Commit 0a49af87 authored by Dimitris Aragiorgis

Add kerberos authentication support for nsupdate

Up until now snf-network used nsupdate with a keyfile to
dynamically update DNS entries on an external nameserver
(bind9). This patch adds support for authenticating against an
AD controller using Kerberos.

Specifically, we use "k5start -H" to ensure there is a happy ticket,
otherwise use a keytab containing the password to obtain a ticket
automatically. Finally, we use nsupdate in GSS-TSIG mode (with -g option
and with KRB5CCNAME environment variable pointing to the ticket
obtained previously by k5start) to update the AD-integrated DNS server.

The keytab file can be added with:

 # ktutil -v add -V 1 -e aes256-cts -p PRINCIPAL
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
parent 3b3a7040
......@@ -372,7 +372,13 @@ send_command () {
local command="$1"
log "* $command"
nsupdate -k $KEYFILE > /dev/null << EOF
if [ -e "$KEYFILE" ]; then
nsupdate_command="nsupdate -k $KEYFILE"
elif [ -n "$KERBEROS_PRINCIPAL" ]; then
nsupdate_command="KR5BCCNAME=$KERBEROS_TICKET nsupdate -g"
k5start -k $KERBEROS_TICKET -u $KERBEROS_PRINCIPAL -f $KERBEROS_KEYTAB $KERBEROS_KSTART_ARGS
fi
$nsupdate_command > /dev/null << EOF
server $SERVER
$command
send
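Review bot: the Kerberos branch sets `KR5BCCNAME` in `nsupdate_command="KR5BCCNAME=$KERBEROS_TICKET nsupdate -g"`, while the commit message and nsupdate itself expect `KRB5CCNAME`; and even with the name fixed, a `VAR=value` prefix stored inside a string is not treated as an environment assignment when `$nsupdate_command` is expanded later, so the shell looks for a command literally named `KRB5CCNAME=/var/lib/...` and fails. Export the variable instead, e.g. `export KRB5CCNAME="$KERBEROS_TICKET"` followed by `nsupdate_command="nsupdate -g"`, or use `env KRB5CCNAME="$KERBEROS_TICKET" nsupdate -g`. The k5start exit status is also not checked before nsupdate runs, so an update is attempted with a missing or expired ticket and the real cause is hidden behind `> /dev/null`; and when neither `$KEYFILE` exists nor `$KERBEROS_PRINCIPAL` is set, `$nsupdate_command` is empty and the heredoc is fed to nothing, so the function should fail closed with a logged error. Quoting `"$KEYFILE"`, `"$KERBEROS_TICKET"` and `"$KERBEROS_KEYTAB"` would avoid word splitting on unusual paths.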
......@@ -45,10 +45,27 @@ FZONE=""
KEYFILE=""
MAC2EUI64="/usr/bin/mac2eui64"
# kerberos authentication settings
# Will be used with kstart and ktutil
KERBEROS_PRINCIPAL=
KERBEROS_KEYTAB=/etc/krb5.keytab
KERBEROS_KSTART_ARGS="-H 1 -l 1h"
KERBEROS_TICKET=/var/lib/snf-network/snf-network-kerberos.tkt
source /etc/default/snf-network
source /usr/lib/snf-network/common.sh
if [ -z "$SERVER" -o -z "$FZONE" -o ! -e "$KEYFILE" ]; then
if [ -z "$SERVER" -o -z "$FZONE" ]; then
log "SERVER and FZONE not defined! Aborting.."
exit 0
fi
if [ -e "$KEYFILE" ]; then
log "Will use $KEYFILE keyfile for nsupdate."
elif [ -n "$KERBEROS_PRINCIPAL" ]; then
log "Will use $KERBEROS_PRINCIPAL kerberos principal for nsupdate."
else
log "Neither KEYFILE nor KERBEROS_PRINCIPAL defined! Aborting.."
exit 0
fi
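Review bot: the validation block stops when neither `KEYFILE` nor `KERBEROS_PRINCIPAL` is set, but in the Kerberos branch it does not verify that `$KERBEROS_KEYTAB` exists or that the directory holding `$KERBEROS_TICKET` is present, so a misconfiguration only surfaces later inside `send_command`; extend the `elif` to `elif [ -n "$KERBEROS_PRINCIPAL" -a -e "$KERBEROS_KEYTAB" ]; then` (or a separate check with its own log line). The new defaults point `KERBEROS_KEYTAB` at `/etc/krb5.keytab` and store the credential cache under `/var/lib/snf-network/`; since the keytab holds the principal's long-term key and the ticket file a usable TGT, a comment next to the defaults stating that both must be root-owned and mode 0600 (and that the cache directory must exist) would help operators, and a permission check here would enforce it. Minor: aborting with `exit 0` reports success to the caller on a configuration error; this is pre-existing behaviour, but with two authentication paths now it is worth returning a non-zero status.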