Commit 30ad28a9 authored by Dimitris Aragiorgis's avatar Dimitris Aragiorgis

Add doc section wrt kerberos authentication

..that explains how to configure snf-network in order to use
it for dynamic DNS update against an AD controller.
Signed-off-by: default avatarDimitris Aragiorgis <>
parent 0a49af87
......@@ -224,7 +224,29 @@ Installed under `instance-stop-post.d`, `instance-rename-post.d` and
`instance-remove-post.d` hook dirs.
This hook updates an external `DDNS <>`_
setup via ``nsupdate``. Since we add/remove entries during ifup/ifdown
setup via ``nsupdate``. To do so, the path to a valid keyfile, along
with the nameserver must be added in settings
To authenticate against an AD controller using Kerberos, snf-network uses
the -g option of nsupdate (GSS-TSIG mode). Prior to that it uses "k5start
-H" to ensure there is a happy ticket (stored under /var/lib/snf-network;
see KERBEROS_TICKET default option), otherwise use a keytab containing
the password to obtain a ticket automatically (password-less). The
keytab with the corresponding service principal must already exist and
both should be mentioned in the settings.
To add a valid keytab one can use:
.. code-block:: console
ktutil -v add -V 1 -e aes256-cts -p SYNNEFO.NSUPDATE
``dnsutils`` debian packages includes ``nsupdate`` client while
``kstart`` and ``heimdal-clients`` packages are required in case
kerberos authentication is desired.
Since we add/remove entries during ifup/ifdown
scripts, we use this only during instance remove/shutdown/rename. It
does not rely on exported environment but it queries first the DNS
server to obtain current entries and then it invokes the necessary
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment