SHOW:
|
|
- or go back to the newest paste.
1 | #!/bin/sh | |
2 | ||
3 | - | #exit 0 |
3 | + | |
4 | # Kerberos realm | |
5 | realm="DOMAIN.LAN" | |
6 | # Kerberos principal | |
7 | principal="dhcpduser@$realm" | |
8 | # Kerberos keytab | |
9 | keytab="/etc/dhcp/dhcpd.keytab" | |
10 | # Kerberos credentials cache | |
11 | krb5cc="/run/dhcp-server/dhcpd.krb5cc" | |
12 | # Use MIT kerberos args instead of heimdal. | |
13 | #KRB5MIT="YES" | |
14 | ||
15 | # Domain appended to hostname | |
16 | domain="domain.lan" | |
17 | # Space separated list of DNS servers for sending updates to | |
18 | NSRVS="ns1.domain.lan ns2.domain.lan" | |
19 | # Default DNS resource records TTL | |
20 | RRTTL="3600" | |
21 | # Do not use TXT RRs (rfc4701) | |
22 | NOTXTRRS="YES" | |
23 | ||
24 | - | #NOTXTRRS="YES" |
24 | + | |
25 | #NSUPDFLAGS="-d" | |
26 | # Run in the foreground (for manual run only!!!), it's better to use "-d" as script's first argument | |
27 | #DEBUG="YES" | |
28 | ||
29 | ###################################################### | |
30 | ||
31 | ## VARIABLES ## | |
32 | [ "$1" = "-d" ] && DEBUG="YES" && shift | |
33 | action=$1 | |
34 | ip=$2 | |
35 | DHCID=$3 | |
36 | name=${4%%.*} | |
37 | [ -n "$5" ] && RRTTL="$5" | |
38 | ||
39 | - | echo " `basename $0` add ip-address dhcid|mac-address hostname [dns-ttl]" |
39 | + | |
40 | - | echo " `basename $0` delete ip-address dhcid|mac-address" |
40 | + | |
41 | echo " `basename $0` [-d] add ip-address dhcid|mac-address hostname [dns-ttl]" | |
42 | echo " `basename $0` [-d] delete ip-address dhcid|mac-address" | |
43 | } | |
44 | ||
45 | _kerberos() { | |
46 | export KRB5_KTNAME="$keytab" | |
47 | export KRB5CCNAME="$krb5cc" | |
48 | - | klist -s || kinit $principal -k -t $keytab |
48 | + | |
49 | if [ "$KRB5MIT" = "YES" ]; then | |
50 | - | klist -t || kinit -t $keytab $principal |
50 | + | KLISTARG="-s" |
51 | else | |
52 | KLISTARG="-t" | |
53 | fi | |
54 | ||
55 | klist $KLISTARG || kinit -k -t "$keytab" -c "$krb5cc" "$principal" || { echo "DDNS: kinit failed"; exit 1; } | |
56 | } | |
57 | ||
58 | _main() { | |
59 | umask 77 | |
60 | ||
61 | if [ -z "$ip" ] || [ -z "$DHCID" ]; then | |
62 | _usage | |
63 | exit 1 | |
64 | fi | |
65 | ||
66 | ||
67 | - | RRAOLD=`host $name.$domain | awk '/has address/ {print $4}'` |
67 | + | |
68 | case "$action" in | |
69 | - | RRTXTOLD=`host -t txt "$name.$domain" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p'` |
69 | + | |
70 | - | [ -z "$RRTXTOLD" ] && echo "Forward map from $name.$domain to $ip FAILED: Has an address record but no DHCID, not mine." && exit 0 |
70 | + | RRPTR="$name.$domain" |
71 | if [ "$NOTXTRRS" != "YES" ]; then | |
72 | - | RRTXT=`echo "$DHCID$name.$domain" | sha256sum` |
72 | + | |
73 | RRAOLD=`host $RRPTR | awk '/has address/ {print $4}'` | |
74 | - | [ "$RRTXT" != "$RRTXTOLD" ] && echo "Forward map from $name.$domain to $ip FAILED: Has an address record but DHCID is wrong, not mine." && exit 0 |
74 | + | |
75 | RRTXTOLD=`host -t txt "$RRPTR" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p'` | |
76 | - | RRTXT=`echo "$DHCID$name.$domain" | sha256sum` |
76 | + | [ -z "$RRTXTOLD" ] && echo "DDNS: adding records for $ip ($RRPTR) FAILED: has A record but no DHCID, not mine" && exit 1 |
77 | ||
78 | RRTXT=`echo "$DHCID$RRPTR" | sha256sum` | |
79 | RRTXT="000101${RRTXT%% *}" | |
80 | [ "$RRTXT" != "$RRTXTOLD" ] && echo "DDNS: adding records for $ip ($RRPTR) FAILED: has A record but DHCID is wrong" && exit 1 | |
81 | else | |
82 | RRTXT=`echo "$DHCID$RRPTR" | sha256sum` | |
83 | RRTXT="000101${RRTXT%% *}" | |
84 | fi | |
85 | else | |
86 | NOTXTRRS=";" | |
87 | fi | |
88 | ||
89 | RRPTRNAME=`echo $ip | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}'` | |
90 | ||
91 | - | update delete $name.$domain. $RRTTL A |
91 | + | |
92 | - | ${NOTXTRRS}update delete $name.$domain. $RRTTL TXT |
92 | + | |
93 | - | ${NOTXTRRS}update add $name.$domain. $RRTTL TXT $RRTXT |
93 | + | |
94 | - | update add $name.$domain. $RRTTL A $ip |
94 | + | |
95 | server $NSRV | |
96 | realm $realm | |
97 | update delete $RRPTR. $RRTTL A | |
98 | ${NOTXTRRS}update delete $RRPTR. $RRTTL TXT | |
99 | ${NOTXTRRS}update add $RRPTR. $RRTTL TXT $RRTXT | |
100 | update add $RRPTR. $RRTTL A $ip | |
101 | - | [ "$result" -eq "0" ] && break |
101 | + | |
102 | update delete $RRPTRNAME. $RRTTL PTR | |
103 | update add $RRPTRNAME. $RRTTL PTR $name.$domain. | |
104 | send | |
105 | UPDATE | |
106 | result=$? | |
107 | [ "$result" -eq "0" ] && echo "DDNS: adding records for $ip ($RRPTR) succeeded" && exit 0 | |
108 | done | |
109 | ||
110 | - | [ -z "$RRTXTOLD" ] && echo "Forward map from $RRPTR to $ip removing FAILED: Has an address record but no DHCID, not mine." && exit 0 |
110 | + | [ "$result" != "0" ] && echo "DDNS: adding records for $ip ($RRPTR) FAILED: nsupdate status $result" && exit "$result" |
111 | ;; | |
112 | delete) | |
113 | RRPTR=`host $ip | awk '/domain name pointer/ { sub(/\.$/, "", $5); print $5}'` | |
114 | - | [ "$RRTXT" != "$RRTXTOLD" ] && echo "Forward map from $RRPTR to $ip removing FAILED: Has an address record but DHCID is wrong." && exit 0 |
114 | + | |
115 | NOTXTRRS="" | |
116 | - | echo "$ip has no PTR, can not determine address record." && exit 0 |
116 | + | |
117 | RRTXTOLD=`host -t txt "$RRPTR" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p'` | |
118 | [ -z "$RRTXTOLD" ] && echo "DDNS: removing records for $ip ($RRPTR) FAILED: has A record but no DHCID, not mine" && exit 1 | |
119 | ||
120 | RRTXT=`echo "$DHCID$RRPTR" | sha256sum` | |
121 | RRTXT="000101${RRTXT%% *}" | |
122 | [ "$RRTXT" != "$RRTXTOLD" ] && echo "DDNS: removing records for $ip ($RRPTR) FAILED: has A record but DHCID is wrong" && exit 1 | |
123 | else | |
124 | echo "DDNS: removing records for $ip FAILED: has no PTR, can not determine A record" && exit 1 | |
125 | fi | |
126 | else | |
127 | NOTXTRRS=";" | |
128 | fi | |
129 | ||
130 | RRPTRNAME=`echo $ip | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}'` | |
131 | ||
132 | _kerberos | |
133 | ||
134 | for NSRV in $NSRVS; do | |
135 | nsupdate -g $NSUPDFLAGS << UPDATE | |
136 | server $NSRV | |
137 | - | [ "$result" -eq "0" ] && break |
137 | + | |
138 | update delete $RRPTR. $RRTTL A | |
139 | ${NOTXTRRS}update delete $RRPTR. $RRTTL TXT | |
140 | send | |
141 | update delete $RRPTRNAME. $RRTTL PTR | |
142 | send | |
143 | UPDATE | |
144 | result=$? | |
145 | - | [ "$result" != "0" ] && echo "GSS-TSIG DNS update failed: $result" |
145 | + | [ "$result" -eq "0" ] && echo "DDNS: removing records for $ip ($RRPTR) succeeded" && exit 0 |
146 | - | exit $result |
146 | + | |
147 | ||
148 | [ "$result" != "0" ] && echo "DDNS: removing records for $ip ($RRPTR) FAILED: nsupdate status $result" && exit "$result" | |
149 | - | _main |
149 | + | |
150 | *) | |
151 | _usage && exit 1 | |
152 | ;; | |
153 | esac | |
154 | } | |
155 | ||
156 | if [ "$DEBUG" = "YES" ]; then | |
157 | _main | |
158 | else | |
159 | : | |
160 | _main | logger -s -t dhcpd & | |
161 | fi |