On Tue, 13-05-2014 at 14:12 -0400, Bob wrote:
> I ran
>
> ipa dnszone-mod vh1.vzwnet.com --update-policy="grant bob-key name test.vh1.vzwnet.com.;"
>
> I then execute the nsupdate:
>
> [root@nj51rhidms16v ~]# ./bobtest.sh
> ; TSIG error with server: tsig indicates error
> update failed: NOTAUTH(BADKEY)
>
> [root@nj51rhidms16v ~]# cat ./bobtest.sh
> #!/bin/ksh
> #
> keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
> print "update add test.vh1.vzwnet.com 90 CNAME txslxngda5.nss.vzwnet.com\n"|nsupdate -y $keyfile

Did you add the key to the bind configuration? As with plain bind
configurations, named has to know the key to verify the transaction's
signature. I usually put the keys in a file only readable by named and
include this file from named.conf:

In /etc/named.conf

    include "/etc/named/bob-key.conf";

and in /etc/named/bob-key.conf:

    key bob-key {
        algorithm hmac-md5;
        secret "hkVEYuIRUG.....";
    };

> [root@nj51rhidms16v log]# tail daemon
> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to key table
> May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check
> May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check
> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to key table
> May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check
> May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error writing to key table
>
> On Tue, May 13, 2014 at 2:04 PM, Bob <harv...@gmail.com> wrote:
>> I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.
>>
>> But my nsupdate results in this in the daemon log:
>>
>> May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN: sending notifies (serial 1399928642)
>> May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
>> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.
>> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing to key table
>>
>> It almost works.
>>
>> On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria <lo...@lgs.com.ve> wrote:
>>> On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
>>>> I have many dozens of TSIG keys declared in our current bind. There are hundreds of records that have been granted to those keys. All of this predates me and I do not know who has these keys. The scope of trying to work with the owners of these keys to convert their processes to use kerberos would be a large effort. It was my hope to use IPA / IDM to provide multi master DNS, with each server being a SOA. But this becomes a lot less desirable as a solution if I have to track down our key holders.
>>>
>>> You can keep using your TSIG keys with IPA if that is what you're looking for. Just declare your TSIG keys in your IPA dns "update-policy" just as you would do with plain bind:
>>>
>>>     ipa dnszone-mod example.com --update-policy="grant key1. subdomain a.example.com.; grant key2. name b.example.com.;"
>>>
>>> Also in IPA every DNS presents a different SOA, each with the name of the server being queried, so it can be used as a true multimaster DNS solution.
>>>
>>> Hope this helps
>>>
>>>> On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal <d...@redhat.com> wrote:
>>>>> On 05/13/2014 09:59 AM, Bob wrote:
>>>>>> Is there any way to do an nsupdate of DNS records in an IPA server using a TSIG key without having a kerberos ticket?
>>>>>>
>>>>>> We were going to swap out bind in favor of IPA, but we need to be able to do nsupdates.
>>>>>
>>>>> If you are using IPA you can give your clients keytabs. It is all automatic with RHEL, Fedora, Centos for the last 5 years. Enroll your clients using ipa-client-install. If you have other operating systems some exploration would be required but it should be doable too.
>>>>>
>>>>>> On Mon, May 12, 2014 at 10:11 AM, Bob <harv...@gmail.com> wrote:
>>>>>>> We use nsupdate to move the location of some of our services around. For instance there might be two servers that exchange roles, like serv.east.abc.com and serv.west.abc.com and we will have a service name like wiki.abc.com. The owner of the application has been given an nsupdate key that allows them to update and delete on the wiki.abc.com and have that record contain either an "A" record for one or the other of the two servers.
>>>>>>>
>>>>>>> I am very concerned that there might come a time when the SOA primary master server for this dynamic domain might be down when the application owner needs to do their nsupdate.
>>>>>>>
>>>>>>> One observation that we see is that Windows AD and DNS make every AD DNS server an SOA for any domain that it serves. That any dynamic DNS update can be serviced by any Domain controller and that this update is replicated with LDAP to the other DCs.
>>>>>>>
>>>>>>> It was our hope that we could use IPA for our DNS servers for this dynamic domain. That we would have multiple forward statements from our main DNS servers to the IPA DNS servers and that any IPA server would be the SOA. This way the nsupdate would be processed by any available IPA server in the event that one or more of these IPA DNS servers would be down or unreachable.
>>>>>>>
>>>>>>> Is there a way to make each IPA system a SOA for the same domain and still have the DNS records replicate between them?
>>>>>>>
>>>>>>> thanks,
>>>>>>>
>>>>>>> Bob Harvey
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Freeipa-users mailing list
>>>>>>> Freeipa-users@redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager IdM portfolio
>>>>> Red Hat, Inc.

--
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10   sip:1...@lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
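The BADKEY in the named log lines quoted in this thread is named saying it found no key with that name and algorithm at all, which is a different failure from a key it knows but whose secret does not match. What follows is an added example, not code from the thread, from FreeIPA or from BIND: a small pure-Python TSIG (RFC 2845) signer and verifier, run over the same UPDATE that Bob's script sends, returning the status named would log when the key stanza is present, absent, declared with a different algorithm, or declared with a different secret. It assumes a constructed secret, hmac-sha256 rather than the hmac-md5 used in the thread, uncompressed names, and a fixed timestamp; nothing in it talks to a real server.

```python
"""Added example: a toy TSIG (RFC 2845) signer and verifier for a DNS UPDATE.
Not FreeIPA or BIND code. Shows why named logs BADKEY versus BADSIG, so that
"named does not know this key" can be told apart from "wrong secret".
Names are never compressed, which a real nsupdate message would do."""
import hashlib
import hmac
import struct
import time

# Algorithm names as carried on the wire (RFC 2845 / RFC 4635).
ALGORITHMS = {"hmac-md5.sig-alg.reg.int.": hashlib.md5, "hmac-sha256.": hashlib.sha256}
TSIG_TYPE, CLASS_ANY = 250, 255
# Constructed secret for this example only; named.conf stores secrets base64-encoded.
SECRET = b"constructed-example-secret"


def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a dotted name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def read_name(buf, off):
    """Decode an uncompressed wire name; returns (dotted name, next offset)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_update(zone, owner, ttl, rtype, target, msg_id=0x1234):
    """Minimal RFC 2136 UPDATE: zone section plus one 'add RR' whose rdata is a name (CNAME)."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode UPDATE, ZOCOUNT=1, UPCOUNT=1
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)    # ZTYPE SOA, ZCLASS IN
    rdata = wire_name(target)
    update = wire_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + zone_section + update


def tsig_variables(key_name, alg, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 2845 section 3.4.2), in order."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(alg)
            + struct.pack("!Q", time_signed)[2:] + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, key_name, alg, secret, time_signed=None, fudge=300):
    """Client side (what nsupdate -y does): MAC the message and append a TSIG RR."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, msg + tsig_variables(key_name, alg, time_signed, fudge), ALGORITHMS[alg]).digest()
    rdata = (wire_name(alg) + struct.pack("!Q", time_signed)[2:] + struct.pack("!HH", fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))           # original ID, error 0, other len 0
    tsig_rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr


def _skip(buf, off, count, rr):
    """Advance past `count` questions (rr=False) or resource records (rr=True)."""
    for _ in range(count):
        _, off = read_name(buf, off)
        off += (10 + struct.unpack("!H", buf[off + 8:off + 10])[0]) if rr else 4
    return off


def tsig_verify(signed, key_table, now=None):
    """Server side: the TSIG status named would log. key_table maps key name
    (lowercase, trailing dot) -> (algorithm, secret): the key {} stanzas named knows."""
    now = int(time.time()) if now is None else now
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    tsig_start = _skip(signed, _skip(signed, 12, qd, False), an + ns + ar - 1, True)
    key_name, off = read_name(signed, tsig_start)
    rtype = struct.unpack("!H", signed[off:off + 2])[0]
    off += 10
    if rtype != TSIG_TYPE:
        return "FORMERR"
    alg, off = read_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    entry = key_table.get(key_name)
    if entry is None or entry[0] != alg:        # name or algorithm unknown to the server -> BADKEY
        return "BADKEY"
    # Rebuild the message as it was before the TSIG RR was appended: original ID, ARCOUNT-1, no TSIG.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = hmac.new(entry[1], unsigned + tsig_variables(key_name, alg, time_signed, fudge, error, other),
                        ALGORITHMS[alg]).digest()
    if not hmac.compare_digest(mac, expected):  # key known, secret or message differs -> BADSIG
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"


def demo():
    """The thread's CNAME update, signed as bob-key, checked against several named key tables."""
    alg, now = "hmac-sha256.", 1400000000
    msg = build_update("vh1.vzwnet.com.", "test.vh1.vzwnet.com.", 90, 5, "txslxngda5.nss.vzwnet.com.")
    signed = tsig_sign(msg, "bob-key.", alg, SECRET, time_signed=now)
    return {
        "key stanza in named.conf": tsig_verify(signed, {"bob-key.": (alg, SECRET)}, now),
        "no key stanza at all": tsig_verify(signed, {}, now),
        "stanza declares hmac-md5 instead": tsig_verify(signed, {"bob-key.": ("hmac-md5.sig-alg.reg.int.", SECRET)}, now),
        "stanza has a different secret": tsig_verify(signed, {"bob-key.": (alg, b"typo")}, now),
        "clock skew beyond fudge": tsig_verify(signed, {"bob-key.": (alg, SECRET)}, now + 3600),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:34s} -> {status}")
```

The grant in `--update-policy` is only consulted after the signature has verified, so a grant for a key that has no `key {}` stanza can only ever produce BADKEY. The same BADKEY appears when the name matches but the algorithm does not: nsupdate's `-y keyname:secret` form without an algorithm prefix is treated as hmac-md5, so a stanza declared with `algorithm hmac-sha256;` needs `-y hmac-sha256:bob-key:...` on the client. A BADSIG instead points at a mistyped secret (or a message altered in transit), and BADTIME at clock skew larger than the fudge. Whatever the algorithm, the file holding the secret should be readable only by the named user, as the reply above suggests.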