Commit 30ad28a9 authored by Dimitris Aragiorgis

Add doc section wrt kerberos authentication

..that explains how to configure snf-network in order to use
it for dynamic DNS update against an AD controller.
Signed-off-by: Dimitris Aragiorgis <>
parent 0a49af87
......@@ -224,7 +224,29 @@ Installed under `instance-stop-post.d`, `instance-rename-post.d` and
`instance-remove-post.d` hook dirs.
This hook updates an external `DDNS <>`_
setup via ``nsupdate``. Since we add/remove entries during ifup/ifdown
setup via ``nsupdate``. To do so, the path to a valid keyfile, along
with the nameserver must be added in settings
To authenticate against an AD controller using Kerberos, snf-network uses
the -g option of nsupdate (GSS-TSIG mode). Prior to that it uses "k5start
-H" to ensure there is a happy ticket (stored under /var/lib/snf-network;
see KERBEROS_TICKET default option), otherwise use a keytab containing
the password to obtain a ticket automatically (password-less). The
keytab with the corresponding service principal must already exist and
both should be mentioned in the settings.
To add a valid keytab one can use:
.. code-block:: console
ktutil -v add -V 1 -e aes256-cts -p SYNNEFO.NSUPDATE
``dnsutils`` debian packages includes ``nsupdate`` client while
``kstart`` and ``heimdal-clients`` packages are required in case
kerberos authentication is desired.
Since we add/remove entries during ifup/ifdown
scripts, we use this only during instance remove/shutdown/rename. It
does not rely on exported environment but it queries first the DNS
server to obtain current entries and then it invokes the necessary
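Review bot: the ``.. code-block:: console`` directive in this hunk is not valid reStructuredText as written and the ``ktutil`` line will not render as a code block: the directive needs a blank line after it and the command indented beneath it, i.e.

    .. code-block:: console

        ktutil -v add -V 1 -e aes256-cts -p SYNNEFO.NSUPDATE

Also, the new paragraph ``To do so, the path to a valid keyfile, along with the nameserver must be added in settings`` ends without a full stop, and the Kerberos paragraph says the keytab and the service principal "should be mentioned in the settings" without naming the options, while it does name ``KERBEROS_TICKET``; naming the two settings would make the section actionable. Since the doc states that the keytab "contains the password", it should also say that the keytab must be readable only by the account running the hooks (owned by root, mode 0600), and that the ``-p`` argument is expected to be a full principal including the realm. Minor wording: "happy ticket" should read "valid ticket", "``dnsutils`` debian packages includes" should read "The ``dnsutils`` Debian package includes", and "kerberos" should be capitalised as "Kerberos" to match the rest of the section.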