On 13.5.2014 21:32, Dmitri Pal wrote:
On 05/13/2014 02:12 PM, Bob wrote:
I ran

ipa dnszone-mod vh1.vzwnet.com --update-policy="grant bob-key name test.vh1.vzwnet.com.;"

I then execute the nsupdate:

[root@nj51rhidms16v ~]# ./bobtest.sh
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)


[root@nj51rhidms16v ~]# cat ./bobtest.sh
#!/bin/ksh
#
keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
print "update add test.vh1.vzwnet.com 90 CNAME txslxngda5.nss.vzwnet.com\n" | nsupdate -y $keyfile

[root@nj51rhidms16v log]# tail daemon
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to key table
May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check
May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to key table
May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check
All errors above are irrelevant to nsupdate. They point to a problem with SSSD configuration, but this should not affect nsupdate with TSIG at all.

May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing

My best guess is that you have modified update-policy to reference key "bob-key" but the key is not defined in named.conf.

Unfortunately, IPA doesn't support TSIG keys in LDAP. You have to define all keys on all servers in named.conf manually:

Add something like:

key "bob-key" {
          algorithm hmac-md5;
          secret "<your-secret>";
};

and restart named.

Then it should work.

If you want to see support for TSIG keys in LDAP then please open a FreeIPA ticket:
https://fedorahosted.org/freeipa/newticket

To speed things up, please describe your use case (in detail) and propose user interface.


Also, please note that hmac-md5 is not "the most secure algorithm in the world". GSS-TSIG should be more secure. I would recommend that you gradually migrate from TSIG to GSS-TSIG.

Have a nice day!

--
Petr^2 Spacek
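
The BADKEY diagnosis in the reply above, as an added example that is not code from the thread, FreeIPA or BIND: a toy model of the server-side TSIG check, with the key table parsed from a named.conf key block of the shape shown in the reply and the client key given in nsupdate's -y form. The secret, the -y string and the signed message are constructed, and the MAC is computed over a placeholder string rather than the real DNS wire message.

```python
import base64
import hashlib
import hmac
import re

# TSIG extended RCODEs (RFC 8945 / IANA): 16 = BADSIG, 17 = BADKEY.
NOERROR, BADSIG, BADKEY = 0, 16, 17
DIGESTS = {"hmac-md5": hashlib.md5, "hmac-sha256": hashlib.sha256}

# Constructed secret and named.conf key block (same shape as the block in the reply).
DEMO_SECRET = base64.b64encode(b"constructed-demo-secret-not-real").decode()
NAMED_CONF = f'key "bob-key" {{\n  algorithm hmac-md5;\n  secret "{DEMO_SECRET}";\n}};\n'

KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"([^"]+)"\s*;\s*\}\s*;')

def load_keys(conf):
    """Key table as named builds it from named.conf: name -> (algorithm, secret bytes)."""
    return {n.lower(): (a.lower(), base64.b64decode(s)) for n, a, s in KEY_RE.findall(conf)}

def parse_y(arg):
    """nsupdate -y takes [hmac:]keyname:secret; without a prefix the algorithm is hmac-md5."""
    parts = arg.split(":")
    alg, name, secret = parts if len(parts) == 3 else ["hmac-md5"] + parts
    return alg.lower(), name.lower(), base64.b64decode(secret)

def sign(alg, secret, message):
    """Client side: MAC over the (placeholder) message with the key from -y."""
    return hmac.new(secret, message, DIGESTS[alg]).digest()

def verify(keys, name, alg, message, mac):
    """Server-side order from RFC 8945 5.2: unknown name/algorithm -> BADKEY, MAC mismatch -> BADSIG."""
    entry = keys.get(name.lower())
    if entry is None or entry[0] != alg.lower():
        return BADKEY
    expected = hmac.new(entry[1], message, DIGESTS[entry[0]]).digest()
    return NOERROR if hmac.compare_digest(expected, mac) else BADSIG

def demo():
    """Three outcomes: key present, key absent from named.conf (Bob's case), wrong secret."""
    alg, name, secret = parse_y(f"bob-key:{DEMO_SECRET}")
    msg = b"update add test.vh1.vzwnet.com 90 CNAME txslxngda5.nss.vzwnet.com"
    mac = sign(alg, secret, msg)
    return (verify(load_keys(NAMED_CONF), name, alg, msg, mac),                 # NOERROR
            verify({}, name, alg, msg, mac),                                    # BADKEY
            verify(load_keys(NAMED_CONF), name, alg, msg, sign(alg, b"other", msg)))  # BADSIG
```

The middle case is the one in the log: named has no "bob-key" in its key table, so it reports BADKEY before any MAC is compared, and a wrong secret would instead show up as BADSIG.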

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
