissions on /var/lib/samba/private

If you're using sernet's packages, you'll have to chgrp it to named or give
it o+x perms.
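The check Sketch describes, turned into a script: an added example (not code from the thread or from Samba) that walks the path to sam.ldb and reports the first directory a given group cannot enter, or the file itself if that group cannot read and write it. It assumes Linux stat(1) with -c and that the service account does not own the directories; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the thread: find the directory that stops a
# service account from reaching a file. This is the failure above: sam.ldb was
# root:named 660, but named could not enter /var/lib/samba/private because
# that directory had no x bit for group "named" and none for "other".
# Assumptions: Linux stat(1) with -c, the account does not own the directories
# (true for root-owned Samba paths), and no AppArmor/SELinux policy in the way;
# a MAC denial shows up in the audit log, not in these permission bits.

# mode3 PATH: the three permission digits of PATH, without the setuid/setgid/sticky digit.
mode3() {
    m=$(printf '%04d' "$(stat -c '%a' "$1")")
    printf '%s\n' "${m#?}"
}

# has_bit GROUP PATH BIT: succeeds if GROUP gets BIT (4=r, 2=w, 1=x) on PATH,
# either through the "other" bits or, when PATH belongs to GROUP, the group bits.
has_bit() {
    g=$(mode3 "$2" | cut -c2)
    o=$(mode3 "$2" | cut -c3)
    [ $((o & $3)) -ne 0 ] && return 0
    [ "$(stat -c '%G' "$2")" = "$1" ] && [ $((g & $3)) -ne 0 ] && return 0
    return 1
}

# check_traverse GROUP FILE: walk every directory from / down to FILE. On the
# first directory GROUP cannot enter (no x bit), or if FILE is not group
# read+write (the Samba DLZ opens the ldb read-write), print that path on
# stdout, explain on stderr and fail. Succeeds silently when the chain is open.
check_traverse() {
    grp=$1
    target=$2
    case $target in /*) ;; *) target="$(pwd)/$target" ;; esac
    dir=$(dirname "$target")
    cur=""
    oldifs=$IFS
    IFS='/'
    set -f                      # no globbing while splitting on '/'
    set -- $dir
    set +f
    IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        if ! has_bit "$grp" "$cur" 1; then
            echo "group $grp cannot traverse $cur (mode $(mode3 "$cur"), group $(stat -c '%G' "$cur"))" >&2
            printf '%s\n' "$cur"
            return 1
        fi
    done
    if ! has_bit "$grp" "$target" 4 || ! has_bit "$grp" "$target" 2; then
        echo "group $grp lacks read/write on $target (mode $(mode3 "$target"))" >&2
        printf '%s\n' "$target"
        return 1
    fi
    return 0
}

# Usage: sh check_traverse.sh named /var/lib/samba/private/dns/sam.ldb
if [ $# -eq 2 ]; then
    check_traverse "$1" "$2"
fi
```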


Rowland Penny

Sep 3, 2015, 2:20:04 PM
On 03/09/15 19:05, Robert Moskowitz wrote:
>
>
> On 09/03/2015 01:59 PM, Sketch wrote:
>> On Thu, 3 Sep 2015, Rowland Penny wrote:
>>
>>> What are the permissions on /var/lib/samba/private/dns ?
>>
>> Also don't forget the permissions on /var/lib/samba/private
>>
>> If you're using sernet's packages, you'll have to chgrp it to to
>> named or give it o+x perms.
>
> chown root:named /var/lib/samba/private
>
> Wow that was it!
>
> DLZ is up and running. Lots more to get right in the bind config....
>
> Is there a web app to front end samba-tools for maintaining at least
> the dns portion?

Yes, it is called RSAT and runs on windows :-D

>
> Anyway, next to DHCP...
>
> I have installed it. But need to config. Rowland, can you send me
> your sample config you mentioned?
>
>
>

default-lease-time 14400;
max-lease-time 14400;
authoritative;

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.21 192.168.0.229;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option time-offset 0;
    option routers 192.168.0.1;
    option domain-name "example.com";
    option domain-name-servers 192.168.0.2;
    option domain-search "example.com";
    option netbios-name-servers 192.168.0.2;
    option ntp-servers 192.168.0.2;
}

on commit {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
    set ClientName = pick-first-value(option host-name, config-option-host-name, client-name);
    log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
    execute("/usr/local/sbin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}

on release {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
    log(concat("Release: IP: ", ClientIP));
    execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}

Rowland

Robert Moskowitz

Sep 3, 2015, 2:20:04 PM
So a quick test:

# dig homebase.home.htt

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> homebase.home.htt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15588
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;homebase.home.htt. IN A

;; ANSWER SECTION:
homebase.home.htt. 900 IN A 192.168.192.2

;; AUTHORITY SECTION:
home.htt. 900 IN NS homebase.home.htt.

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 03 14:08:30 EDT 2015
;; MSG SIZE rcvd: 76

Rowland Penny

Sep 3, 2015, 2:20:04 PM
I have just thought, this is the ARM build, isn't it? So, is your version
of named built to use the dlz option?

Rowland

Robert Moskowitz

Sep 3, 2015, 2:30:02 PM
I had investigated that last week, and it seemed good. Actually I think
the .so file comes from the sernet rpm, and that was done on an ARM qemu
where we are doing our OS builds, and there were no errors.

Anyway, you can see it is now working and I can actually do a lookup
against the ldap database!

Rowland Penny

Sep 3, 2015, 2:30:02 PM
Yeah, straight after I posted, your post popped up saying you had fixed
it, wish they were all so easy to fix :-D

Rowland

Robert Moskowitz

Sep 3, 2015, 2:30:03 PM


On 09/03/2015 02:17 PM, Rowland Penny wrote:
> On 03/09/15 19:05, Robert Moskowitz wrote:
>>
>>
>> On 09/03/2015 01:59 PM, Sketch wrote:
>>> On Thu, 3 Sep 2015, Rowland Penny wrote:
>>>
>>>> What are the permissions on /var/lib/samba/private/dns ?
>>>
>>> Also don't forget the permissions on /var/lib/samba/private
>>>
>>> If you're using sernet's packages, you'll have to chgrp it to to
>>> named or give it o+x perms.
>>
>> chown root:named /var/lib/samba/private
>>
>> Wow that was it!
>>
>> DLZ is up and running. Lots more to get right in the bind config....
>>
>> Is there a web app to front end samba-tools for maintaining at least
>> the dns portion?
>
> Yes, it is called RSAT and runs on windows :-D


Very funny. THAT IS NOT a web app front end to samba-tools. What about
webmin? But have to see if it is build specific...

Rowland Penny

Sep 3, 2015, 2:40:03 PM
On 03/09/15 19:21, Robert Moskowitz wrote:
>
>
> On 09/03/2015 02:17 PM, Rowland Penny wrote:
>> On 03/09/15 19:05, Robert Moskowitz wrote:
>>>
>>>
>>> On 09/03/2015 01:59 PM, Sketch wrote:
>>>> On Thu, 3 Sep 2015, Rowland Penny wrote:
>>>>
>>>>> What are the permissions on /var/lib/samba/private/dns ?
>>>>
>>>> Also don't forget the permissions on /var/lib/samba/private
>>>>
>>>> If you're using sernet's packages, you'll have to chgrp it to to
>>>> named or give it o+x perms.
>>>
>>> chown root:named /var/lib/samba/private
>>>
>>> Wow that was it!
>>>
>>> DLZ is up and running. Lots more to get right in the bind config....
>>>
>>> Is there a web app to front end samba-tools for maintaining at least
>>> the dns portion?
>>
>> Yes, it is called RSAT and runs on windows :-D
>
>
> Very funny. THAT IS NOT a web app front end to samba-tools. What
> about webmin? But have to see if it is build specific...
>
>

As far as I know RSAT is the only option at the moment, Webmin doesn't
seem to know anything about dlz, but then again Samba 4 AD has been out
nearly 3 years now and Webmin still doesn't work with it.

Rowland

Robert Moskowitz

Sep 3, 2015, 2:50:04 PM


On 09/03/2015 02:33 PM, Rowland Penny wrote:
> On 03/09/15 19:21, Robert Moskowitz wrote:
>>
>>
>> On 09/03/2015 02:17 PM, Rowland Penny wrote:
>>> On 03/09/15 19:05, Robert Moskowitz wrote:
>>>>
>>>>
>>>> On 09/03/2015 01:59 PM, Sketch wrote:
>>>>> On Thu, 3 Sep 2015, Rowland Penny wrote:
>>>>>
>>>>>> What are the permissions on /var/lib/samba/private/dns ?
>>>>>
>>>>> Also don't forget the permissions on /var/lib/samba/private
>>>>>
>>>>> If you're using sernet's packages, you'll have to chgrp it to to
>>>>> named or give it o+x perms.
>>>>
>>>> chown root:named /var/lib/samba/private
>>>>
>>>> Wow that was it!
>>>>
>>>> DLZ is up and running. Lots more to get right in the bind config....
>>>>
>>>> Is there a web app to front end samba-tools for maintaining at
>>>> least the dns portion?
>>>
>>> Yes, it is called RSAT and runs on windows :-D
>>
>>
>> Very funny. THAT IS NOT a web app front end to samba-tools. What
>> about webmin? But have to see if it is build specific...
>>
>>
>
> As far as I know RSAT is the only option at the moment, Webmin doesn't
> seem to know anything about dlz, but then again Samba 4 AD has been
> out nearly 3 years now and Webmin still doesn't work with it.

Well, does Webmin know about LDAP, and can it update the LDAP directly?

Grumble.

Rowland Penny

Sep 3, 2015, 2:50:04 PM
On 03/09/15 19:28, Robert Moskowitz wrote:
>
>
> On 09/03/2015 02:17 PM, Rowland Penny wrote:
> I can't find dhcp-dyndns.sh
>
> where does it come from?
>
>

I thought that might be your next question, I wrote it, based on what I
found here:

http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

#!/bin/bash

# /usr/local/sbin/dhcp-dyndns.sh
# This script is for secure DDNS updates using GSS/TSIG on Samba 4
# Version: 0.8.3 (includes TXTRR records)
# Updated with suggestions from L. v. Belle lo...@van-belle.nl
# method to check for valid kerberos ticket changed

LOG="/var/log/dyndns.log"

if [ -f /var/log/dyndns.log ]; then
    :
else
    touch /var/log/dyndns.log
fi

exec >> $LOG 2>&1

## CONFIGURATION ##

# Samba 4 realm, change this to YOUR realm.
SETREALM=EXAMPLE.COM
## define the dhcp user that will be used for the Dynamic updates to samba4
## this will create a Principal like : user@realm
SETDHCPUSER=dhcpduser
# DNS domain, change this to YOUR dns domain
domain=example.com
# TXT RRs (rfc4701)
# Set to YES to use TXT RRs
TXTRRS="NO"
# Additional nsupdate flags (-g already applied), e.g. "-d" for debug
#NSUPDFLAGS="-d"
# DNS nameserver
ns=127.0.0.1
#
## Do not change anything below here
# Kerberos principal
SETPRINCIPAL=$SETDHCPUSER@$SETREALM
# Kerberos keytab
SETDHCPKEYTAB=/etc/$SETDHCPUSER.keytab
# Default DNS resource records TTL
RRTTL="3600"

# krbcc ticket cache
export KRB5CCNAME="/tmp/dhcp-dyndns.cc"

## Command locations, with full paths it speeds up processing.
## ( tested on Ubuntu 14.04, Debian 7.5 )
CMDSORT="$(which sort)"
CMDAWK="$(which awk)"
CMDHEAD="$(which head)"
CMDECHO="$(which echo)"
CMDDATE="$(which date)"
CMDKINIT="$(which kinit)"
CMDKLIST="$(which klist)"
CMDGREP="$(which grep)"
CMDGETENT="$(which getent)"
CMDSAMBATOOL="$(which samba-tool)"
CMDCHOWN="$(which chown)"
CMDCHMOD="$(which chmod)"
CMDHOST="$(which host)"
CMDNSUPDATE="$(which nsupdate)"

TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")
if [ -z "${TESTUSER}" ]; then
    echo "No dhcp user exists, need to create it first.. exiting."
    echo "you can do this by typing the following commands"
    echo "${CMDKINIT} Administrator@${SETREALM}"
    echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
    echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry"
    echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}"
    exit 1
fi

# Check for Kerberos keytab
if [ -f "${SETDHCPKEYTAB}" ]; then
    :
else
    echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to be created."
    echo "Use the following commands as root"
    echo "${CMDSAMBATOOL} domain exportkeytab --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}"
    testos=$(uname -a | grep 'Debian')
    if [ -z "$testos" ]; then
        echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}"
        echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}"
    fi
    exit 1
fi

## VARIABLES ##

# Variables supplied by dhcpd.conf
action=$1
ip=$2
DHCID=$3
name=${4%%.*}

usage()
{
    echo "USAGE:"
    echo " `basename $0` add ip-address dhcid|mac-address hostname"
    echo " `basename $0` delete ip-address dhcid|mac-address"
}

_KERBEROS () {
    # get current time as a number
    test=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S)

    # Check for valid kerberos ticket
    echo "$test [dyndns] : Running check for valid kerberos ticket"
    klist -c "$KRB5CCNAME" -s
    if [ "$?" != "0" ]; then
        echo "$test [dyndns] : Getting new ticket, old one has expired"
        kinit -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" "${SETPRINCIPAL}"
        if [ "$?" != "0" ]; then
            echo "$test [dyndns] : dhcpd kinit for dynamic DNS failed"
            exit 1;
        fi
    else
        echo "$test [dyndns] : New ticket not required, old one still valid"
    fi

}

# Exit if no ip address or mac-address
if [ -z "$ip" ] || [ -z "$DHCID" ]; then
    usage
    exit 1
fi

# Exit if no computer name supplied, unless the action is 'delete'
if [ "$name" = "" ]; then
    if [ "$action" = "delete" ]; then
        name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}' | ${CMDAWK} -F '.' '{print $1}')
    else
        usage
        exit 1;
    fi
fi

# Set PTR address
ptr=$(${CMDECHO} $ip | ${CMDAWK} -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')

# Create RRTXT record
RRTXT=$(${CMDECHO} "$DHCID$name.$domain" | sha256sum)
RRTXT="000101${RRTXT%% *}"
# extract txt record, if there is one
RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p')

## ${CMDNSUPDATE} ##

case "$action" in
    add)
        if [ "$TXTRRS" = "YES" ]; then
            TXTRRS=""
            # if string is not null
            if [ -n "$RRTXTOLD" ]; then
                # if old RRTXT is not the same as $RRTXT then exit
                if [ "$RRTXT" != "$RRTXTOLD" ]; then
                    echo "DHCP-DNS: adding records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
                    exit 1
                fi
            fi
        else
            TXTRRS=";"
        fi

        _KERBEROS

        ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $name.$domain $RRTTL A
${TXTRRS}update delete $name.$domain $RRTTL TXT
${TXTRRS}update add $name.$domain $RRTTL TXT $RRTXT
update add $name.$domain $RRTTL A $ip
send
UPDATE
        result1=$?

        ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
zone 0.168.192.in-addr.arpa
update delete $ptr $RRTTL PTR
update add $ptr $RRTTL PTR $name.$domain
send
UPDATE
        result2=$?
        ;;
    delete)
        if [ "$TXTRRS" = "YES" ]; then
            TXTRRS=""
            if [ -n "$RRTXTOLD" ]; then
                if [ "$RRTXT" != "$RRTXTOLD" ]; then
                    echo "DHCP-DNS: removing records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
                    exit 1
                fi
            else
                TXTRRS=";"
            fi
        else
            TXTRRS=";"
        fi

        _KERBEROS

        ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $name.$domain $RRTTL A
${TXTRRS}update delete $name.$domain $RRTTL TXT
send
UPDATE
        result1=$?
        ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $ptr $RRTTL PTR
send
UPDATE
        result2=$?
        ;;
    *)
        echo "Invalid action specified"
        exit 103
        ;;
esac

result="$result1$result2"

if [ "$result" != "00" ]; then
    echo "DHCP-DNS Update failed: $result"
    logger "DHCP-DNS Update failed: $result"
else
    echo "DHCP-DNS Update succeeded"
    logger "DHCP-DNS Update succeeded"
fi

exit $result

Rowland Penny

Sep 3, 2015, 3:00:05 PM
It is no good grumbling on here, you could try grumbling at Webmin :-)

Also, using ldap is not as simple as that; try reading dns.py, it is in
/usr/share/pyshared/samba/netcmd on debian.
I know it is written in python and uses ldb, but it might help you to
understand just how difficult it is to work with dns & samba.

Rowland

Robert Moskowitz

Sep 3, 2015, 4:00:03 PM
Thanks. I will give this a try. Hopefully there won't be any
dependency problems!

Consider putting it up on some server or such....

Robert Moskowitz

Sep 3, 2015, 4:00:03 PM
My first item is to add the A and CNAME records for some of the
statically addressed systems in my home.htt domain.

For 2 of them I COULD use dhcp with MAC - IP address mapping. Have you
used that and gotten the A record added? That probably won't handle the
CNAME (and MX) though.

Rowland Penny

Sep 3, 2015, 4:10:03 PM
Try 'samba-tool dns add --help'
The first line it prints is this:

Usage: samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>

>
> For 2 of them I COULD use dhcp with MAC - IP address mapping. Have you
> used that and gotten the A record added? That probably won't handle
> the CNAME (and MX) though.
>

Never tried it, so cannot comment :-)

Rowland

Robert Moskowitz

Sep 3, 2015, 4:20:03 PM
dhcp is working, but what does this mean:

Sep 03 15:58:44 homebase.home.htt dhcpd[22993]: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file

???

On 09/03/2015 02:43 PM, Rowland Penny wrote:
> On 03/09/15 19:28, Robert Moskowitz wrote:
>>
>>
>> On 09/03/2015 02:17 PM, Rowland Penny wrote:
>>> On 03/09/15 19:05, Robert Moskowitz wrote:
>>>>
>>>> Anyway, next to DHCP...
>>>>
>>>> I have installed it. But need to config. Rowland, can you send me
>>>> your sample config you mentioned?
>>>>
>>>>
>>>>
>>>
>>> default-lease-time 14400;
>>> max-lease-time 14400;
>>> authoritative; an't find dhcp-dyndns.sh
>>
>> where does it come from?
>>
>>
>
> I thought that might be your next question, I wrote it, based on what
> I found here:


Robert Moskowitz

Sep 3, 2015, 4:20:03 PM
What is server? localhost?

>
>>
>> For 2 of them I COULD use dhcp with MAC - IP address mapping. Have
>> you used that and gotten the A record added? That probably won't
>> handle the CNAME (and MX) though.
>>
>
> Never tried it, so cannot comment :-)

I may, and then I may not.

Reindl Harald

Sep 3, 2015, 4:20:04 PM


Am 03.09.2015 um 22:09 schrieb Robert Moskowitz:
> dhcp is working. but what does this mean:
>
> Sep 03 15:58:44 homebase.home.htt dhcpd[22993]: Not searching LDAP since
> ldap-server, ldap-port and ldap-base-dn were not specified in the config
> file

What it says: nothing, in 99.9% of all setups. Seems like you never
had a dhcpd running before.....


Robert Moskowitz

Sep 3, 2015, 4:30:02 PM
https://wiki.samba.org/index.php/DNS_administration

Just did not find it with my first searches.

thanks

On 09/03/2015 04:21 PM, Robert Moskowitz wrote:
> Like 10 years ago. When I built my own firewalls. Since then dhcpd
> was a commercial firewall process.
>
> Well a little with Amahi, but that was also years ago when I was
> contributing to that work.
>
> Did dhcp6 and RADVD. Still have the config files, but they are old.

Robert Moskowitz

Sep 3, 2015, 4:30:03 PM


On 09/03/2015 04:14 PM, Reindl Harald wrote:
>
>
Like 10 years ago. When I built my own firewalls. Since then dhcpd was
a commercial firewall process.

Well a little with Amahi, but that was also years ago when I was
contributing to that work.

Did dhcp6 and RADVD. Still have the config files, but they are old.



Robert Moskowitz

Sep 3, 2015, 4:40:03 PM
But need to add '-U administrator' to the end of this command!

Got an A record added, so moving along.

Next to get the zone to slave to the regular dns server. Got old notes
on that, so it should just be some cutting and pasting. Did this years
ago for Amahi.

Rowland Penny

Sep 3, 2015, 4:50:03 PM
You can use:
localhost
127.0.0.1
the ip of the samba DC
the short hostname of the DC
the fqdn of the DC

Robert Moskowitz

Sep 3, 2015, 8:00:06 PM
First I am having a couple challenges with your script here:

On 09/03/2015 02:43 PM, Rowland Penny wrote:
>
> I thought that might be your next question, I wrote it, based on what
> I found here:
>
> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
>
>
> #!/bin/bash
>
> # /usr/local/sbin/dhcp-dyndns.sh
> # This script is for secure DDNS updates using GSS/TSIG on Samba 4
> # Version: 0.8.3 (includes TXTRR records)
> # Updated with suggestions from L. v. Belle lo...@van-belle.nl
> # method to check for valid kerberos ticket changed
>
> LOG="/var/log/dyndns.log"

> if [ -f /var/log/dyndns.log ]; then
> :
> else
> touch /var/log/dyndns.log
> fi

Of course this file did not exist, and the 'touch' command failed on
permissions.

I assume dhcpd is running this script as user dhcpd, group dhcpd, so I
don't see how it can create the file. I have to create it and set the
owner to root:dhcpd


>
> exec >> $LOG 2>&1

Then this line fails, and so forth.
Sep 3 19:27:08 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 64: dhcpduser: command not found
Sep 3 19:27:09 homebase dhcpd: (current) UNIX password: passwd: Authentication token manipulation error
Sep 3 19:27:09 homebase dhcpd: No dhcp user exists, need to create it first.. exiting.
Sep 3 19:27:09 homebase dhcpd: you can do this by typing the following commands
Sep 3 19:27:09 homebase dhcpd: Admini...@EXAMPLE.COM
Sep 3 19:27:09 homebase dhcpd: user create dhcpduser --description="Unprivileged user for DNS updates via ISC DHCP server"
Sep 3 19:27:09 homebase dhcpd: user setexpiry dhcpduser --noexpiry
Sep 3 19:27:09 homebase dhcpd: group addmembers DnsAdmins dhcpduser
Sep 3 19:27:09 homebase dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256

Is this what I need to do, that is, create the dhcpduser? There is no
'user' command. Is this 'adduser'?
Sep 3 19:27:09 homebase dhcpd: DHCPREQUEST for 192.168.192.21 (192.168.192.2) from 02:97:09:02:23:a2 (cubieboard2) via eth0
Sep 3 19:27:09 homebase dhcpd: DHCPACK on 192.168.192.21 to 02:97:09:02:23:a2 (cubieboard2) via eth0
Sep 3 19:27:12 homebase named[22720]: client 192.168.192.21#36919 (0.centos.pool.ntp.org): query (cache) '0.centos.pool.ntp.org/A/IN' denied

Oops, Looks like I have acl problems in named. That I know how to fix...

Jim Seymour

Sep 3, 2015, 8:10:03 PM
On Thu, 3 Sep 2015 13:38:55 -0400
Robert Moskowitz <r...@htt-consult.com> wrote:

> Progress on dns_dlz. At least I got things loading. If I don't
> include the dlz info bind starts, but if I do I get:
>
> Sep 03 13:31:57 homebase.home.htt named[21920]: Loading 'AD DNS
> Zone' using driver dlopen
> Sep 03 13:31:58 homebase.home.htt named[21920]: samba_dlz: Failed
> to connect to /var/lib/samba/private/dns/sam.ldb
>
>
> permissions seem right:
[snip]

When I had that exact problem, I also had an AppArmor message in the
log. I added the appropriate AppArmor config, restarted AppArmor,
and away it went.

HTH.

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.

Robert Moskowitz

Sep 3, 2015, 8:40:02 PM
I am reading through the script and see some things I did not change...

Will do that and try again. As well as create the log file manually.

Robert Moskowitz

Sep 3, 2015, 9:00:04 PM
This will be it for tonight...

Sep 3 20:35:30 homebase dhcpd: DHCPDISCOVER from 02:97:09:02:23:a2 (cubieboard2) via eth0
Sep 3 20:35:31 homebase dhcpd: DHCPOFFER on 192.168.192.21 to 02:97:09:02:23:a2 (cubieboard2) via eth0
Sep 3 20:35:31 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 17: /var/log/dyndns.log: Permission denied
Sep 3 20:35:31 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 49: which: command not found

# ls -ls /var/log/dy*
0 -rw-r--r-- 1 root dhcpd 0 Sep 3 20:27 /var/log/dyndns.log

# grep dhc /etc/passwd
dhcpd:x:177:177:DHCP server:/:/sbin/nologin

# systemctl status dhcpd
dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled)
Active: active (running) since Thu 2015-09-03 15:58:44 EDT; 4h 46min ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 22993 (dhcpd)
Status: "Dispatching packets..."
CGroup: /system.slice/dhcpd.service
└─22993 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd ...

So why does the script figure there is no log file and then try to 'touch' it?

Sep 3 20:35:31 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 62: which: command not found
Sep 3 20:35:31 homebase dhcpd: Internet Systems Consortium DHCP Server 4.2.5
Sep 3 20:35:31 homebase dhcpd: Copyright 2004-2013 Internet Systems Consortium.
Sep 3 20:35:31 homebase dhcpd: All rights reserved.
Sep 3 20:35:31 homebase dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Sep 3 20:35:31 homebase dhcpd: (current) UNIX password: Internet Systems Consortium DHCP Server 4.2.5
Sep 3 20:35:31 homebase dhcpd: Copyright 2004-2013 Internet Systems Consortium.
Sep 3 20:35:31 homebase dhcpd: All rights reserved.
Sep 3 20:35:31 homebase dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Sep 3 20:35:31 homebase dhcpd: unable to create icmp socket: Operation not permitted
Sep 3 20:35:31 homebase dhcpd: Can't open /etc/dhcp/dhcpd.conf: Permission denied
Sep 3 20:35:31 homebase dhcpd: This version of ISC DHCP is based on the release available
Sep 3 20:35:31 homebase dhcpd: on ftp.isc.org. Features have been added and other changes
Sep 3 20:35:31 homebase dhcpd: have been made to the base software release in order to make
Sep 3 20:35:31 homebase dhcpd: it work better with this distribution.
Sep 3 20:35:31 homebase dhcpd: Please report for this software via the CentOS Bugs Database:
Sep 3 20:35:31 homebase dhcpd: http://bugs.centos.org/
Sep 3 20:35:31 homebase dhcpd: unable to create icmp socket: Operation not permitted
Sep 3 20:35:31 homebase dhcpd: Can't open /etc/dhcp/dhcpd.conf: Permission denied
Sep 3 20:35:31 homebase dhcpd:

Huh? Is it restarting dhcpd? And why now complaining about permissions
for /etc/dhcp/dhcpd.conf; it opened it earlier? It is created
root:root, not root:dhcpd.

Sep 3 20:35:33 homebase dhcpd: passwd: Authentication token manipulation error
Sep 3 20:35:33 homebase dhcpd: No dhcp user exists, need to create it first.. exiting.
Sep 3 20:35:33 homebase dhcpd: you can do this by typing the following commands
Sep 3 20:35:33 homebase dhcpd: Admini...@home.htt
Sep 3 20:35:33 homebase dhcpd: user create dhcpd --description="Unprivileged user for DNS updates via ISC DHCP server"
Sep 3 20:35:33 homebase dhcpd: user setexpiry dhcpd --noexpiry
Sep 3 20:35:33 homebase dhcpd: group addmembers DnsAdmins dhcpd
Sep 3 20:35:33 homebase dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256

So what is needed here for the user? And where is it being created? Is
this in kerberos? Is there a separate kerberos daemon with sernet?

Sep 3 20:35:34 homebase dhcpd: Wrote 1 leases to leases file.
Sep 3 20:35:34 homebase dhcpd: DHCPREQUEST for 192.168.192.21 (192.168.192.2) from 02:97:09:02:23:a2 (cubieboard2) via eth0
Sep 3 20:35:34 homebase dhcpd: DHCPACK on 192.168.192.21 to 02:97:09:02:23:a2 (cubieboard2) via eth0
Sep 3 20:35:34 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 17: /var/log/dyndns.log: Permission denied
Sep 3 20:35:34 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 49: which: command not found

Looks like it is looping around again... Same set of messages as the
first set.

Please help here. thanks.

Rowland Penny

Sep 4, 2015, 4:10:03 AM
The script was written to run on Debian; you are using something else,
so you will need to work out the changes required.
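What Rowland's advice comes down to on this box, as an added example (not his script and not code from the thread): a fail-closed replacement for the `$(which ...)` lookups, plus a preflight the dhcpd account can run before the hook is enabled. It assumes POSIX sh and stat(1) with -c; need_cmd, dhcp_user_exists and preflight are names invented here.

```sh
#!/bin/sh
# Added example, not part of the thread. Reading the 20:35:31 log above:
# `which` was absent, so every CMD* variable in dhcp-dyndns.sh was set but
# empty, and the line
#     TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")
# collapsed to `passwd | dhcpd`. The "(current) UNIX password:" prompt and
# the second dhcpd banner ending in "Can't open /etc/dhcp/dhcpd.conf" are
# what that looks like. An empty word in command position is silently
# dropped, and `set -u` does not catch it because the variable is set.
# Assumptions: POSIX sh, stat(1) with -c; all function names are invented here.

# need_cmd NAME: print how NAME resolves, or fail loudly. `command -v` is a
# shell builtin, so it works where the external `which` is not installed, and
# the explicit failure means a missing tool can never become an empty word.
need_cmd() {
    p=$(command -v "$1" 2>/dev/null) && [ -n "$p" ] || {
        echo "required command '$1' not found in PATH" >&2
        return 1
    }
    printf '%s\n' "$p"
}

# dhcp_user_exists NAME: exact lookup instead of `getent passwd | grep NAME`,
# which also matches any longer name (grep "dhcpd" matches "dhcpduser").
dhcp_user_exists() {
    getent=$(need_cmd getent) || return 2
    "$getent" passwd "$1" >/dev/null 2>&1
}

# preflight LOG KEYTAB CMD...: verify what dhcp-dyndns.sh assumes at startup.
# Run it as the account dhcpd executes the hook under (dhcpd here), so the
# answers reflect that account's permissions, not root's.
preflight() {
    log=$1
    keytab=$2
    shift 2
    rc=0
    for c in "$@"; do
        need_cmd "$c" >/dev/null || rc=1
    done
    # The hook appends to the log with `exec >> $LOG`; an unprivileged
    # account cannot create it in /var/log, so it must exist and be writable.
    if [ ! -w "$log" ]; then
        echo "log file $log is missing or not writable by $(id -un)" >&2
        rc=1
    fi
    # The keytab holds the dhcp user's long-term key: readable by this
    # account and by nobody else (the script itself says chmod 400).
    if [ ! -r "$keytab" ]; then
        echo "keytab $keytab is missing or not readable by $(id -un)" >&2
        rc=1
    else
        case $(stat -c '%a' "$keytab") in
            *[1-7][0-7]|*[1-7])
                echo "keytab $keytab is readable by group or others; use chmod 400" >&2
                rc=1 ;;
        esac
    fi
    return $rc
}

# Usage: sh preflight.sh /var/log/dyndns.log /etc/dhcpduser.keytab nsupdate kinit klist host getent
if [ $# -ge 2 ]; then
    preflight "$@"
fi
```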