1 | #!/bin/sh | |
2 | ||
3 | #exit 0 | |
4 | ||
5 | ## CONFIGURATION ## | |
6 | # Kerberos realm | |
7 | realm="DOMAIN.LAN" | |
8 | # Kerberos principal | |
9 | principal="dhcpduser@$realm" | |
10 | # Kerberos keytab | |
11 | keytab="/etc/dhcp/dhcpd.keytab" | |
12 | # Kerberos credentials cache | |
13 | krb5cc="/run/dhcp-server/dhcpd.krb5cc" | |
14 | # Use MIT kerberos args instead of heimdal. | |
15 | #KRB5MIT="YES" | |
16 | ||
17 | # Domain appended to hostname | |
18 | domain="domain.lan" | |
19 | - | NSUPDFLAGS="-d" |
19 | + | |
20 | NSRVS="ns1.domain.lan ns2.domain.lan" | |
21 | # Default DNS resource records TTL | |
22 | RRTTL="3600" | |
23 | # Do not use TXT RRs (rfc4701) | |
24 | #NOTXTRRS="YES" | |
25 | # Additional nsupdate flags (-g already applied), e.g. "-d" for debug | |
26 | #NSUPDFLAGS="-d" | |
27 | ||
28 | ###################################################### | |
29 | - | ## KERBEROS ## |
29 | + | |
30 | ## VARIABLES ## | |
31 | action=$1 | |
32 | ip=$2 | |
33 | DHCID=$3 | |
34 | - | # Heimdal |
34 | + | |
35 | - | klist -t || kinit -t $keytab $principal |
35 | + | |
36 | - | # MIT (not tested) |
36 | + | |
37 | - | #klist -s || kinit $principal -k -t $keytab |
37 | + | |
38 | echo "Usage:" | |
39 | echo " `basename $0` add ip-address dhcid|mac-address hostname [dns-ttl]" | |
40 | echo " `basename $0` delete ip-address dhcid|mac-address" | |
41 | } | |
42 | ||
43 | _kerberos() { | |
44 | export KRB5_KTNAME="$keytab" | |
45 | export KRB5CCNAME="$krb5cc" | |
46 | ||
47 | if [ "$KRB5MIT" = "YES" ]; then | |
48 | klist -s || kinit $principal -k -t $keytab | |
49 | else | |
50 | klist -t || kinit -t $keytab $principal | |
51 | fi | |
52 | } | |
53 | ||
54 | _main() { | |
55 | umask 77 | |
56 | ||
57 | if [ -z "$ip" ] || [ -z "$DHCID" ]; then | |
58 | - | RRAOLD=`host $name.$domain | awk '/has address/ {print $4}'` |
58 | + | |
59 | - | if [ -n "$RRAOLD" ]; then |
59 | + | |
60 | - | RRTXTOLD=`host -t txt "$name.$domain" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p'` |
60 | + | |
61 | - | [ -z "$RRTXTOLD" ] && echo "Forward map from $name.$domain to $ip FAILED: Has an address record but no DHCID, not mine." && exit 0 |
61 | + | |
62 | ## NSUPDATE ## | |
63 | - | RRTXT=`echo "$DHCID$name$domain" | sha256sum` |
63 | + | |
64 | - | RRTXT="000101${RRTXT%% *}" |
64 | + | |
65 | - | [ "$RRTXT" != "$RRTXTOLD" ] && echo "Forward map from $name.$domain to $ip FAILED: Has an address record but DHCID is wrong, not mine." && exit 0 |
65 | + | if [ "$NOTXTRRS" != "YES" ]; then |
66 | NOTXTRRS="" | |
67 | - | RRTXT=`echo "$DHCID$name$domain" | sha256sum` |
67 | + | RRAOLD=`host $name.$domain | awk '/has address/ {print $4}'` |
68 | - | RRTXT="000101${RRTXT%% *}" |
68 | + | if [ -n "$RRAOLD" ]; then |
69 | RRTXTOLD=`host -t txt "$name.$domain" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p'` | |
70 | [ -z "$RRTXTOLD" ] && echo "Forward map from $name.$domain to $ip FAILED: Has an address record but no DHCID, not mine." && exit 0 | |
71 | ||
72 | RRTXT=`echo "$DHCID$name.$domain" | sha256sum` | |
73 | RRTXT="000101${RRTXT%% *}" | |
74 | [ "$RRTXT" != "$RRTXTOLD" ] && echo "Forward map from $name.$domain to $ip FAILED: Has an address record but DHCID is wrong, not mine." && exit 0 | |
75 | else | |
76 | RRTXT=`echo "$DHCID$name.$domain" | sha256sum` | |
77 | RRTXT="000101${RRTXT%% *}" | |
78 | fi | |
79 | else | |
80 | - | update delete $name.$domain. $RRTTL TXT |
80 | + | NOTXTRRS=";" |
81 | - | update add $name.$domain. $RRTTL TXT $RRTXT |
81 | + | |
82 | ||
83 | RRPTRNAME=`echo $ip | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}'` | |
84 | ||
85 | _kerberos | |
86 | ||
87 | for NSRV in $NSRVS; do | |
88 | nsupdate -g $NSUPDFLAGS << UPDATE | |
89 | server $NSRV | |
90 | realm $realm | |
91 | update delete $name.$domain. $RRTTL A | |
92 | ${NOTXTRRS}update delete $name.$domain. $RRTTL TXT | |
93 | ${NOTXTRRS}update add $name.$domain. $RRTTL TXT $RRTXT | |
94 | - | if [ -n "$RRPTR" ]; then |
94 | + | |
95 | - | RRTXTOLD=`host -t txt "$RRPTR" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p'` |
95 | + | |
96 | - | [ -z "$RRTXTOLD" ] && echo "Forward map from $RRPTR to $ip removing FAILED: Has an address record but no DHCID, not mine." && exit 0 |
96 | + | |
97 | update add $RRPTRNAME. $RRTTL PTR $name.$domain. | |
98 | - | RRTXT=`echo "$DHCID$RRPTR" | sha256sum` |
98 | + | |
99 | - | RRTXT="000101${RRTXT%% *}" |
99 | + | |
100 | - | [ "$RRTXT" != "$RRTXTOLD" ] && echo "Forward map from $RRPTR to $ip removing FAILED: Has an address record but DHCID is wrong." && exit 0 |
100 | + | |
101 | [ "$result" -eq "0" ] && break | |
102 | - | echo "$ip has no PTR, can not determine address record." && exit 0 |
102 | + | |
103 | ;; | |
104 | delete) | |
105 | RRPTR=`host $ip | awk '/domain name pointer/ { sub(/\.$/, "", $5); print $5}'` | |
106 | if [ "$NOTXTRRS" != "YES" ]; then | |
107 | NOTXTRRS="" | |
108 | if [ -n "$RRPTR" ]; then | |
109 | RRTXTOLD=`host -t txt "$RRPTR" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p'` | |
110 | [ -z "$RRTXTOLD" ] && echo "Forward map from $RRPTR to $ip removing FAILED: Has an address record but no DHCID, not mine." && exit 0 | |
111 | ||
112 | RRTXT=`echo "$DHCID$RRPTR" | sha256sum` | |
113 | RRTXT="000101${RRTXT%% *}" | |
114 | - | update delete $RRPTR. $RRTTL TXT |
114 | + | [ "$RRTXT" != "$RRTXTOLD" ] && echo "Forward map from $RRPTR to $ip removing FAILED: Has an address record but DHCID is wrong." && exit 0 |
115 | else | |
116 | echo "$ip has no PTR, can not determine address record." && exit 0 | |
117 | fi | |
118 | else | |
119 | NOTXTRRS=";" | |
120 | fi | |
121 | ||
122 | RRPTRNAME=`echo $ip | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}'` | |
123 | ||
124 | _kerberos | |
125 | ||
126 | for NSRV in $NSRVS; do | |
127 | nsupdate -g $NSUPDFLAGS << UPDATE | |
128 | server $NSRV | |
129 | realm $realm | |
130 | update delete $RRPTR. $RRTTL A | |
131 | ${NOTXTRRS}update delete $RRPTR. $RRTTL TXT | |
132 | send | |
133 | update delete $RRPTRNAME. $RRTTL PTR | |
134 | send | |
135 | UPDATE | |
136 | result=$? | |
137 | [ "$result" -eq "0" ] && break | |
138 | done | |
139 | ;; | |
140 | *) | |
141 | _usage && exit 1 | |
142 | ;; | |
143 | esac | |
144 | ||
145 | [ "$result" != "0" ] && echo "GSS-TSIG DNS update failed: $result" | |
146 | exit $result | |
147 | } | |
148 | ||
149 | _main |
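Review bot: `$name` and `$RRPTR` are interpolated unquoted into the `nsupdate -g` here-doc (`update delete $name.$domain. $RRTTL A`, `update delete $RRPTR. $RRTTL A`), so a value containing whitespace or a newline alters the update stream that runs under the dhcpd Kerberos credentials; `$name` appears to be the DHCP-client-supplied hostname from the usage text, though its assignment is not shown on this page. A guard such as `case "$name" in *[!A-Za-z0-9.-]*|"") echo "invalid hostname: $name" >&2; exit 1;; esac` placed before `_kerberos` (and the same for `$RRPTR` in the delete branch) would reject anything that is not a plain hostname. In the delete branch the `[ -n "$RRPTR" ]` check only runs when NOTXTRRS is unset, so with `NOTXTRRS=YES` an address with no PTR produces `update delete . $RRTTL A`; hoisting that check above the `if [ "$NOTXTRRS" != "YES" ]` line fixes it. The exit status of `host` is also never checked, so a transient lookup failure leaves RRAOLD empty and the add path skips the DHCID ownership test it otherwise enforces before deleting the A record.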