I ran

ipa dnszone-mod vh1.vzwnet.com  --update-policy="grant bob-key name
test.vh1.vzwnet.com.;"

I then execute the nsupdate:

[root@nj51rhidms16v ~]# ./bobtest.sh
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)


[root@nj51rhidms16v ~]# cat ./bobtest.sh
#!/bin/ksh
#
keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
print "update add test.vh1.vzwnet.com 90 CNAME
txslxngda5.nss.vzwnet.com\n"|nsupdate
-y $keyfile

[root@nj51rhidms16v log]# tail daemon
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing
keytab file [default]: Principal [host/
nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found. Unable to
create GSSAPI-encrypted LDAP connection.
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to
key table
May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program
/usr/sbin/rhn_check
May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program
/usr/sbin/rhn_check
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing
keytab file [default]: Principal [host/
nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found. Unable to
create GSSAPI-encrypted LDAP connection.
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to
key table
May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program
/usr/sbin/rhn_check
May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739:
request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing
keytab file [default]: Principal [host/
nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found. Unable to
create GSSAPI-encrypted LDAP connection.
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error writing to
key table






On Tue, May 13, 2014 at 2:04 PM, Bob <harv...@gmail.com> wrote:

>
> I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.
>
> But my  nsupdate results in this in the daemon log:
>
>
>
> May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN: sending 
> notifies (serial 1399928642)
> May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576: 
> request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing 
> keytab file [default]: Principal 
> [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found. Unable 
> to create GSSAPI-encrypted LDAP connection.
> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing to key 
> table
>
>
> It almost works.
>
>
>
> On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria <lo...@lgs.com.ve>wrote:
>
>> El mar, 13-05-2014 a las 10:57 -0400, Bob escribió:
>> > I have many dozens of TSIG keys declared in our current bind. There
>> > are hundreds of records that have been granted to those keys. All of
>> > this predates me and I do not know who has these keys. The scope of
>> > trying to work with the owners of these keys to convert their
>> > processes to to use kerberos would be a large effort. It was my hope
>> > to use IPA / IDM to provide multi master DNS, with each server being a
>> > SOA. But this becomes a lot less desirable as a solution if I have to
>> > track down our key holders.
>>
>> You can keep using your TSIG keys with IPA if that is what you're
>> looking for. Just declare your TSIG keys in your IPA dns "update-policy"
>> just as you would do with plain bind:
>>
>> ipa dnszone-mod example.com --update-policy="grant key1. subdomain
>> a.example.com.; grant key2. name b.example.com.;"
>>
>> Also in IPA every DNS presents a different SOA, each with the name of
>> the server being queried, so it can be used as a true multimaster DNS
>> solution.
>>
>> Hope this helps
>>
>>
>>
>> > On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal <d...@redhat.com> wrote:
>> >         On 05/13/2014 09:59 AM, Bob wrote:
>> >
>> >         > Is there anyway to do a nsupdate of a DNS records in a IPA
>> >         > server using a TSIG key without having a kerberos ticket?
>> >         >
>> >         >
>> >         > We were going to swap out bind in favor of IPA, but we need
>> >         > to be able to nsupdates.
>> >         >
>> >         >
>> >         >
>> >
>> >
>> >         If you are using IPA you can give you clients keytabs.
>> >         It is all automatic with RHEL, Fedora, Centos for last 5
>> >         years. Enroll your clients using ipa-client-install.
>> >         If you have other operating systems some exploration would be
>> >         required but it should be doable too.
>> >
>> >         >
>> >         > On Mon, May 12, 2014 at 10:11 AM, Bob <harv...@gmail.com>
>> >         > wrote:
>> >         >         We use nsupdate to to move the location of some of
>> >         >         our services around. For instance there might be two
>> >         >         servers that exchange roles, like serv.east.abc.com
>> >         >         and serv.west.abc.com  and we will have a service
>> >         >         name like wiki.abc.com. The owner of the application
>> >         >         has been given an nsupdate key that allows them to
>> >         >         update and delete on the the wiki.abc.com and have
>> >         >         that records contain either an "A" record for one or
>> >         >         the other of the two servers.
>> >         >
>> >         >
>> >         >         I am very concerned that there might come a time
>> >         >         when the SOA primary master server for this dynamic
>> >         >         domain might be down when the application owner
>> >         >         needs to do their nsupdate.
>> >         >
>> >         >
>> >         >         One observation that we see is that Window AD and
>> >         >         DNS make every AD DNS server an SOA for any domain
>> >         >         that it servers. That any dynamic DNS update can be
>> >         >         serviced by any Domain controller and that this
>> >         >         update is replicated with LDAP to the other DCs.
>> >         >
>> >         >
>> >         >         It was our hope that we could use IPA for our DNS
>> >         >         servers for this dynamic domain. That we would have
>> >         >         multiple forward statements from our main DNS
>> >         >         servers to the IPA DNS servers and that any IPA
>> >         >         server would be the SOA. This way the nsupdate would
>> >         >         be processed by any available IPA server in the
>> >         >         event that one or more of these IPA DNS servers
>> >         >         would be down or unreachable.
>> >         >
>> >         >
>> >         >         Is there a way to make each IPA system a SOA for the
>> >         >         same domain and still have the DNS records replicate
>> >         >         between them?
>> >         >
>> >         >
>> >         >         thanks,
>> >         >
>> >         >
>> >         >         Bob Harvey
>> >         >
>> >         >
>> >         >
>> >         >
>> >         >
>> >         >
>> >         > _______________________________________________
>> >         > Freeipa-users mailing list
>> >         > Freeipa-users@redhat.com
>> >         > https://www.redhat.com/mailman/listinfo/freeipa-users
>> >
>> >
>> >         --
>> >         Thank you,
>> >         Dmitri Pal
>> >
>> >         Sr. Engineering Manager IdM portfolio
>> >         Red Hat, Inc.
>> >
>> >         _______________________________________________
>> >         Freeipa-users mailing list
>> >         Freeipa-users@redhat.com
>> >         https://www.redhat.com/mailman/listinfo/freeipa-users
>> >
>> >
>> > _______________________________________________
>> > Freeipa-users mailing list
>> > Freeipa-users@redhat.com
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> --
>> Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
>> Links Global Services, C.A.            http://www.lgs.com.ve
>> Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
>> ------------------------------------------------------------
>> "If I'd asked my customers what they wanted, they'd have said
>> a faster horse" - Henry Ford
>>
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to