This short tutorial shows how to set up your name server so that clients can dynamically update their resource records, authenticating through the Kerberos realm managed by IPA (GSS-TSIG).
Introduction
Our network looks like this:
Subnet: 192.168.122.0/24
Domain: ipatest.com
Kerberos realm: IPATEST.COM
IPA server: server.ipatest.com
DNS server: dns.ipatest.com
Client: fedorads.ipatest.com
Configuring the name server
First, we have to configure BIND on our DNS server. /etc/named.conf must contain this:
options {
    ...
    tkey-gssapi-credential "DNS/dns.ipatest.com";
    tkey-domain "dns.ipatest.com";
    ...
};

zone "122.168.192.in-addr.arpa" IN {
    ...
    update-policy {
        grant IPATEST.COM krb5-subdomain 122.168.192.in-addr.arpa. PTR;
    };
    ...
};

zone "ipatest.com" {
    ...
    update-policy {
        grant IPATEST.COM krb5-self * A;
    };
    ...
};
/etc/sysconfig/named must contain the path to the Kerberos keytab, for example:
KEYTAB_FILE="/etc/krb5.keytab"
If this is missing, named will not start, and it will not give you any error message.
Next we must add the DNS service and acquire the keytab. We'll also add the host service for our client.
# kinit admin
Password for admin@IPATEST.COM:
# ipa-addservice DNS/dns.ipatest.com
# ipa-addservice host/fedorads.ipatest.com
# ipa-getkeytab -s server.ipatest.com -p DNS/dns.ipatest.com -k /etc/krb5.keytab
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Note: only ipa-getkeytab has to be executed with root privileges, and it has to run on the DNS server itself, since it writes the keytab locally.
Now we can start named and set it up to always start when booting:
# service named start
Starting named:                                            [  OK  ]
# chkconfig named on
What this configuration says: the krb5-self rule lets a principal of the form host/fqdn@IPATEST.COM change the A record of its own name, fqdn, and nothing else in ipatest.com. The krb5-subdomain rule, on the other hand, lets every principal in the IPATEST.COM realm change any PTR record under 122.168.192.in-addr.arpa. So any enrolled host can, for example, make 192.168.122.10 point to something.ipatest.com even if that is not the truth. If we only care about dynamically changing the records of clients, we can add deny clauses for the PTR records of our servers; update-policy rules are evaluated in order and the first match wins, so the deny rules have to come before the grant. By "anyone" we mean the holder of a host principal of the form host/fqdn@IPATEST.COM, which is what we will acquire in the next section. In our case this will be host/fedorads.ipatest.com@IPATEST.COM.
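The deny clauses mentioned above, written out for the reverse zone. This is an added example, not configuration from the original page or from the FreeIPA project; the page only gives the subnet, so the addresses of the gateway (.1), server.ipatest.com (.10) and dns.ipatest.com (.11) are assumptions to be replaced with your own:

```conf
zone "122.168.192.in-addr.arpa" IN {
    // other zone options unchanged
    update-policy {
        // Rules are tried in order and the first match decides, so the
        // denies for infrastructure PTR records must precede the grant.
        // Assumed addresses: .1 gateway, .10 IPA server, .11 DNS server.
        deny * name 1.122.168.192.in-addr.arpa. PTR;
        deny * name 10.122.168.192.in-addr.arpa. PTR;
        deny * name 11.122.168.192.in-addr.arpa. PTR;
        // Every principal in the realm may still change the remaining PTRs.
        grant IPATEST.COM krb5-subdomain 122.168.192.in-addr.arpa. PTR;
    };
};
```

After reloading named, check the rule from the client: an nsupdate run as host/fedorads.ipatest.com@IPATEST.COM against 10.122.168.192.in-addr.arpa. should now come back with "update failed: REFUSED", while the update of the client's own PTR record still succeeds.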
Configuring the client
We will now retrieve the keytab for the client's own host principal and use it right away with kinit:
# kinit admin
Password for admin@IPATEST.COM:
# ipa-getkeytab -s server.ipatest.com -p host/fedorads.ipatest.com -k /etc/krb5.keytab
# kinit -k -t /etc/krb5.keytab host/fedorads.ipatest.com@IPATEST.COM
Notice that no password is required: the key comes from the keytab. Now we are ready to use the nsupdate utility to update resource records. nsupdate can be used interactively with a prompt, or we can place all the commands in a file and give the file to nsupdate.
File a_update:
server dns.ipatest.com
zone ipatest.com.
prereq yxrrset fedorads.ipatest.com. IN A
update delete fedorads.ipatest.com. IN A
send
update add fedorads.ipatest.com. 86400 IN A 192.168.122.120
send
File ptr_update:
server dns.ipatest.com
zone 122.168.192.in-addr.arpa.
prereq yxrrset 120.122.168.192.in-addr.arpa. IN PTR
update delete 120.122.168.192.in-addr.arpa. IN PTR
send
update add 120.122.168.192.in-addr.arpa. 86400 IN PTR fedorads.ipatest.com.
send
Here, the "server dns.ipatest.com" command tells nsupdate which DNS server to send the update to; be aware that for lookups it still uses the default server from /etc/resolv.conf. The "prereq yxrrset" line makes the delete fail unless a record of that type already exists, and the second "send" submits the add as a separate transaction. See nsupdate(8) for more information about the other nsupdate commands.
To update our A record, we execute nsupdate like this:
nsupdate -g a_update
To update our PTR record we just replace a_update with ptr_update. The -g option tells nsupdate to sign the request with GSS-TSIG using the Kerberos ticket we just obtained; it is not documented in the man page.
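The client-side procedure above (ticket from the host keytab, A update, PTR update) collected into one script. This is an added example, not code from the original page or from FreeIPA; the server, zone, realm and keytab path follow the page, while the function names and the private credential cache under /tmp are my own assumptions. The PTR owner name and reverse zone are derived from the address rather than typed by hand, which is where hand-written ptr_update files usually go wrong.

```shell
#!/bin/sh
# ddns-update.sh: refresh this host's A and PTR records over GSS-TSIG.
# Added example; assumes the BIND update-policy from this page, a host
# keytab in /etc/krb5.keytab and the names used on the page.

DNS_SERVER="${DNS_SERVER:-dns.ipatest.com}"
FORWARD_ZONE="${FORWARD_ZONE:-ipatest.com.}"
REALM="${REALM:-IPATEST.COM}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
TTL="${TTL:-86400}"

# PTR owner name of a dotted-quad IPv4 address:
# 192.168.122.120 -> 120.122.168.192.in-addr.arpa.
ptr_name() {
    local old_ifs
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$4" "$3" "$2" "$1"
}

# Reverse zone of a /24 (the page's subnet size):
# 192.168.122.120 -> 122.168.192.in-addr.arpa.
reverse_zone() {
    local old_ifs
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%s.%s.%s.in-addr.arpa.\n' "$3" "$2" "$1"
}

# nsupdate input that replaces the A record of $1 with $2, mirroring the
# page's a_update file: "prereq yxrrset" makes the delete fail unless a
# record exists, and the add goes out as its own transaction.
a_update_script() {
    local fqdn ip
    fqdn=$1; ip=$2
    cat <<EOF
server $DNS_SERVER
zone $FORWARD_ZONE
prereq yxrrset $fqdn. IN A
update delete $fqdn. IN A
send
update add $fqdn. $TTL IN A $ip
send
EOF
}

# Same for the PTR record, with owner name and zone computed from the address.
ptr_update_script() {
    local fqdn ip owner zone
    fqdn=$1; ip=$2
    owner=$(ptr_name "$ip")
    zone=$(reverse_zone "$ip")
    cat <<EOF
server $DNS_SERVER
zone $zone
prereq yxrrset $owner IN PTR
update delete $owner IN PTR
send
update add $owner $TTL IN PTR $fqdn.
send
EOF
}

# Run both updates as this host's principal. A private credential cache
# (assumed location) keeps the host ticket from clobbering the invoking
# user's own ticket, and kdestroy removes it afterwards.
update_host_records() {
    local fqdn ip rc
    fqdn=$1; ip=$2
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_ddns.XXXXXX)"
    export KRB5CCNAME
    kinit -k -t "$KEYTAB" "host/$fqdn@$REALM" || return 1
    a_update_script "$fqdn" "$ip" | nsupdate -g || { kdestroy; return 1; }
    ptr_update_script "$fqdn" "$ip" | nsupdate -g
    rc=$?
    kdestroy
    return $rc
}

# Only touch the network when invoked as "ddns-update.sh <fqdn> <ip>";
# sourcing the file just defines the helpers.
if [ $# -eq 2 ]; then
    update_host_records "$1" "$2"
fi
```

Run it on the client as root (it needs to read /etc/krb5.keytab): ./ddns-update.sh fedorads.ipatest.com 192.168.122.120. The generated input is exactly what the a_update and ptr_update files above contain, so you can also pipe a_update_script or ptr_update_script to a file and inspect it before sending anything.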
Troubleshooting
If you have trouble with nsupdate, try the additional debugging flags, for example:
nsupdate -g -d -D -l 99 a_update
The -D and -l flags are not documented; if you have problems with Kerberos, you need the -l flag in order to get the GSS-API major and minor error messages. Keep -g on the command line, otherwise nsupdate does not attempt GSS-TSIG at all and the Kerberos code path is never exercised.