Re: [Freeipa-users] DNS SOA Records

2014-05-19 Thread Loris Santamaria
On Tue, 13-05-2014 at 14:12 -0400, Bob wrote:
> I ran 
> 
> ipa dnszone-mod vh1.vzwnet.com  --update-policy="grant bob-key name
> test.vh1.vzwnet.com.;"
> 
> 
> I then execute the nsupdate:
> 
> [root@nj51rhidms16v ~]# ./bobtest.sh
> ; TSIG error with server: tsig indicates error
> update failed: NOTAUTH(BADKEY)
> 
> 
> [root@nj51rhidms16v ~]# cat ./bobtest.sh
> #!/bin/ksh
> #
> keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
> print "update add test.vh1.vzwnet.com 90 CNAME
> txslxngda5.nss.vzwnet.com\n"|nsupdate -y $keyfile

Did you add the key to the bind configuration? As with plain bind
configurations, named has to know the key to verify the transaction's
signature. I usually put the keys in a file only readable by named and
include this file from named.conf:

In /etc/named.conf

include "/etc/named/bob-key.conf";

and in /etc/named/bob-key.conf:

key bob-key {
algorithm hmac-md5;
secret "hkVEYuIRUG.";
};



> [root@nj51rhidms16v log]# tail daemon
> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error
> processing keytab file [default]: Principal
> [host/nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com] was not found.
> Unable to create GSSAPI-encrypted LDAP connection.
> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing
> to key table
> May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running
> program /usr/sbin/rhn_check
> May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running
> program /usr/sbin/rhn_check
> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error
> processing keytab file [default]: Principal
> [host/nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com] was not found.
> Unable to create GSSAPI-encrypted LDAP connection.
> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing
> to key table
> May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running
> program /usr/sbin/rhn_check
> May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739:
> request has invalid signature: TSIG bob-key: tsig verify failure
> (BADKEY)
> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error
> processing keytab file [default]: Principal
> [host/nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com] was not found.
> Unable to create GSSAPI-encrypted LDAP connection.
> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error writing
> to key table
> 
> 
> 
> 
> 
> 
> 
> On Tue, May 13, 2014 at 2:04 PM, Bob wrote:
> 
> I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI. 
> 
> 
> But my nsupdate results in this in the daemon log:
> 
> 
> 
> 
> May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN: sending notifies (serial 1399928642)
> May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing to key table
> 
> 
> 
> It almost works. 
> 
> 
> On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria wrote:
> 
> On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
> > I have many dozens of TSIG keys declared in our current bind. There
> > are hundreds of records that have been granted to those keys. All of
> > this predates me and I do not know who has these keys. The scope of
> > trying to work with the owners of these keys to convert their
> > processes to use kerberos would be a large effort. It was my hope
> > to use IPA / IDM to provide multi master DNS, with each server being a
> > SOA. But this becomes a lot less desirable as a solution if I have to
> > track down our key holders.
> 
> 
> You can keep using your TSIG keys with IPA if that is what you're
> looking for. Just declare your TSIG keys in your IPA dns "update-policy"
> just as you would do with plain bind:
> 
> ipa dnszone-mod example.com --update-policy="grant key1. subdomain
> a.example.com.; grant key2. name b.example.com.;"
> 
> Also in IPA every DNS presents a different SOA, each with the name of
> the server

Re: [Freeipa-users] DNS SOA Records

2014-05-15 Thread Jakub Hrozek
On Wed, May 14, 2014 at 10:57:04AM +0200, Petr Spacek wrote:
> On 13.5.2014 21:32, Dmitri Pal wrote:
> >On 05/13/2014 02:12 PM, Bob wrote:
> >>I ran
> >>
> >>ipa dnszone-mod vh1.vzwnet.com 
> >>--update-policy="grant bob-key name test.vh1.vzwnet.com.;"
> >>
> >>I then execute the nsupdate:
> >>
> >>[root@nj51rhidms16v ~]# ./bobtest.sh
> >>; TSIG error with server: tsig indicates error
> >>update failed: NOTAUTH(BADKEY)
> >>
> >>
> >>[root@nj51rhidms16v ~]# cat ./bobtest.sh
> >>#!/bin/ksh
> >>#
> >>keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
> >>print "update add test.vh1.vzwnet.com  90 CNAME
> >>txslxngda5.nss.vzwnet.com \n"|nsupdate -y
> >>$keyfile
> >>
> >>[root@nj51rhidms16v log]# tail daemon
> >>May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing
> >>keytab file [default]: Principal
> >>[host/nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com
> >>] was not found.
> >>Unable to create GSSAPI-encrypted LDAP connection.
> >>May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to
> >>key table
> >>May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program 
> >>/usr/sbin/rhn_check
> >>May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program 
> >>/usr/sbin/rhn_check
> >>May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing
> >>keytab file [default]: Principal
> >>[host/nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com
> >>] was not found.
> >>Unable to create GSSAPI-encrypted LDAP connection.
> >>May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to
> >>key table
> >>May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program 
> >>/usr/sbin/rhn_check
> >>May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739:
> All errors above are irrelevant to nsupdate. It points to a problem
> with SSSD configuration but this should not affect nsupdate with
> TSIG at all.

Hi,

sorry to come late to the thread, I'm catching up on freeipa-users. I
agree with Petr that this is a generic failure related to a wrong
keytab.

Does "klist -k" list the keys you would expect to have in the keytab?

Does "kinit -k" allow you to kinit using the keytab?

I would expect one or both of them to fail, in which case you should
either re-enroll the client or just fetch a new keytab using
ipa-getkeytab.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] DNS SOA Records

2014-05-14 Thread Petr Spacek

On 13.5.2014 21:32, Dmitri Pal wrote:

On 05/13/2014 02:12 PM, Bob wrote:

I ran

ipa dnszone-mod vh1.vzwnet.com 
--update-policy="grant bob-key name test.vh1.vzwnet.com.;"

I then execute the nsupdate:

[root@nj51rhidms16v ~]# ./bobtest.sh
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)


[root@nj51rhidms16v ~]# cat ./bobtest.sh
#!/bin/ksh
#
keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
print "update add test.vh1.vzwnet.com 90 CNAME txslxngda5.nss.vzwnet.com\n"|nsupdate -y $keyfile

[root@nj51rhidms16v log]# tail daemon
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing
keytab file [default]: Principal
[host/nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com
] was not found.
Unable to create GSSAPI-encrypted LDAP connection.
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to
key table
May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check
May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing
keytab file [default]: Principal
[host/nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com
] was not found.
Unable to create GSSAPI-encrypted LDAP connection.
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to
key table
May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check
May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739:
All errors above are irrelevant to nsupdate. It points to a problem with SSSD 
configuration but this should not affect nsupdate with TSIG at all.



request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing

My best guess is that you have modified update-policy to reference key 
"bob-key" but the key is not defined in named.conf.


Unfortunately, IPA doesn't support TSIG keys in LDAP. You have to define all 
keys on all servers in named.conf manually:


Add something like:

key "bob-key" {
  algorithm hmac-md5;
  secret "";
};

and restart named.

Then it should work.

If you want to see support for TSIG keys in LDAP then please open a FreeIPA 
ticket:

https://fedorahosted.org/freeipa/newticket

To speed things up, please describe your use case (in detail) and propose user 
interface.



Also, please note that hmac-md5 is not "the most secure algorithm in the 
world". GSS-TSIG should be more secure. I would recommend you to gradually 
migrate from TSIG to GSS-TSIG.


Have a nice day!

--
Petr^2 Spacek

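Loris's and Petr's replies come down to the same check: named must have a `key` stanza whose name, algorithm and secret match what the client passes to `nsupdate -y`, and Dmitri asks later in the thread to validate the key on both sides. The script below is an added example for doing that comparison offline; it is not code from the thread, from FreeIPA or from BIND. The key file path, key name and secrets it uses are constructed placeholders, and the parser assumes the stanza layout shown in the replies (`key "name" { algorithm ...; secret "..."; };`).

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or BIND): compare the TSIG key a
# client hands to `nsupdate -y` with the `key` stanza named loads, so that a
# BADKEY/BADSIG can be explained before touching the server. All paths, key
# names and secrets below are constructed placeholders.

# Print "name algorithm secret" from a BIND key stanza file such as
#   key "bob-key" { algorithm hmac-md5; secret "..."; };
# Returns 1 when any of the three parts is missing.
tsig_stanza_parse() {
    tr '\n' ' ' < "$1" | awk '{
        for (i = 1; i < NF; i++) {
            if ($i == "key")       { n = $(i+1); gsub(/["{]/, "", n) }
            if ($i == "algorithm") { a = $(i+1); gsub(/;/,   "", a) }
            if ($i == "secret")    { s = $(i+1); gsub(/[";]/, "", s) }
        }
        if (n == "" || a == "" || s == "") exit 1
        print n, a, s
    }'
}

# Print "name algorithm secret" from an nsupdate -y argument. Its form is
# [algorithm:]name:secret and nsupdate defaults to hmac-md5 when the
# algorithm part is omitted (which is what the script in the thread does).
tsig_yarg_parse() {
    case "$1" in
        *:*:*) alg=${1%%:*}; rest=${1#*:}; name=${rest%%:*}; secret=${rest#*:} ;;
        *:*)   alg=hmac-md5; name=${1%%:*}; secret=${1#*:} ;;
        *)     return 1 ;;
    esac
    printf '%s %s %s\n' "$name" "$alg" "$secret"
}

# tsig_check STANZA_FILE YARG: prints a verdict, returns 0 only on a full match.
# A name the server does not know is what named reports as BADKEY (RFC 2845
# error 17); a known name with a different secret fails as BADSIG (16).
tsig_check() {
    srv=$(tsig_stanza_parse "$1") || { echo "no usable key stanza in $1"; return 2; }
    cli=$(tsig_yarg_parse "$2")   || { echo "unparseable -y argument";   return 2; }
    set -- $srv $cli     # $1-$3 server name/alg/secret, $4-$6 client side
    if [ "$1" != "$4" ]; then
        echo "BADKEY: server knows key '$1', client signs as '$4'"; return 1
    elif [ "$2" != "$5" ]; then
        echo "algorithm mismatch: server $2, client $5"; return 1
    elif [ "$3" != "$6" ]; then
        echo "BADSIG: secret differs for key '$1'"; return 1
    fi
    echo "match: $1 ($2)"
}

# Petr's point about hmac-md5: treat only the SHA-2 HMACs BIND accepts as strong.
tsig_alg_is_strong() {
    case "$1" in
        hmac-sha256|hmac-sha384|hmac-sha512) return 0 ;;
        *) return 1 ;;
    esac
}

# Loris keeps the stanza in a file only named can read; true when "other"
# has any access bit set (ls -l columns 8-10), which would expose the secret.
keyfile_world_accessible() {
    [ "$(ls -ld "$1" | cut -c8-10)" != "---" ]
}

# Constructed demonstration: one good client, one wrong secret, one unknown key.
demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
key "bob-key" {
    algorithm hmac-md5;
    secret "c2VjcmV0LWZvci1kZW1vLW9ubHk=";
};
EOF
    chmod 600 "$f"
    tsig_check "$f" 'bob-key:c2VjcmV0LWZvci1kZW1vLW9ubHk='   || :   # match
    tsig_check "$f" 'bob-key:d3JvbmctZGVtby1zZWNyZXQ='       || :   # BADSIG
    tsig_check "$f" 'other-key:c2VjcmV0LWZvci1kZW1vLW9ubHk=' || :   # BADKEY
    keyfile_world_accessible "$f" && echo "warning: $f is readable by others"
    tsig_alg_is_strong hmac-md5 || echo "warning: hmac-md5; prefer hmac-sha256 or GSS-TSIG"
    rm -f "$f"
}
demo
```

Run it against the real include file and the exact `-y` string the client uses; a `BADKEY` verdict is the case Petr describes (no stanza with that name on that server, so remember every server in the topology), while `BADSIG` means the stanza exists but the secret or algorithm differs.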


Re: [Freeipa-users] DNS SOA Records

2014-05-13 Thread Dmitri Pal

On 05/13/2014 02:12 PM, Bob wrote:

I ran

ipa dnszone-mod vh1.vzwnet.com  
--update-policy="grant bob-key name test.vh1.vzwnet.com.;"


I then execute the nsupdate:

[root@nj51rhidms16v ~]# ./bobtest.sh
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)


[root@nj51rhidms16v ~]# cat ./bobtest.sh
#!/bin/ksh
#
keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
print "update add test.vh1.vzwnet.com 90 CNAME txslxngda5.nss.vzwnet.com\n"|nsupdate -y $keyfile


[root@nj51rhidms16v log]# tail daemon
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to key table
May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check
May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to key table
May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check
May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error writing to key table






Several things:
The sssd failures indicate that you might have installed and configured 
SSSD via ipa-client and then wiped out the keytab, probably to emulate 
nsupdate without a keytab.
I am not sure it is relevant but I suggest that you try nsupdate from an 
unenrolled machine. If the machine is enrolled the nsupdate would work 
anyway, so you need to deal with the situation where you are running 
nsupdate from a machine that does not have ipa-client configured, so 
trying on a clean system would be better.


Can you validate that the key is actually correct on both sides?





On Tue, May 13, 2014 at 2:04 PM, Bob wrote:

I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.

But my nsupdate results in this in the daemon log:

May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN: sending notifies (serial 1399928642)
May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing to key table

It almost works.

On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria wrote:

On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
> I have many dozens of TSIG keys declared in our current bind. There
> are hundreds of records that have been granted to those keys. All of
> this predates me and I do not know who has these keys. The scope of
> trying to work with the owners of these keys to convert their
> processes to use kerberos would be a large effort. It was my hope
> to use IPA / IDM to provide multi master DNS, with each server being a
> SOA. But this becomes a lot less desirable as a solution if I have to
> track down our key holders.

You can keep using your TSIG keys with IPA if that is what you're
looking for. Just declare your TSIG keys in your IPA dns "update-policy"
just as you would do with plain bind:

ipa dnszone-mod example.com --update-policy="grant key1. subdomain
a.example.com.; grant key2. name b.example.com.;"

Also in IPA every DNS presents a different SOA, each with the name of
the server being queried, so it can be used as a true
 

Re: [Freeipa-users] DNS SOA Records

2014-05-13 Thread Bob
I ran

ipa dnszone-mod vh1.vzwnet.com  --update-policy="grant bob-key name
test.vh1.vzwnet.com.;"

I then execute the nsupdate:

[root@nj51rhidms16v ~]# ./bobtest.sh
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)


[root@nj51rhidms16v ~]# cat ./bobtest.sh
#!/bin/ksh
#
keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
print "update add test.vh1.vzwnet.com 90 CNAME txslxngda5.nss.vzwnet.com\n"|nsupdate -y $keyfile

[root@nj51rhidms16v log]# tail daemon
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing
keytab file [default]: Principal [host/
nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com] was not found. Unable to
create GSSAPI-encrypted LDAP connection.
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to
key table
May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program
/usr/sbin/rhn_check
May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program
/usr/sbin/rhn_check
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing
keytab file [default]: Principal [host/
nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com] was not found. Unable to
create GSSAPI-encrypted LDAP connection.
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to
key table
May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program
/usr/sbin/rhn_check
May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739:
request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing
keytab file [default]: Principal [host/
nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com] was not found. Unable to
create GSSAPI-encrypted LDAP connection.
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error writing to
key table






On Tue, May 13, 2014 at 2:04 PM, Bob wrote:

>
> I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.
>
> But my nsupdate results in this in the daemon log:
>
>
>
> May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN: sending 
> notifies (serial 1399928642)
> May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576: 
> request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing 
> keytab file [default]: Principal 
> [host/nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com] was not found. Unable 
> to create GSSAPI-encrypted LDAP connection.
> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing to key 
> table
>
>
> It almost works.
>
>
>
> On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria wrote:
>
>> On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
>> > I have many dozens of TSIG keys declared in our current bind. There
>> > are hundreds of records that have been granted to those keys. All of
>> > this predates me and I do not know who has these keys. The scope of
>> > trying to work with the owners of these keys to convert their
>> > processes to use kerberos would be a large effort. It was my hope
>> > to use IPA / IDM to provide multi master DNS, with each server being a
>> > SOA. But this becomes a lot less desirable as a solution if I have to
>> > track down our key holders.
>>
>> You can keep using your TSIG keys with IPA if that is what you're
>> looking for. Just declare your TSIG keys in your IPA dns "update-policy"
>> just as you would do with plain bind:
>>
>> ipa dnszone-mod example.com --update-policy="grant key1. subdomain
>> a.example.com.; grant key2. name b.example.com.;"
>>
>> Also in IPA every DNS presents a different SOA, each with the name of
>> the server being queried, so it can be used as a true multimaster DNS
>> solution.
>>
>> Hope this helps
>>
>>
>>
>> > On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal wrote:
>> > On 05/13/2014 09:59 AM, Bob wrote:
>> >
>> > > Is there any way to do an nsupdate of DNS records in an IPA
>> > > server using a TSIG key without having a kerberos ticket?
>> > >
>> > >
>> > > We were going to swap out bind in favor of IPA, but we need
>> > > to be able to do nsupdates.
>> > >
>> > >
>> > >
>> >
>> >
>> > If you are using IPA you can give your clients keytabs.
>> > It is all automatic with RHEL, Fedora, Centos for last 5
>> > years. Enroll your clients using ipa-client-install.
>> > If you have other operating systems some exploration would be
>> > required but it should be doable too.
>> >
>> > >
>> > > On Mon, May 12, 2014 at 10:11 AM, Bob wrote:
>> > > We use nsupdate to move the location of some of
>> > > our services around. For instance there might be two
>> > > servers that exchange roles, like serv.east.abc.com
>> > > and serv.west.abc.com and we will have a service
>> > > name like wiki.abc.co

Re: [Freeipa-users] DNS SOA Records

2014-05-13 Thread Bob
I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.

But my nsupdate results in this in the daemon log:


May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN:
sending notifies (serial 1399928642)
May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576:
request has invalid signature: TSIG bob-key: tsig verify failure
(BADKEY)
May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error
processing keytab file [default]: Principal
[host/nj51rhidms16v.nss.vzwnet@ipa.nss.vzwnet.com] was not found.
Unable to create GSSAPI-encrypted LDAP connection.
May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing
to key table


It almost works.



On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria wrote:

> On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
> > I have many dozens of TSIG keys declared in our current bind. There
> > are hundreds of records that have been granted to those keys. All of
> > this predates me and I do not know who has these keys. The scope of
> > trying to work with the owners of these keys to convert their
> > processes to use kerberos would be a large effort. It was my hope
> > to use IPA / IDM to provide multi master DNS, with each server being a
> > SOA. But this becomes a lot less desirable as a solution if I have to
> > track down our key holders.
>
> You can keep using your TSIG keys with IPA if that is what you're
> looking for. Just declare your TSIG keys in your IPA dns "update-policy"
> just as you would do with plain bind:
>
> ipa dnszone-mod example.com --update-policy="grant key1. subdomain
> a.example.com.; grant key2. name b.example.com.;"
>
> Also in IPA every DNS presents a different SOA, each with the name of
> the server being queried, so it can be used as a true multimaster DNS
> solution.
>
> Hope this helps
>
>
>
> > On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal wrote:
> > On 05/13/2014 09:59 AM, Bob wrote:
> >
> > > Is there any way to do an nsupdate of DNS records in an IPA
> > > server using a TSIG key without having a kerberos ticket?
> > >
> > >
> > > We were going to swap out bind in favor of IPA, but we need
> > > to be able to do nsupdates.
> > >
> > >
> > >
> >
> >
> > If you are using IPA you can give your clients keytabs.
> > It is all automatic with RHEL, Fedora, Centos for last 5
> > years. Enroll your clients using ipa-client-install.
> > If you have other operating systems some exploration would be
> > required but it should be doable too.
> >
> > >
> > > On Mon, May 12, 2014 at 10:11 AM, Bob wrote:
> > > We use nsupdate to move the location of some of
> > > our services around. For instance there might be two
> > > servers that exchange roles, like serv.east.abc.com
> > > and serv.west.abc.com and we will have a service
> > > name like wiki.abc.com. The owner of the application
> > > has been given an nsupdate key that allows them to
> > > update and delete on the wiki.abc.com and have
> > > that record contain either an "A" record for one or
> > > the other of the two servers.
> > >
> > >
> > > I am very concerned that there might come a time
> > > when the SOA primary master server for this dynamic
> > > domain might be down when the application owner
> > > needs to do their nsupdate.
> > >
> > >
> > > One observation that we see is that Windows AD and
> > > DNS make every AD DNS server an SOA for any domain
> > > that it serves. That any dynamic DNS update can be
> > > serviced by any Domain controller and that this
> > > update is replicated with LDAP to the other DCs.
> > >
> > >
> > > It was our hope that we could use IPA for our DNS
> > > servers for this dynamic domain. That we would have
> > > multiple forward statements from our main DNS
> > > servers to the IPA DNS servers and that any IPA
> > > server would be the SOA. This way the nsupdate would
> > > be processed by any available IPA server in the
> > > event that one or more of these IPA DNS servers
> > > would be down or unreachable.
> > >
> > >
> > > Is there a way to make each IPA system a SOA for the
> > > same domain and still have the DNS records replicate
> > > between them?
> > >
> > >
> > > thanks,
> > >
> > >
> > > Bob Harvey
> > >
> > >
> > >
> > 

Re: [Freeipa-users] DNS SOA Records

2014-05-13 Thread Loris Santamaria
On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
> I have many dozens of TSIG keys declared in our current bind. There
> are hundreds of records that have been granted to those keys. All of
> this predates me and I do not know who has these keys. The scope of
> trying to work with the owners of these keys to convert their
> processes to use kerberos would be a large effort. It was my hope
> to use IPA / IDM to provide multi master DNS, with each server being a
> SOA. But this becomes a lot less desirable as a solution if I have to
> track down our key holders.

You can keep using your TSIG keys with IPA if that is what you're
looking for. Just declare your TSIG keys in your IPA dns "update-policy"
just as you would do with plain bind:

ipa dnszone-mod example.com --update-policy="grant key1. subdomain
a.example.com.; grant key2. name b.example.com.;"

Also in IPA every DNS presents a different SOA, each with the name of
the server being queried, so it can be used as a true multimaster DNS
solution.

Hope this helps



> On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal wrote:
> On 05/13/2014 09:59 AM, Bob wrote:
> 
> > Is there any way to do an nsupdate of DNS records in an IPA
> > server using a TSIG key without having a kerberos ticket?
> > 
> > 
> > We were going to swap out bind in favor of IPA, but we need
> > to be able to do nsupdates.
> > 
> > 
> > 
> 
> 
> If you are using IPA you can give your clients keytabs.
> It is all automatic with RHEL, Fedora, Centos for last 5
> years. Enroll your clients using ipa-client-install.
> If you have other operating systems some exploration would be
> required but it should be doable too.
> 
> > 
> > On Mon, May 12, 2014 at 10:11 AM, Bob wrote:
> > We use nsupdate to move the location of some of
> > our services around. For instance there might be two
> > servers that exchange roles, like serv.east.abc.com
> > and serv.west.abc.com and we will have a service
> > name like wiki.abc.com. The owner of the application
> > has been given an nsupdate key that allows them to
> > update and delete on the wiki.abc.com and have
> > that record contain either an "A" record for one or
> > the other of the two servers. 
> > 
> > 
> > I am very concerned that there might come a time
> > when the SOA primary master server for this dynamic
> > domain might be down when the application owner
> > needs to do their nsupdate.  
> > 
> > 
> > One observation that we see is that Windows AD and
> > DNS make every AD DNS server an SOA for any domain
> > that it serves. That any dynamic DNS update can be
> > serviced by any Domain controller and that this
> > update is replicated with LDAP to the other DCs.
> > 
> > 
> > It was our hope that we could use IPA for our DNS
> > servers for this dynamic domain. That we would have
> > multiple forward statements from our main DNS
> > servers to the IPA DNS servers and that any IPA
> > server would be the SOA. This way the nsupdate would
> > be processed by any available IPA server in the
> > event that one or more of these IPA DNS servers
> > would be down or unreachable.
> > 
> > 
> > Is there a way to make each IPA system a SOA for the
> > same domain and still have the DNS records replicate
> > between them?
> > 
> > 
> > thanks,
> > 
> > 
> > Bob Harvey
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> 

-- 
Loris Santa
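The `grant` rules Loris shows are BIND `update-policy` rules of the form `grant <identity> <nametype> <name> [types]`, so each TSIG key's reach is fixed by the `name` (exact owner name) or `subdomain` (that name and everything below it) it is granted. The evaluator below is an added example, not code from the thread or from FreeIPA; it answers "may key K update name N?" for a policy string offline, which is a useful check before handing over a key so that it gets no wider a grant than it needs. It goes a little beyond the two rules in the reply: it also honours `deny` rules and an optional record-type list, and applies BIND's first-matching-rule semantics. Other nametypes (`self`, `wildcard`, and so on) are not handled, and the policy is assumed to use the spelling shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): evaluate a BIND-style
# update-policy string offline. Rules have the shape
#   grant|deny <identity> name|subdomain <fqdn>. [rrtype ...];
# BIND checks the rules in order and the first one that matches decides, so
# the evaluator does the same. Only the name and subdomain nametypes from
# the thread are handled; anything else never matches.

# update_policy_allows POLICY KEY NAME [RRTYPE]
# Prints "allow" or "deny" and returns 0 only for allow.
update_policy_allows() {
    verdict=$(printf '%s\n' "$1" | tr '\n' ' ' |
        awk -v key="$2" -v target="$3" -v rrtype="${4:-}" '
        function strip_dot(s) { sub(/\.$/, "", s); return s }
        # true when t is z itself or any name below z
        function under(t, z) {
            return t == z || (length(t) > length(z) &&
                              substr(t, length(t) - length(z)) == "." z)
        }
        BEGIN { key = strip_dot(key); target = strip_dot(target); verdict = "deny" }
        {
            n = split($0, rules, ";")
            for (i = 1; i <= n && !decided; i++) {
                sub(/^[ \t]+/, "", rules[i]); sub(/[ \t]+$/, "", rules[i])
                m = split(rules[i], f, "[ \t]+")
                if (f[1] != "grant" && f[1] != "deny") continue
                if (strip_dot(f[2]) != key) continue
                name = strip_dot(f[4])
                if (f[3] == "name")           hit = (target == name)
                else if (f[3] == "subdomain") hit = under(target, name)
                else                          continue
                if (!hit) continue
                # an optional record-type list narrows the rule further
                if (m > 4 && rrtype != "") {
                    typehit = 0
                    for (k = 5; k <= m; k++)
                        if (toupper(f[k]) == toupper(rrtype)) typehit = 1
                    if (!typehit) continue
                }
                decided = 1
                verdict = (f[1] == "grant") ? "allow" : "deny"
            }
        }
        END { print verdict }')
    echo "$verdict"
    [ "$verdict" = allow ]
}

# Constructed policy with the same shape as the one in the reply above.
POLICY='grant key1. subdomain a.example.com.; grant key2. name b.example.com.;'
update_policy_allows "$POLICY" key1 host.a.example.com || :   # allow
update_policy_allows "$POLICY" key2 host.b.example.com || :   # deny: "name" is exact
```

Feeding it the exact string you are about to pass to `ipa dnszone-mod --update-policy` shows which names each key can touch; a key that only needs one service name, as in Bob's wiki example, should get a `name` grant rather than a `subdomain` one.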

Re: [Freeipa-users] DNS SOA Records

2014-05-13 Thread Bob
I have many dozens of TSIG keys declared in our current bind. There are
hundreds of records that have been granted to those keys. All of this
predates me and I do not know who has these keys. The scope of trying to
work with the owners of these keys to convert their processes to use
kerberos would be a large effort. It was my hope to use IPA / IDM to
provide multi master DNS, with each server being a SOA. But this becomes a
lot less desirable as a solution if I have to track down our key holders.






On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal wrote:

>  On 05/13/2014 09:59 AM, Bob wrote:
>
>  Is there any way to do an nsupdate of DNS records in an IPA server using
> a TSIG key without having a kerberos ticket?
>
>  We were going to swap out bind in favor of IPA, but we need to be able to
> do nsupdates.
>
>
> If you are using IPA you can give your clients keytabs.
> It is all automatic with RHEL, Fedora, Centos for last 5 years. Enroll
> your clients using ipa-client-install.
> If you have other operating systems some exploration would be required but
> it should be doable too.
>
>
> On Mon, May 12, 2014 at 10:11 AM, Bob wrote:
>
>> We use nsupdate to move the location of some of our services
>> around. For instance there might be two servers that exchange roles, like
>> serv.east.abc.com and serv.west.abc.com and we will have a service name
>> like wiki.abc.com. The owner of the application has been given an
>> nsupdate key that allows them to update and delete on the
>> wiki.abc.com and have that record contain either an "A" record for one
>> or the other of the two servers.
>>
>>  I am very concerned that there might come a time when the SOA primary
>> master server for this dynamic domain might be down when the application
>> owner needs to do their nsupdate.
>>
>> One observation that we see is that Windows AD and DNS make every AD DNS
>> server an SOA for any domain that it serves. That any dynamic DNS update
>> can be serviced by any Domain controller and that this update is replicated
>> with LDAP to the other DCs.
>>
>>  It was our hope that we could use IPA for our DNS servers for this
>> dynamic domain. That we would have multiple forward statements from our
>> main DNS servers to the IPA DNS servers and that any IPA server would be
>> the SOA. This way the nsupdate would be processed by any available IPA
>> server in the event that one or more of these IPA DNS servers would be down
>> or unreachable.
>>
>>  Is there a way to make each IPA system a SOA for the same domain and
>> still have the DNS records replicate between them?
>>
>>  thanks,
>>
>>  Bob Harvey
>>
>
>
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
>

Re: [Freeipa-users] DNS SOA Records

2014-05-13 Thread Dmitri Pal

On 05/13/2014 09:59 AM, Bob wrote:
Is there any way to do an nsupdate of DNS records in an IPA server 
using a TSIG key without having a kerberos ticket?


We were going to swap out bind in favor of IPA, but we need to be able 
to do nsupdates.




If you are using IPA you can give your clients keytabs.
It is all automatic with RHEL, Fedora, Centos for last 5 years. Enroll 
your clients using ipa-client-install.
If you have other operating systems some exploration would be required 
but it should be doable too.




On Mon, May 12, 2014 at 10:11 AM, Bob wrote:


We use nsupdate to move the location of some of our services
around. For instance there might be two servers that exchange
roles, like serv.east.abc.com and
serv.west.abc.com and we will have a
service name like wiki.abc.com. The owner of
the application has been given an nsupdate key that allows them to
update and delete on the wiki.abc.com
and have that record contain either an "A" record for one or the
other of the two servers.

I am very concerned that there might come a time when the SOA
primary master server for this dynamic domain might be down when
the application owner needs to do their nsupdate.

One observation that we see is that Windows AD and DNS make every
AD DNS server an SOA for any domain that it serves. That any
dynamic DNS update can be serviced by any Domain controller and
that this update is replicated with LDAP to the other DCs.

It was our hope that we could use IPA for our DNS servers for this
dynamic domain. That we would have multiple forward statements
from our main DNS servers to the IPA DNS servers and that any IPA
server would be the SOA. This way the nsupdate would be processed
by any available IPA server in the event that one or more of these
IPA DNS servers would be down or unreachable.

Is there a way to make each IPA system a SOA for the same domain
and still have the DNS records replicate between them?

thanks,

Bob Harvey







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] DNS SOA Records

2014-05-13 Thread Bob
Is there any way to do an nsupdate of DNS records in an IPA server using a
TSIG key without having a kerberos ticket?

We were going to swap out bind in favor of IPA, but we need to be able to
do nsupdates.


On Mon, May 12, 2014 at 10:11 AM, Bob wrote:

> We use nsupdate to move the location of some of our services around.
> For instance there might be two servers that exchange roles, like
> serv.east.abc.com and serv.west.abc.com and we will have a service name
> like wiki.abc.com. The owner of the application has been given an
> nsupdate key that allows them to update and delete on the wiki.abc.com and
> have that record contain either an "A" record for one or the other of
> the two servers.
>
> I am very concerned that there might come a time when the SOA primary
> master server for this dynamic domain might be down when the application
> owner needs to do their nsupdate.
>
> One observation that we see is that Windows AD and DNS make every AD DNS
> server an SOA for any domain that it serves. That any dynamic DNS update
> can be serviced by any Domain controller and that this update is replicated
> with LDAP to the other DCs.
>
> It was our hope that we could use IPA for our DNS servers for this dynamic
> domain. That we would have multiple forward statements from our main DNS
> servers to the IPA DNS servers and that any IPA server would be the SOA.
> This way the nsupdate would be processed by any available IPA server in the
> event that one or more of these IPA DNS servers would be down or
> unreachable.
>
> Is there a way to make each IPA system a SOA for the same domain and still
> have the DNS records replicate between them?
>
> thanks,
>
> Bob Harvey
>