View difference between Paste ID: <a href="/GY333pmr">GY333pmr</a> and <a href="/9C7EXmnF">9C7EXmnF</a>

#!/bin/sh
1		#!/bin/sh
2
3		#exit 0
4
5		## CONFIGURATION ##
6		# Kerberos realm
7		realm="DOMAIN.LAN"
8		# Kerberos principal
9		principal="dhcpduser@$realm"
10		# Kerberos keytab
11		keytab="/etc/dhcp/dhcpd.keytab"
12		# Kerberos credentials cache
13		krb5cc="/run/dhcp-server/dhcpd.krb5cc"
14		# Use MIT kerberos args instead of heimdal.
15		#KRB5MIT="YES"
16
17		# Domain appended to hostname
18		domain="domain.lan"
19	-	NSUPDFLAGS="-d"
19	+
20		NSRVS="ns1.domain.lan ns2.domain.lan"
21		# Default DNS resource records TTL
22		RRTTL="3600"
23		# Do not use TXT RRs (rfc4701)
24		#NOTXTRRS="YES"
25		# Additional nsupdate flags (-g already applied), e.g. "-d" for debug
26		#NSUPDFLAGS="-d"
27
28		######################################################
29	-	## KERBEROS ##
29	+
30		## VARIABLES ##
31		action=$1
32		ip=$2
33		DHCID=$3
34	-	# Heimdal
34	+
35	-	klist -t \|\| kinit -t $keytab $principal
35	+
36	-	# MIT (not tested)
36	+
37	-	#klist -s \|\| kinit $principal -k -t $keytab
37	+
38		echo "Usage:"
39		echo " `basename $0` add ip-address dhcid\|mac-address hostname [dns-ttl]"
40		echo " `basename $0` delete ip-address dhcid\|mac-address"
41		}
42
43		_kerberos() {
44		export KRB5_KTNAME="$keytab"
45		export KRB5CCNAME="$krb5cc"
46
47		if [ "$KRB5MIT" = "YES" ]; then
48		klist -s \|\| kinit $principal -k -t $keytab
49		else
50		klist -t \|\| kinit -t $keytab $principal
51		fi
52		}
53
54		_main() {
55		umask 77
56
57		if [ -z "$ip" ] \|\| [ -z "$DHCID" ]; then
58	-	RRAOLD=`host $name.$domain \| awk '/has address/ {print $4}'`
58	+
59	-	if [ -n "$RRAOLD" ]; then
59	+
60	-	RRTXTOLD=`host -t txt "$name.$domain" \| sed -n '/descriptive text/s/^.[[:space:]]descriptive text[[:space:]]"\(.*\)"$/\1/p'`
60	+
61	-	[ -z "$RRTXTOLD" ] && echo "Forward map from $name.$domain to $ip FAILED: Has an address record but no DHCID, not mine." && exit 0
61	+
62		## NSUPDATE ##
63	-	RRTXT=`echo "$DHCID$name$domain" \| sha256sum`
63	+
64	-	RRTXT="000101${RRTXT%% *}"
64	+
65	-	[ "$RRTXT" != "$RRTXTOLD" ] && echo "Forward map from $name.$domain to $ip FAILED: Has an address record but DHCID is wrong, not mine." && exit 0
65	+	if [ "$NOTXTRRS" != "YES" ]; then
66		NOTXTRRS=""
67	-	RRTXT=`echo "$DHCID$name$domain" \| sha256sum`
67	+	RRAOLD=`host $name.$domain \| awk '/has address/ {print $4}'`
68	-	RRTXT="000101${RRTXT%% *}"
68	+	if [ -n "$RRAOLD" ]; then
69		RRTXTOLD=`host -t txt "$name.$domain" \| sed -n '/descriptive text/s/^.[[:space:]]descriptive text[[:space:]]"\(.*\)"$/\1/p'`
70		[ -z "$RRTXTOLD" ] && echo "Forward map from $name.$domain to $ip FAILED: Has an address record but no DHCID, not mine." && exit 0
71
72		RRTXT=`echo "$DHCID$name.$domain" \| sha256sum`
73		RRTXT="000101${RRTXT%% *}"
74		[ "$RRTXT" != "$RRTXTOLD" ] && echo "Forward map from $name.$domain to $ip FAILED: Has an address record but DHCID is wrong, not mine." && exit 0
75		else
76		RRTXT=`echo "$DHCID$name.$domain" \| sha256sum`
77		RRTXT="000101${RRTXT%% *}"
78		fi
79		else
80	-	update delete $name.$domain. $RRTTL TXT
80	+	NOTXTRRS=";"
81	-	update add $name.$domain. $RRTTL TXT $RRTXT
81	+
82
83		RRPTRNAME=`echo $ip \| awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}'`
84
85		_kerberos
86
87		for NSRV in $NSRVS; do
88		nsupdate -g $NSUPDFLAGS << UPDATE
89		server $NSRV
90		realm $realm
91		update delete $name.$domain. $RRTTL A
92		${NOTXTRRS}update delete $name.$domain. $RRTTL TXT
93		${NOTXTRRS}update add $name.$domain. $RRTTL TXT $RRTXT
94	-	if [ -n "$RRPTR" ]; then
94	+
95	-	RRTXTOLD=`host -t txt "$RRPTR" \| sed -n '/descriptive text/s/^.[[:space:]]descriptive text[[:space:]]"\(.*\)"$/\1/p'`
95	+
96	-	[ -z "$RRTXTOLD" ] && echo "Forward map from $RRPTR to $ip removing FAILED: Has an address record but no DHCID, not mine." && exit 0
96	+
97		update add $RRPTRNAME. $RRTTL PTR $name.$domain.
98	-	RRTXT=`echo "$DHCID$RRPTR" \| sha256sum`
98	+
99	-	RRTXT="000101${RRTXT%% *}"
99	+
100	-	[ "$RRTXT" != "$RRTXTOLD" ] && echo "Forward map from $RRPTR to $ip removing FAILED: Has an address record but DHCID is wrong." && exit 0
100	+
101		[ "$result" -eq "0" ] && break
102	-	echo "$ip has no PTR, can not determine address record." && exit 0
102	+
103		;;
104		delete)
105		RRPTR=`host $ip \| awk '/domain name pointer/ { sub(/\.$/, "", $5); print $5}'`
106		if [ "$NOTXTRRS" != "YES" ]; then
107		NOTXTRRS=""
108		if [ -n "$RRPTR" ]; then
109		RRTXTOLD=`host -t txt "$RRPTR" \| sed -n '/descriptive text/s/^.[[:space:]]descriptive text[[:space:]]"\(.*\)"$/\1/p'`
110		[ -z "$RRTXTOLD" ] && echo "Forward map from $RRPTR to $ip removing FAILED: Has an address record but no DHCID, not mine." && exit 0
111
112		RRTXT=`echo "$DHCID$RRPTR" \| sha256sum`
113		RRTXT="000101${RRTXT%% *}"
114	-	update delete $RRPTR. $RRTTL TXT
114	+	[ "$RRTXT" != "$RRTXTOLD" ] && echo "Forward map from $RRPTR to $ip removing FAILED: Has an address record but DHCID is wrong." && exit 0
115		else
116		echo "$ip has no PTR, can not determine address record." && exit 0
117		fi
118		else
119		NOTXTRRS=";"
120		fi
121
122		RRPTRNAME=`echo $ip \| awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}'`
123
124		_kerberos
125
126		for NSRV in $NSRVS; do
127		nsupdate -g $NSUPDFLAGS << UPDATE
128		server $NSRV
129		realm $realm
130		update delete $RRPTR. $RRTTL A
131		${NOTXTRRS}update delete $RRPTR. $RRTTL TXT
132		send
133		update delete $RRPTRNAME. $RRTTL PTR
134		send
135		UPDATE
136		result=$?
137		[ "$result" -eq "0" ] && break
138		done
139		;;
140		*)
141		_usage && exit 1
142		;;
143		esac
144
145		[ "$result" != "0" ] && echo "GSS-TSIG DNS update failed: $result"
146		exit $result
147		}
148
149		_main