<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/13/2014 02:12 PM, Bob wrote:<br>
</div>
<blockquote
cite="mid:CAE9nUPhnthj1xLidKpFamfuo3=Ek73nxUipXYgKQEEeFJn9tEA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>I ran <br>
<br>
ipa dnszone-mod <a moz-do-not-send="true"
href="http://vh1.vzwnet.com">vh1.vzwnet.com</a>
--update-policy="grant bob-key name test.vh1.vzwnet.com.;"<br>
<br>
</div>
I then execute the nsupdate:<br>
<br>
[root@nj51rhidms16v ~]# ./bobtest.sh<br>
; TSIG error with server: tsig indicates error<br>
update failed: NOTAUTH(BADKEY)<br>
<br>
<br>
[root@nj51rhidms16v ~]# cat ./bobtest.sh<br>
#!/bin/ksh<br>
#<br>
keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==<br>
print "update add <a moz-do-not-send="true"
href="http://test.vh1.vzwnet.com">test.vh1.vzwnet.com</a> 90
CNAME <a moz-do-not-send="true"
href="http://txslxngda5.nss.vzwnet.com">txslxngda5.nss.vzwnet.com</a>\n"|nsupdate
-y $keyfile<br>
<br>
[root@nj51rhidms16v log]# tail daemon<br>
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error
processing keytab file [default]: Principal [host/<a
moz-do-not-send="true"
href="mailto:nj51rhidms16v.nss.vzwnet.com@IPA.NSS.VZWNET.COM">nj51rhidms16v.nss.vzwnet.com@IPA.NSS.VZWNET.COM</a>]
was not found. Unable to create GSSAPI-encrypted LDAP
connection.<br>
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error
writing to key table<br>
May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program
/usr/sbin/rhn_check<br>
May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program
/usr/sbin/rhn_check<br>
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error
processing keytab file [default]: Principal [host/<a
moz-do-not-send="true"
href="mailto:nj51rhidms16v.nss.vzwnet.com@IPA.NSS.VZWNET.COM">nj51rhidms16v.nss.vzwnet.com@IPA.NSS.VZWNET.COM</a>]
was not found. Unable to create GSSAPI-encrypted LDAP
connection.<br>
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error
writing to key table<br>
May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program
/usr/sbin/rhn_check<br>
May 13 14:07:59 nj51rhidms16v named[27438]: client
10.194.96.47#15739: request has invalid signature: TSIG bob-key:
tsig verify failure (BADKEY)<br>
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error
processing keytab file [default]: Principal [host/<a
moz-do-not-send="true"
href="mailto:nj51rhidms16v.nss.vzwnet.com@IPA.NSS.VZWNET.COM">nj51rhidms16v.nss.vzwnet.com@IPA.NSS.VZWNET.COM</a>]
was not found. Unable to create GSSAPI-encrypted LDAP
connection.<br>
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error
writing to key table<br>
<br>
<br>
<br>
</div>
</blockquote>
<br>
Several things:<br>
The sssd failures indicate that you might have installed and
configured SSSD via ipa-client and then wiped out the keytab,
probably to emulate nsupdate without a keytab.<br>
I am not sure it is relevant, but I suggest that you try nsupdate
from an unenrolled machine. If the machine is enrolled, the nsupdate
would work anyways, so you need to deal with the situation when you are
running nsupdate from a machine that does not have ipa-client
configured, so trying on a clean system would be better.<br>
<br>
Can you validate that the key is actually correct on both sides?<br>
<br>
<blockquote
cite="mid:CAE9nUPhnthj1xLidKpFamfuo3=Ek73nxUipXYgKQEEeFJn9tEA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, May 13, 2014 at 2:04 PM, Bob <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:harvero@gmail.com" target="_blank">harvero@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">
<div dir="ltr"><br>
<pre><span>I added: "grant bob-key name <a moz-do-not-send="true" href="http://test.vh1.vzwnet.com" target="_blank">test.vh1.vzwnet.com</a>.;" in the IPA GUI.
</span></pre>
<pre><span>But my nsupdate results in this in the daemon log:
</span><div>
<span>May 12 17:04:02 nj51rhidms16v named[27438]: zone <a moz-do-not-send="true" href="http://vh1.vzwnet.com/IN" target="_blank">vh1.vzwnet.com/IN</a>: sending notifies (serial 1399928642)
May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing keytab file [default]: Principal [host/<a moz-do-not-send="true" href="mailto:nj51rhidms16v.nss.vzwnet.com@IPA.NSS.VZWNET.COM" target="_blank">nj51rhidms16v.nss.vzwnet.com@IPA.NSS.VZWNET.COM</a>] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing to key table
</span></div></pre>
<pre><span>It almost works.
</span></pre>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">
<div class="">
On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:loris@lgs.com.ve" target="_blank">loris@lgs.com.ve</a>></span>
wrote:<br>
</div>
<div>
<div class="h5">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
On Tue, 13-05-2014 at 10:57 -0400, Bob
wrote:<br>
<div>> I have many dozens of TSIG keys declared
in our current bind. There<br>
> are hundreds of records that have been
granted to those keys. All of<br>
> this predates me and I do not know who has
these keys. The scope of<br>
> trying to work with the owners of these
keys to convert their<br>
> processes to use kerberos would be a
large effort. It was my hope<br>
> to use IPA / IDM to provide multi master
DNS, with each server being a<br>
> SOA. But this becomes a lot less desirable
as a solution if I have to<br>
> track down our key holders.<br>
<br>
</div>
You can keep using your TSIG keys with IPA if that
is what you're<br>
looking for. Just declare your TSIG keys in your
IPA dns "update-policy"<br>
just as you would do with plain bind:<br>
<br>
ipa dnszone-mod <a moz-do-not-send="true"
href="http://example.com" target="_blank">example.com</a>
--update-policy="grant key1. subdomain<br>
<a moz-do-not-send="true"
href="http://a.example.com" target="_blank">a.example.com</a>.;
grant key2. name b.example.com.;"<br>
<br>
Also in IPA every DNS presents a different SOA,
each with the name of<br>
the server being queried, so it can be used as a
true multimaster DNS<br>
solution.<br>
<br>
Hope this helps<br>
<div>
<div><br>
<br>
<br>
> On Tue, May 13, 2014 at 10:04 AM, Dmitri
Pal <<a moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>>
wrote:<br>
> On 05/13/2014 09:59 AM, Bob
wrote:<br>
><br>
> > Is there any way to do an
nsupdate of DNS records in an IPA<br>
> > server using a TSIG key
without having a kerberos ticket?<br>
> ><br>
> ><br>
> > We were going to swap out
bind in favor of IPA, but we need<br>
> > to be able to do nsupdates.<br>
> ><br>
> ><br>
> ><br>
><br>
><br>
> If you are using IPA you can give
your clients keytabs.<br>
> It is all automatic with RHEL,
Fedora, Centos for last 5<br>
> years. Enroll your clients using
ipa-client-install.<br>
> If you have other operating
systems some exploration would be<br>
> required but it should be doable
too.<br>
><br>
> ><br>
> > On Mon, May 12, 2014 at
10:11 AM, Bob <<a moz-do-not-send="true"
href="mailto:harvero@gmail.com"
target="_blank">harvero@gmail.com</a>><br>
> > wrote:<br>
> > We use nsupdate to
move the location of some of<br>
> > our services around.
For instance there might be two<br>
> > servers that
exchange roles, like <a
moz-do-not-send="true"
href="http://serv.east.abc.com"
target="_blank">serv.east.abc.com</a><br>
> > and <a
moz-do-not-send="true"
href="http://serv.west.abc.com"
target="_blank">serv.west.abc.com</a> and
we will have a service<br>
> > name like <a
moz-do-not-send="true"
href="http://wiki.abc.com" target="_blank">wiki.abc.com</a>.
The owner of the application<br>
> > has been given an
nsupdate key that allows them to<br>
> > update and delete on
the <a moz-do-not-send="true"
href="http://wiki.abc.com" target="_blank">wiki.abc.com</a>
and have<br>
> > that record contain
either an "A" record for one or<br>
> > the other of the two
servers.<br>
> ><br>
> ><br>
> > I am very concerned
that there might come a time<br>
> > when the SOA primary
master server for this dynamic<br>
> > domain might be down
when the application owner<br>
> > needs to do their
nsupdate.<br>
> ><br>
> ><br>
> > One observation that
we see is that Windows AD and<br>
> > DNS make every AD
DNS server an SOA for any domain<br>
that it serves.
That any dynamic DNS update can be<br>
> > serviced by any
Domain controller and that this<br>
> > update is replicated
with LDAP to the other DCs.<br>
> ><br>
> ><br>
> > It was our hope that
we could use IPA for our DNS<br>
> > servers for this
dynamic domain. That we would have<br>
> > multiple forward
statements from our main DNS<br>
> > servers to the IPA
DNS servers and that any IPA<br>
> > server would be the
SOA. This way the nsupdate would<br>
> > be processed by any
available IPA server in the<br>
> > event that one or
more of these IPA DNS servers<br>
> > would be down or
unreachable.<br>
> ><br>
> ><br>
> > Is there a way to
make each IPA system a SOA for the<br>
> > same domain and
still have the DNS records replicate<br>
> > between them?<br>
> ><br>
> ><br>
> > thanks,<br>
> ><br>
> ><br>
> > Bob Harvey<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> >
_______________________________________________<br>
> > Freeipa-users mailing list<br>
> > <a moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com"
target="_blank">Freeipa-users@redhat.com</a><br>
> > <a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
><br>
><br>
> --<br>
> Thank you,<br>
> Dmitri Pal<br>
><br>
> Sr. Engineering Manager IdM
portfolio<br>
> Red Hat, Inc.<br>
><br>
><br>
><br>
<br>
--<br>
</div>
</div>
Loris Santamaria linux user #70506 <a
moz-do-not-send="true"
href="mailto:xmpp%3Aloris@lgs.com.ve"
target="_blank">xmpp:loris@lgs.com.ve</a><br>
Links Global Services, C.A. <a
moz-do-not-send="true"
href="http://www.lgs.com.ve" target="_blank">http://www.lgs.com.ve</a><br>
Tel: 0286 952.06.87 Cel: 0414 095.00.10 <a
moz-do-not-send="true"
href="mailto:sip%3A103@lgs.com.ve"
target="_blank">sip:103@lgs.com.ve</a><br>
------------------------------------------------------------<br>
"If I'd asked my customers what they wanted,
they'd have said<br>
a faster horse" - Henry Ford<br>
</blockquote>
</div>
</div>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
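<p>As an added example (not code from this thread, FreeIPA or BIND), here is a small Python check for the two things discussed above: whether an update-policy string such as Bob's grants a given TSIG key the record it is trying to change, and whether the base64 secret decodes cleanly and identically on both sides, which is what the question to Bob amounts to. The policy, key name and zero-byte secret are constructed sample values, and the parser handles only the "name" and "subdomain" nametypes used in the thread.</p>

```python
import base64
import binascii
import hashlib

# Constructed sample: Bob's rule plus Loris's two example rules, and a placeholder secret.
POLICY = ("grant bob-key name test.vh1.vzwnet.com.; "
          "grant key1. subdomain a.example.com.; grant key2. name b.example.com.;")
PLACEHOLDER_SECRET = "AAAAAAAAAAAAAAAAAAAAAA=="  # 16 zero bytes, not a real key
# Types a rule with no explicit type list never matches in BIND's update-policy.
IMPLICIT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}

def norm(name):
    """Lower-case a DNS name and add the trailing dot BIND uses internally."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def parse_policy(policy):
    """Parse 'grant|deny identity name|subdomain name [types];' rules, in order."""
    rules = []
    for stmt in filter(str.strip, policy.split(";")):
        tok = stmt.split()
        if len(tok) < 4 or tok[0] not in ("grant", "deny") or tok[2] not in ("name", "subdomain"):
            raise ValueError("unsupported or malformed rule: %r" % stmt.strip())
        rules.append({"action": tok[0], "identity": norm(tok[1]), "nametype": tok[2],
                      "name": norm(tok[3]), "types": {t.upper() for t in tok[4:]}})
    return rules

def name_matches(nametype, rule_name, target):
    """'name' is an exact match; 'subdomain' also matches every name below it."""
    return target == rule_name or (nametype == "subdomain" and target.endswith("." + rule_name))

def is_allowed(rules, key_name, target, rtype):
    """The first rule matching identity, name and type decides; no match means deny."""
    key_name, target, rtype = norm(key_name), norm(target), rtype.upper()
    for r in rules:
        if r["identity"] != key_name or not name_matches(r["nametype"], r["name"], target):
            continue
        if (rtype in r["types"]) if r["types"] else (rtype not in IMPLICIT_EXCLUDED):
            return r["action"] == "grant"
    return False

def secret_fingerprint(secret_b64):
    """Strictly decode a TSIG secret and return a short SHA-256 fingerprint of the raw
    bytes, so client and server copies can be compared without re-sending the secret."""
    try:
        raw = base64.b64decode(secret_b64.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("secret is not clean base64 (whole -y argument pasted, or wrapped?): %s" % exc)
    return hashlib.sha256(raw).hexdigest()[:16]
```

Run secret_fingerprint on the secret from the client's keyfile and on the server's copy of the key; a mismatch or a decode error points at the key material rather than the policy.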
</body>
</html>