Setup dynamic DNS updates with Active Directory DNS to be used by the Smart Proxy of Katello/Foreman
Both BIND as configured in FreeIPA and Microsoft AD DNS servers can accept DNS updates using GSS-TSIG authentication. This uses Kerberos principals to authenticate to the DNS server. Under Microsoft AD, this is known as "Secure Dynamic Update".
Prerequisites
Kerberos principal in the realm/domain that Smart Proxy can use
Kerberos keytab for the above principal
Setup krb5.conf
cat > /etc/krb5.conf << "EOF"
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = dc01.example.com
admin_server = dc01.example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
EOF
Microsoft AD configuration
A user has to be created in Active Directory that will be used by the Smart Proxy, in our case foremanproxy. This will automatically create a service principal, e.g. foremanproxy@EXAMPLE.COM.
Test the Kerberos login with that user on the Smart Proxy using kinit:
kinit foremanproxy@EXAMPLE.COM
If login works, the keytab file can be created using ktutil. First clear the Kerberos ticket cache:
kdestroy
Now create the keytab file with ktutil (start ktutil and enter the following at its prompt):
ktutil: addent -password -p foremanproxy@EXAMPLE.COM -k 1 -e RC4-HMAC
ktutil: wkt dns.keytab
ktutil: q
Once the keytab file has been created, test it using kinit:
kinit foremanproxy@EXAMPLE.COM -k -t dns.keytab
If this works, clear the Kerberos ticket cache once again using kdestroy:
kdestroy
Move dns.keytab to the /etc/foreman-proxy directory:
mv dns.keytab /etc/foreman-proxy/
Ensure permissions are 0600 and the owner is foreman-proxy:
chown foreman-proxy /etc/foreman-proxy/dns.keytab
chmod 0600 /etc/foreman-proxy/dns.keytab
The Dynamic Updates option on the DNS zones in Active Directory can now be set to Secure Only. Now follow the steps below under Proxy configuration.
Proxy configuration
Next, update the proxy configuration file (/etc/foreman-proxy/settings.d/dns.yml) with the following settings:
:dns_server: <ip address or fqdn of your Active Directory DNS server>
:dns_provider: nsupdate_gss
:dns_tsig_keytab: /etc/foreman-proxy/dns.keytab
:dns_tsig_principal: foremanproxy@EXAMPLE.COM
#:dns_key: false
To work correctly, :dns_key: must be commented out.
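Before restarting the proxy, the keytab and the zone's Secure Only policy can be verified end to end with the same tools the nsupdate_gss provider relies on: kinit from the keytab, then nsupdate in its GSS-TSIG mode (-g). The script below is an added example, not part of the original how-to; the server, zone, test record name and the 192.0.2.10 address are constructed placeholders, and the provider's use of nsupdate -g is an assumption.

```shell
#!/bin/bash
# Added check (not part of the original how-to): exercise the keytab and a
# GSS-TSIG update end to end. All values below are constructed placeholders.
set -eu

KEYTAB="${KEYTAB:-/etc/foreman-proxy/dns.keytab}"
PRINCIPAL="${PRINCIPAL:-foremanproxy@EXAMPLE.COM}"
DNS_SERVER="${DNS_SERVER:-dc01.example.com}"
ZONE="${ZONE:-example.com}"
TEST_HOST="${TEST_HOST:-gsstsig-check}"   # throwaway record name
TEST_IP="${TEST_IP:-192.0.2.10}"          # RFC 5737 documentation address

# Emit one nsupdate transaction: add a test A record, or delete it again.
build_update() {
  action=$1; server=$2; zone=$3; host=$4; ip=$5
  printf 'server %s\nzone %s\n' "$server" "$zone"
  if [ "$action" = add ]; then
    printf 'update add %s.%s 300 A %s\n' "$host" "$zone" "$ip"
  else
    printf 'update delete %s.%s A\n' "$host" "$zone"
  fi
  printf 'send\n'
}

run_check() {
  # Private credential cache so the proxy's own cache is never touched.
  export KRB5CCNAME="FILE:$(mktemp /tmp/gsstsig-check.XXXXXX)"
  trap 'kdestroy >/dev/null 2>&1 || true' EXIT
  kinit -k -t "$KEYTAB" "$PRINCIPAL"
  # -g selects GSS-TSIG, the mode the nsupdate_gss provider relies on.
  build_update add "$DNS_SERVER" "$ZONE" "$TEST_HOST" "$TEST_IP" | nsupdate -g
  got=$(dig +short @"$DNS_SERVER" "$TEST_HOST.$ZONE" A)
  build_update delete "$DNS_SERVER" "$ZONE" "$TEST_HOST" "$TEST_IP" | nsupdate -g
  if [ "$got" = "$TEST_IP" ]; then
    echo "OK: $DNS_SERVER accepted a secure dynamic update from $PRINCIPAL"
  else
    echo "FAIL: test record not visible after update (got '$got')" >&2
    return 1
  fi
}

case "${1:-}" in
  run) run_check ;;
  *)   echo "usage: $0 run   (needs kinit, nsupdate and dig on the proxy host)" ;;
esac
```

If kinit from the keytab fails while the password-based kinit above worked, compare the encryption type chosen in ktutil with what the account and domain controllers allow.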
Restart foreman-proxy
For CentOS 6/RHEL 6:
service foreman-proxy restart
For CentOS 7/RHEL 7:
systemctl restart foreman-proxy
Success: your Smart Proxy is now configured to provide dynamic DNS updates to Microsoft DNS.
These changes are not permanent at this stage. To make them permanent, run katello-installer with the following options:
katello-installer \
  --capsule-dns true \
  --capsule-dns-forwarders <server ip or hostname> \
  --capsule-dns-interface <eth0, eth1, ens192, etc.> \
  --capsule-dns-provider nsupdate_gss \
  --capsule-dns-reverse <reverse ip>.in-addr.arpa \
  --capsule-dns-server <ip or hostname of Active Directory DNS> \
  --capsule-dns-tsig-keytab /etc/foreman-proxy/dns.keytab \
  --capsule-dns-tsig-principal foremanproxy@EXAMPLE.COM
--capsule-dns-tsig-keytab is the Kerberos keytab for DNS updates using GSS-TSIG authentication (default: "/etc/foreman-proxy/dns.keytab").
--capsule-dns-tsig-principal is the Kerberos principal for DNS updates using GSS-TSIG authentication (default: "foremanproxy@Domain").
After this process finishes, all the changes are permanent.