proc_configuring-dynamic-dns-update-with-gss-tsig-authentication.adoc

File metadata and controls

180 lines (153 loc) · 6.79 KB

Configuring Dynamic DNS Update with GSS-TSIG Authentication

You can configure the IdM server to accept dynamic DNS updates authenticated with the Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG), defined in RFC 3645. With GSS-TSIG, the {SmartProxy} signs each dynamic update with a Kerberos service key instead of a shared TSIG secret, so the IdM DNS server can verify which principal sent the update. To configure the IdM server to use GSS-TSIG, you must install the IdM client on the {ProductName} base operating system.

Prerequisites
  • You must ensure the IdM server is deployed and the host-based firewall is configured correctly.

  • You must contact the IdM server administrator to ensure that you obtain an account on the IdM server with permissions to create zones on the IdM server.

  • You should create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see {InstallingServerDocURL}configuring-server_{project-context}[Configuring {ProjectServer}].

Procedure

To configure dynamic DNS update with GSS-TSIG authentication, complete the following steps:

Creating a Kerberos Principal on the IdM Server
  1. Obtain a Kerberos ticket for the account obtained from the IdM administrator:

    # kinit idm_user
  2. Create a new Kerberos service principal for {ProductName} to use to authenticate on the IdM server. Use the same principal name in every later step (keytab retrieval, the zone update policy, and the {foreman-installer} options):

    # ipa service-add {smart-proxy-principal}/{foreman-example-com}

Installing and Configuring the IdM Client
  1. On the base operating system of either the {Project} or {SmartProxy} that is managing the DNS service for your deployment, install the ipa-client package:

    # {project-package-install} ipa-client
  2. Configure the IdM client by running the installation script and following the on-screen prompts:

    # ipa-client-install
  3. Obtain a Kerberos ticket:

    # kinit admin
  4. Remove any preexisting keytab:

    # rm /etc/foreman-proxy/dns.keytab
  5. Obtain the keytab for this system:

    # ipa-getkeytab -p {smart-proxy-principal}/{foreman-example-com}@EXAMPLE.COM \
    -s idm1.example.com -k /etc/foreman-proxy/dns.keytab
    Note

    When adding a keytab to a standby system with the same host name as the original system in service, add the -r option to ipa-getkeytab to retrieve the existing key instead of generating new credentials, which would render the credentials on the original system invalid.

  6. For the dns.keytab file, set the owner and group to foreman-proxy so that the {SmartProxy} process can read it. No other user needs access to this file: whoever can read it can sign updates as the principal.

    # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab
  7. Optional: To verify that the keytab file is valid, enter the following command:

    # kinit -kt /etc/foreman-proxy/dns.keytab \
    {smart-proxy-principal}/{foreman-example-com}@EXAMPLE.COM
Configuring DNS Zones in the IdM web UI
  1. Create and configure the zone that you want to manage:

    1. Navigate to Network Services > DNS > DNS Zones.

    2. Select Add and enter the zone name. For example, example.com.

    3. Click Add and Edit.

    4. Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:

      grant {smart-proxy-principal}\047{foreman-example-com}@EXAMPLE.COM wildcard * ANY;

      The grantee is parsed as a DNS name, so the slash in the service principal is written as \047, the decimal escape for "/" in DNS master-file syntax. This grant allows the principal to add and remove any record in the zone, which is why the keytab that holds its key must stay readable only by foreman-proxy.
    5. Set Dynamic update to True.

    6. Enable Allow PTR sync.

    7. Click Save to save the changes.

  2. Create and configure the reverse zone:

    1. Navigate to Network Services > DNS > DNS Zones.

    2. Click Add.

    3. Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.

    4. Click Add and Edit.

    5. Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:

      grant {smart-proxy-principal}\047{foreman-example-com}@EXAMPLE.COM wildcard * ANY;
    6. Set Dynamic update to True.

    7. Click Save to save the changes.

Configuring the {Project} or {SmartProxyServerTitle} that Manages the DNS Service for the Domain
  1. Use the {foreman-installer} command to configure the {Project} or {SmartProxy} that manages the DNS Service for the domain:

    • On {Project}, enter the following command:

      # {installer-scenario} \
      --foreman-proxy-dns-managed=false \
      --foreman-proxy-dns-provider=nsupdate_gss \
      --foreman-proxy-dns-server="idm1.example.com" \
      --foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
      --foreman-proxy-dns-tsig-principal="{smart-proxy-principal}/{foreman-example-com}@EXAMPLE.COM" \
      --foreman-proxy-dns=true
    • On {SmartProxy}, enter the following command:

      # {installer-scenario-smartproxy} \
      --foreman-proxy-dns-managed=false \
      --foreman-proxy-dns-provider=nsupdate_gss \
      --foreman-proxy-dns-server="idm1.example.com" \
      --foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
      --foreman-proxy-dns-tsig-principal="{smart-proxy-principal}/{foreman-example-com}@EXAMPLE.COM" \
      --foreman-proxy-dns=true

After you run the {foreman-installer} command to make any changes to your {SmartProxy} configuration, you must update the configuration of each affected {SmartProxy} in the {ProjectWebUI}.
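The following script is an added example, not part of the {Project} documentation or of the project's own code. It verifies the command-line part of the procedure above on the {SmartProxy}: the keytab ownership and mode, the presence of the service principal in the keytab, the exact form of the update-policy grant (including the \047 escape), and finally a round-trip GSS-TSIG update with nsupdate -g that adds and then removes a test A record. The keytab path, the principal capsule/foreman.example.com@EXAMPLE.COM, the server idm1.example.com, the zone example.com, the test name _gss-tsig-check.example.com and the address 192.0.2.10 are assumed values; set the matching environment variables to override them.

```shell
#!/bin/sh
# Added example (not from the Foreman/Satellite docs or code): checks for
# the GSS-TSIG dynamic DNS setup. All defaults below are assumptions.
set -u

KEYTAB="${KEYTAB:-/etc/foreman-proxy/dns.keytab}"
PRINCIPAL="${PRINCIPAL:-capsule/foreman.example.com@EXAMPLE.COM}"
DNS_SERVER="${DNS_SERVER:-idm1.example.com}"
ZONE="${ZONE:-example.com}"
TEST_NAME="${TEST_NAME:-_gss-tsig-check.example.com}"
TEST_ADDR="${TEST_ADDR:-192.0.2.10}"   # TEST-NET-1, never routed

# Render a principal as the grantee used in the IdM "BIND update policy"
# box. The grantee is parsed as a DNS name, so the "/" of a service
# principal must be written as the decimal escape \047 (RFC 1035 syntax).
policy_grant_for_principal() {
    printf 'grant %s wildcard * ANY;\n' "$(printf '%s' "$1" | sed 's#/#\\047#g')"
}

# The grant above lets the principal rewrite the whole zone, so the keytab
# must be owned by the proxy user and unreadable by group/other.
# $1 = keytab path, $2 = expected owner (user name or numeric uid).
keytab_perms_ok() {
    file=$1 want=$2
    [ -f "$file" ] || return 1
    want_uid=$(id -u "$want" 2>/dev/null) || want_uid=$want
    got_uid=$(stat -c '%u' "$file") && mode=$(stat -c '%a' "$file") || return 1
    [ "$got_uid" = "$want_uid" ] || return 1
    case $mode in 600|400) return 0 ;; *) return 1 ;; esac
}

# Build an nsupdate batch that adds a test A record and deletes it again,
# so a successful run leaves the zone unchanged.
# $1 = DNS server, $2 = zone, $3 = record name, $4 = IPv4 address.
nsupdate_batch() {
    printf 'server %s\nzone %s\nupdate add %s 300 A %s\nsend\nupdate delete %s A\nsend\n' \
        "$1" "$2" "$3" "$4" "$3"
}

# Live check, to be run as root on the Smart Proxy after the installer step:
# confirm keytab permissions and contents, get a ticket from the keytab in
# a private credential cache, and push the batch with GSS-TSIG (-g).
run_live_check() {
    keytab_perms_ok "$KEYTAB" foreman-proxy || {
        echo "keytab must be foreman-proxy-owned and mode 0600: $(stat -c '%U:%G %a' "$KEYTAB")" >&2
        return 1; }
    klist -kt "$KEYTAB" | grep -q "$PRINCIPAL" || {
        echo "principal $PRINCIPAL not found in $KEYTAB" >&2; return 1; }
    echo "expected zone policy entry: $(policy_grant_for_principal "$PRINCIPAL")"
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME   # do not clobber root's tickets
    kinit -kt "$KEYTAB" "$PRINCIPAL" || return 1
    nsupdate_batch "$DNS_SERVER" "$ZONE" "$TEST_NAME" "$TEST_ADDR" | nsupdate -g -v
    rc=$?
    kdestroy
    [ "$rc" -eq 0 ] && echo "GSS-TSIG update round-trip OK" || echo "nsupdate failed (rc=$rc)" >&2
    return "$rc"
}

# Only run the live check when invoked as: sh verify_gss_tsig.sh run
if [ "${1:-}" = "run" ]; then run_live_check; fi
```

If nsupdate reports REFUSED, compare the principal printed by klist -kt with the grantee in the zone's BIND update policy; a missing \047 escape or a realm mismatch are the usual causes. A failure at the keytab check before any network traffic means the {SmartProxy} process itself would not be able to sign updates either.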

Updating the Configuration in the {ProjectWebUI}
  1. In the {ProjectWebUI}, navigate to Infrastructure > {SmartProxies}, locate the {ProductName}, and from the list in the Actions column, select Refresh.

  2. Configure the domain:

    1. In the {ProjectWebUI}, navigate to Infrastructure > Domains and select the domain name.

    2. In the Domain tab, ensure DNS {SmartProxy} is set to the {SmartProxy} where the subnet is connected.

  3. Configure the subnet:

    1. In the {ProjectWebUI}, navigate to Infrastructure > Subnets and select the subnet name.

    2. In the Subnet tab, set IPAM to None.

    3. In the Domains tab, select the domain that you want to manage using the IdM server.

    4. In the {SmartProxies} tab, ensure Reverse DNS {SmartProxy} is set to the {SmartProxy} where the subnet is connected.

    5. Click Submit to save the changes.