I ran ipa dnszone-mod vh1.vzwnet.com --update-policy="grant bob-key name test.vh1.vzwnet.com.;"

I then execute the nsupdate:

[root@nj51rhidms16v ~]# ./bobtest.sh
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)

[root@nj51rhidms16v ~]# cat ./bobtest.sh
#!/bin/ksh
#
# TSIG key passed inline as keyname:secret (nsupdate -y assumes HMAC-MD5 when no algorithm prefix is given)
keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
# the trailing \n leaves a blank line, which makes nsupdate send the request
print "update add test.vh1.vzwnet.com 90 CNAME txslxngda5.nss.vzwnet.com\n"|nsupdate -y $keyfile

[root@nj51rhidms16v log]# tail daemon
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing keytab file [default]: Principal [host/ [email protected]] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to key table
May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check
May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing keytab file [default]: Principal [host/ [email protected]] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to key table
May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check
May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing keytab file [default]: Principal [host/ [email protected]] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error writing to key table

On Tue, May 13, 2014 at 2:04 PM, Bob <[email protected]> wrote:
> I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.
>
> But my nsupdate results in this in the daemon log:
>
> May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN: sending notifies (serial 1399928642)
> May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing keytab file [default]: Principal [host/[email protected]] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing to key table
>
> It almost works.
>
> On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria <[email protected]> wrote:
>> On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
>> > I have many dozens of TSIG keys declared in our current bind. There
>> > are hundreds of records that have been granted to those keys. All of
>> > this predates me and I do not know who has these keys. The scope of
>> > trying to work with the owners of these keys to convert their
>> > processes to use kerberos would be a large effort. It was my hope
>> > to use IPA / IDM to provide multi master DNS, with each server being a
>> > SOA. But this becomes a lot less desirable as a solution if I have to
>> > track down our key holders.
>>
>> You can keep using your TSIG keys with IPA if that is what you're
>> looking for. Just declare your TSIG keys in your IPA dns "update-policy"
>> just as you would do with plain bind:
>>
>> ipa dnszone-mod example.com --update-policy="grant key1. subdomain a.example.com.; grant key2. name b.example.com.;"
>>
>> Also in IPA every DNS presents a different SOA, each with the name of
>> the server being queried, so it can be used as a true multimaster DNS
>> solution.
>>
>> Hope this helps
>>
>> > On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal <[email protected]> wrote:
>> > On 05/13/2014 09:59 AM, Bob wrote:
>> > > Is there any way to do an nsupdate of DNS records in an IPA
>> > > server using a TSIG key without having a kerberos ticket?
>> > >
>> > > We were going to swap out bind in favor of IPA, but we need
>> > > to be able to do nsupdates.
>> >
>> > If you are using IPA you can give your clients keytabs.
>> > It is all automatic with RHEL, Fedora, Centos for the last 5
>> > years. Enroll your clients using ipa-client-install.
>> > If you have other operating systems some exploration would be
>> > required but it should be doable too.
>> >
>> > > On Mon, May 12, 2014 at 10:11 AM, Bob <[email protected]> wrote:
>> > > We use nsupdate to move the location of some of
>> > > our services around. For instance there might be two
>> > > servers that exchange roles, like serv.east.abc.com
>> > > and serv.west.abc.com and we will have a service
>> > > name like wiki.abc.com. The owner of the application
>> > > has been given an nsupdate key that allows them to
>> > > update and delete on the wiki.abc.com and have
>> > > that record contain an "A" record for one or
>> > > the other of the two servers.
>> > >
>> > > I am very concerned that there might come a time
>> > > when the SOA primary master server for this dynamic
>> > > domain might be down when the application owner
>> > > needs to do their nsupdate.
>> > >
>> > > One observation that we see is that Windows AD and
>> > > DNS make every AD DNS server an SOA for any domain
>> > > that it serves. That any dynamic DNS update can be
>> > > serviced by any Domain controller and that this
>> > > update is replicated with LDAP to the other DCs.
>> > >
>> > > It was our hope that we could use IPA for our DNS
>> > > servers for this dynamic domain. That we would have
>> > > multiple forward statements from our main DNS
>> > > servers to the IPA DNS servers and that any IPA
>> > > server would be the SOA. This way the nsupdate would
>> > > be processed by any available IPA server in the
>> > > event that one or more of these IPA DNS servers
>> > > would be down or unreachable.
>> > >
>> > > Is there a way to make each IPA system a SOA for the
>> > > same domain and still have the DNS records replicate
>> > > between them?
>> > >
>> > > thanks,
>> > >
>> > > Bob Harvey
>> > >
>> > > _______________________________________________
>> > > Freeipa-users mailing list
>> > > [email protected]
>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>> >
>> > --
>> > Thank you,
>> > Dmitri Pal
>> >
>> > Sr. Engineering Manager IdM portfolio
>> > Red Hat, Inc.
>>
>> --
>> Loris Santamaria   linux user #70506   xmpp:[email protected]
>> Links Global Services, C.A.            http://www.lgs.com.ve
>> Tel: 0286 952.06.87  Cel: 0414 095.00.10   sip:[email protected]
>> ------------------------------------------------------------
>> "If I'd asked my customers what they wanted, they'd have said
>> a faster horse" - Henry Ford
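The thread's script passes the TSIG key to nsupdate inline with -y and no algorithm prefix, so nsupdate assumes HMAC-MD5; the server then verifies with whatever algorithm its own key statement declares, and a mismatch in name, algorithm or secret shows up as BADKEY. The script below is an added example, not Bob's script nor anything from FreeIPA or BIND: it writes the key into a file in the syntax nsupdate -k reads (the same as a named.conf key statement, so the algorithm is explicit), sanity-checks that file, and builds an update stream that deletes the old RRset and ends with an explicit "send". The key name bob-key comes from the thread; the algorithm, the secret, and the server, zone and host names in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): drive nsupdate with a TSIG key file
# rather than an inline -y name:secret. Algorithm, secret and the names in
# the usage comment are constructed placeholders; the real algorithm must
# equal the one in the server's key {} block.

KEY_NAME="bob-key"
KEY_ALG="hmac-sha256"                          # assumption: what named.conf declares for this key
KEY_SECRET="Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI="  # constructed placeholder (base64 of a dummy string)

# Write a key file in the syntax nsupdate -k reads. Spelling out the algorithm
# avoids the HMAC-MD5 default that nsupdate -y applies without a prefix.
write_keyfile() {
    # $1 path, $2 key name, $3 algorithm, $4 base64 secret
    ( umask 077
      printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$2" "$3" "$4" > "$1" )
}

# Check a key file before use: a key name, a known HMAC algorithm and a
# base64 secret. Returns 0 when all three are present, 1 otherwise.
validate_keyfile() {
    grep -Eq '^key "[^"]+" \{' "$1" &&
    grep -Eq '^[[:space:]]*algorithm hmac-(md5|sha1|sha224|sha256|sha384|sha512);' "$1" &&
    grep -Eq '^[[:space:]]*secret "[A-Za-z0-9+/]+={0,2}";' "$1"
}

# Build the nsupdate command stream: target server and zone, delete the old
# RRset so the update is idempotent, add the new record, and an explicit
# "send" instead of relying on end-of-input.
build_update() {
    # $1 server, $2 zone, $3 owner name, $4 TTL, $5 type, $6 rdata
    printf 'server %s\nzone %s\nupdate delete %s %s\nupdate add %s %s %s %s\nsend\n' \
        "$1" "$2" "$3" "$5" "$3" "$4" "$5" "$6"
}

# Run the update when nsupdate is installed; otherwise show what would be sent.
run_update() {
    keyfile=$1; shift
    validate_keyfile "$keyfile" || { echo "bad key file: $keyfile" >&2; return 1; }
    if command -v nsupdate >/dev/null 2>&1; then
        build_update "$@" | nsupdate -k "$keyfile"
    else
        echo "nsupdate not found; update stream would be:" >&2
        build_update "$@" >&2
    fi
}

# Usage (placeholder names):
#   write_keyfile /tmp/bob.key "$KEY_NAME" "$KEY_ALG" "$KEY_SECRET"
#   run_update /tmp/bob.key 10.0.0.53 example.test test.example.test 90 CNAME target.example.test
```

The key file keeps the secret out of the process list, where an inline -y argument is visible to every local user, and forcing the algorithm to be written down makes a BADKEY from an algorithm mismatch something you can check by diffing the client file against the server's key statement.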
