From 0a49af87f108d88944a551190213d5ed468093f0 Mon Sep 17 00:00:00 2001 From: Dimitris Aragiorgis Date: Sun, 24 Aug 2014 00:02:58 +0300 Subject: [PATCH] Add kerberos authentication support for nsupdate Up until now snf-network used nsupdate with a keyfile to dynamically update DNS entries on an external nameserver (bind9). This patch adds support for authenticating against an AD controller using Kerberos. Specifically we use "k5start -H" to ensure there is a happy ticket, otherwise use a keytab containing the password to obtain a ticket automatically. Finally, we use nsupdate in GSS-TSIG mode (with -g option and with KRB5CCNAME environment variable pointing to the ticket obtained previously by k5start) to update AD-integrated DNS server. The keytab file can be added with: # ktutil -v add -V 1 -e aes256-cts -p PRINCIPAL Signed-off-by: Dimitris Aragiorgis --- common.sh | 8 +++++++- snf-network-dnshook | 19 ++++++++++++++++++- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/common.sh b/common.sh index 86bcf02..8ed33fd 100755 --- a/common.sh +++ b/common.sh @@ -372,7 +372,13 @@ send_command () { local command="$1" log "* $command" - nsupdate -k $KEYFILE > /dev/null << EOF + if [ -e "$KEYFILE" ]; then + nsupdate_command="nsupdate -k $KEYFILE" + elif [ -n "$KERBEROS_PRINCIPAL" ]; then + nsupdate_command="KR5BCCNAME=$KERBEROS_TICKET nsupdate -g" + k5start -k $KERBEROS_TICKET -u $KERBEROS_PRINCIPAL -f $KERBEROS_KEYTAB $KERBEROS_KSTART_ARGS + fi + $nsupdate_command > /dev/null << EOF server $SERVER $command send diff --git a/snf-network-dnshook b/snf-network-dnshook index a83e8c0..2a68501 100755 --- a/snf-network-dnshook +++ b/snf-network-dnshook @@ -45,10 +45,27 @@ FZONE="" KEYFILE="" MAC2EUI64="/usr/bin/mac2eui64" +# kerberos authentication settings +# Will be used with kstart and ktutil +KERBEROS_PRINCIPAL= +KERBEROS_KEYTAB=/etc/krb5.keytab +KERBEROS_KSTART_ARGS="-H 1 -l 1h" +KERBEROS_TICKET=/var/lib/snf-network/snf-network-kerberos.tkt + source /etc/default/snf-network source /usr/lib/snf-network/common.sh -if [ -z "$SERVER" -o -z "$FZONE" -o ! -e "$KEYFILE" ]; then +if [ -z "$SERVER" -o -z "$FZONE" ]; then + log "SERVER and FZONE not defined! Aborting.." + exit 0 +fi + +if [ -e "$KEYFILE" ]; then + log "Will use $KEYFILE keyfile for nsupdate." +elif [ -n "$KERBEROS_PRINCIPAL" ]; then + log "Will use $KERBEROS_PRINCIPAL kerberos principal for nsupdate." +else + log "Neither KEYFILE nor KERBEROS_PRINCIPAL defined! Aborting.." exit 0 fi -- GitLab