Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 5. Configuring External Services

Some environments have existing DNS, DHCP, and TFTP services and do not need to use the Satellite Server to provide these services. If you want to use external servers to provide DNS, DHCP, or TFTP, you can configure them for use with Satellite Server.

If you want to disable these services in Satellite in order to manage them manually, see Section 3.5.6, “Disabling DNS, DHCP, and TFTP for Unmanaged Networks” for more information.

5.1. Configuring Satellite with External DNS
Copy link

You can configure Satellite to use an external server to provide DNS service.

  1. Deploy a Red Hat Enterprise Linux Server and install the ISC DNS Service. 

    # yum install bind bind-utils
    Copy to Clipboard Toggle word wrap

  2. Create the configuration for the domain.

    The following example configures a domain virtual.lan as one subnet 192.168.38.0/24, a security key named foreman, and sets forwarders to Google’s public DNS addresses (8.8.8.8 and 8.8.4.4). 

    # cat /etc/named.conf
include "/etc/rndc.key";

controls  {
    inet 192.168.38.2 port 953 allow { 192.168.38.1; 192.168.38.2; } keys { "capsule"; };
};

options  {
    directory "/var/named";
    forwarders { 8.8.8.8; 8.8.4.4; };
};

include "/etc/named.rfc1912.zones";

zone "38.168.192.in-addr.arpa" IN {
    type master;
    file "dynamic/38.168.192-rev";
    update-policy {
        grant "capsule" zonesub ANY;
    };
};

zone "virtual.lan" IN {
    type master;
    file "dynamic/virtual.lan";
    update-policy {
        grant "capsule" zonesub ANY;
    };
};
    Copy to Clipboard Toggle word wrap

    The inet line must be entered as one line in the configuration file.

  3. Create a key file. 

    # ddns-confgen -k capsule
    Copy to Clipboard Toggle word wrap

    This command can take a long time to complete.

  4. Copy and paste the output from the key section into a separate file called /etc/rndc.key. 

    # cat /etc/rndc.key
key "capsule" {
        algorithm hmac-sha256;
        secret "GeBbgGoLedEAAwNQPtPh3zP56MJbkwM84UJDtaUS9mw=";
};
    Copy to Clipboard Toggle word wrap
    Important

    This is the key used to change DNS server configuration. Only the root user should read and write to it.

  5. Create zone files. 

    # cat /var/named/dynamic/virtual.lan
$ORIGIN .
$TTL 10800      ; 3 hours
virtual.lan             IN SOA  service.virtual.lan. root.virtual.lan. (
                                9          ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      service.virtual.lan.
$ORIGIN virtual.lan.
$TTL 86400      ; 1 day
capsule                 A       192.168.38.1
service                 A       192.168.38.2
    Copy to Clipboard Toggle word wrap

  6. Create the reverse zone file. 

    # cat /var/named/dynamic/38.168.192-rev
$ORIGIN .
$TTL 10800      ; 3 hours
38.168.192.in-addr.arpa IN SOA  service.virtual.lan. root.38.168.192.in-addr.arpa. (
                                4          ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      service.virtual.lan.
$ORIGIN 38.168.192.in-addr.arpa.
$TTL 86400      ; 1 day
1                PTR     capsule.virtual.lan.
2                PTR     service.virtual.lan.
    Copy to Clipboard Toggle word wrap

    There should be no extra non-ASCII characters.

5.2. Verifying and Starting the DNS Service
Copy link

  1. Validate the syntax. 

    # named-checkconf -z /etc/named.conf
    Copy to Clipboard Toggle word wrap

  2. Start the server.

    1. If you are using Red Hat Enterprise Linux 6, run this command. 

      # service named restart
      Copy to Clipboard Toggle word wrap

    2. If you are using Red Hat Enterprise Linux 7, run this command. 

      # systemctl restart named
      Copy to Clipboard Toggle word wrap

  3. Add a new host.

    The following uses the example host 192.168.38.2. You should change this to suit your environment. 

    # echo -e "server 192.168.38.2\n \
update add aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key
    Copy to Clipboard Toggle word wrap

  4. Test that the DNS service can resolve the new host. 

    # nslookup aaa.virtual.lan 192.168.38.2
    Copy to Clipboard Toggle word wrap

  5. If necessary, delete the new entry. 

    # echo -e "server 192.168.38.2\n \
update delete aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key
    Copy to Clipboard Toggle word wrap

  6. Configure the firewall for external access to the DNS service (UDP and TCP on port 53).

    • For Satellite Server running Red Hat Enterprise Linux 7: 

      # firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
&& firewall-cmd --permanent --add-port="53/udp" --add-port="53/tcp"
      Copy to Clipboard Toggle word wrap

    • For Satellite Server running Red Hat Enterprise Linux 6: 

      # iptables -I INPUT -m state --state NEW -p udp \
--dport 53 -j ACCEPT \
&& iptables -I INPUT -m state --state NEW -p tcp \
--dport 53 -j ACCEPT \
&& service iptables save
      Copy to Clipboard Toggle word wrap

      Verify that the iptables service is started and enabled. 

      # service iptables start
# chkconfig iptables on
      Copy to Clipboard Toggle word wrap

5.3. Configuring Capsule Server with External DNS
Copy link

  1. On the Red Hat Enterprise Linux Server, install the ISC DNS Service. 

    # yum install bind bind-utils
    Copy to Clipboard Toggle word wrap

    Ensure that the nsupdate utility was installed. The Capsule uses the nsupdate utility to update DNS records on the remote server.

  2. Copy the /etc/rndc.key file from the services server to the Capsule Server. 

    # scp localfile username@hostname:remotefile
    Copy to Clipboard Toggle word wrap

  3. Verify that the key file has the correct owner, permissions, and SELinux label. 

    # ls /etc/rndc.key -Zla
-rw-r-----. root named system_u:object_r:dnssec_t:s0    /etc/rndc.key
    Copy to Clipboard Toggle word wrap

  4. Test the nsupdate utility by adding a host remotely. 

    # echo -e "server 192.168.38.2\n \
update add aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key
# nslookup aaa.virtual.lan 192.168.38.2
# echo -e "server 192.168.38.2\n \
update delete aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key
    Copy to Clipboard Toggle word wrap

  5. Run the satellite-installer script to make the following persistent changes to the /etc/foreman-proxy/settings.d/dns.yml file. 

    # satellite-installer --foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="192.168.38.2" \
--foreman-proxy-keyfile=/etc/rndc.key \
--foreman-proxy-dns-ttl=86400
    Copy to Clipboard Toggle word wrap

  6. Restart the foreman-proxy service.

    1. If you are using Red Hat Enterprise Linux 6, run this command. 

      # service foreman-proxy restart
      Copy to Clipboard Toggle word wrap

    2. If you are using Red Hat Enterprise Linux 7, run this command. 

      # systemctl restart foreman-proxy
      Copy to Clipboard Toggle word wrap
  7. Log in to the Satellite Server web UI.
  8. Go to Infrastructure > Capsules. Locate the appropriate Capsule Server and from the Actions drop-down list, select Refresh. The DNS feature should appear.
  9. Associate the DNS service with the appropriate subnets and domain.
Important

From Satellite 6.3 onwards, the foreman-proxy DHCP isc provider does not support remote DHCP lease files. You must follow the procedures in the Satellite 6.3 Installation guide to change to the new remote ISC DHCP provider remote_isc when you upgrade to Satellite 6.3. For more information about using remote_isc in Satellite 6.3, see Configuring Satellite Server with External DHCP in the Red Hat Satellite 6.3 Installation Guide.

  1. Deploy a Red Hat Enterprise Linux Server and install the ISC DHCP Service. 

    # yum install dhcp
    Copy to Clipboard Toggle word wrap

  2. Generate a security token in an empty directory. 

    # dnssec-keygen -a HMAC-MD5 -b 512 -n HOST omapi_key
    Copy to Clipboard Toggle word wrap

    The above command can take a long time, for less-secure proof-of-concept deployments you can use a non-blocking random number generator. 

    # dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST omapi_key
    Copy to Clipboard Toggle word wrap

    This will create the key pair in two files in the current directory.

  3. Copy the secret hash from the key. 

    # cat Komapi_key.+*.private |grep ^Key|cut -d ' ' -f2
    Copy to Clipboard Toggle word wrap

  4. Edit the dhcpd configuration file for all of the subnets and add the key. 

    # cat /etc/dhcp/dhcpd.conf
default-lease-time 604800;
max-lease-time 2592000;
log-facility local7;

subnet 192.168.38.0 netmask 255.255.255.0 {
	range 192.168.38.10 192.168.38.100;
	option routers 192.168.38.1;
	option subnet-mask 255.255.255.0;
	option domain-search "virtual.lan";
	option domain-name "virtual.lan";
	option domain-name-servers 8.8.8.8;
}

omapi-port 7911;
key omapi_key {
	algorithm HMAC-MD5;
	secret "jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw==";
};
omapi-key omapi_key;
    Copy to Clipboard Toggle word wrap
  5. Delete the two key files from the directory where you created them.

  6. Define each subnet on the Satellite Server.

    It is recommended to set up a lease range and reservation range separately to prevent conflicts. For example, the lease range is 192.168.38.10 to 192.168.38.100 so the reservation range (defined in the Satellite web UI) is 192.168.38.101 to 192.168.38.250. Do not set DHCP Capsule for the defined Subnet yet.

    ISC DHCP listens only on interfaces that match defined subnets. In this example, the server has an interface that routes to 192.168.38.0 subnet directly.

  7. Configure the firewall for external access to the DHCP server.

    • For Satellite Server running Red Hat Enterprise Linux 7: 

      # firewall-cmd --add-service dhcp \
&& firewall-cmd --permanent --add-service dhcp
      Copy to Clipboard Toggle word wrap

    • For Satellite Server running Red Hat Enterprise Linux 6: 

      # iptables -I INPUT -m state --state NEW -p tcp \
--dport 67 -j ACCEPT \
&& service iptables save
      Copy to Clipboard Toggle word wrap

      Verify that the iptables service is started and enabled. 

      # service iptables start
# chkconfig iptables on
      Copy to Clipboard Toggle word wrap

  8. Determine the UID and GID numbers of the foreman-proxy user on the Capsule Server. Create the same user and group with the same IDs on the DHCP server. 

    # groupadd -g 990 foreman-proxy
# useradd -u 992 -g 990 -s /sbin/nologin foreman-proxy
    Copy to Clipboard Toggle word wrap

  9. To make the configuration files readable, restore the read and execute flags. 

    # chmod o+rx /etc/dhcp/
# chmod o+r /etc/dhcp/dhcpd.conf
# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf
    Copy to Clipboard Toggle word wrap

  10. Start the DHCP service.

    1. If you are using Red Hat Enterprise Linux 6, run this command. 

      # service dhcpd start
      Copy to Clipboard Toggle word wrap

    2. If you are using Red Hat Enterprise Linux 7, run this command. 

      # systemctl start dhcpd
      Copy to Clipboard Toggle word wrap

  11. Export the DHCP configuration and leases files using NFS. 

    # yum install nfs-utils
# systemctl enable rpcbind nfs-server
# systemctl start rpcbind nfs-server nfs-lock nfs-idmapd
    Copy to Clipboard Toggle word wrap

  12. Create the DHCP configuration and leases files to be exported using NFS. 

    # mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
    Copy to Clipboard Toggle word wrap

  13. Add the newly created mount point to /etc/fstab file. 

    /var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
/etc/dhcp /exports/etc/dhcp none bind,auto 0 0
    Copy to Clipboard Toggle word wrap

  14. Mount the file systems in /etc/fstab. 

    # mount -a
    Copy to Clipboard Toggle word wrap

  15. Ensure the following lines are present in /etc/exports: 

    /exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)
    Copy to Clipboard Toggle word wrap 
    /exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
    Copy to Clipboard Toggle word wrap 
    /exports/var/lib/dhcpd
192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
    Copy to Clipboard Toggle word wrap

  16. Reload the NFS server. 

    # exportfs -rva
    Copy to Clipboard Toggle word wrap

  17. Configure the firewall for the DHCP omapi port 7911 for the Capsule Server.

    • On Red Hat Enterprise Linux 7, run the following command: 

      # firewall-cmd --add-port="7911/tcp" \
&& firewall-cmd --permanent --add-port="7911/tcp"
      Copy to Clipboard Toggle word wrap

    • On Red Hat Enterprise Linux 6, run the following commands: 

      # iptables -I INPUT -m state --state NEW -p tcp \
--dport 7911 -j ACCEPT \
&& service iptables save
      Copy to Clipboard Toggle word wrap

      Ensure that the iptables service is started and enabled. 

      # service iptables start
# chkconfig iptables on
      Copy to Clipboard Toggle word wrap

  18. If required, configure the firewall for external access to NFS.

    Clients are configured using NFSv3.

    • On Red Hat Enterprise Linux 7, use the firewalld daemon’s NFS service to configure the firewall. 

      # firewall-cmd --zone public --add-service mountd \
&& firewall-cmd --zone public --add-service rpc-bind \
&& firewall-cmd --zone public --add-service nfs \
&& firewall-cmd --permanent --zone public --add-service mountd \
&& firewall-cmd --permanent --zone public --add-service rpc-bind \
&& firewall-cmd --permanent --zone public --add-service nfs
      Copy to Clipboard Toggle word wrap

    • On Red Hat Enterprise Linux 6, configure the ports for NFSv3 in the /etc/sysconfig/nfs file. 

      LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020
      Copy to Clipboard Toggle word wrap

      Restart the service. 

      # service nfs restart
      Copy to Clipboard Toggle word wrap

      Add rules to the /etc/sysconfig/iptables file. 

      # iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p udp \
--dport 111 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp \
--dport 111 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p udp \
--dport 2049 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp \
--dport 2049 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp \
--dport 32803 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p udp \
--dport 32769 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p udp \
--dport 892 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp \
--dport 892 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p udp \
--dport 875 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp \
--dport 875 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p udp \
--dport 662 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp \
--dport 662 -j ACCEPT \
&& service iptables save
      Copy to Clipboard Toggle word wrap

      Restart the firewall. 

      # service iptables restart
      Copy to Clipboard Toggle word wrap

For more information on using NFSv3 behind a firewall on Red Hat Enterprise Linux 6, see Running NFS Behind a Firewall in the Red Hat Enterprise Linux 6 Storage Administration Guide.

5.5. Configuring Capsule Server with External DHCP
Copy link

  1. Install the NFS client. 

    # yum install nfs-utils
    Copy to Clipboard Toggle word wrap

  2. Create the DHCP directories for NFS. 

    # mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd
    Copy to Clipboard Toggle word wrap

  3. Change the file owner. 

    # chown -R foreman-proxy /mnt/nfs
    Copy to Clipboard Toggle word wrap

  4. Verify communication with the NFS server and RPC communication paths. 

    # showmount -e 192.168.38.2
# rpcinfo -p 192.168.38.2
    Copy to Clipboard Toggle word wrap

  5. Add the following lines to the /etc/fstab file: 

    192.168.38.2:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0
    Copy to Clipboard Toggle word wrap 
    192.168.38.2:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0
    Copy to Clipboard Toggle word wrap

  6. Mount the file systems on /etc/fstab. 

    # mount -a
    Copy to Clipboard Toggle word wrap

  7. Read the relevant files. 

    # su foreman-proxy -s /bin/bash
bash-4.2$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
bash-4.2$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
bash-4.2$ exit
    Copy to Clipboard Toggle word wrap

  8. Run the satellite-installer script to make the following persistent changes to the /etc/foreman-proxy/settings.d/dhcp.yml file. 

    # satellite-installer --foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-provider=isc \
--foreman-proxy-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
--foreman-proxy-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
--foreman-proxy-dhcp-key-name=omapi_key \
--foreman-proxy-dhcp-key-secret=jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw== \
--foreman-proxy-dhcp-server dhcp.example.com
    Copy to Clipboard Toggle word wrap

  9. Restart the foreman-proxy service.

    1. If you are using Red Hat Enterprise Linux 6, run this command. 

      # service foreman-proxy restart
      Copy to Clipboard Toggle word wrap

    2. If you are using Red Hat Enterprise Linux 7, run this command. 

      # systemctl restart foreman-proxy
      Copy to Clipboard Toggle word wrap
  10. Log in to the Satellite Server web UI.
  11. Go to Infrastructure > Capsules. Locate the appropriate Capsule Server and from the Actions drop-down list, select Refresh. The DHCP feature should appear.
  12. Associate the DHCP service with the appropriate subnets and domain.

Before You Begin

Configure Satellite Server with External TFTP

  1. Install and enable the TFTP server. 

    # yum install tftp-server syslinux
    Copy to Clipboard Toggle word wrap

    1. On Red Hat Enterprise 7, enable and activate the tftp.socket unit. 

      # systemctl enable tftp.socket
# systemctl start tftp.socket
      Copy to Clipboard Toggle word wrap

    2. On Red Hat Enterprise Linux 6, enable and start the xinetd service. 

      # service xinetd enable
# service xinetd start
      Copy to Clipboard Toggle word wrap

  2. Configure the PXELinux environment. 

    # mkdir -p /var/lib/tftpboot/{boot,pxelinux.cfg}
# cp /usr/share/syslinux/{pxelinux.0,menu.c32,chain.c32} \
/var/lib/tftpboot/
    Copy to Clipboard Toggle word wrap

  3. Restore SELinux file contexts. 

    # restorecon -RvF /var/lib/tftpboot/
    Copy to Clipboard Toggle word wrap

  4. Create the TFTP directory to be exported using NFS. 

    # mkdir -p /exports/var/lib/tftpboot
    Copy to Clipboard Toggle word wrap

  5. Add the newly created mount point to the /etc/fstab file. 

    /var/lib/tftpboot /exports/var/lib/tftpboot none bind,auto 0 0
    Copy to Clipboard Toggle word wrap

  6. Mount the file systems in /etc/fstab. 

    # mount -a
    Copy to Clipboard Toggle word wrap

  7. Ensure the following lines are present in /etc/exports: 

    /exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)
    Copy to Clipboard Toggle word wrap 
    /exports/var/lib/tftpboot 192.168.38.1(rw,async,no_root_squash,no_subtree_check,nohide)
    Copy to Clipboard Toggle word wrap

    The first line is common to the DHCP configuration and therefore should already be present if the previous procedure was completed on this system.

  8. Reload the NFS server. 

    # exportfs -rva
    Copy to Clipboard Toggle word wrap

Configuring the Firewall for External Access to the TFTP Service Using Red Hat Enterprise Linux 7

  1. Configure the firewall (UDP on port 69). 

    # firewall-cmd --add-port="69/udp" \
&& firewall-cmd --permanent --add-port="69/udp"
    Copy to Clipboard Toggle word wrap

Configuring the Firewall for External Access to the TFTP Service Using Red Hat Enterprise Linux 6

  1. Configure the firewall. 

    # iptables -I INPUT -m state --state NEW -p tcp --dport 69 -j ACCEPT \
&& service iptables save
    Copy to Clipboard Toggle word wrap

  2. Ensure the iptables service is started and enabled. 

    # service iptables start
# chkconfig iptables on
    Copy to Clipboard Toggle word wrap

5.7. Configuring Capsule Server with External TFTP
Copy link

  1. Create the TFTP directory to prepare for NFS. 

    # mkdir -p /mnt/nfs/var/lib/tftpboot
    Copy to Clipboard Toggle word wrap

  2. Add the following line in the /etc/fstab file: 

    192.168.38.2:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0
    Copy to Clipboard Toggle word wrap

  3. Mount the file systems in /etc/fstab. 

    # mount -a
    Copy to Clipboard Toggle word wrap

  4. Run the satellite-installer script to make the following persistent changes to the /etc/foreman-proxy/settings.d/tftp.yml file. 

    # satellite-installer --foreman-proxy-tftp=true \
--foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot
    Copy to Clipboard Toggle word wrap

  5. If the TFTP service is running on a different server than the DHCP service, update the tftp_servername setting with the FQDN or IP address of that server. 

    # satellite-installer --foreman-proxy-tftp-servername=new_FQDN
    Copy to Clipboard Toggle word wrap

    This updates all configuration files with the new value.

  6. Log in to the Satellite Server web UI.
  7. Go to Infrastructure > Capsules. Locate the appropriate Capsule Server and from the Actions drop-down list, select Refresh. The TFTP feature should appear.
  8. Associate the TFTP service with the appropriate subnets and domain.

5.8. Configuring Satellite with External IdM DNS
Copy link

Red Hat Satellite can be configured to use a Red Hat Identity Management (IdM) server to provide the DNS service. Two methods are described here to achieve this, both using a transaction key. For more information on Red Hat Identity Management, see the Linux Domain Identity, Authentication, and Policy Guide.

The first method is to install the IdM client which will handle the process automatically using the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in RFC3645. This method requires installing the IdM client on the Satellite Server or Capsule’s base system and having an account created by the IdM server administrator for use by the Satellite administrator. See Section 5.8.1, “Configuring Dynamic DNS Update with GSS-TSIG Authentication” to use this method.

The second method, secret key transaction authentication for DNS (TSIG), uses an rndc.key for authentication. It requires root access to the IdM server to edit the BIND configuration file, installing the BIND utility on the Satellite Server’s base system, and coping the rndc.key to between the systems. This technology is defined in RFC2845. See Section 5.8.2, “Configuring Dynamic DNS Update with TSIG Authentication” to use this method.

Note

You are not required to use Satellite to manage DNS. If you are already using the Realm enrollment feature of Satellite, where provisioned hosts are enrolled automatically to IdM, then the ipa-client-install script will create DNS records for the client. The following procedure and Realm enrollment are therefore mutually exclusive. See External Authentication for Provisioned Hosts in the Server Administration Guide for more information on configuring Realm enrollment.

Determining where to install the IdM Client

When Satellite Server wants to add a DNS record for a host, it first determines which Capsule is providing DNS for that domain. It then communicates with the Capsule and adds the record. The hosts themselves are not involved in this process. This means you should install and configure the IdM client on the Satellite or Capsule that is currently configured to provide a DNS service for the domain you want to manage using the IdM server.

In this example, Satellite Server has the following settings.

Expand

Host name

satellite.example.com

Network

192.168.55.0/24

The IdM server has the following settings.

Expand

Host name

idm1.example.com

Domain name

example.com

Before you Begin.

  1. Confirm the IdM server is deployed and the host-based firewall has been configured correctly. See Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide for more information.
  2. Obtain an account on the IdM server with permissions to create zones on the IdM server.
  3. Confirm if the Satellite or an external Capsule is managing DNS for a domain.
  4. Confirm that the Satellite or external Capsule are currently working as expected.
  5. In the case of a newly installed system, complete the installation procedures in this guide first. In particular, DNS and DHCP configuration should have been completed.
  6. Optionally, make a backup of the answer file. This can make it easier to revert to using the internal DNS service. See Section 3.3.4, “Configuring Red Hat Satellite with an Answer File” for more information.

Create a Kerberos Principal on the IdM Server.

  1. Ensure you have a Kerberos ticket. 

    # kinit idm_user
    Copy to Clipboard Toggle word wrap

    Where idm_user is the account created for you by the IdM administrator.

  2. Create a new Kerberos principal for the Satellite or Capsule to use to authenticate to the IdM server. 

    # ipa service-add capsule/satellite.example.com
    Copy to Clipboard Toggle word wrap

Install and Configure the IdM Client.

Do this on the Satellite or Capsule Server that is managing the DNS service for a domain.

  1. Install the IdM client package. 

    # yum install ipa-client
    Copy to Clipboard Toggle word wrap

  2. Configure the IdM client by running the installation script and following the on-screen prompts. 

    # ipa-client-install
    Copy to Clipboard Toggle word wrap

  3. Ensure you have a Kerberos ticket. 

    # kinit admin
    Copy to Clipboard Toggle word wrap

  4. Remove any preexisting keytab. 

    # rm /etc/foreman-proxy/dns.keytab
    Copy to Clipboard Toggle word wrap

  5. Get the keytab created for this system. 

    # ipa-getkeytab -p capsule/satellite.example.com@EXAMPLE.COM \
-s idm1.example.com -k /etc/foreman-proxy/dns.keytab
    Copy to Clipboard Toggle word wrap
    Note

    When adding a keytab to a standby system with the same host name as the original system in service, add the r option to prevent generating new credentials and rendering the credentials on the original system invalid.

  6. Set the group and owner for the keytab file to foreman-proxy as follows. 

    # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab
    Copy to Clipboard Toggle word wrap

  7. If required, check the keytab is valid. 

    # kinit -kt /etc/foreman-proxy/dns.keytab \
capsule/satellite.example.com@EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

Configure DNS Zones in the IdM web UI.

  1. Create and configure the zone to be managed:

    1. Navigate to Network Services > DNS > DNS Zones.
    2. Select Add and enter the zone name. In this example, example.com.
    3. Click Add and Edit.

    4. On the Settings tab, in the BIND update policy box, add an entry as follows to the semi-colon separated list. 

      grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
      Copy to Clipboard Toggle word wrap
    5. Ensure Dynamic update is set to True.
    6. Enable Allow PTR sync.
    7. Select Save to save the changes.

  2. Create and Configure the reverse zone.

    1. Navigate to Network Services > DNS > DNS Zones.
    2. Select Add.
    3. Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.
    4. Click Add and Edit.

    5. On the Settings tab, in the BIND update policy box, add an entry as follows to the semi-colon separated list: 

      grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
      Copy to Clipboard Toggle word wrap
    6. Ensure Dynamic update is set to True.
    7. Select Save to save the changes.

Run the Installation Script on the Satellite or Capsule Server that is Managing the DNS Service for the Domain.

  • On a Satellite Server’s Base System. 

    satellite-installer --scenario satellite \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-principal="capsule/satellite.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-reverse="55.168.192.in-addr.arpa" \
--foreman-proxy-dns-zone=example.com \
--foreman-proxy-dns-ttl=86400
    Copy to Clipboard Toggle word wrap

  • On a Capsule Server’s Base System. 

    satellite-installer --scenario capsule \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-principal="capsule/satellite.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-reverse="55.168.192.in-addr.arpa" \
--foreman-proxy-dns-zone=example.com \
--foreman-proxy-dns-ttl=86400
    Copy to Clipboard Toggle word wrap

Restart the Satellite or Capsule’s Proxy Service.

  • On Red Hat Enterprise Linux 7. 

    # systemctl restart foreman-proxy
    Copy to Clipboard Toggle word wrap

  • On Red Hat Enterprise Linux 6. 

    # service foreman-proxy restart
    Copy to Clipboard Toggle word wrap

Update the Configuration in Satellite web UI.

After you have run the installation script to make any changes to a Capsule, instruct Satellite to scan the configuration on each affected Capsule as follows:

  1. Navigate to Infrastructure > Capsules.
  2. For each Capsule to be updated, from the Actions drop-down menu, select Refresh.

  3. Configure the domain:

    1. Go to Infrastructure > Domains and select the domain name.
    2. On the Domain tab, ensure DNS Capsule is set to the Capsule where the subnet is connected.

  4. Configure the subnet:

    1. Go to Infrastructure > Subnets and select the subnet name.
    2. On the Subnet tab, set IPAM to None.
    3. On the Domains tab, ensure the domain to be managed by the IdM server is selected.
    4. On the Capsules tab, ensure Reverse DNS Capsule is set to the Capsule where the subnet is connected.
    5. Click Submit to save the changes.

In this example, Satellite Server has the following settings.

Expand

IP address

192.168.25.1

Host name

satellite.example.com

The IdM server has the following settings.

Expand

Host name

idm1.example.com

IP address

192.168.25.2

Domain name

example.com

Before you Begin

  1. Confirm the IdM Server is deployed and the host-based firewall has been configured correctly. See Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide for more information.
  2. Obtain root user privileges on the IdM server.
  3. Confirm if the Satellite or an external Capsule is managing DNS for a domain.
  4. Confirm that the Satellite or external Capsule are currently working as expected.
  5. In the case of a newly installed system, complete the installation procedures in this guide first. In particular, DNS and DHCP configuration should have been completed.
  6. Optionally, make a backup of the answer file. This can make it easier to revert to using the internal DNS service. See Section 3.3.4, “Configuring Red Hat Satellite with an Answer File” for more information.

Enabling External Updates to the DNS Zone in the IdM Server

  1. On the IdM Server, add the following to the top of the /etc/named.conf file. 

    // This was added to allow Satellite Server at 192.168.25.1 to make DNS updates.
########################################################################
include "/etc/rndc.key";
controls  {
inet 192.168.25.2 port 953 allow { 192.168.25.1; } keys { "rndc-key"; };
};
########################################################################
    Copy to Clipboard Toggle word wrap

  2. In the IdM web UI, go to Network Services > DNS > DNS Zones. Select the name of the zone. On the Settings tab:

    1. Add the following in the BIND update policy box. 

      grant "rndc-key" zonesub ANY;
      Copy to Clipboard Toggle word wrap
    2. Ensure Dynamic update is set to True.
    3. Click Update to save the changes.

  3. Copy the /etc/rndc.key file from the IdM server to a secure location for later use. Alternatively, copy it directly to Satellite’s base system as follows. 

    # scp /etc/rndc.key root@satellite.example.com:/etc/rndc.key
    Copy to Clipboard Toggle word wrap

  4. On Satellite Server, run the installation script as follows to use the external DNS server. 

    # satellite-installer --scenario satellite \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="192.168.25.2" \
--foreman-proxy-keyfile=/etc/rndc.key \
--foreman-proxy-dns-ttl=86400
    Copy to Clipboard Toggle word wrap

Testing External Updates to the DNS Zone in the IdM Server

  1. Install bind-utils for testing with nsupdate. 

    # yum install bind-utils
    Copy to Clipboard Toggle word wrap

  2. Ensure the key in the /etc/rndc.key file on Satellite Server is the same one as used on the IdM server. 

    key "rndc-key" {
        algorithm hmac-md5;
        secret "secret-key==";
};
    Copy to Clipboard Toggle word wrap

  3. On Satellite Server, create a test DNS entry for a host. For example, host test.example.com with an A record of 192.168.25.20 on the IdM server at 192.168.25.1. 

    # echo -e "server 192.168.25.1\n \
update add test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key
    Copy to Clipboard Toggle word wrap

  4. On Satellite Server, test the DNS entry. 

    # nslookup test.example.com 192.168.25.1
Server:		192.168.25.1
Address:	192.168.25.1#53

Name:	test.example.com
Address: 192.168.25.20
    Copy to Clipboard Toggle word wrap
  5. To view the entry in the IdM web UI, go to Network Services > DNS > DNS Zones. Select the name of the zone and search for the host by name.

  6. If resolved successfully, remove the test DNS entry. 

    # echo -e "server 192.168.25.1\n \
update delete test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key
    Copy to Clipboard Toggle word wrap

  7. Confirm that the DNS entry was removed. 

    # nslookup test.example.com 192.168.25.1
    Copy to Clipboard Toggle word wrap

    The above nslookup command will fail and output the SERVFAIL error message if the record was successfully deleted.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat