Commit 5752d6f5 authored by Dimitris Aragiorgis

docs: Update docs for AUTHENTICATION_METHOD

Mention AUTHENTICATION_METHOD setting in docs and update
configure section with all missing settings included in
/etc/default/snf-network.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
parent c608941f
......@@ -226,25 +226,35 @@ Installed under `instance-add-post.d`, `instance-rename-post.d`,
Currently it supports dynamic updates against a BIND server or
secure Microsoft DNS (Active Directory) by using the `nsupdate`
command (found in `dnsutils` debian package).
command (found in `dnsutils` debian package). The method to be used
is defined in AUTHENTICATION_METHOD setting. The available methods
are:
On both cases, to enable it, the admin must set the SERVER (the IP of
- plain (nsupdate)
- bind9 (nsupdate -k)
- kerberos (nsupdate -g)
For backwards compatibility we assume `bind9` if the above setting is missing.
To disable DDNS updates unset the AUTHENTICATION_METHOD variable
in `/etc/defaults/snf-network`.
If DDNS updates are enabled, the admin must set the SERVER (the IP of
the DNS server) and FZONE (the domain of the instances) variables found
in `/etc/default/snf-network`. Please note that currenlty only one
domain is supported for the instances.
In case of BIND (e.g `DDNS <https://wiki.debian.org/DDNS>`_),
In case of ``bind9`` method (e.g `DDNS <https://wiki.debian.org/DDNS>`_),
the KEYFILE variable in `/etc/default/snf-network` must point to
the .private file created by dnssec-keygen.
the `.private` file created by ``dnssec-keygen``.
To authenticate against an AD controller using Kerberos, snf-network
uses the -g option of nsupdate (GSS-TSIG mode). Prior to that, it uses
"k5start -H" to ensure there is a happy ticket (stored under
/var/lib/snf-network; see KERBEROS_TICKET default option). In case the
ticket is invalid, it will use a keytab containing the password and it
will try to obtain a ticket automatically (password-less). The keytab
with the corresponding service principal must already exist and both
should be mentioned in the settings.
In case of ``kerberos`` method (e.g. against Active Directory),
snf-network uses the -g option of nsupdate (GSS-TSIG mode). Prior to that,
it uses "k5start -H" to ensure there is a happy ticket (see
KERBEROS_TICKET default option). In case the ticket is invalid, it will
use a keytab containing the password and try obtain a ticket
automatically (password-less). The keytab with the corresponding service
principal must already exist and both should be mentioned in the
settings.
To add a valid keytab one can use:
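Review bot: the added paragraph contradicts itself on what an absent AUTHENTICATION_METHOD means: "For backwards compatibility we assume `bind9` if the above setting is missing" is immediately followed by "To disable DDNS updates unset the AUTHENTICATION_METHOD variable", so an admin who removes the variable to turn DDNS off would, by the first sentence, get bind9 updates instead. Please state which behaviour applies, or spell out the distinction if "unset" here means assigning an empty value rather than omitting the line. In the same paragraph the file is given as `/etc/defaults/snf-network`, while the rest of this section and the configure section use `/etc/default/snf-network`; telling admins to edit a file that does not exist would silently leave DDNS enabled. Smaller wording fixes: "defined in AUTHENTICATION_METHOD setting" -> "defined in the AUTHENTICATION_METHOD setting", "currenlty" -> "currently", "e.g" -> "e.g.", and "try obtain a ticket" -> "try to obtain a ticket".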
......@@ -427,10 +437,26 @@ one of them.
<setups>`)
- ``RUNLOCKED_OPTS`` options for runlocked helper script used as a
wrapper for ebtables
- ``SERVER`` the IP/FQDN of the name server
- ``FZONE`` the domain that the VMs will reside in
- ``AUTHENTICATION_METHOD`` is the method to be used for dynamic DNS
updates. The valid methods are: plain (nsupdate), bind9 (nsupdate
-k), kerberos (nsupdate -g). To disable DDNS updates just unset this
setting.
- ``SERVER`` the IP/FQDN of the name server (required for dynamic DNS
updates)
- ``FZONE`` the domain that the VMs will reside in (required for
dynamic DNS updates)
- ``KEYFILE`` path to file used with -k option of nsupdate
- ``TTL`` defines the duration in seconds that a DNS record may be cached
(defaults to 300)
- ``KERBEROS_PRINCIPAL`` is the kerberos principal (required for
kerberos authentication)
- ``KERBEROS_KEYTAB`` is the kerberos keytab (defaults to
/etc/krb5.keytab)
- ``KERBEROS_KSTART_ARGS`` are the options to pass to kstart (default
to "-H 1 -l 1h")
- ``KERBEROS_TICKET`` is the path to keep the ticket obtained by kstart
(defaults to /var/lib/snf-network/snf-network-kerberos.tkt)
.. toctree::
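Review bot: the ``AUTHENTICATION_METHOD`` bullet should document the fallback the earlier hunk describes (bind9 assumed when the setting is missing), since this list is where admins look up defaults, and "just unset this setting" repeats the unset-versus-missing ambiguity from that hunk. Two consistency points: ``KEYFILE`` is the only DDNS-related setting without a "(required for ...)" qualifier; "path to the `.private` file created by dnssec-keygen (required for the bind9 method)" would match the neighbouring bullets. ``KERBEROS_KSTART_ARGS`` says "options to pass to kstart" while the previous section calls the command "k5start -H"; use one name for the binary. Also "(default to" -> "(defaults to" in the ``KERBEROS_KSTART_ARGS`` bullet.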