I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.
But my nsupdate results in this in the daemon log: May 12 17:04:02 nj51rhidms16v named: zone vh1.vzwnet.com/IN: sending notifies (serial 1399928642) May 12 17:08:44 nj51rhidms16v named: client 10.194.96.47#26576: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY) May 12 17:15:16 nj51rhidms16v [sssd[ldap_child]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection. May 12 17:15:16 nj51rhidms16v [sssd[ldap_child]]: Error writing to key table It almost works. On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria <lo...@lgs.com.ve> wrote: > El mar, 13-05-2014 a las 10:57 -0400, Bob escribió: > > I have many dozens of TSIG keys declared in our current bind. There > > are hundreds of records that have been granted to those keys. All of > > this predates me and I do not know who has these keys. The scope of > > trying to work with the owners of these keys to convert their > > processes to to use kerberos would be a large effort. It was my hope > > to use IPA / IDM to provide multi master DNS, with each server being a > > SOA. But this becomes a lot less desirable as a solution if I have to > > track down our key holders. > > You can keep using your TSIG keys with IPA if that is what you're > looking for. Just declare your TSIG keys in your IPA dns "update-policy" > just as you would do with plain bind: > > ipa dnszone-mod example.com --update-policy="grant key1. subdomain > a.example.com.; grant key2. name b.example.com.;" > > Also in IPA every DNS presents a different SOA, each with the name of > the server being queried, so it can be used as a true multimaster DNS > solution. > > Hope this helps > > > > > On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal <d...@redhat.com> wrote: > > On 05/13/2014 09:59 AM, Bob wrote: > > > > > Is there anyway to do a nsupdate of a DNS records in a IPA > > > server using a TSIG key without having a kerberos ticket? > > > > > > > > > We were going to swap out bind in favor of IPA, but we need > > > to be able to nsupdates. > > > > > > > > > > > > > > > If you are using IPA you can give you clients keytabs. > > It is all automatic with RHEL, Fedora, Centos for last 5 > > years. Enroll your clients using ipa-client-install. > > If you have other operating systems some exploration would be > > required but it should be doable too. > > > > > > > > On Mon, May 12, 2014 at 10:11 AM, Bob <harv...@gmail.com> > > > wrote: > > > We use nsupdate to to move the location of some of > > > our services around. For instance there might be two > > > servers that exchange roles, like serv.east.abc.com > > > and serv.west.abc.com and we will have a service > > > name like wiki.abc.com. The owner of the application > > > has been given an nsupdate key that allows them to > > > update and delete on the the wiki.abc.com and have > > > that records contain either an "A" record for one or > > > the other of the two servers. > > > > > > > > > I am very concerned that there might come a time > > > when the SOA primary master server for this dynamic > > > domain might be down when the application owner > > > needs to do their nsupdate. > > > > > > > > > One observation that we see is that Window AD and > > > DNS make every AD DNS server an SOA for any domain > > > that it servers. That any dynamic DNS update can be > > > serviced by any Domain controller and that this > > > update is replicated with LDAP to the other DCs. > > > > > > > > > It was our hope that we could use IPA for our DNS > > > servers for this dynamic domain. That we would have > > > multiple forward statements from our main DNS > > > servers to the IPA DNS servers and that any IPA > > > server would be the SOA. This way the nsupdate would > > > be processed by any available IPA server in the > > > event that one or more of these IPA DNS servers > > > would be down or unreachable. > > > > > > > > > Is there a way to make each IPA system a SOA for the > > > same domain and still have the DNS records replicate > > > between them? > > > > > > > > > thanks, > > > > > > > > > Bob Harvey > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > Freeipa-users mailing list > > > Freeipafirstname.lastname@example.org > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > -- > > Thank you, > > Dmitri Pal > > > > Sr. Engineering Manager IdM portfolio > > Red Hat, Inc. > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipaemail@example.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipafirstname.lastname@example.org > > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- > Loris Santamaria linux user #70506 xmpp:lo...@lgs.com.ve > Links Global Services, C.A. http://www.lgs.com.ve > Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:1...@lgs.com.ve > ------------------------------------------------------------ > "If I'd asked my customers what they wanted, they'd have said > a faster horse" - Henry Ford >
_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users