On 05/13/2014 02:12 PM, Bob wrote:
I ran

ipa dnszone-mod vh1.vzwnet.com --update-policy="grant bob-key name test.vh1.vzwnet.com.;"

I then execute the nsupdate:

[root@nj51rhidms16v ~]# ./bobtest.sh
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)


[root@nj51rhidms16v ~]# cat ./bobtest.sh
#!/bin/ksh
#
# name:secret pair handed to nsupdate -y (not a key file)
keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
print "update add test.vh1.vzwnet.com 90 CNAME txslxngda5.nss.vzwnet.com\n" | nsupdate -y "$keyfile"

[root@nj51rhidms16v log]# tail daemon
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to key table
May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check
May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to key table
May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check
May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error writing to key table




Several things:
The sssd failures indicate that you might have installed and configured SSSD via ipa-client and then wiped out the keytab, probably to emulate nsupdate without a keytab. I am not sure it is relevant, but I suggest that you try nsupdate from an unenrolled machine. If the machine is enrolled, nsupdate would work anyway, so you need to deal with the situation where you are running nsupdate from a machine that does not have ipa-client configured; trying on a clean system would be better.

Can you validate that the key is actually correct on both sides?




On Tue, May 13, 2014 at 2:04 PM, Bob <harv...@gmail.com> wrote:


    I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.


    But my  nsupdate results in this in the daemon log:



    May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN: sending notifies (serial 1399928642)
    May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
    May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.
    May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing to key table

    It almost works.



    On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria <lo...@lgs.com.ve> wrote:

        On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
        > I have many dozens of TSIG keys declared in our current bind. There
        > are hundreds of records that have been granted to those keys. All of
        > this predates me and I do not know who has these keys. The scope of
        > trying to work with the owners of these keys to convert their
        > processes to use kerberos would be a large effort. It was my hope
        > to use IPA / IDM to provide multi master DNS, with each server being a
        > SOA. But this becomes a lot less desirable as a solution if I have to
        > track down our key holders.

        You can keep using your TSIG keys with IPA if that is what you're
        looking for. Just declare your TSIG keys in your IPA dns
        "update-policy"
        just as you would do with plain bind:

        ipa dnszone-mod example.com --update-policy="grant key1. subdomain a.example.com.; grant key2. name b.example.com.;"

        Also in IPA every DNS presents a different SOA, each with the
        name of
        the server being queried, so it can be used as a true
        multimaster DNS
        solution.

        Hope this helps



        > On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal <d...@redhat.com> wrote:
        >         On 05/13/2014 09:59 AM, Bob wrote:
        >
        >         > Is there any way to do an nsupdate of DNS records in an IPA
        >         > server using a TSIG key without having a kerberos ticket?
        >         >
        >         > We were going to swap out bind in favor of IPA, but we need
        >         > to be able to do nsupdates.
        >
        >         If you are using IPA you can give your clients keytabs.
        >         It is all automatic with RHEL, Fedora, Centos for the last 5
        >         years. Enroll your clients using ipa-client-install.
        >         If you have other operating systems some exploration would be
        >         required but it should be doable too.
        >
        >         > On Mon, May 12, 2014 at 10:11 AM, Bob <harv...@gmail.com> wrote:
        >         >         We use nsupdate to move the location of some of
        >         >         our services around. For instance there might be two
        >         >         servers that exchange roles, like serv.east.abc.com
        >         >         and serv.west.abc.com, and we will have a service
        >         >         name like wiki.abc.com. The owner of the application
        >         >         has been given an nsupdate key that allows them to
        >         >         update and delete on the wiki.abc.com and have
        >         >         that record contain either an "A" record for one or
        >         >         the other of the two servers.
        >         >
        >         >         I am very concerned that there might come a time
        >         >         when the SOA primary master server for this dynamic
        >         >         domain might be down when the application owner
        >         >         needs to do their nsupdate.
        >         >
        >         >         One observation that we see is that Windows AD and
        >         >         DNS make every AD DNS server an SOA for any domain
        >         >         that it serves. That any dynamic DNS update can be
        >         >         serviced by any Domain controller and that this
        >         >         update is replicated with LDAP to the other DCs.
        >         >
        >         >         It was our hope that we could use IPA for our DNS
        >         >         servers for this dynamic domain. That we would have
        >         >         multiple forward statements from our main DNS
        >         >         servers to the IPA DNS servers and that any IPA
        >         >         server would be the SOA. This way the nsupdate would
        >         >         be processed by any available IPA server in the
        >         >         event that one or more of these IPA DNS servers
        >         >         would be down or unreachable.
        >         >
        >         >         Is there a way to make each IPA system a SOA for the
        >         >         same domain and still have the DNS records replicate
        >         >         between them?
        >         >
        >         >         thanks,
        >         >
        >         >         Bob Harvey
        >         >
        >         > _______________________________________________
        >         > Freeipa-users mailing list
        >         > Freeipa-users@redhat.com
        >         > https://www.redhat.com/mailman/listinfo/freeipa-users
        >
        >         --
        >         Thank you,
        >         Dmitri Pal
        >
        >         Sr. Engineering Manager IdM portfolio
        >         Red Hat, Inc.

        --
        Loris Santamaria   linux user #70506 xmpp:lo...@lgs.com.ve
        Links Global Services, C.A. http://www.lgs.com.ve
        Tel: 0286 952.06.87  Cel: 0414 095.00.10 sip:1...@lgs.com.ve
        ------------------------------------------------------------
        "If I'd asked my customers what they wanted, they'd have said
        a faster horse" - Henry Ford







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

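An added example (not code from the thread, nsupdate, BIND or FreeIPA) that makes the distinction behind "NOTAUTH(BADKEY)" concrete: a minimal RFC 2845 TSIG signer and verifier over a DNS UPDATE request. A server answers BADKEY when it has no key with that name and algorithm at all, BADSIG when the key exists but the MAC does not match (wrong secret or altered message), and BADTIME when the request falls outside the fudge window. The zone, record names, key name and both base64 secrets below are constructed test values; the secret is deliberately not the one pasted in the thread.

```python
# Added example: minimal RFC 2845 TSIG sign/verify for a DNS UPDATE.
# Not nsupdate/BIND/FreeIPA code; all names and secrets are constructed.
import base64
import hashlib
import hmac
import struct
import time

TSIG_TYPE, CLASS_ANY = 250, 255
HMAC_MD5 = "hmac-md5.sig-alg.reg.int."   # algorithm nsupdate -y uses by default


def canon(name):
    """Lowercase with a single trailing dot: how key/algorithm names compare."""
    return name.lower().rstrip(".") + "."


def wire_name(name):
    """Canonical uncompressed wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_name(buf, off):
    """Return (dotted name, offset past it); handles uncompressed names only."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return canon(".".join(labels)), off + 1


def bump_arcount(msg, delta):
    """ARCOUNT is header bytes 10..11; the TSIG RR is counted there."""
    arcount = struct.unpack(">H", msg[10:12])[0] + delta
    return msg[:10] + struct.pack(">H", arcount) + msg[12:]


def build_update(zone, name, ttl, cname_target, msg_id=0x1234):
    """UPDATE (opcode 5): one zone entry plus one CNAME RR to add."""
    header = struct.pack(">HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_sec = wire_name(zone) + struct.pack(">HH", 6, 1)            # SOA, IN
    rdata = wire_name(cname_target)
    rr = wire_name(name) + struct.pack(">HHIH", 5, 1, ttl, len(rdata)) + rdata
    return header + zone_sec + rr


def tsig_vars(key_name, alg, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' (RFC 2845 3.4.2) appended to the message before HMAC."""
    return (wire_name(key_name) + struct.pack(">HI", CLASS_ANY, 0) + wire_name(alg)
            + struct.pack(">Q", time_signed)[2:]                          # 48-bit time
            + struct.pack(">HHH", fudge, error, len(other)) + other)


def sign(msg, key_name, secret_b64, time_signed=None, fudge=300):
    """Append a TSIG RR signed with HMAC-MD5; returns the signed wire message."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(base64.b64decode(secret_b64),
                   msg + tsig_vars(key_name, HMAC_MD5, time_signed, fudge),
                   hashlib.md5).digest()
    rdata = (wire_name(HMAC_MD5) + struct.pack(">Q", time_signed)[2:]
             + struct.pack(">HH", fudge, len(mac)) + mac
             + struct.pack(">HHH", struct.unpack(">H", msg[:2])[0], 0, 0))
    rr = wire_name(key_name) + struct.pack(">HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return bump_arcount(msg, 1) + rr


def verify(signed, keys, now=None):
    """Check the trailing TSIG RR against {key_name: base64_secret} in the
    order a server does (RFC 2845 4.5): key lookup, then MAC, then time."""
    counts = struct.unpack(">HHHHHH", signed[:12])
    if counts[5] == 0:
        return "FORMERR"                      # no additional RR, so no TSIG
    off = 12
    for _ in range(counts[2]):                # zone section is question-shaped
        off = parse_name(signed, off)[1] + 4
    for n in (counts[3], counts[4], counts[5] - 1):   # prereq, update, other additional
        for _ in range(n):
            off = parse_name(signed, off)[1]
            off += 10 + struct.unpack(">H", signed[off + 8:off + 10])[0]
    tsig_off = off
    key_name, p = parse_name(signed, off)
    if struct.unpack(">H", signed[p:p + 2])[0] != TSIG_TYPE:
        return "FORMERR"
    alg, p = parse_name(signed, p + 10)
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, maclen = struct.unpack(">HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + maclen]
    p += 10 + maclen
    error, otherlen = struct.unpack(">HH", signed[p + 2:p + 6])
    other = signed[p + 6:p + 6 + otherlen]
    keys = {canon(k): v for k, v in keys.items()}
    if key_name not in keys or alg != canon(HMAC_MD5):
        return "BADKEY"                       # no such key/algorithm pair on the server
    unsigned = bump_arcount(signed[:tsig_off], -1)
    expected = hmac.new(base64.b64decode(keys[key_name]),
                        unsigned + tsig_vars(key_name, alg, time_signed, fudge, error, other),
                        hashlib.md5).digest()
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"                       # key found, but secret or message differs
    now = int(time.time()) if now is None else now
    return "BADTIME" if abs(now - time_signed) > fudge else "NOERROR"


def demo(t=1_400_000_000):
    """Constructed scenarios: one signed request, four server-side key tables."""
    good = "AAECAwQFBgcICQoLDA0ODw=="        # constructed 16-byte secret
    wrong = "EBESExQVFhcYGRobHB0eHw=="       # a different constructed secret
    msg = build_update("vh1.example.test.", "test.vh1.example.test.", 90, "target.example.test.")
    signed = sign(msg, "bob-key", good, time_signed=t)
    return {
        "key known, secret matches": verify(signed, {"bob-key": good}, now=t),
        "key name unknown to server": verify(signed, {"other-key": good}, now=t),
        "key known, secret differs": verify(signed, {"bob-key": wrong}, now=t),
        "clock skew beyond fudge": verify(signed, {"bob-key": good}, now=t + 3600),
    }


if __name__ == "__main__":
    for case, rcode in demo().items():
        print(f"{case:30} -> {rcode}")
```

The practical reading for the thread: a `grant` line in update-policy only authorizes a key name, it does not define the key. In BIND the key itself has to be loaded by named from a `key` statement, so if the secret really is identical on both ends, a BADKEY points at named not having that key statement at all, whereas a mismatched secret shows up as BADSIG. The example uses hmac-md5 because that is what `nsupdate -y name:secret` assumes; new keys should be generated with a SHA-2 algorithm (tsig-keygen defaults to hmac-sha256) and then named in the `-y` argument as algorithm:name:secret or passed with `-k`.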
