[Freeipa-users] DNS SOA Records

Dmitri Pal dpal at redhat.com
Tue May 13 19:32:24 UTC 2014


On 05/13/2014 02:12 PM, Bob wrote:
> I ran
>
> ipa dnszone-mod vh1.vzwnet.com --update-policy="grant bob-key name test.vh1.vzwnet.com.;"
>
> I then execute the nsupdate:
>
> [root at nj51rhidms16v ~]# ./bobtest.sh
> ; TSIG error with server: tsig indicates error
> update failed: NOTAUTH(BADKEY)
>
>
> [root at nj51rhidms16v ~]# cat ./bobtest.sh
> #!/bin/ksh
> #
> keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
> print "update add test.vh1.vzwnet.com 90 CNAME txslxngda5.nss.vzwnet.com\n"|nsupdate -y $keyfile
>
> [root at nj51rhidms16v log]# tail daemon
> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to key table
> May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check
> May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check
> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to key table
> May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check
> May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error writing to key table
>
>
>

Several things:
The sssd failures indicate that you might have installed and configured 
SSSD via ipa-client and then wiped out the keytab, probably to emulate 
nsupdate without a keytab.
I am not sure it is relevant, but I suggest that you try nsupdate from an 
unenrolled machine. If the machine is enrolled, nsupdate would work 
anyway, so you need to deal with the situation when you are running 
nsupdate from a machine that does not have ipa-client configured; 
trying on a clean system would be better.

Can you validate that the key is actually correct on both sides?

>
>
>
> On Tue, May 13, 2014 at 2:04 PM, Bob <harvero at gmail.com> wrote:
>
>
>     I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.
>
>
>     But my  nsupdate results in this in the daemon log:
>
>
>
>     May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN: sending notifies (serial 1399928642)
>     May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
>     May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
>     May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing to key table
>
>     It almost works.
>
>
>
>     On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria <loris at lgs.com.ve> wrote:
>
>         On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
>         > I have many dozens of TSIG keys declared in our current bind. There
>         > are hundreds of records that have been granted to those keys. All of
>         > this predates me and I do not know who has these keys. The scope of
>         > trying to work with the owners of these keys to convert their
>         > processes to use kerberos would be a large effort. It was my hope
>         > to use IPA / IDM to provide multi master DNS, with each server being a
>         > SOA. But this becomes a lot less desirable as a solution if I have to
>         > track down our key holders.
>
>         You can keep using your TSIG keys with IPA if that is what you're
>         looking for. Just declare your TSIG keys in your IPA dns "update-policy"
>         just as you would do with plain bind:
>
>         ipa dnszone-mod example.com --update-policy="grant key1. subdomain a.example.com.; grant key2. name b.example.com.;"
>
>         Also in IPA every DNS presents a different SOA, each with the name of
>         the server being queried, so it can be used as a true multimaster DNS
>         solution.
>
>         Hope this helps
>
>
>
>         > On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal <dpal at redhat.com> wrote:
>         >         On 05/13/2014 09:59 AM, Bob wrote:
>         >
>         >         > Is there any way to do an nsupdate of DNS records in an IPA
>         >         > server using a TSIG key without having a kerberos ticket?
>         >         >
>         >         >
>         >         > We were going to swap out bind in favor of IPA, but we need
>         >         > to be able to do nsupdates.
>         >         >
>         >         >
>         >         >
>         >
>         >
>         >         If you are using IPA you can give your clients keytabs.
>         >         It is all automatic with RHEL, Fedora, Centos for last 5
>         >         years. Enroll your clients using ipa-client-install.
>         >         If you have other operating systems some exploration would be
>         >         required but it should be doable too.
>         >
>         >         >
>         >         > On Mon, May 12, 2014 at 10:11 AM, Bob <harvero at gmail.com> wrote:
>         >         >         We use nsupdate to move the location of some of
>         >         >         our services around. For instance there might be two
>         >         >         servers that exchange roles, like serv.east.abc.com
>         >         >         and serv.west.abc.com, and we will have a service
>         >         >         name like wiki.abc.com. The owner of the application
>         >         >         has been given an nsupdate key that allows them to
>         >         >         update and delete on the wiki.abc.com and have
>         >         >         that record contain either an "A" record for one or
>         >         >         the other of the two servers.
>         >         >
>         >         >
>         >         >         I am very concerned that there might come a time
>         >         >         when the SOA primary master server for this dynamic
>         >         >         domain might be down when the application owner
>         >         >         needs to do their nsupdate.
>         >         >
>         >         >
>         >         >         One observation that we see is that Windows AD and
>         >         >         DNS make every AD DNS server an SOA for any domain
>         >         >         that it serves. That any dynamic DNS update can be
>         >         >         serviced by any Domain controller and that this
>         >         >         update is replicated with LDAP to the other DCs.
>         >         >
>         >         >
>         >         >         It was our hope that we could use IPA for our DNS
>         >         >         servers for this dynamic domain. That we would have
>         >         >         multiple forward statements from our main DNS
>         >         >         servers to the IPA DNS servers and that any IPA
>         >         >         server would be the SOA. This way the nsupdate would
>         >         >         be processed by any available IPA server in the
>         >         >         event that one or more of these IPA DNS servers
>         >         >         would be down or unreachable.
>         >         >
>         >         >
>         >         >         Is there a way to make each IPA system a SOA for the
>         >         >         same domain and still have the DNS records replicate
>         >         >         between them?
>         >         >
>         >         >
>         >         >         thanks,
>         >         >
>         >         >
>         >         >         Bob Harvey
>         >         >
>         >         >
>         >         >
>         >         >
>         >         >
>         >         >
>         >         > _______________________________________________
>         >         > Freeipa-users mailing list
>         >         > Freeipa-users at redhat.com
>         >         > https://www.redhat.com/mailman/listinfo/freeipa-users
>         >
>         >
>         >         --
>         >         Thank you,
>         >         Dmitri Pal
>         >
>         >         Sr. Engineering Manager IdM portfolio
>         >         Red Hat, Inc.
>         >
>
>         --
>         Loris Santamaria   linux user #70506 xmpp:loris at lgs.com.ve
>         Links Global Services, C.A. http://www.lgs.com.ve
>         Tel: 0286 952.06.87  Cel: 0414 095.00.10 sip:103 at lgs.com.ve
>         ------------------------------------------------------------
>         "If I'd asked my customers what they wanted, they'd have said
>         a faster horse" - Henry Ford
>
>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
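Added example, not code from this thread and not FreeIPA or BIND code: the two checks behind Dmitri's question about whether the key is correct on both sides, and behind the named log lines Bob posted. tsig_keys_match() compares the key a client hands to `nsupdate -y` with the key in a named.conf `key` stanza after normalising name and algorithm (nsupdate falls back to HMAC-MD5 when -y carries no algorithm; TSIG key names are DNS names, so case and the trailing dot do not matter), and tsig_failures() tallies the "tsig verify failure" lines from a daemon log per client and key. The code in parentheses is what to read first: BADKEY means the server has no key of that name and algorithm, BADSIG means the key was found but the MAC did not verify, BADTIME means clock skew (RFC 2845). The key stanza format, secrets, hostnames, addresses and log lines below are constructed sample data, not values from the thread.

```python
"""Added example, not code from this thread nor from FreeIPA or BIND.

tsig_keys_match(): compare the key a client passes to `nsupdate -y` with
the key the server holds in a named.conf `key` stanza.
tsig_failures(): count "tsig verify failure" lines in a named log per
(client address, key name, error code).
Secrets, hostnames, addresses and log lines below are constructed.
"""
import base64
import binascii
import hmac
import re
from collections import Counter

# nsupdate -y [hmac:]keyname:secret uses HMAC-MD5 when no algorithm is given,
# so a server key declared with another algorithm never matches.
DEFAULT_ALG = "hmac-md5"

def norm_name(name):
    """TSIG key names are DNS names: case-insensitive, trailing dot optional."""
    return name.strip().rstrip(".").lower()

def norm_alg(alg):
    alg = alg.strip().rstrip(".").lower()
    # "hmac-md5.sig-alg.reg.int" is TSIG's registered name for HMAC-MD5 (RFC 2845).
    return "hmac-md5" if alg == "hmac-md5.sig-alg.reg.int" else alg

def decode_secret(secret):
    """Return the raw key bytes; reject anything that is not valid base64."""
    try:
        raw = base64.b64decode(secret.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"secret is not valid base64: {exc}") from exc
    if not raw:
        raise ValueError("secret is empty")
    return raw

def parse_nsupdate_y(arg):
    """Client side: the value passed as `nsupdate -y [algorithm:]name:secret`."""
    parts = arg.split(":")
    if len(parts) == 2:
        alg, name, secret = DEFAULT_ALG, parts[0], parts[1]
    elif len(parts) == 3:
        alg, name, secret = parts
    else:
        raise ValueError("expected [algorithm:]keyname:secret")
    return {"name": norm_name(name), "algorithm": norm_alg(alg),
            "secret": decode_secret(secret)}

# Field order inside the stanza does not matter; each field is searched for separately.
_KEY_FIELDS = {
    "name": re.compile(r'\bkey\s+"?([^"\s{;]+)"?\s*\{'),
    "algorithm": re.compile(r'\balgorithm\s+"?([^"\s;]+)"?\s*;'),
    "secret": re.compile(r'\bsecret\s+"([^"]+)"\s*;'),
}

def parse_key_stanza(text):
    """Server side: one BIND-style `key "name" { algorithm ...; secret "..."; };`."""
    found = {}
    for label, rx in _KEY_FIELDS.items():
        m = rx.search(text)
        if not m:
            raise ValueError(f"key stanza has no {label}")
        found[label] = m.group(1)
    return {"name": norm_name(found["name"]), "algorithm": norm_alg(found["algorithm"]),
            "secret": decode_secret(found["secret"])}

def tsig_keys_match(client, server):
    """Return a list of mismatches; an empty list means both sides agree."""
    problems = []
    for field in ("name", "algorithm"):
        if client[field] != server[field]:
            problems.append(f"{field}: client {client[field]!r} vs server {server[field]!r}")
    # Constant-time compare so the checker itself does not leak key bytes.
    if not hmac.compare_digest(client["secret"], server["secret"]):
        problems.append("secret: the two base64 strings decode to different key bytes")
    return problems

# A TSIG rejection as named logs it. BADKEY = no key of that name/algorithm on the
# server, BADSIG = key found but MAC did not verify, BADTIME = clock skew.
_TSIG_FAIL = re.compile(
    r"named\[\d+\]: client (?P<client>[0-9a-fA-F.:]+)#\d+: request has invalid "
    r"signature: TSIG (?P<key>\S+): tsig verify failure \((?P<code>\w+)\)")

def tsig_failures(lines):
    """Count TSIG verify failures per (client address, key name, error code)."""
    counts = Counter()
    for line in lines:
        m = _TSIG_FAIL.search(line)
        if m:
            counts[(m["client"], norm_name(m["key"]), m["code"])] += 1
    return counts

# --- constructed sample data (not values from the thread) ---
SAMPLE_SECRET = base64.b64encode(b"constructed-sample-secret").decode()
SAMPLE_NAMED_KEY = 'key "bob-key" {\n    algorithm hmac-md5;\n    secret "%s";\n};\n' % SAMPLE_SECRET
SAMPLE_LOG = [
    "May 13 14:07:59 dns1 named[27438]: client 192.0.2.10#15739: request has "
    "invalid signature: TSIG bob-key: tsig verify failure (BADKEY)",
    "May 13 14:08:03 dns1 named[27438]: client 192.0.2.10#15740: request has "
    "invalid signature: TSIG bob-key: tsig verify failure (BADKEY)",
    "May 13 14:09:10 dns1 named[27438]: client 192.0.2.11#40001: request has "
    "invalid signature: TSIG app-key: tsig verify failure (BADSIG)",
    "May 13 14:09:12 dns1 rhnsd[13543]: running program /usr/sbin/rhn_check",
]

if __name__ == "__main__":
    server = parse_key_stanza(SAMPLE_NAMED_KEY)
    for y in ("bob-key:" + SAMPLE_SECRET, "hmac-sha256:Bob-Key.:" + SAMPLE_SECRET):
        print(y.rsplit(":", 1)[0], "->", tsig_keys_match(parse_nsupdate_y(y), server) or "OK")
    for (client, key, code), n in sorted(tsig_failures(SAMPLE_LOG).items()):
        print(f"{client} key={key} {code} x{n}")
```

Run it as-is to see the constructed data checked; to check a real deployment, feed parse_nsupdate_y() the string from the client script's `-y` argument and parse_key_stanza() the matching stanza from the server's named configuration, and point tsig_failures() at the daemon log. An empty list from tsig_keys_match() together with a BADKEY in the log points at the server not loading the key at all rather than at a mismatch in the key itself.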
