diff --git a/docs/index.rst b/docs/index.rst index acad18cd66bf8f54b8129fd0b0e53aa600410dd0..24a6b325680403d411da41ae1d6abf0b7ca09737 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -226,25 +226,35 @@ Installed under `instance-add-post.d`, `instance-rename-post.d`, Currently it supports dynamic updates against a BIND server or secure Microsoft DNS (Active Directory) by using the `nsupdate` -command (found in `dnsutils` debian package). +command (found in `dnsutils` debian package). The method to be used +is defined in AUTHENTICATION_METHOD setting. The available methods +are: -On both cases, to enable it, the admin must set the SERVER (the IP of + - plain (nsupdate) + - bind9 (nsupdate -k) + - kerberos (nsupdate -g) + +For backwards compatibility we assume `bind9` if the above setting is missing. +To disable DDNS updates unset the AUTHENTICATION_METHOD variable +in `/etc/defaults/snf-network`. + +If DDNS updates are enabled, the admin must set the SERVER (the IP of the DNS server) and FZONE (the domain of the instances) variables found in `/etc/default/snf-network`. Please note that currenlty only one domain is supported for the instances. -In case of BIND (e.g `DDNS `_), +In case of ``bind9`` method (e.g `DDNS `_), the KEYFILE variable in `/etc/default/snf-network` must point to -the .private file created by dnssec-keygen. +the `.private` file created by ``dnssec-keygen``. -To authenticate against an AD controller using Kerberos, snf-network -uses the -g option of nsupdate (GSS-TSIG mode). Prior to that, it uses -"k5start -H" to ensure there is a happy ticket (stored under -/var/lib/snf-network; see KERBEROS_TICKET default option). In case the -ticket is invalid, it will use a keytab containing the password and it -will try to obtain a ticket automatically (password-less). The keytab -with the corresponding service principal must already exist and both -should be mentioned in the settings. +In case of ``kerberos`` method (e.g. against Active Directory), +snf-network uses the -g option of nsupdate (GSS-TSIG mode). Prior to that, +it uses "k5start -H" to ensure there is a happy ticket (see +KERBEROS_TICKET default option). In case the ticket is invalid, it will +use a keytab containing the password and try obtain a ticket +automatically (password-less). The keytab with the corresponding service +principal must already exist and both should be mentioned in the +settings. To add a valid keytab one can use: @@ -427,10 +437,26 @@ one of them. `) - ``RUNLOCKED_OPTS`` options for runlocked helper script used as a wrapper for ebtables - - ``SERVER`` the IP/FQDN of the name server - - ``FZONE`` the domain that the VMs will reside in + - ``AUTHENTICATION_METHOD`` is the method to be used for dynamic DNS + updates. The valid methods are: plain (nsupdate), bind9 (nsupdate + -k), kerberos (nsupdate -g). To disable DDNS updates just unset this + setting. + - ``SERVER`` the IP/FQDN of the name server (required for dynamic DNS + updates) + - ``FZONE`` the domain that the VMs will reside in (required for + dynamic DNS updates) - ``KEYFILE`` path to file used with -k option of nsupdate - ``TTL`` defines the duration in seconds that a DNS record may be cached + (defaults to 300) + - ``KERBEROS_PRINCIPAL`` is the kerberos principal (required for + kerberos authentication) + - ``KERBEROS_KEYTAB`` is the kerberos keytab (defaults to + /etc/krb5.keytab) + - ``KERBEROS_KSTART_ARGS`` are the options to pass to kstart (default + to "-H 1 -l 1h") + - ``KERBEROS_TICKET`` is the path to keep the ticket obtained by kstart + (defaults to /var/lib/snf-network/snf-network-kerberos.tkt) + .. toctree::