Register a Linux host in a Windows DNS server
This post is intended for Linux hosts that don't run Samba but still want to register themselves on a Windows DNS server (2003) that allows secure DNS updates.
From what I heard, the DNS server only allows secure updates by default. You can also disable this on the DNS server.
1. Make sure you have the following software (packages) and their dependencies installed on your Linux machine.
perl-GSSAPI
perl-Net-DNS
Kerberos5
nsupdate-gss
perl-Authen-Krb5
(Packages for openSUSE and SLE are available from the openSUSE Build Service; you can find them via http://software.opensuse.org/search.)
2. Configure your Kerberos configuration file, /etc/krb5.conf, for your (Windows) domain.
The content of this file should look like this:
[libdefaults]
    default_realm = mylan.BE
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
[realms]
    mylan.BE = {
        kdc = hn038
        admin_server = hn038
    }
[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
The most important settings are the realm, which is your domain (it's important that you specify it as DOMAIN.TLD), and the kdc and admin_server, which should point to your Windows 2003 server (Active Directory). You don't need to specify default_realm, but it saves typing because it is automatically appended to your username.
3. Obtain a Kerberos ticket with kinit; you need your Windows login and password (e.g. u0101011).
kinit u0101011
If your password is correct, you'll receive a ticket that is stored under /tmp/krb5cc_
4. As soon as you have your ticket you can update the DNS entry for your machine; for that you first need to know your IP address and hostname.
/bin/ip address show dev eth0
/bin/hostname -s
Use this information in the nsupdate-gss command.
5. Update the entry
nsupdate-gss hostname DOMAIN your_ip TTL nameserver
e.g. nsupdate-gss camper mylan 10.1.10.113 3800 10.8.91.2
You'll see some output (maybe some warnings or errors), but as long as the last line says something like "Update gave rcode NOERROR", everything should be OK.
6. Verify that your changes work with the host or dig command.
You could put all of this in a NetworkManager dispatcher script to perform it automatically.
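One way to do that, written here as an added example (it is not code from the post, from dag's script or from nsupdate-gss): a dispatcher script that runs steps 3 to 6 whenever an interface comes up and logs a failure at every stage instead of silently leaving a stale record. It assumes a host keytab in /etc/krb5.keytab for the non-interactive kinit, the install path given in the comment, the DOMAIN and nameserver values from the example above, and that the record name is hostname.DOMAIN.

```shell
#!/bin/sh
# Assumed install path: /etc/NetworkManager/dispatcher.d/90-dns-register
# NetworkManager calls it as: <script> <interface> <action>
DNS_DOMAIN="mylan"       # DOMAIN argument for nsupdate-gss (value from the post's example)
DNS_SERVER="10.8.91.2"   # nameserver argument (value from the post's example)
DNS_TTL=3800
KEYTAB=/etc/krb5.keytab  # assumption: a keytab for the host principal exists here

# Pull the first IPv4 address out of `ip address show dev <iface>` output.
# Kept as pure text processing so it can be checked with constructed input.
first_ipv4() {
    printf '%s\n' "$1" | awk '/inet / { sub("/.*", "", $2); print $2; exit }'
}

# nsupdate-gss reports success on its last output line ("Update gave rcode NOERROR").
update_succeeded() {
    printf '%s\n' "$1" | tail -n 1 | grep -q 'rcode NOERROR'
}

register() {
    iface="$1"
    host=$(hostname -s)
    # Non-interactive ticket from the keytab; a dispatcher script cannot prompt for a password.
    kinit -k -t "$KEYTAB" "host/$host" || { logger -t dns-register "kinit failed"; return 1; }
    addr=$(first_ipv4 "$(ip address show dev "$iface")")
    [ -n "$addr" ] || { logger -t dns-register "no IPv4 address on $iface"; return 1; }
    # Same argument order as in the post: hostname DOMAIN ip TTL nameserver
    out=$(nsupdate-gss "$host" "$DNS_DOMAIN" "$addr" "$DNS_TTL" "$DNS_SERVER" 2>&1)
    update_succeeded "$out" || { logger -t dns-register "update failed: $out"; return 1; }
    # Step 6: confirm the server now answers with the address we just registered.
    dig +short "@$DNS_SERVER" "$host.$DNS_DOMAIN" | grep -qx "$addr" \
        || { logger -t dns-register "$host.$DNS_DOMAIN does not resolve to $addr"; return 1; }
    logger -t dns-register "registered $host.$DNS_DOMAIN -> $addr"
}

# Only act when NetworkManager reports an interface coming up; otherwise do nothing.
case "${2:-}" in
    up) register "$1" ;;
esac
```

NetworkManager only runs dispatcher scripts that are owned by root, executable and not writable by group or others, so install it with those permissions.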
(Kudos to dag for making the existing script a little bit more user friendly)
May 17th, 2008 - Posted in linux, opensuse
