4.4. Configuring Capsule Server with External IdM DNS
When Satellite Server adds a DNS record for a host, it first determines which Capsule is providing DNS for that domain. It then communicates with the Capsule that is configured to provide DNS service for your deployment and adds the record. The hosts are not involved in this process. Therefore, you must install and configure the IdM client on the Satellite or Capsule that is currently configured to provide a DNS service for the domain you want to manage using the IdM server.
Capsule Server can be configured to use a Red Hat Identity Management (IdM) server to provide DNS service. For more information about Red Hat Identity Management, see the Linux Domain Identity, Authentication, and Policy Guide.
To configure Capsule Server to use a Red Hat Identity Management (IdM) server to provide DNS service, use one of the procedures in this section. A separate procedure describes how to revert to the internal DNS service.
You are not required to use Capsule Server to manage DNS. When you use the realm enrollment feature of Satellite, where provisioned hosts are enrolled automatically in IdM, the ipa-client-install script creates the DNS records for the client itself. Configuring Capsule Server with external IdM DNS and realm enrollment are mutually exclusive. For more information about configuring realm enrollment, see External Authentication for Provisioned Hosts in Administering Red Hat Satellite.
4.4.1. Configuring Dynamic DNS Update with GSS-TSIG Authentication
You can configure the IdM server to accept dynamic DNS updates authenticated with the Generic Security Service Algorithm for Secret Key Transaction (GSS-TSIG) defined in RFC 3645. With GSS-TSIG, the Capsule authenticates each update with a Kerberos service principal instead of a shared TSIG secret. To use GSS-TSIG, you must install the IdM client on the base operating system of the Satellite or Capsule that provides the DNS service.
Prerequisites
- You must ensure the IdM server is deployed and the host-based firewall is configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
- You must contact the IdM server administrator to ensure that you obtain an account on the IdM server with permissions to create zones on the IdM server.
- You must confirm whether Satellite Server or Capsule Server is configured to provide DNS service for your deployment.
- You must configure DNS, DHCP and TFTP services on the base operating system of either the Satellite or Capsule that is managing the DNS service for your deployment.
- You must create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Satellite Server.
Procedure
To configure dynamic DNS update with GSS-TSIG authentication, complete the following steps:
Creating a Kerberos Principal on the IdM Server
- Obtain a Kerberos ticket for the account obtained from the IdM administrator:
# kinit idm_user
- Create a new Kerberos service principal for Capsule Server to use to authenticate on the IdM server. The service name and host name of this principal must match the principal that you later export to the keytab and grant in the BIND update policy:
# ipa service-add capsule/satellite.example.com
Installing and Configuring the IdM Client
- On the base operating system of either the Satellite or Capsule that is managing the DNS service for your deployment, install the ipa-client package:
# satellite-maintain packages install ipa-client
- Configure the IdM client by running the installation script and following the on-screen prompts:
# ipa-client-install
- Obtain a Kerberos ticket:
# kinit admin
- Remove any preexisting keytab:
# rm /etc/foreman-proxy/dns.keytab
- Obtain the keytab for this system:
# ipa-getkeytab -p capsule/satellite.example.com@EXAMPLE.COM \
    -s idm1.example.com -k /etc/foreman-proxy/dns.keytab
Note: ipa-getkeytab generates a new key for the principal, so any keytab previously issued for that principal stops working. When adding a keytab to a standby system with the same host name as the original system in service, add the -r option to retrieve the existing key instead of generating a new one, which would render the credentials on the original system invalid.
- For the dns.keytab file, set the group and owner to foreman-proxy:
# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab
The keytab is a long-lived credential that can modify every record in the zones you grant it below, so make sure it is readable only by the foreman-proxy user and is never copied into backups or configuration management without protection.
- Optional: To verify that the keytab file is valid, enter the following command:
# kinit -kt /etc/foreman-proxy/dns.keytab \
    capsule/satellite.example.com@EXAMPLE.COM
Configuring DNS Zones in the IdM web UI
Create and configure the zone that you want to manage:
- Navigate to Network Services > DNS > DNS Zones.
- Select Add and enter the zone name. For example, example.com.
- Click Add and Edit.
- Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
grant capsule/satellite.example.com@EXAMPLE.COM wildcard * ANY;
- Set Dynamic update to True.
- Enable Allow PTR sync.
- Click Save to save the changes.
Create and configure the reverse zone:
- Navigate to Network Services > DNS > DNS Zones.
- Click Add.
- Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.
- Click Add and Edit.
- Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
grant capsule/satellite.example.com@EXAMPLE.COM wildcard * ANY;
- Set Dynamic update to True.
- Click Save to save the changes.
The identity in each grant statement must match the Kerberos principal stored in the keytab exactly, including the realm, or BIND rejects the signed update. Note that wildcard * ANY authorizes that principal to add or delete any record type at any name in the zone, which is what lets the Capsule manage A, AAAA and PTR records for provisioned hosts; it also means the keytab alone is sufficient to rewrite the zone.
Configuring the Satellite or Capsule Server that Manages the DNS Service for the Domain
- Use the satellite-installer command to configure the Satellite or Capsule that manages the DNS service for the domain. The command differs depending on whether you run it on Satellite or on Capsule; run the variant for your server.
- Restart the Satellite or Capsule's Proxy Service:
# systemctl restart foreman-proxy
After you run the satellite-installer command to make any changes to your Capsule configuration, you must update the configuration of each affected Capsule in the Satellite web UI.
Updating the Configuration in the Satellite web UI
- Navigate to Infrastructure > Capsules, locate the Capsule Server, and from the list in the Actions column, select Refresh.
Configure the domain:
- Navigate to Infrastructure > Domains and select the domain name.
- In the Domain tab, ensure DNS Capsule is set to the Capsule where the subnet is connected.
Configure the subnet:
- Navigate to Infrastructure > Subnets and select the subnet name.
- In the Subnet tab, set IPAM to None.
- In the Domains tab, select the domain that you want to manage using the IdM server.
- In the Capsules tab, ensure Reverse DNS Capsule is set to the Capsule where the subnet is connected.
- Click Submit to save the changes.
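The following script is an added example, not part of the Red Hat documentation or of Satellite itself. It checks the two things that most often break this setup after the procedure above, the ownership and mode of the keytab and whether the principal can actually perform a signed update against the zones, by running the same sequence foreman-proxy uses: kinit from the keytab, then nsupdate in GSS-TSIG mode. The principal capsule/satellite.example.com@EXAMPLE.COM, keytab path, IdM server idm1.example.com and zone example.com are the values used on this page; the reverse zone 2.0.192.in-addr.arpa and the test host host1.example.com at 192.0.2.10 are constructed for the example. The permission check uses GNU stat -c.

```shell
#!/bin/sh
# Added example (not Red Hat or Satellite code): sanity checks for the GSS-TSIG
# DNS setup. Assumed values: principal capsule/satellite.example.com@EXAMPLE.COM,
# keytab /etc/foreman-proxy/dns.keytab, IdM DNS server idm1.example.com,
# forward zone example.com, constructed reverse zone 2.0.192.in-addr.arpa and
# constructed test host host1.example.com / 192.0.2.10.

# Verify owner, group and mode of the keytab. It is a long-lived credential that
# can rewrite the whole zone, so anything more permissive than 0600/0640 fails.
# Uses GNU stat -c (assumed; adjust on non-GNU systems).
check_keytab_perms() {
    kt=$1; want_user=$2; want_group=$3
    [ -f "$kt" ] || { echo "keytab missing: $kt" >&2; return 1; }
    got=$(stat -c '%U:%G %a' "$kt")
    case "$got" in
        "$want_user:$want_group 600"|"$want_user:$want_group 640") return 0 ;;
    esac
    echo "unexpected ownership/mode on $kt: $got" >&2
    return 1
}

# Reverse (PTR) owner name for an IPv4 address: 192.0.2.10 -> 10.2.0.192.in-addr.arpa
ptr_name() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# nsupdate batch that replaces the A record for a host. The zone is stated
# explicitly so the server refuses the update if the name is outside it.
nsupdate_a_batch() {
    server=$1; zone=$2; fqdn=$3; ip=$4; ttl=${5:-3600}
    printf 'server %s\nzone %s\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$server" "$zone" "$fqdn" "$fqdn" "$ttl" "$ip"
}

# Matching PTR batch for the reverse zone.
nsupdate_ptr_batch() {
    server=$1; rzone=$2; fqdn=$3; ip=$4; ttl=${5:-3600}
    name=$(ptr_name "$ip")
    printf 'server %s\nzone %s\nupdate delete %s. PTR\nupdate add %s. %s PTR %s.\nsend\n' \
        "$server" "$rzone" "$name" "$name" "$ttl" "$fqdn"
}

# Live check on the Capsule: needs klist/kinit/kdestroy, nsupdate and dig.
gss_update_check() {
    principal=$1; keytab=$2; server=$3; zone=$4; rzone=$5; fqdn=$6; ip=$7
    # Throwaway credential cache so root's and foreman-proxy's caches are untouched.
    KRB5CCNAME=$(mktemp -u /tmp/dns-gss-test.XXXXXX); export KRB5CCNAME
    klist -kt "$keytab" || return 1                  # list principals in the keytab
    kinit -kt "$keytab" "$principal" || return 1     # same validity check as the page
    nsupdate_a_batch "$server" "$zone" "$fqdn" "$ip" | nsupdate -g || return 1
    nsupdate_ptr_batch "$server" "$rzone" "$fqdn" "$ip" | nsupdate -g || return 1
    dig +short @"$server" "$fqdn" A                  # should print the address
    dig +short @"$server" -x "$ip" PTR               # should print the FQDN
    kdestroy
}

# Only perform the live update when explicitly asked: sh dns-gss-check.sh run
if [ "${1:-}" = run ]; then
    check_keytab_perms /etc/foreman-proxy/dns.keytab foreman-proxy foreman-proxy || exit 1
    gss_update_check capsule/satellite.example.com@EXAMPLE.COM \
        /etc/foreman-proxy/dns.keytab idm1.example.com example.com \
        2.0.192.in-addr.arpa host1.example.com 192.0.2.10
fi
```

Run it as root on the Capsule with the run argument after the zones have been saved in the IdM web UI. A REFUSED response from nsupdate -g with a valid ticket means the grant identity in the BIND update policy does not match the principal in the keytab; a failure at the kinit step means the keytab was regenerated elsewhere (see the -r note above) or has the wrong ownership. Remove the test records afterwards with the same batches using only the update delete lines.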