[SAMBA4][PATCH]: Enable DNS GSS-TSIG Updates - Samba

This is a discussion on [SAMBA4][PATCH]: Enable DNS GSS-TSIG Updates - Samba ; All: Please find attached patches that allow Windows clients to do DDNS updates against BIND, using the GSS-TSIG capabilities present in the new BIND 9.5.0 series. The patches have also been pushed to git://git.id10ts.net/samba.git, in the v4-0-local branch. Thanks, Andrew ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: [SAMBA4][PATCH]: Enable DNS GSS-TSIG Updates

  1. [SAMBA4][PATCH]: Enable DNS GSS-TSIG Updates

    All:

    Please find attached patches that allow Windows clients to do DDNS
    updates against BIND, using the GSS-TSIG capabilities present in the new
    BIND 9.5.0 series.

    The patches have also been pushed to git://git.id10ts.net/samba.git, in
    the v4-0-local branch.

    Thanks,
    Andrew

    P.S. - It was over 8 months ago when I first looked into the GSS-TSIG
    updates. In his commit message for
    99f832e7edcf940003fe9a2506622d991bc00f27, Andrew Bartlett remarked about
    "...the slow road to working GSS-TSIG DDNS." If only he would've known
    at the time how true that statement was


    >From 572efc8e65457a982a8cbb04d3b10e3aae22d574 Mon Sep 17 00:00:00 2001

    From: Andrew Kroeger
    Date: Sat, 17 May 2008 23:20:35 -0500
    Subject: [PATCH] provision: Allow DNS GSS-TSIG updates to work.

    This change ensures the KVNO of the principal in secrets.ldb (which is also
    exported to the dns.keytab) matches the KVNO associated with the "dns" user.
    Without explicitly setting msDS-KeyVersionNumber, the KVNO exported into the
    dns.keytab was 0.

    KVNO needs to be > 0, as the client libs (at least MIT libs on Fedora)
    consider KVNO == 0 as a sign to ignore that particular key.
    ---
    source/setup/secrets_dc.ldif | 1 +
    1 files changed, 1 insertions(+), 0 deletions(-)

    diff --git a/source/setup/secrets_dc.ldif b/source/setup/secrets_dc.ldif
    index 71c7fc2..abc5860 100644
    --- a/source/setup/secrets_dc.ldif
    +++ b/source/setup/secrets_dc.ldif
    @@ -33,6 +33,7 @@ objectClass: secret
    objectClass: kerberosSecret
    realm: ${REALM}
    servicePrincipalName: DNS/${DNSDOMAIN}
    +msDS-KeyVersionNumber: 1
    privateKeytab: ${DNS_KEYTAB}
    secret:: ${DNSPASS_B64}

    --
    1.5.4.5


    >From 0b7a6bfcba1b906dc4d461882b4c3fe3c91c44e0 Mon Sep 17 00:00:00 2001

    From: Andrew Kroeger
    Date: Sat, 17 May 2008 23:24:48 -0500
    Subject: [PATCH] provision: Create instructions for enabling DNS GSS-TSIG updates.

    Added code to the python provisioning to create the named.conf file that was
    previously generated by the EJS provisioning.

    Updated the named.conf template to provide the additional details necessary
    to get things working.
    ---
    source/scripting/python/samba/provision.py | 32 +++++--
    source/setup/named.conf | 135 ++++++++++++++++++++++------
    2 files changed, 133 insertions(+), 34 deletions(-)

    diff --git a/source/scripting/python/samba/provision.py b/source/scripting/python/samba/provision.py
    index ad8eb8b..4818a79 100644
    --- a/source/scripting/python/samba/provision.py
    +++ b/source/scripting/python/samba/provision.py
    @@ -236,6 +236,7 @@ def provision_paths_from_lp(lp, dnsdomain):
    paths.secrets = os.path.join(paths.private_dir, lp.get("secrets database") or "secrets.ldb")
    paths.templates = os.path.join(paths.private_dir, "templates.ldb")
    paths.dns = os.path.join(paths.private_dir, dnsdomain + ".zone")
    + paths.namedconf = os.path.join(paths.private_dir, "named.conf")
    paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
    paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi")
    paths.phpldapadminconfig = os.path.join(paths.private_dir,
    @@ -1059,12 +1060,14 @@ def provision(setup_dir, message, session_info,
    scope=SCOPE_SUBTREE)
    assert isinstance(hostguid, str)

    - create_zone_file(paths.dns, setup_path, samdb,
    + create_zone_file(paths.dns, paths.namedconf, setup_path, samdb,
    hostname=names.hostname, hostip=hostip,
    hostip6=hostip6, dnsdomain=names.dnsdomain,
    domaindn=names.domaindn, dnspass=dnspass, realm=names.realm,
    - domainguid=domainguid, hostguid=hostguid)
    + domainguid=domainguid, hostguid=hostguid,
    + private_dir=paths.private_dir, keytab_name=paths.dns_keytab)
    message("Please install the zone located in %s into your DNS server" % paths.dns)
    + message("See %s if you want to use secure GSS-TSIG updates" % paths.namedconf)

    create_phpldapadmin_config(paths.phpldapadminconfi g, setup_path,
    ldapi_url)
    @@ -1281,12 +1284,18 @@ def create_phpldapadmin_config(path, setup_path, ldapi_uri):
    {"S4_LDAPI_URI": ldapi_uri})


    -def create_zone_file(path, setup_path, samdb, dnsdomain, domaindn,
    - hostip, hostip6, hostname, dnspass, realm, domainguid, hostguid):
    +def create_zone_file(path_zone, path_conf, setup_path, samdb, dnsdomain, domaindn,
    + hostip, hostip6, hostname, dnspass, realm, domainguid, hostguid,
    + private_dir, keytab_name):
    """Write out a DNS zone file, from the info in the current database.
    +
    + Also writes a file with stubs appropriate for a DNS configuration file
    + (including GSS-TSIG configuration), and details as to some of the other
    + configuration changes that may be necessary.

    - aram path: Path of the new file.
    - aram setup_path": Setup path function.
    + aram path_zone: Path of the new zone file.
    + aram path_conf: Path of the config stubs file.
    + aram setup_path: Setup path function.
    aram samdb: SamDB object
    aram dnsdomain: DNS Domain name
    aram domaindn: DN of the Domain
    @@ -1307,7 +1316,7 @@ def create_zone_file(path, setup_path, samdb, dnsdomain, domaindn,
    hostip6_base_line = " IN AAAA " + hostip6
    hostip6_host_line = hostname + " IN AAAA " + hostip6

    - setup_file(setup_path("provision.zone"), path, {
    + setup_file(setup_path("provision.zone"), path_zone, {
    "DNSPASS_B64": b64encode(dnspass),
    "HOSTNAME": hostname,
    "DNSDOMAIN": dnsdomain,
    @@ -1321,6 +1330,15 @@ def create_zone_file(path, setup_path, samdb, dnsdomain, domaindn,
    "HOSTIP6_HOST_LINE": hostip6_host_line,
    })

    + setup_file(setup_path("named.conf"), path_conf, {
    + "DNSDOMAIN": dnsdomain,
    + "REALM": realm,
    + "REALM_WC": "*." + ".".join(realm.split(".")[1:]),
    + "HOSTNAME": hostname,
    + "DNS_KEYTAB": keytab_name,
    + "DNS_KEYTAB_ABS": os.path.join(private_dir, keytab_name),
    + })
    +
    def load_schema(setup_path, samdb, schemadn, netbiosname, configdn, sitename):
    """Load schema for the SamDB.

    diff --git a/source/setup/named.conf b/source/setup/named.conf
    index 0257880..9cf0b48 100644
    --- a/source/setup/named.conf
    +++ b/source/setup/named.conf
    @@ -3,35 +3,116 @@
    # the BIND nameserver.
    #

    -# If you have a very recent BIND, supporting GSS-TSIG,
    -# insert this into options {} (otherwise omit, it is not required if we don't accept updates)
    -tkey-gssapi-credential "DNS/${DNSDOMAIN}";
    -tkey-domain "${REALM}";
    -
    -# You should always include the actual zone configuration reference:
    +# You should always include the actual forward zone configuration:
    zone "${DNSDOMAIN}." IN {
    - type master;
    - file "${DNSDOMAIN}.zone";
    + type master;
    + file "${DNSDOMAIN}.zone";
    update-policy {
    - /* use ANY only for Domain controllers for now */
    - /* for normal machines A AAAA PTR is probbaly all is needed */
    - grant ${HOSTNAME}.${DNSDOMAIN}@${REALM} name ${HOSTNAME}.${DNSDOMAIN} ANY;
    + /*
    + * A rather long description here, as the "ms-self" option does
    + * not appear in any docs yet (it can only be found in the
    + * source code).
    + *
    + * The short of it is that each host is allowed to update its
    + * own A and AAAA records, when the update request is properly
    + * signed by the host itself.
    + *
    + * The long description is (look at the
    + * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
    + * its definition in lib/dns/gssapictx.c for details):
    + *
    + * A GSS-TSIG update request will be signed by a given signer
    + * (e.g. machine-name$@${REALM}). The signer name is split into
    + * the machine component (e.g. "machine-name") and the realm
    + * component (e.g. "${REALM}"). The update is allowed if the
    + * following conditions are met:
    + *
    + * 1) The machine component of the signer name matches the first
    + * (host) component of the FQDN that is being updated.
    + *
    + * 2) The realm component of the signer name matches the realm
    + * in the grant statement below (${REALM}).
    + *
    + * 3) The domain component of the FQDN that is being updated
    + * matches the realm in the grant statement below.
    + *
    + * If the 3 conditions above are satisfied, the update succeeds.
    + */
    + grant ${REALM} ms-self * A AAAA;
    };
    };

    -# Also, you need to change your init scripts to set this environment variable
    -# for named: KRB5_KTNAME so that it points to the keytab generated.
    -# In RedHat derived systems such RHEL/CentOS/Fedora you can add the following
    -# line to the /etc/sysconfig/named file:
    -# export KRB5_KTNAME=${DNS_KEYTAB_ABS}
    -#
    -# Please note that most distributions have BIND configured to run under
    -# a non-root user account. For example, Fedora Core 6 (FC6) runs BIND as
    -# the user "named" once the daemon relinquishes its rights. Therefore,
    -# the file "${DNS_KEYTAB}" must be readable by the user that BIND run as.
    -# If BIND is running as a non-root user, the "${DNS_KEYTAB}" file must have its
    -# permissions altered to allow the daemon to read it. In the FC6
    -# example, execute the commands:
    -#
    -# chgrp named ${DNS_KEYTAB_ABS}
    -# chmod g+r ${DNS_KEYTAB_ABS}
    +# The reverse zone configuration is optional. The following example assumes a
    +# subnet of 192.168.123.0/24:
    +zone "123.168.192.in-addr.arpa" in {
    + type master;
    + file "123.168.192.in-addr.arpa.zone";
    + update-policy {
    + grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR;
    + };
    +};
    +# Note that the reverse zone file is not created during the provision process.
    +
    +# The most recent BIND version (9.5.0a5 or later) supports secure GSS-TSIG
    +# updates. If you are running an earlier version of BIND, or if you do not wish
    +# to use secure GSS-TSIG updates, you may remove the update-policy sections in
    +# both examples above.
    +
    +# If you are running a capable version of BIND and you wish to support secure
    +# GSS-TSIG updates, you must make the following configuration changes:
    +
    +# - Insert the following lines into the options {} section of your named.conf
    +# file:
    +tkey-gssapi-credential "DNS/${DNSDOMAIN}";
    +tkey-domain "${REALM}";
    +
    +# - Add settings for the ${REALM} realm to the Kerberos configuration on the DNS
    +# server. The easiest way is to add the following blocks to the appropriate
    +# sections in /etc/krb5.conf:
    +[realms]
    + ${REALM} = {
    + kdc = ${HOSTNAME}.${DNSDOMAIN}:88
    + admin_server = ${HOSTNAME}.${DNSDOMAIN}:749
    + default_domain = ${DNSDOMAIN}
    + }
    +
    +[domain_realm]
    + .${DNSDOMAIN} = ${REALM}
    + ${DNSDOMAIN} = ${REALM}
    +
    +# - Modify BIND init scripts to pass the location of the generated keytab file.
    +# Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named
    +# for this purpose:
    +KEYTAB_FILE="${DNS_KEYTAB_ABS}"
    +# Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a
    +# variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon. If
    +# your distribution does not provide a variable like KEYTAB_FILE to pass a
    +# keytab file to the BIND daemon, a workaround is to place the following line in
    +# BIND's sysconfig file or in the init script for BIND:
    +export KRB5_KTNAME="${DNS_KEYTAB_ABS}"
    +
    +# - Set appropriate ownership and permissions on the ${DNS_KEYTAB} file. Note
    +# that most distributions have BIND configured to run under a non-root user
    +# account. For example, Fedora 9 runs BIND as the user "named" once the daemon
    +# relinquishes its rights. Therefore, the file ${DNS_KEYTAB} must be readable
    +# by the user that BIND run as. If BIND is running as a non-root user, the
    +# "${DNS_KEYTAB}" file must have its permissions altered to allow the daemon to
    +# read it. Under Fedora 9, execute the following commands:
    +chgrp named ${DNS_KEYTAB_ABS}
    +chmod g+r ${DNS_KEYTAB_ABS}
    +
    +# - Ensure the BIND zone file(s) that will be dynamically updated are in a
    +# directory where the BIND daemon can write. When BIND performs dynamic
    +# updates, it not only needs to update the zone file itself but it must also
    +# create a journal (.jnl) file to track the dynamic updates as they occur.
    +# Under Fedora 9, the /var/named directory can not be written to by the "named"
    +# user. However, the directory /var/named/dynamic directory does provide write
    +# access. Therefore the zone files were placed under the /var/named/dynamic
    +# directory. The file directives in both example zone statements at the
    +# beginning of this file were changed by prepending the directory "dynamic/".
    +
    +# - If SELinux is enabled, ensure that all files have the appropriate SELinux
    +# file contexts. The ${DNS_KEYTAB} file must be accessible by the BIND daemon
    +# and should have a SELinux type of named_conf_t. This can be set with the
    +# following command:
    +chcon -t named_conf_t ${DNS_KEYTAB_ABS}
    --
    1.5.4.5



  2. Re: [SAMBA4][PATCH]: Enable DNS GSS-TSIG Updates

    On Sun, 2008-05-18 at 02:40 -0500, Andrew Kroeger wrote:
    > All:
    >
    > Please find attached patches that allow Windows clients to do DDNS
    > updates against BIND, using the GSS-TSIG capabilities present in the new
    > BIND 9.5.0 series.
    >
    > The patches have also been pushed to git://git.id10ts.net/samba.git, in
    > the v4-0-local branch.
    >
    > Thanks,
    > Andrew
    >
    > P.S. - It was over 8 months ago when I first looked into the GSS-TSIG
    > updates. In his commit message for
    > 99f832e7edcf940003fe9a2506622d991bc00f27, Andrew Bartlett remarked about
    > "...the slow road to working GSS-TSIG DDNS." If only he would've known
    > at the time how true that statement was


    This looks *really* interesting. We probably need to split some of this
    out into documentation and a separate krb5.conf, but for how I've pushed
    it (as it is far better than nothing).

    Pushed.

    Andrew Bartlett

    --
    Andrew Bartlett
    http://samba.org/~abartlet/
    Authentication Developer, Samba Team http://samba.org
    Samba Developer, Red Hat Inc.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (GNU/Linux)

    iD8DBQBIM6dMz4A8Wyi0NrsRAkNSAJ9ojSZeKgom6yUTSWcCTv 592gPDqQCbBfTl
    8llJgr/dJ4Tm7cJU2qBM8F4=
    =lrxC
    -----END PGP SIGNATURE-----


+ Reply to Thread