[SAMBA4][PATCH]: Enable DNS GSS-TSIG Updates
Andrew Kroeger
andrew at sprocks.gotdns.com
Sun May 18 07:40:30 GMT 2008
All:
Please find attached patches that allow Windows clients to do DDNS
updates against BIND, using the GSS-TSIG capabilities present in the new
BIND 9.5.0 series.
The patches have also been pushed to git://git.id10ts.net/samba.git, in
the v4-0-local branch.
Thanks,
Andrew
P.S. - It was over 8 months ago when I first looked into the GSS-TSIG
updates. In his commit message for
99f832e7edcf940003fe9a2506622d991bc00f27, Andrew Bartlett remarked about
"...the slow road to working GSS-TSIG DDNS." If only he would've known
at the time how true that statement was ;)
-------------- next part --------------
>From 572efc8e65457a982a8cbb04d3b10e3aae22d574 Mon Sep 17 00:00:00 2001
From: Andrew Kroeger <andrew at sprocks.gotdns.com>
Date: Sat, 17 May 2008 23:20:35 -0500
Subject: [PATCH] provision: Allow DNS GSS-TSIG updates to work.
This change ensures the KVNO of the principal in secrets.ldb (which is also
exported to the dns.keytab) matches the KVNO associated with the "dns" user.
Without explicitly setting msDS-KeyVersionNumber, the KVNO exported into the
dns.keytab was 0.
KVNO needs to be > 0, as the client libs (at least MIT libs on Fedora)
consider KVNO == 0 as a sign to ignore that particular key.
---
source/setup/secrets_dc.ldif | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/source/setup/secrets_dc.ldif b/source/setup/secrets_dc.ldif
index 71c7fc2..abc5860 100644
--- a/source/setup/secrets_dc.ldif
+++ b/source/setup/secrets_dc.ldif
@@ -33,6 +33,7 @@ objectClass: secret
objectClass: kerberosSecret
realm: ${REALM}
servicePrincipalName: DNS/${DNSDOMAIN}
+msDS-KeyVersionNumber: 1
privateKeytab: ${DNS_KEYTAB}
secret:: ${DNSPASS_B64}
--
1.5.4.5
-------------- next part --------------
>From 0b7a6bfcba1b906dc4d461882b4c3fe3c91c44e0 Mon Sep 17 00:00:00 2001
From: Andrew Kroeger <andrew at sprocks.gotdns.com>
Date: Sat, 17 May 2008 23:24:48 -0500
Subject: [PATCH] provision: Create instructions for enabling DNS GSS-TSIG updates.
Added code to the python provisioning to create the named.conf file that was
previously generated by the EJS provisioning.
Updated the named.conf template to provide the additional details necessary
to get things working.
---
source/scripting/python/samba/provision.py | 32 +++++--
source/setup/named.conf | 135 ++++++++++++++++++++++------
2 files changed, 133 insertions(+), 34 deletions(-)
diff --git a/source/scripting/python/samba/provision.py b/source/scripting/python/samba/provision.py
index ad8eb8b..4818a79 100644
--- a/source/scripting/python/samba/provision.py
+++ b/source/scripting/python/samba/provision.py
@@ -236,6 +236,7 @@ def provision_paths_from_lp(lp, dnsdomain):
paths.secrets = os.path.join(paths.private_dir, lp.get("secrets database") or "secrets.ldb")
paths.templates = os.path.join(paths.private_dir, "templates.ldb")
paths.dns = os.path.join(paths.private_dir, dnsdomain + ".zone")
+ paths.namedconf = os.path.join(paths.private_dir, "named.conf")
paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi")
paths.phpldapadminconfig = os.path.join(paths.private_dir,
@@ -1059,12 +1060,14 @@ def provision(setup_dir, message, session_info,
scope=SCOPE_SUBTREE)
assert isinstance(hostguid, str)
- create_zone_file(paths.dns, setup_path, samdb,
+ create_zone_file(paths.dns, paths.namedconf, setup_path, samdb,
hostname=names.hostname, hostip=hostip,
hostip6=hostip6, dnsdomain=names.dnsdomain,
domaindn=names.domaindn, dnspass=dnspass, realm=names.realm,
- domainguid=domainguid, hostguid=hostguid)
+ domainguid=domainguid, hostguid=hostguid,
+ private_dir=paths.private_dir, keytab_name=paths.dns_keytab)
message("Please install the zone located in %s into your DNS server" % paths.dns)
+ message("See %s if you want to use secure GSS-TSIG updates" % paths.namedconf)
create_phpldapadmin_config(paths.phpldapadminconfig, setup_path,
ldapi_url)
@@ -1281,12 +1284,18 @@ def create_phpldapadmin_config(path, setup_path, ldapi_uri):
{"S4_LDAPI_URI": ldapi_uri})
-def create_zone_file(path, setup_path, samdb, dnsdomain, domaindn,
- hostip, hostip6, hostname, dnspass, realm, domainguid, hostguid):
+def create_zone_file(path_zone, path_conf, setup_path, samdb, dnsdomain, domaindn,
+ hostip, hostip6, hostname, dnspass, realm, domainguid, hostguid,
+ private_dir, keytab_name):
"""Write out a DNS zone file, from the info in the current database.
+
+ Also writes a file with stubs appropriate for a DNS configuration file
+ (including GSS-TSIG configuration), and details as to some of the other
+ configuration changes that may be necessary.
- :param path: Path of the new file.
- :param setup_path": Setup path function.
+ :param path_zone: Path of the new zone file.
+ :param path_conf: Path of the config stubs file.
+ :param setup_path: Setup path function.
:param samdb: SamDB object
:param dnsdomain: DNS Domain name
:param domaindn: DN of the Domain
@@ -1307,7 +1316,7 @@ def create_zone_file(path, setup_path, samdb, dnsdomain, domaindn,
hostip6_base_line = " IN AAAA " + hostip6
hostip6_host_line = hostname + " IN AAAA " + hostip6
- setup_file(setup_path("provision.zone"), path, {
+ setup_file(setup_path("provision.zone"), path_zone, {
"DNSPASS_B64": b64encode(dnspass),
"HOSTNAME": hostname,
"DNSDOMAIN": dnsdomain,
@@ -1321,6 +1330,15 @@ def create_zone_file(path, setup_path, samdb, dnsdomain, domaindn,
"HOSTIP6_HOST_LINE": hostip6_host_line,
})
+ setup_file(setup_path("named.conf"), path_conf, {
+ "DNSDOMAIN": dnsdomain,
+ "REALM": realm,
+ "REALM_WC": "*." + ".".join(realm.split(".")[1:]),
+ "HOSTNAME": hostname,
+ "DNS_KEYTAB": keytab_name,
+ "DNS_KEYTAB_ABS": os.path.join(private_dir, keytab_name),
+ })
+
def load_schema(setup_path, samdb, schemadn, netbiosname, configdn, sitename):
"""Load schema for the SamDB.
diff --git a/source/setup/named.conf b/source/setup/named.conf
index 0257880..9cf0b48 100644
--- a/source/setup/named.conf
+++ b/source/setup/named.conf
@@ -3,35 +3,116 @@
# the BIND nameserver.
#
-# If you have a very recent BIND, supporting GSS-TSIG,
-# insert this into options {} (otherwise omit, it is not required if we don't accept updates)
-tkey-gssapi-credential "DNS/${DNSDOMAIN}";
-tkey-domain "${REALM}";
-
-# You should always include the actual zone configuration reference:
+# You should always include the actual forward zone configuration:
zone "${DNSDOMAIN}." IN {
- type master;
- file "${DNSDOMAIN}.zone";
+ type master;
+ file "${DNSDOMAIN}.zone";
update-policy {
- /* use ANY only for Domain controllers for now */
- /* for normal machines A AAAA PTR is probbaly all is needed */
- grant ${HOSTNAME}.${DNSDOMAIN}@${REALM} name ${HOSTNAME}.${DNSDOMAIN} ANY;
+ /*
+ * A rather long description here, as the "ms-self" option does
+ * not appear in any docs yet (it can only be found in the
+ * source code).
+ *
+ * The short of it is that each host is allowed to update its
+ * own A and AAAA records, when the update request is properly
+ * signed by the host itself.
+ *
+ * The long description is (look at the
+ * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
+ * its definition in lib/dns/gssapictx.c for details):
+ *
+ * A GSS-TSIG update request will be signed by a given signer
+ * (e.g. machine-name$@${REALM}). The signer name is split into
+ * the machine component (e.g. "machine-name") and the realm
+ * component (e.g. "${REALM}"). The update is allowed if the
+ * following conditions are met:
+ *
+ * 1) The machine component of the signer name matches the first
+ * (host) component of the FQDN that is being updated.
+ *
+ * 2) The realm component of the signer name matches the realm
+ * in the grant statement below (${REALM}).
+ *
+ * 3) The domain component of the FQDN that is being updated
+ * matches the realm in the grant statement below.
+ *
+ * If the 3 conditions above are satisfied, the update succeeds.
+ */
+ grant ${REALM} ms-self * A AAAA;
};
};
-# Also, you need to change your init scripts to set this environment variable
-# for named: KRB5_KTNAME so that it points to the keytab generated.
-# In RedHat derived systems such RHEL/CentOS/Fedora you can add the following
-# line to the /etc/sysconfig/named file:
-# export KRB5_KTNAME=${DNS_KEYTAB_ABS}
-#
-# Please note that most distributions have BIND configured to run under
-# a non-root user account. For example, Fedora Core 6 (FC6) runs BIND as
-# the user "named" once the daemon relinquishes its rights. Therefore,
-# the file "${DNS_KEYTAB}" must be readable by the user that BIND run as.
-# If BIND is running as a non-root user, the "${DNS_KEYTAB}" file must have its
-# permissions altered to allow the daemon to read it. In the FC6
-# example, execute the commands:
-#
-# chgrp named ${DNS_KEYTAB_ABS}
-# chmod g+r ${DNS_KEYTAB_ABS}
+# The reverse zone configuration is optional. The following example assumes a
+# subnet of 192.168.123.0/24:
+zone "123.168.192.in-addr.arpa" in {
+ type master;
+ file "123.168.192.in-addr.arpa.zone";
+ update-policy {
+ grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR;
+ };
+};
+# Note that the reverse zone file is not created during the provision process.
+
+# The most recent BIND version (9.5.0a5 or later) supports secure GSS-TSIG
+# updates. If you are running an earlier version of BIND, or if you do not wish
+# to use secure GSS-TSIG updates, you may remove the update-policy sections in
+# both examples above.
+
+# If you are running a capable version of BIND and you wish to support secure
+# GSS-TSIG updates, you must make the following configuration changes:
+
+# - Insert the following lines into the options {} section of your named.conf
+# file:
+tkey-gssapi-credential "DNS/${DNSDOMAIN}";
+tkey-domain "${REALM}";
+
+# - Add settings for the ${REALM} realm to the Kerberos configuration on the DNS
+# server. The easiest way is to add the following blocks to the appropriate
+# sections in /etc/krb5.conf:
+[realms]
+ ${REALM} = {
+ kdc = ${HOSTNAME}.${DNSDOMAIN}:88
+ admin_server = ${HOSTNAME}.${DNSDOMAIN}:749
+ default_domain = ${DNSDOMAIN}
+ }
+
+[domain_realm]
+ .${DNSDOMAIN} = ${REALM}
+ ${DNSDOMAIN} = ${REALM}
+
+# - Modify BIND init scripts to pass the location of the generated keytab file.
+# Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named
+# for this purpose:
+KEYTAB_FILE="${DNS_KEYTAB_ABS}"
+# Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a
+# variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon. If
+# your distribution does not provide a variable like KEYTAB_FILE to pass a
+# keytab file to the BIND daemon, a workaround is to place the following line in
+# BIND's sysconfig file or in the init script for BIND:
+export KRB5_KTNAME="${DNS_KEYTAB_ABS}"
+
+# - Set appropriate ownership and permissions on the ${DNS_KEYTAB} file. Note
+# that most distributions have BIND configured to run under a non-root user
+# account. For example, Fedora 9 runs BIND as the user "named" once the daemon
+# relinquishes its rights. Therefore, the file ${DNS_KEYTAB} must be readable
+# by the user that BIND run as. If BIND is running as a non-root user, the
+# "${DNS_KEYTAB}" file must have its permissions altered to allow the daemon to
+# read it. Under Fedora 9, execute the following commands:
+chgrp named ${DNS_KEYTAB_ABS}
+chmod g+r ${DNS_KEYTAB_ABS}
+
+# - Ensure the BIND zone file(s) that will be dynamically updated are in a
+# directory where the BIND daemon can write. When BIND performs dynamic
+# updates, it not only needs to update the zone file itself but it must also
+# create a journal (.jnl) file to track the dynamic updates as they occur.
+# Under Fedora 9, the /var/named directory can not be written to by the "named"
+# user. However, the directory /var/named/dynamic directory does provide write
+# access. Therefore the zone files were placed under the /var/named/dynamic
+# directory. The file directives in both example zone statements at the
+# beginning of this file were changed by prepending the directory "dynamic/".
+
+# - If SELinux is enabled, ensure that all files have the appropriate SELinux
+# file contexts. The ${DNS_KEYTAB} file must be accessible by the BIND daemon
+# and should have a SELinux type of named_conf_t. This can be set with the
+# following command:
+chcon -t named_conf_t ${DNS_KEYTAB_ABS}
--
1.5.4.5
More information about the samba-technical
mailing list