Commit 5752d6f5 authored by Dimitris Aragiorgis

docs: Update docs for AUTHENTICATION_METHOD

Mention AUTHENTICATION_METHOD setting in docs and update
configure section with all missing settings included in
/etc/default/snf-network.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
parent c608941f
...@@ -226,25 +226,35 @@ Installed under `instance-add-post.d`, `instance-rename-post.d`, ...@@ -226,25 +226,35 @@ Installed under `instance-add-post.d`, `instance-rename-post.d`,
Currently it supports dynamic updates against a BIND server or Currently it supports dynamic updates against a BIND server or
secure Microsoft DNS (Active Directory) by using the `nsupdate` secure Microsoft DNS (Active Directory) by using the `nsupdate`
command (found in `dnsutils` debian package). command (found in `dnsutils` debian package). The method to be used
is defined in AUTHENTICATION_METHOD setting. The available methods
are:
On both cases, to enable it, the admin must set the SERVER (the IP of - plain (nsupdate)
- bind9 (nsupdate -k)
- kerberos (nsupdate -g)
For backwards compatibility we assume `bind9` if the above setting is missing.
To disable DDNS updates unset the AUTHENTICATION_METHOD variable
in `/etc/defaults/snf-network`.
If DDNS updates are enabled, the admin must set the SERVER (the IP of
the DNS server) and FZONE (the domain of the instances) variables found the DNS server) and FZONE (the domain of the instances) variables found
in `/etc/default/snf-network`. Please note that currenlty only one in `/etc/default/snf-network`. Please note that currenlty only one
domain is supported for the instances. domain is supported for the instances.
In case of BIND (e.g `DDNS <https://wiki.debian.org/DDNS>`_), In case of ``bind9`` method (e.g `DDNS <https://wiki.debian.org/DDNS>`_),
the KEYFILE variable in `/etc/default/snf-network` must point to the KEYFILE variable in `/etc/default/snf-network` must point to
the .private file created by dnssec-keygen. the `.private` file created by ``dnssec-keygen``.
To authenticate against an AD controller using Kerberos, snf-network In case of ``kerberos`` method (e.g. against Active Directory),
uses the -g option of nsupdate (GSS-TSIG mode). Prior to that, it uses snf-network uses the -g option of nsupdate (GSS-TSIG mode). Prior to that,
"k5start -H" to ensure there is a happy ticket (stored under it uses "k5start -H" to ensure there is a happy ticket (see
/var/lib/snf-network; see KERBEROS_TICKET default option). In case the KERBEROS_TICKET default option). In case the ticket is invalid, it will
ticket is invalid, it will use a keytab containing the password and it use a keytab containing the password and try obtain a ticket
will try to obtain a ticket automatically (password-less). The keytab automatically (password-less). The keytab with the corresponding service
with the corresponding service principal must already exist and both principal must already exist and both should be mentioned in the
should be mentioned in the settings. settings.
To add a valid keytab one can use: To add a valid keytab one can use:
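Review bot: The new sentence "To disable DDNS updates unset the AUTHENTICATION_METHOD variable" contradicts the line just above it, "For backwards compatibility we assume `bind9` if the above setting is missing": in a sourced defaults file an unset variable and a missing variable are the same state, so the reader cannot tell whether leaving it out disables updates or falls back to `bind9`. Please state which of the two the code actually does (for instance, if an empty value disables updates while an absent definition defaults to `bind9`, say so) and use the same wording in the ``AUTHENTICATION_METHOD`` entry of the configure section. Two smaller issues in the added text: the path is written `/etc/defaults/snf-network` while every other mention uses `/etc/default/snf-network`, and "try obtain a ticket" lost the "to" that the old text had. Since this is a docs commit, the "currenlty" typo in the unchanged context two lines below could be fixed in the same pass. It would also help readers choosing a method to note that `plain` sends unsigned updates, so acceptance depends entirely on the DNS server's update policy, whereas `bind9` and `kerberos` sign every update (TSIG and GSS-TSIG respectively).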
...@@ -427,10 +437,26 @@ one of them. ...@@ -427,10 +437,26 @@ one of them.
<setups>`) <setups>`)
- ``RUNLOCKED_OPTS`` options for runlocked helper script used as a - ``RUNLOCKED_OPTS`` options for runlocked helper script used as a
wrapper for ebtables wrapper for ebtables
- ``SERVER`` the IP/FQDN of the name server - ``AUTHENTICATION_METHOD`` is the method to be used for dynamic DNS
- ``FZONE`` the domain that the VMs will reside in updates. The valid methods are: plain (nsupdate), bind9 (nsupdate
-k), kerberos (nsupdate -g). To disable DDNS updates just unset this
setting.
- ``SERVER`` the IP/FQDN of the name server (required for dynamic DNS
updates)
- ``FZONE`` the domain that the VMs will reside in (required for
dynamic DNS updates)
- ``KEYFILE`` path to file used with -k option of nsupdate - ``KEYFILE`` path to file used with -k option of nsupdate
- ``TTL`` defines the duration in seconds that a DNS record may be cached - ``TTL`` defines the duration in seconds that a DNS record may be cached
(defaults to 300)
- ``KERBEROS_PRINCIPAL`` is the kerberos principal (required for
kerberos authentication)
- ``KERBEROS_KEYTAB`` is the kerberos keytab (defaults to
/etc/krb5.keytab)
- ``KERBEROS_KSTART_ARGS`` are the options to pass to kstart (default
to "-H 1 -l 1h")
- ``KERBEROS_TICKET`` is the path to keep the ticket obtained by kstart
(defaults to /var/lib/snf-network/snf-network-kerberos.tkt)
.. toctree:: .. toctree::
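Review bot: The ``KEYFILE`` entry is the only DDNS setting left without a scope note while the entries around it gained "(required for dynamic DNS updates)" and "(required for kerberos authentication)"; it should say "(required for the bind9 method)" so the list matches the description above, where the `.private` file from ``dnssec-keygen`` is tied to ``bind9``. In the ``KERBEROS_KSTART_ARGS`` line, "(default to" should read "(defaults to", as in the neighbouring entries. The ``AUTHENTICATION_METHOD`` entry repeats the "just unset this setting" instruction, so however the missing-versus-unset question from the earlier hunk is resolved, this entry needs the same answer.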