4.4. Configuring Capsule Server with External IdM DNS


When Satellite Server adds a DNS record for a host, it first determines which Capsule is providing DNS for that domain. It then communicates with the Capsule that is configured to provide DNS service for your deployment and adds the record. The hosts are not involved in this process. Therefore, you must install and configure the IdM client on the Satellite or Capsule that is currently configured to provide a DNS service for the domain you want to manage using the IdM server.

Capsule Server can be configured to use a Red Hat Identity Management (IdM) server to provide DNS service. For more information about Red Hat Identity Management, see the Linux Domain Identity, Authentication, and Policy Guide.

To configure Capsule Server to use a Red Hat Identity Management (IdM) server to provide DNS service, use one of the following procedures:

To revert to internal DNS service, use the following procedure:

Note

You are not required to use Capsule Server to manage DNS. When you are using the realm enrollment feature of Satellite, where provisioned hosts are enrolled automatically to IdM, the ipa-client-install script creates DNS records for the client. Configuring Capsule Server with external IdM DNS and realm enrollment are mutually exclusive. For more information about configuring realm enrollment, see External Authentication for Provisioned Hosts in Administering Red Hat Satellite.

4.4.1. Configuring Dynamic DNS Update with GSS-TSIG Authentication

You can configure the IdM server to use the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in RFC3645. To configure the IdM server to use the GSS-TSIG technology, you must install the IdM client on the Capsule Server base operating system.

Prerequisites

  • You must ensure the IdM server is deployed and the host-based firewall is configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
  • You must contact the IdM server administrator to ensure that you obtain an account on the IdM server with permissions to create zones on the IdM server.
  • You must confirm whether Satellite Server or Capsule Server is configured to provide DNS service for your deployment.
  • You must configure DNS, DHCP and TFTP services on the base operating system of either the Satellite or Capsule that is managing the DNS service for your deployment.
  • You must create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Satellite Server.

Procedure

To configure dynamic DNS update with GSS-TSIG authentication, complete the following steps:

Creating a Kerberos Principal on the IdM Server

  1. Obtain a Kerberos ticket for the account obtained from the IdM administrator:

    # kinit idm_user
  2. Create a new Kerberos principal for Capsule Server to use to authenticate on the IdM server.

    # ipa service-add capsule.example.com

Installing and Configuring the IdM Client

  1. On the base operating system of either the Satellite or Capsule that is managing the DNS service for your deployment, install the ipa-client package:

    # satellite-maintain packages install ipa-client
  2. Configure the IdM client by running the installation script and following the on-screen prompts:

    # ipa-client-install
  3. Obtain a Kerberos ticket:

    # kinit admin
  4. Remove any preexisting keytab:

    # rm /etc/foreman-proxy/dns.keytab
  5. Obtain the keytab for this system:

    # ipa-getkeytab -p capsule/satellite.example.com@EXAMPLE.COM \
    -s idm1.example.com -k /etc/foreman-proxy/dns.keytab
    Note

    When adding a keytab to a standby system with the same host name as the original system in service, add the -r option to prevent generating new credentials and rendering the credentials on the original system invalid.

  6. For the dns.keytab file, set the group and owner to foreman-proxy:

    # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab
  7. Optional: To verify that the keytab file is valid, enter the following command:

    # kinit -kt /etc/foreman-proxy/dns.keytab \
    capsule/satellite.example.com@EXAMPLE.COM

Configuring DNS Zones in the IdM web UI

  1. Create and configure the zone that you want to manage:

    1. Navigate to Network Services > DNS > DNS Zones.
    2. Select Add and enter the zone name. For example, example.com.
    3. Click Add and Edit.
    4. Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:

      grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
    5. Set Dynamic update to True.
    6. Enable Allow PTR sync.
    7. Click Save to save the changes.
  2. Create and configure the reverse zone:

    1. Navigate to Network Services > DNS > DNS Zones.
    2. Click Add.
    3. Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.
    4. Click Add and Edit.
    5. Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:

      grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
    6. Set Dynamic update to True.
    7. Click Save to save the changes.

Configuring the Satellite or Capsule Server that Manages the DNS Service for the Domain

  1. Use the satellite-installer command to configure the Satellite or Capsule that manages the DNS Service for the domain:

    • On Satellite, enter the following command:

      satellite-installer --scenario satellite \
      --foreman-proxy-dns=true \
      --foreman-proxy-dns-managed=true \
      --foreman-proxy-dns-provider=nsupdate_gss \
      --foreman-proxy-dns-server="idm1.example.com" \
      --foreman-proxy-dns-tsig-principal="capsule/satellite.example.com@EXAMPLE.COM" \
      --foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
      --foreman-proxy-dns-reverse="55.168.192.in-addr.arpa" \
      --foreman-proxy-dns-zone=example.com \
      --foreman-proxy-dns-ttl=86400
    • On Capsule, enter the following command:

      satellite-installer --scenario capsule \
      --foreman-proxy-dns=true \
      --foreman-proxy-dns-managed=true \
      --foreman-proxy-dns-provider=nsupdate_gss \
      --foreman-proxy-dns-server="idm1.example.com" \
      --foreman-proxy-dns-tsig-principal="capsule/satellite.example.com@EXAMPLE.COM" \
      --foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
      --foreman-proxy-dns-reverse="55.168.192.in-addr.arpa" \
      --foreman-proxy-dns-zone=example.com \
      --foreman-proxy-dns-ttl=86400
  2. Restart the Satellite or Capsule’s Proxy Service.

    # systemctl restart foreman-proxy
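The following helper script is an added example and is not part of the Red Hat Satellite documentation or of the satellite-installer tooling. It covers three points in the procedure above that are easy to get wrong: the BIND update-policy grant rule (BIND parses the identity as a DNS name, so the "/" in the principal must be written as the decimal escape \047, which is why the documented rule reads capsule\047satellite.example.com), the in-addr.arpa name passed to --foreman-proxy-dns-reverse, and the ownership and permissions of /etc/foreman-proxy/dns.keytab, which is the credential that signs every dynamic update sent to IdM. The function names bind_grant_line, reverse_zone and keytab_check are this example's own; the foreman-proxy user and the keytab path are taken from the procedure.

```bash
#!/bin/bash
# Added example, not part of the Red Hat Satellite documentation: small
# helpers for preparing and sanity-checking the GSS-TSIG DNS setup above.
# Function names (bind_grant_line, reverse_zone, keytab_check) are this
# example's own; the paths and the foreman-proxy user come from the procedure.

# Render a Kerberos principal as a BIND update-policy "grant" rule.
# BIND parses the identity as a DNS name, so the "/" in "capsule/host" has to
# be written as the decimal escape \047 (ASCII 47), which is why the policy
# in the procedure reads capsule\047satellite.example.com.
bind_grant_line() {
    local principal="$1" escaped
    escaped=$(printf '%s' "$principal" | sed 's#/#\\047#g')
    printf 'grant %s wildcard * ANY;\n' "$escaped"
}

# Derive the in-addr.arpa zone name for a network in CIDR notation, as used by
# --foreman-proxy-dns-reverse. Only octet-aligned prefixes (/8, /16, /24) map
# to a single reverse zone; anything else is rejected rather than guessed.
reverse_zone() {
    local net="$1" ip prefix
    ip=${net%/*}
    prefix=${net#*/}
    [ "$ip" != "$net" ] || return 1          # no "/prefix" given
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    case "$prefix" in
        8)  printf '%s.in-addr.arpa\n' "$1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$2" "$1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1" ;;
        *)  return 1 ;;
    esac
}

# Check that a keytab exists, belongs to the expected owner and is not
# readable by other users. The keytab is the credential foreman-proxy uses to
# sign dynamic updates, so a world-readable copy would let any local user
# issue updates under the identity the grant rule trusts.
keytab_check() {
    local keytab="$1" owner="$2"
    [ -f "$keytab" ] \
        || { echo "missing keytab: $keytab" >&2; return 1; }
    [ -n "$(find "$keytab" -prune -user "$owner" -print 2>/dev/null)" ] \
        || { echo "keytab not owned by $owner: $keytab" >&2; return 1; }
    [ -z "$(find "$keytab" -prune -perm -004 -print 2>/dev/null)" ] \
        || { echo "keytab is world-readable: $keytab" >&2; return 1; }
}

# Stand-alone run: print the values the procedure asks for, then inspect the
# keytab path from the procedure (reported, not fatal, if it is absent here).
bind_grant_line 'capsule/satellite.example.com@EXAMPLE.COM'
reverse_zone '192.168.55.0/24'
if keytab_check /etc/foreman-proxy/dns.keytab foreman-proxy; then
    echo "keytab ownership and permissions look sane"
fi
```

Run it on the Satellite or Capsule that manages the DNS service after the keytab has been fetched and chowned; a failing keytab_check is the thing to correct before running satellite-installer, because the installer will happily point nsupdate_gss at a keytab the foreman-proxy user cannot read.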

After you run the satellite-installer command to make any changes to your Capsule configuration, you must update the configuration of each affected Capsule in the Satellite web UI.

Updating the Configuration in the Satellite web UI

  1. Navigate to Infrastructure > Capsules, locate the Capsule Server, and from the list in the Actions column, select Refresh.
  2. Configure the domain:

    1. Navigate to Infrastructure > Domains and select the domain name.
    2. In the Domain tab, ensure DNS Capsule is set to the Capsule where the subnet is connected.
  3. Configure the subnet:

    1. Navigate to Infrastructure > Subnets and select the subnet name.
    2. In the Subnet tab, set IPAM to None.
    3. In the Domains tab, select the domain that you want to manage using the IdM server.
    4. In the Capsules tab, ensure Reverse DNS Capsule is set to the Capsule where the subnet is connected.
    5. Click Submit to save the changes.
© 2025 Red Hat