El mar, 13-05-2014 a las 14:12 -0400, Bob escribió:
> I ran 
> 
> ipa dnszone-mod vh1.vzwnet.com  --update-policy="grant bob-key name
> test.vh1.vzwnet.com.;"
> 
> 
> I then execute the nsupdate:
> 
> [root@nj51rhidms16v ~]# ./bobtest.sh
> ; TSIG error with server: tsig indicates error
> update failed: NOTAUTH(BADKEY)
> 
> 
> [root@nj51rhidms16v ~]# cat ./bobtest.sh
> #!/bin/ksh
> #
> keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
> print "update add test.vh1.vzwnet.com 90 CNAME
> txslxngda5.nss.vzwnet.com\n"|nsupdate -y $keyfile

Did you add the key to the bind configuration? As with plain bind
configurations, named has to know the key to verify the transaction's
signature. I usually put the keys in a file only readable by named and
include this file from named.conf:

In /etc/named.conf

include "/etc/named/bob-key.conf";

and in /etc/named/bob-key.conf:

key bob-key {
        algorithm hmac-md5;
        secret "hkVEYuIRUG.....";
};



> [root@nj51rhidms16v log]# tail daemon
> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error
> processing keytab file [default]: Principal
> [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found.
> Unable to create GSSAPI-encrypted LDAP connection.
> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing
> to key table
> May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running
> program /usr/sbin/rhn_check
> May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running
> program /usr/sbin/rhn_check
> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error
> processing keytab file [default]: Principal
> [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found.
> Unable to create GSSAPI-encrypted LDAP connection.
> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing
> to key table
> May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running
> program /usr/sbin/rhn_check
> May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739:
> request has invalid signature: TSIG bob-key: tsig verify failure
> (BADKEY)
> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error
> processing keytab file [default]: Principal
> [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found.
> Unable to create GSSAPI-encrypted LDAP connection.
> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error writing
> to key table
> 
> 
> 
> 
> 
> 
> 
> On Tue, May 13, 2014 at 2:04 PM, Bob <harv...@gmail.com> wrote:
>         
>         I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI. 
>         
>         
>         But my  nsupdate results in this in the daemon log:
>         
>         
>         
>         
>         May 12 17:04:02 nj51rhidms16v named[27438]: zone
>         vh1.vzwnet.com/IN: sending notifies (serial 1399928642) May 12
>         17:08:44 nj51rhidms16v named[27438]: client
>         10.194.96.47#26576: request has invalid signature: TSIG
>         bob-key: tsig verify failure (BADKEY) May 12 17:15:16
>         nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing
>         keytab file [default]: Principal
>         [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not
>         found. Unable to create GSSAPI-encrypted LDAP connection. May
>         12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error
>         writing to key table
>         
>         
>         
>         It almost works. 
>         
>         
>         On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria
>         <lo...@lgs.com.ve> wrote:
>         
>                 El mar, 13-05-2014 a las 10:57 -0400, Bob escribió:
>                 > I have many dozens of TSIG keys declared in our
>                 current bind. There
>                 > are hundreds of records that have been granted to
>                 those keys. All of
>                 > this predates me and I do not know who has these
>                 keys. The scope of
>                 > trying to work with the owners of these keys to
>                 convert their
>                 > processes to to use kerberos would be a large
>                 effort. It was my hope
>                 > to use IPA / IDM to provide multi master DNS, with
>                 each server being a
>                 > SOA. But this becomes a lot less desirable as a
>                 solution if I have to
>                 > track down our key holders.
>                 
>                 
>                 You can keep using your TSIG keys with IPA if that is
>                 what you're
>                 looking for. Just declare your TSIG keys in your IPA
>                 dns "update-policy"
>                 just as you would do with plain bind:
>                 
>                 ipa dnszone-mod example.com --update-policy="grant
>                 key1. subdomain
>                 a.example.com.; grant key2. name b.example.com.;"
>                 
>                 Also in IPA every DNS presents a different SOA, each
>                 with the name of
>                 the server being queried, so it can be used as a true
>                 multimaster DNS
>                 solution.
>                 
>                 Hope this helps
>                 
>                 
>                 
>                 > On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal
>                 <d...@redhat.com> wrote:
>                 >         On 05/13/2014 09:59 AM, Bob wrote:
>                 >
>                 >         > Is there anyway to do a nsupdate of a DNS
>                 records in a IPA
>                 >         > server using a TSIG key without having a
>                 kerberos ticket?
>                 >         >
>                 >         >
>                 >         > We were going to swap out bind in favor of
>                 IPA, but we need
>                 >         > to be able to nsupdates.
>                 >         >
>                 >         >
>                 >         >
>                 >
>                 >
>                 >         If you are using IPA you can give you
>                 clients keytabs.
>                 >         It is all automatic with RHEL, Fedora,
>                 Centos for last 5
>                 >         years. Enroll your clients using
>                 ipa-client-install.
>                 >         If you have other operating systems some
>                 exploration would be
>                 >         required but it should be doable too.
>                 >
>                 >         >
>                 >         > On Mon, May 12, 2014 at 10:11 AM, Bob
>                 <harv...@gmail.com>
>                 >         > wrote:
>                 >         >         We use nsupdate to to move the
>                 location of some of
>                 >         >         our services around. For instance
>                 there might be two
>                 >         >         servers that exchange roles, like
>                 serv.east.abc.com
>                 >         >         and serv.west.abc.com  and we will
>                 have a service
>                 >         >         name like wiki.abc.com. The owner
>                 of the application
>                 >         >         has been given an nsupdate key
>                 that allows them to
>                 >         >         update and delete on the the
>                 wiki.abc.com and have
>                 >         >         that records contain either an "A"
>                 record for one or
>                 >         >         the other of the two servers.
>                 >         >
>                 >         >
>                 >         >         I am very concerned that there
>                 might come a time
>                 >         >         when the SOA primary master server
>                 for this dynamic
>                 >         >         domain might be down when the
>                 application owner
>                 >         >         needs to do their nsupdate.
>                 >         >
>                 >         >
>                 >         >         One observation that we see is
>                 that Window AD and
>                 >         >         DNS make every AD DNS server an
>                 SOA for any domain
>                 >         >         that it servers. That any dynamic
>                 DNS update can be
>                 >         >         serviced by any Domain controller
>                 and that this
>                 >         >         update is replicated with LDAP to
>                 the other DCs.
>                 >         >
>                 >         >
>                 >         >         It was our hope that we could use
>                 IPA for our DNS
>                 >         >         servers for this dynamic domain.
>                 That we would have
>                 >         >         multiple forward statements from
>                 our main DNS
>                 >         >         servers to the IPA DNS servers and
>                 that any IPA
>                 >         >         server would be the SOA. This way
>                 the nsupdate would
>                 >         >         be processed by any available IPA
>                 server in the
>                 >         >         event that one or more of these
>                 IPA DNS servers
>                 >         >         would be down or unreachable.
>                 >         >
>                 >         >
>                 >         >         Is there a way to make each IPA
>                 system a SOA for the
>                 >         >         same domain and still have the DNS
>                 records replicate
>                 >         >         between them?
>                 >         >
>                 >         >
>                 >         >         thanks,
>                 >         >
>                 >         >
>                 >         >         Bob Harvey
>                 >         >
>                 >         >
>                 >         >
>                 >         >
>                 >         >
>                 >         >
>                 >         >
>                 _______________________________________________
>                 >         > Freeipa-users mailing list
>                 >         > Freeipa-users@redhat.com
>                 >         >
>                 https://www.redhat.com/mailman/listinfo/freeipa-users
>                 >
>                 >
>                 >         --
>                 >         Thank you,
>                 >         Dmitri Pal
>                 >
>                 >         Sr. Engineering Manager IdM portfolio
>                 >         Red Hat, Inc.
>                 >
>                 >
>                 _______________________________________________
>                 >         Freeipa-users mailing list
>                 >         Freeipa-users@redhat.com
>                 >
>                 https://www.redhat.com/mailman/listinfo/freeipa-users
>                 >
>                 >
>                 > _______________________________________________
>                 > Freeipa-users mailing list
>                 > Freeipa-users@redhat.com
>                 >
>                 https://www.redhat.com/mailman/listinfo/freeipa-users
>                 
>                 --
>                 
>                 Loris Santamaria   linux user #70506
>                 xmpp:lo...@lgs.com.ve
>                 Links Global Services, C.A.
>                  http://www.lgs.com.ve
>                 Tel: 0286 952.06.87  Cel: 0414 095.00.10
>                  sip:1...@lgs.com.ve
>                 ------------------------------------------------------------
>                 "If I'd asked my customers what they wanted, they'd
>                 have said
>                 a faster horse" - Henry Ford
>         
>         
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to