[Freeipa-users] DNS SOA Records

Bob harvero at gmail.com
Tue May 13 18:12:03 UTC 2014


I ran

ipa dnszone-mod vh1.vzwnet.com --update-policy="grant bob-key name test.vh1.vzwnet.com.;"

I then execute the nsupdate:

[root at nj51rhidms16v ~]# ./bobtest.sh
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)


[root at nj51rhidms16v ~]# cat ./bobtest.sh
#!/bin/ksh
#
# -y takes [hmac:]keyname:secret; with no hmac: prefix nsupdate assumes hmac-md5,
# and the server looks the key up by name and algorithm, so a mismatch with the
# key definition on the server side is reported as BADKEY.
keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
print "update add test.vh1.vzwnet.com 90 CNAME txslxngda5.nss.vzwnet.com\n" | nsupdate -y "$keyfile"

[root at nj51rhidms16v log]# tail daemon
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to key table
May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check
May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to key table
May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check
May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error writing to key table

On Tue, May 13, 2014 at 2:04 PM, Bob <harvero at gmail.com> wrote:

>
> I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.
>
> But my nsupdate results in this in the daemon log:
>
>
>
> May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN: sending notifies (serial 1399928642)
> May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing to key table
>
>
> It almost works.
>
>
>
> On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria <loris at lgs.com.ve> wrote:
>
>> On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
>> > I have many dozens of TSIG keys declared in our current bind. There
>> > are hundreds of records that have been granted to those keys. All of
>> > this predates me and I do not know who has these keys. The scope of
>> > trying to work with the owners of these keys to convert their
>> > processes to use kerberos would be a large effort. It was my hope
>> > to use IPA / IDM to provide multi master DNS, with each server being a
>> > SOA. But this becomes a lot less desirable as a solution if I have to
>> > track down our key holders.
>>
>> You can keep using your TSIG keys with IPA if that is what you're
>> looking for. Just declare your TSIG keys in your IPA dns "update-policy"
>> just as you would do with plain bind:
>>
>> ipa dnszone-mod example.com --update-policy="grant key1. subdomain
>> a.example.com.; grant key2. name b.example.com.;"
>>
>> Also in IPA every DNS presents a different SOA, each with the name of
>> the server being queried, so it can be used as a true multimaster DNS
>> solution.
>>
>> Hope this helps
>>
>>
>>
>> > On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal <dpal at redhat.com> wrote:
>> >         On 05/13/2014 09:59 AM, Bob wrote:
>> >
>> >         > Is there any way to do an nsupdate of DNS records in an IPA
>> >         > server using a TSIG key without having a kerberos ticket?
>> >         >
>> >         >
>> >         > We were going to swap out bind in favor of IPA, but we need
>> >         > to be able to do nsupdates.
>> >         >
>> >         >
>> >         >
>> >
>> >
>> >         If you are using IPA you can give your clients keytabs.
>> >         It is all automatic with RHEL, Fedora, Centos for last 5
>> >         years. Enroll your clients using ipa-client-install.
>> >         If you have other operating systems some exploration would be
>> >         required but it should be doable too.
>> >
>> >         >
>> >         > On Mon, May 12, 2014 at 10:11 AM, Bob <harvero at gmail.com>
>> >         > wrote:
>> >         >         We use nsupdate to move the location of some of
>> >         >         our services around. For instance there might be two
>> >         >         servers that exchange roles, like serv.east.abc.com
>> >         >         and serv.west.abc.com  and we will have a service
>> >         >         name like wiki.abc.com. The owner of the application
>> >         >         has been given an nsupdate key that allows them to
>> >         >         update and delete on the wiki.abc.com and have
>> >         >         that records contain either an "A" record for one or
>> >         >         the other of the two servers.
>> >         >
>> >         >
>> >         >         I am very concerned that there might come a time
>> >         >         when the SOA primary master server for this dynamic
>> >         >         domain might be down when the application owner
>> >         >         needs to do their nsupdate.
>> >         >
>> >         >
>> >         >         One observation that we see is that Windows AD and
>> >         >         DNS make every AD DNS server an SOA for any domain
>> >         >         that it serves. That any dynamic DNS update can be
>> >         >         serviced by any Domain controller and that this
>> >         >         update is replicated with LDAP to the other DCs.
>> >         >
>> >         >
>> >         >         It was our hope that we could use IPA for our DNS
>> >         >         servers for this dynamic domain. That we would have
>> >         >         multiple forward statements from our main DNS
>> >         >         servers to the IPA DNS servers and that any IPA
>> >         >         server would be the SOA. This way the nsupdate would
>> >         >         be processed by any available IPA server in the
>> >         >         event that one or more of these IPA DNS servers
>> >         >         would be down or unreachable.
>> >         >
>> >         >
>> >         >         Is there a way to make each IPA system a SOA for the
>> >         >         same domain and still have the DNS records replicate
>> >         >         between them?
>> >         >
>> >         >
>> >         >         thanks,
>> >         >
>> >         >
>> >         >         Bob Harvey
>> >         >
>> >         >
>> >         >
>> >         >
>> >         >
>> >         >
>> >         > _______________________________________________
>> >         > Freeipa-users mailing list
>> >         > Freeipa-users at redhat.com
>> >         > https://www.redhat.com/mailman/listinfo/freeipa-users
>> >
>> >
>> >         --
>> >         Thank you,
>> >         Dmitri Pal
>> >
>> >         Sr. Engineering Manager IdM portfolio
>> >         Red Hat, Inc.
>> >
>> >
>> >
>>
>> --
>> Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
>> Links Global Services, C.A.            http://www.lgs.com.ve
>> Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
>> ------------------------------------------------------------
>> "If I'd asked my customers what they wanted, they'd have said
>> a faster horse" - Henry Ford
>>
>
>
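The BADKEY in the named log above is a different failure from a wrong secret: a TSIG verifier first looks the key up by name and algorithm (BADKEY), then checks the MAC (BADSIG), then the timestamp (BADTIME), and only after that does the zone's update-policy decide whether the authenticated key may touch the requested name (REFUSED). The Python model below of that check order and of the "grant KEY name|subdomain FQDN;" grammar used in this thread is an added example, not code from the thread, FreeIPA or BIND; its key store, secret and simplified MAC input are constructed for illustration.

```python
import base64, hashlib, hmac

# Digest functions for a subset of the TSIG algorithm names BIND understands.
ALGS = {"hmac-md5": hashlib.md5, "hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}
# Constructed key store standing in for named's key {} statements; the key name
# mirrors the thread, the secret is an illustrative placeholder (assumption).
SERVER_KEYS = {("bob-key", "hmac-sha256"): base64.b64decode("ZXhhbXBsZS1vbmx5LW5vdC1hLXJlYWwtc2VjcmV0")}

def norm(name):  # DNS names are case-insensitive; the trailing dot is optional in policies
    return name.lower().rstrip(".")

def parse_update_policy(policy):
    """Parse 'grant KEY name|subdomain FQDN;' statements into (key, type, fqdn) rules."""
    rules = []
    for stmt in policy.split(";"):
        parts = stmt.split()
        if len(parts) == 4 and parts[0] == "grant" and parts[2] in ("name", "subdomain"):
            rules.append((norm(parts[1]), parts[2], norm(parts[3])))
    return rules

def policy_allows(rules, key_name, target):
    """True if some rule grants key_name the right to update target."""
    key_name, target = norm(key_name), norm(target)
    for key, kind, fqdn in rules:
        if key == key_name and kind == "name" and target == fqdn:
            return True
        if key == key_name and kind == "subdomain" and (target == fqdn or target.endswith("." + fqdn)):
            return True
    return False

def tsig_sign(key_name, alg, secret, message, signed_at):
    """Simplified TSIG: MAC over message, key name, algorithm and time (RFC 8945 covers more fields)."""
    data = message + norm(key_name).encode() + alg.encode() + signed_at.to_bytes(6, "big")
    return {"name": key_name, "alg": alg, "time": signed_at, "mac": hmac.new(secret, data, ALGS[alg]).digest()}

def verify_update(message, tsig, target, policy, now, fudge=300):
    """Return what a BIND-style server logs for a signed update, applying the checks in order."""
    secret = SERVER_KEYS.get((norm(tsig["name"]), tsig["alg"]))
    if secret is None:             # key name or algorithm unknown to the server
        return "NOTAUTH(BADKEY)"
    expected = tsig_sign(tsig["name"], tsig["alg"], secret, message, tsig["time"])["mac"]
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "NOTAUTH(BADSIG)"   # key known, but the client's secret differs
    if abs(now - tsig["time"]) > fudge:
        return "NOTAUTH(BADTIME)"  # clock skew beyond the fudge window
    if not policy_allows(parse_update_policy(policy), tsig["name"], target):
        return "REFUSED"           # authenticated, but no grant covers this name
    return "NOERROR"
```

Because nsupdate -y assumes hmac-md5 when no algorithm prefix is given, a key defined on the server with another algorithm fails the first lookup and is logged as BADKEY even when the secret itself is correct.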