    Add kerberos authentication support for nsupdate · 0a49af87
    Dimitris Aragiorgis authored
    
    
    Up until now snf-network used nsupdate with a keyfile to
    dynamically update DNS entries on an external nameserver
    (bind9). This patch adds support for authenticating against an
    AD controller using Kerberos.
    
    Specifically, we use "k5start -H" to ensure there is a happy ticket,
    otherwise use a keytab containing the password to obtain a ticket
    automatically. Finally, we use nsupdate in GSS-TSIG mode (with the -g
    option and with the KRB5CCNAME environment variable pointing to the ticket
    obtained previously by k5start) to update the AD-integrated DNS server.
    
    The keytab file can be added with:
    
     # ktutil -v add -V 1 -e aes256-cts -p PRINCIPAL
    
    Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
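The flow the commit message describes (k5start happy-ticket check, keytab fallback, then `nsupdate -g` with KRB5CCNAME set), as an added example that is not taken from the snf-network patch. The paths, the PRINCIPAL default, the 5-minute `-H` threshold, the keytab permission check and the argument validation are assumptions added here.

```shell
#!/bin/sh
# Added example; paths, principal and record values are constructed placeholders.
KEYTAB="${KEYTAB:-/path/to/nsupdate.keytab}"
CCACHE="${CCACHE:-/path/to/nsupdate.ccache}"
PRINCIPAL="${PRINCIPAL:-PRINCIPAL}"

# Succeeds only if the keytab exists and has no group/other permission bits,
# since anyone who can read it can obtain tickets as the principal.
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeeds only for non-empty strings made of hostname characters.
is_name() {
    case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

# Print an nsupdate batch that replaces the A record of a host.
# Arguments: fqdn ipv4 ttl server zone
# Values are validated first so a crafted name (for example one containing a
# newline) cannot smuggle extra commands into the batch.
build_update() {
    is_name "$1" && is_name "$4" && is_name "$5" || return 2
    case $2 in ''|*[!0-9.]*) return 2 ;; esac
    case $3 in ''|*[!0-9]*) return 2 ;; esac
    printf 'server %s\nzone %s\n' "$4" "$5"
    printf 'update delete %s A\n' "$1"
    printf 'update add %s %s A %s\n' "$1" "$3" "$2"
    printf 'send\n'
}

# Ensure a usable ticket, then send the update over GSS-TSIG.
ddns_update() {
    keytab_is_private "$KEYTAB" || { echo "keytab missing or not private" >&2; return 1; }
    batch=$(build_update "$@") || { echo "rejected update arguments" >&2; return 2; }
    # -H 5: keep the cached ticket if it has at least 5 minutes left,
    # otherwise obtain a new one from the keytab (-f) into the cache (-k).
    k5start -q -H 5 -f "$KEYTAB" -k "$CCACHE" "$PRINCIPAL" || return 1
    printf '%s\n' "$batch" | KRB5CCNAME="$CCACHE" nsupdate -g
}
```

`ddns_update vm1.example.test 192.0.2.10 300 dc1.example.test example.test` would run the full sequence on a host with k5start and nsupdate installed.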