Last active
February 20, 2024 18:24
-
-
Save ajorg/7a38ff16cb6098ba025e17f22e18ffc1 to your computer and use it in GitHub Desktop.
Update Active Directory DNS host records using machine / host / computer credentials and nsupdate
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash -e | |
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. | |
# SPDX-License-Identifier: MIT-0 | |
fqdn="$(hostname -f)" | |
address="$(/sbin/ip addr show dev eth1 | awk -F'( +|/)' '/inet / {print $3}')" | |
if [[ "${address}" == "$(dig +short "${fqdn}")" && "${fqdn}." == "$(dig +short -x "${address}")" ]] | |
then | |
exit 0 | |
fi | |
TTL=21600 # 6 hours | |
export KRB5CCNAME="FILE:/tmp/krb5cc_0" | |
domain="$(hostname -d)" | |
# WARNING: It is possible for the Kerberos realm name to be other than the upper-cased DNS domain name | |
# The correct realm name can be discovered with `realm discover --client-software=<winbind|sssd>` | |
# or may be configured as the default_realm in /etc/krb5.conf | |
realm="${domain^^}" | |
master="$(dig +short NS "$domain" | head -n 1)" | |
host="$(hostname)" | |
kinit -t /etc/krb5.keytab -k "${host^^}\$@${domain^^}" | |
nsupdate -g <<EOF | |
server ${master} | |
realm ${realm} | |
update delete ${fqdn}. A | |
update delete ${fqdn}. AAAA | |
update add ${fqdn}. ${TTL} in A ${address} | |
send | |
EOF | |
reverse=$(awk -F. '{print $4"."$3"."$2"."$1".in-addr.arpa"}' <<<"${address}") | |
nsupdate -g <<EOF | |
server ${master} | |
realm ${realm} | |
update delete ${reverse}. PTR | |
update add ${reverse}. ${TTL} in PTR ${fqdn}. | |
send | |
EOF |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This script was super helpful and works great! One note, on my RHEL7 system, the host component of the principal is still limited to 15 char. As such, I did a minor tweak. If the kinit yields an error I cut it down to 15 char (host=
echo $host |cut -c1-15
) and retried. This lets the script work for both newer and older OS.