From 0a49af87f108d88944a551190213d5ed468093f0 Mon Sep 17 00:00:00 2001
From: Dimitris Aragiorgis <dimara@grnet.gr>
Date: Sun, 24 Aug 2014 00:02:58 +0300
Subject: [PATCH] Add kerberos authentication support for nsupdate

Up until now snf-network used nsupdate with a keyfile to
dynamically update DNS entries on an external nameserver
(bind9). This patch adds support for authenticating against an
AD controller using Kerberos.

Specifically we use "k5start -H" to ensure there is a happy ticket,
otherwise use a keytab containing the password to obtain a ticket
automatically. Finally, we use nsupdate in GSS-TSIG mode (with the -g option
and with the KRB5CCNAME environment variable pointing to the ticket
obtained previously by k5start) to update the AD-integrated DNS server.

The keytab file can be added with:

 # ktutil -v add -V 1 -e aes256-cts -p PRINCIPAL

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
---
 common.sh           |  8 +++++++-
 snf-network-dnshook | 19 ++++++++++++++++++-
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/common.sh b/common.sh
index 86bcf02..8ed33fd 100755
--- a/common.sh
+++ b/common.sh
@@ -372,7 +372,13 @@ send_command () {
 
   local command="$1"
   log "* $command"
-  nsupdate -k $KEYFILE > /dev/null << EOF
+  if [ -e "$KEYFILE" ]; then
+    nsupdate_command="nsupdate -k $KEYFILE"
+  elif [ -n "$KERBEROS_PRINCIPAL" ]; then
+    nsupdate_command="KR5BCCNAME=$KERBEROS_TICKET nsupdate -g"
+    k5start -k $KERBEROS_TICKET -u $KERBEROS_PRINCIPAL -f $KERBEROS_KEYTAB $KERBEROS_KSTART_ARGS
+  fi
+  $nsupdate_command > /dev/null << EOF
   server $SERVER
   $command
   send
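Review bot: On the `KR5BCCNAME=` line the variable name is misspelled (the commit message itself says KRB5CCNAME), and even with the correct spelling an assignment that arrives through the unquoted `$nsupdate_command` expansion is not treated as an environment prefix by the shell — bash would try to execute a command literally named `KRB5CCNAME=...`, so the GSS-TSIG path cannot work as written; `nsupdate_command="env KRB5CCNAME=$KERBEROS_TICKET nsupdate -g"` makes the prefix explicit. The k5start exit status is also not checked, so a wrong keytab or principal still lets nsupdate run against a missing or stale cache; `k5start -k "$KERBEROS_TICKET" -u "$KERBEROS_PRINCIPAL" -f "$KERBEROS_KEYTAB" $KERBEROS_KSTART_ARGS || { log "k5start failed for $KERBEROS_PRINCIPAL"; return 1; }` placed before the assignment would surface that (the args variable is left unquoted on purpose so it word-splits). `nsupdate_command` is not declared `local`, and when neither KEYFILE nor KERBEROS_PRINCIPAL is set it stays empty, so the heredoc is consumed by a bare redirection and the update is silently dropped — an `else` branch that logs and returns non-zero would make that visible to callers. send_command starts before the hunk and its heredoc ends after it.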
diff --git a/snf-network-dnshook b/snf-network-dnshook
index a83e8c0..2a68501 100755
--- a/snf-network-dnshook
+++ b/snf-network-dnshook
@@ -45,10 +45,27 @@ FZONE=""
 KEYFILE=""
 MAC2EUI64="/usr/bin/mac2eui64"
 
+# kerberos authentication settings
+# Will be used with kstart and ktutil
+KERBEROS_PRINCIPAL=
+KERBEROS_KEYTAB=/etc/krb5.keytab
+KERBEROS_KSTART_ARGS="-H 1 -l 1h"
+KERBEROS_TICKET=/var/lib/snf-network/snf-network-kerberos.tkt
+
 source /etc/default/snf-network
 source /usr/lib/snf-network/common.sh
 
-if [ -z "$SERVER" -o -z "$FZONE" -o ! -e "$KEYFILE" ]; then
+if [ -z "$SERVER" -o -z "$FZONE" ]; then
+  log "SERVER and FZONE not defined! Aborting.."
+  exit 0
+fi
+
+if [ -e "$KEYFILE" ]; then
+  log "Will use $KEYFILE keyfile for nsupdate."
+elif [ -n "$KERBEROS_PRINCIPAL" ]; then
+  log "Will use $KERBEROS_PRINCIPAL kerberos principal for nsupdate."
+else
+  log "Neither KEYFILE nor KERBEROS_PRINCIPAL defined! Aborting.."
   exit 0
 fi
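Review bot: The `KERBEROS_TICKET` default names a file under /var/lib/snf-network that, per the commit message, k5start writes the obtained ticket into, but nothing in the hunk checks that this directory exists or states what permissions the cache is expected to have; a comment on that line such as `# credential cache written by k5start; the directory must exist and be writable only by the user running the hook` and a `-d` check beside the existing KEYFILE/KERBEROS_PRINCIPAL test would document the expectation. The rewritten SERVER/FZONE condition keeps the deprecated `-o` operator inside `[ ]`; `if [ -z "$SERVER" ] || [ -z "$FZONE" ]; then` is the portable form. The comment `# Will be used with kstart and ktutil` is slightly misleading, since only k5start is invoked by the scripts and ktutil is only used to create the keytab beforehand; `# kerberos settings consumed by k5start (keytab created with ktutil, see README)` would be more accurate.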
 
-- 
GitLab