
Safe dynamic update of records on MS DNS from Linux

Introduction


In the process of setting up AD clients running Ubuntu Linux, I ran into DNS records on the server not being updated in time by Samba, as well as incorrect behaviour of the "net ads dns register" command. Both cause problems when working with domain computers.

For example, having two DNS servers listed in dhclient.conf results in the error "ERROR_DNS_GSS_ERROR" after running "net ads dns register -P".

While looking for a solution to this problem, I re-read many articles and bug reports and came across the article by Warlock_ua, "Secure dynamic update of DNS records in the Windows domain from Linux (GSS-TSIG)". The idea seemed interesting to me, but I did not like the solution of creating a separate domain user account that has the right to modify all records of the DNS zone. Firstly, it is potentially unsafe. Secondly, Windows already has a ready-made solution: each computer account has the right to change its own record on the DNS server. Why not take advantage of this?

I took the learn-address.sh script from Warlock_ua as a basis and adapted it to my needs.

About infrastructure


We have an AD service running on Windows Server 2008 R2 Standard, together with an MS DNS server; both are managed by the Windows administrators. The DHCP server is Cisco-based and managed by the network administrators. To me all of that is somewhere in the cloud, more or less a black box. We also have clients running Ubuntu 14.04 (Trusty) with Samba 4.1.6 and isc-dhcp-client installed. That is my part.

Script for updating DNS records


I will not describe the entire procedure for joining computers running Ubuntu to the AD domain, since that is beyond the scope of this article; I will describe only the key points.

The computer that will update its DNS record must be joined to the domain, that is, it must have a domain computer account. First you need to obtain the password of that computer account from Samba's Trivial DataBase (secrets.tdb). This can be done with the tdbdump utility:

sudo tdbdump -k SECRETS/MACHINE_PASSWORD/DOMAIN /var/lib/samba/private/secrets.tdb | sed 's/\\00$//'

After that, you need to create a keytab file with the machine credentials using the ktutil utility (addent -password prompts for the password, so the password is supplied on the line following the addent command):

 ktutil <<EOF
 addent -password -p $cn@DOMAIN.LOCAL -k 1 -e rc4-hmac
 $MPAS
 write_kt $keytab_file
 quit
 EOF

Next, you need to obtain a Kerberos ticket:

 kinit -k -t $keytab_file $user 

Now you can update the DNS record of that computer account.

Nsupdate-gsstsig overview


 nsupdate-gsstsig update <ip> <hostname> 


Listing nsupdate-gsstsig


 #!/bin/bash
 ###
 ### Settings
 ###
 dnsserver=dc1
 fwdzone=domain.local
 # Reverse zone. Disabled here; uncomment the reverse-zone lines below
 # if the computer account is also allowed to update its PTR record.
 #revzone=115.70.10.in-addr.arpa
 ttl=300
 op=$1
 addr=$2
 #revaddr=`echo $addr | sed -re 's:([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+):\4.\3.\2.\1.in-addr.arpa:'`
 cn=$3
 fqdn=$cn.$fwdzone
 addfile=add_$addr
 delfile=del_$addr
 # The update is signed by the computer account itself, so it can only
 # change its own record.
 user=$cn
 keytab_file=./machine_krb5.keytab
 ###
 ### Machine account password from Samba's secrets.tdb
 ###
 MPAS=`sudo tdbdump -k SECRETS/MACHINE_PASSWORD/DOMAIN /var/lib/samba/private/secrets.tdb | sed 's/\\\00$//'`
 ###
 ### Create the keytab
 ###
 # The keytab contains the machine password: make it readable by the owner only.
 umask 077
 ktutil <<EOF
 addent -password -p $cn@DOMAIN.LOCAL -k 1 -e rc4-hmac
 $MPAS
 write_kt $keytab_file
 quit
 EOF
 ###
 ### DNS update
 ###
 addRecord() {
   kinit -k -t $keytab_file $user
   cat <<EOF > $addfile
 gsstsig
 server $dnsserver
 zone $fwdzone
 update delete $fqdn a
 update add $fqdn $ttl a $addr
 send
 EOF
 #zone $revzone
 #update delete $revaddr ptr
 #update add $revaddr $ttl ptr $fqdn
 #send
 #EOF
   nsupdate -v $addfile
   rm -f $addfile
 }
 delRecord() {
   kinit -k -t $keytab_file $user
   # The delete input is written here rather than in addRecord, otherwise
   # it never exists when the delete operation runs.
   cat <<EOF > $delfile
 gsstsig
 server $dnsserver
 zone $fwdzone
 update delete $fqdn a
 send
 EOF
 #zone $revzone
 #update delete $revaddr ptr
 #send
 #EOF
   nsupdate -v $delfile
   rm -f $delfile
 }
 case $op in
   add|update)
     addRecord
     ;;
   delete)
     delRecord
     ;;
   *)
     echo "Unable to handle operation $op. Exiting"
     exit 1
 esac
 rm $keytab_file
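The same machine-account update flow, as an added example that is not the article's nsupdate-gsstsig script: the keytab and the Kerberos ticket cache live in a private temporary directory that is removed on exit (so the machine password never sits in the working directory of whatever called the hook), the nsupdate input is produced by a function that can be inspected before anything is sent, and the result is checked with dig afterwards. The server, zone, realm and host names are placeholders taken from the article; the PTR helper covers the reverse-zone case the article leaves commented out.

```shell
#!/bin/bash
# Added example, not the article's script. Placeholders: dc1, domain.local,
# DOMAIN.LOCAL. Requires tdbdump, ktutil, kinit, nsupdate and dig.
set -eu

# Print the nsupdate command stream that replaces the A record of fqdn.
# Arguments: DNS server, forward zone, fqdn, ttl, IPv4 address.
render_forward_update() {
    local ds=$1 zone=$2 fqdn=$3 ttl=$4 addr=$5
    printf 'gsstsig\n'
    printf 'server %s\n' "$ds"
    printf 'zone %s\n' "$zone"
    printf 'update delete %s a\n' "$fqdn"
    printf 'update add %s %s a %s\n' "$fqdn" "$ttl" "$addr"
    printf 'send\n'
}

# Turn a dotted-quad IPv4 address into its in-addr.arpa owner name,
# e.g. 10.70.115.23 -> 23.115.70.10.in-addr.arpa
reverse_name() {
    local IFS=.
    set -- $1
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Print the nsupdate command stream for the matching PTR record.
# Arguments: DNS server, reverse zone, IPv4 address, ttl, fqdn.
render_reverse_update() {
    local ds=$1 zone=$2 addr=$3 ttl=$4 fqdn=$5
    local owner
    owner=$(reverse_name "$addr")
    printf 'gsstsig\n'
    printf 'server %s\n' "$ds"
    printf 'zone %s\n' "$zone"
    printf 'update delete %s ptr\n' "$owner"
    printf 'update add %s %s ptr %s\n' "$owner" "$ttl" "$fqdn"
    printf 'send\n'
}

# Register addr as the A record of cn, signed with the computer account's
# own key. Runs kinit and nsupdate, so it is only called from the
# command line with two arguments: <ip> <hostname>.
update_machine_record() {
    local addr=$1 cn=$2
    local dnsserver=dc1 fwdzone=domain.local realm=DOMAIN.LOCAL ttl=300  # placeholders
    local fqdn=$cn.$fwdzone workdir mpas

    umask 077                                   # keytab and ccache readable by owner only
    workdir=$(mktemp -d)
    trap 'kdestroy -q 2>/dev/null || true; rm -rf "$workdir"' EXIT
    export KRB5CCNAME="FILE:$workdir/ccache"    # private cache, not the login user's tickets

    # Machine password from Samba's secrets.tdb, as in the article;
    # addent -password reads it from the line after the command.
    mpas=$(sudo tdbdump -k SECRETS/MACHINE_PASSWORD/DOMAIN \
               /var/lib/samba/private/secrets.tdb | sed 's/\\00$//')
    ktutil <<EOF
addent -password -p $cn@$realm -k 1 -e rc4-hmac
$mpas
write_kt $workdir/machine.keytab
quit
EOF
    kinit -k -t "$workdir/machine.keytab" "$cn@$realm"

    render_forward_update "$dnsserver" "$fwdzone" "$fqdn" "$ttl" "$addr" > "$workdir/update.txt"
    nsupdate -v "$workdir/update.txt"

    # Verify that the server now answers with the address we just sent.
    dig +short @"$dnsserver" "$fqdn" A | grep -qx "$addr"
}

if [ "$#" -eq 2 ]; then
    update_machine_record "$1" "$2"
fi
```

The script exits non-zero if the post-update lookup does not return the address, which makes a silent failure of the GSS-TSIG update visible to whatever invoked the hook; the EXIT trap removes the keytab and the ticket cache on both success and failure.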

Running script


For easy launching, I placed the script in /bin/nsupdate-gsstsig.
To update the DNS information automatically, I created a regdns script and put it in /etc/network/if-up.d/.

Listing regdns


 #!/bin/sh
 # Host name of this computer
 SHOST=`cat /etc/hostname`
 # IP address of the first interface other than lo (head keeps a single
 # address when more than one interface is up)
 IP=$(ifconfig | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}' | head -n 1)
 # Update the DNS record
 nsupdate-gsstsig update $IP $SHOST
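An added alternative to the regdns hook above (my example, not the article's script): ifupdown exports IFACE and MODE to the scripts in /etc/network/if-up.d/, so the hook can register exactly the address of the interface that just came up instead of grepping every address out of ifconfig, and it can stay quiet for the loopback interface or when the interface has no IPv4 address yet. It assumes iproute2's ip command is available and that the update script lives at /bin/nsupdate-gsstsig as described above; the sample ip output in the comments is constructed.

```shell
#!/bin/sh
# Added example, not the article's regdns hook. Assumes iproute2 (ip) and
# /bin/nsupdate-gsstsig from the article.

# Pick the first IPv4 address out of `ip -4 -o addr show dev IFACE` output.
# Constructed sample input line:
#   2: eth0    inet 10.70.115.23/24 brd 10.70.115.255 scope global eth0\       valid_lft forever preferred_lft forever
# yields 10.70.115.23; prints nothing if there is no inet entry.
first_ipv4() {
    awk '$3 == "inet" { split($4, a, "/"); print a[1]; exit }'
}

# Act only when an interface is being brought up, and never for lo.
# Arguments: interface name, ifupdown MODE (start or stop).
should_register() {
    [ "$2" = "start" ] && [ "$1" != "lo" ]
}

main() {
    should_register "${IFACE:-}" "${MODE:-}" || exit 0
    host=$(cat /etc/hostname)
    addr=$(ip -4 -o addr show dev "$IFACE" | first_ipv4)
    # No IPv4 address on the interface yet: nothing to register.
    [ -n "$addr" ] || exit 0
    exec /bin/nsupdate-gsstsig update "$addr" "$host"
}

# Only run when invoked by ifupdown (IFACE is set); otherwise the file
# just defines the functions above.
case ${IFACE:-} in
    "") ;;
    *) main ;;
esac
```

Because the hook exits 0 when there is nothing to do, a failure of the registration itself (a non-zero exit from nsupdate-gsstsig) is the only way it reports an error, which keeps ifup's log readable.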


Source: https://habr.com/ru/post/265969/

