Project

General

Profile

Actions

Bug #12449

closed

Keytab not configured via dns_tsig_keytab for DNS GSS-TSIG support

Added by Mario Gamboa over 8 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
High
Assignee:
Category:
DNS
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

i upgrade foreman from 1.9.3 to 1.10 and now i can't register the record of the new vms into the active directory

on dns_nsupdate_gss.yml

---
#
# Configuration file for 'nsupdate_gss' dns provider with GSS-TSIG support
#

# use this setting if you are managing a dns server which is not localhost though this proxy
:dns_server: 192.168.0.1
# use dns_tsig_* for GSS-TSIG updates using Kerberos.  Required for Windows MS DNS with
# Secure Dynamic Updates, or BIND as used in FreeIPA.  Set dns_provider to nsupdate_gss.
:dns_tsig_keytab: /etc/foreman-proxy/dns.keytab
:dns_tsig_principal: foremanproxy/server01.example.com@EXAMPLE.COM

On dns.yml

---
# DNS management
:enabled: https
# valid providers:
#   dns_dnscmd (Microsoft Windows native implementation)
#   dns_nsupdate
#   dns_nsupdate_gss (for GSS-TSIG support)
#   dns_virsh (simple implementation for libvirt)
:use_provider: dns_nsupdate_gss

The only difference i notice with the new version is now the plug-in is called dns_nsupdate_gss instead as 1.9.3 nsupdate_gss and also all the configuration is manage in a separate file after try to make a new host is complain on the proxy logs with the following error

Keytab not configured via dns_tsig_keytab for DNS GSS-TSIG support

Actions #1

Updated by Mario Gamboa over 8 years ago

from proxy.log in debug mode
D, [2015-11-12T19:48:10.770624 #25828] DEBUG -- : /usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_gss_main.rb:12:in `initialize'
/usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_main.rb:11:in `new'
/usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_main.rb:11:in `record'
/usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_gss_plugin.rb:4:in `block in <class:Plugin>'
/usr/share/foreman-proxy/lib/proxy/provider_factory.rb:5:in `call'
/usr/share/foreman-proxy/lib/proxy/provider_factory.rb:5:in `get_provider'
/usr/share/foreman-proxy/modules/dns/dns_api.rb:8:in `dns_setup'
/usr/share/foreman-proxy/modules/dns/dns_api.rb:18:in `block in <class:Api>'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1293:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1293:in `block in compile!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:860:in `[]'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:860:in `block (3 levels) in route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:876:in `route_eval'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:860:in `block (2 levels) in route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:897:in `block in process_route'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:895:in `catch'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:895:in `process_route'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:859:in `block in route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:858:in `each'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:858:in `route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:963:in `block in dispatch!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `block in invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `catch'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:960:in `dispatch!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:794:in `block in call!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `block in invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `catch'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:794:in `call!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:780:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/commonlogger.rb:33:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:161:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:58:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/xss_header.rb:27:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/path_traversal.rb:16:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/json_csrf.rb:17:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/base.rb:48:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/base.rb:48:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/xss_header.rb:27:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/nulllogger.rb:9:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/head.rb:11:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/showexceptions.rb:21:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:124:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1417:in `block in call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1499:in `synchronize'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1417:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/urlmap.rb:65:in `block in call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `each'
/usr/share/gems/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/handler/webrick.rb:60:in `service'
/usr/share/ruby/webrick/httpserver.rb:138:in `service'
/usr/share/ruby/webrick/httpserver.rb:94:in `run'
/usr/share/ruby/webrick/server.rb:295:in `block in start_thread'
I, [2015-11-12T19:48:10.771493 #25828] INFO -- : 172.25.176.245 - - [12/Nov/2015 19:48:10] "POST /dns/ HTTP/1.1" 400 66 0.0075

Actions #2

Updated by Dominic Cleal over 8 years ago

  • Description updated (diff)
  • Category set to DNS
  • Priority changed from Urgent to High
  • translation missing: en.field_release set to 63

Thanks for the report. This looks like a bug that we're not setting up the keytab location from the settings correctly in modules/dns_nsupdate/dns_nsupdate_gss_main.rb.

Actions #3

Updated by Dominic Cleal over 8 years ago

  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal
Actions #4

Updated by The Foreman Bot over 8 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/337 added
Actions #5

Updated by Mario Gamboa over 8 years ago

Hi the patch was already apply but still issues now with the kerberos apparently on /usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_gss_main.rb

the variables :tsig_keytab, :tsig_principal is not pass the value into the /usr/share/foreman-proxy/lib/proxy/kerberos.rb"

in this section to get the credentials

begin
krb5.get_init_creds_keytab principal, keytab, nil, ccache
rescue => e

as result in proxy.log we can see the following error

D, [2015-11-13T00:12:17.437327 #4723] DEBUG -- : verifying remote client 172.25.176.245 against trusted_hosts ["foreman01.pp.net.nz", "foreman01.pp.net.nz"]
I, [2015-11-13T00:12:17.440450 #4723] INFO -- : Requesting credentials for Kerberos principal using keytab /etc/foreman-proxy/dns.keytab
E, [2015-11-13T00:12:17.441348 #4723] ERROR -- : Failed to initialise credential cache from keytab: krb5_get_init_creds_keytab: Key table entry not found
E, [2015-11-13T00:12:17.441829 #4723] ERROR -- : Failed to initailize credentials cache from keytab: krb5_get_init_creds_keytab: Key table entry not found
D, [2015-11-13T00:12:17.442144 #4723] DEBUG -- : /usr/share/foreman-proxy/lib/proxy/kerberos.rb:13:in `rescue in init_krb5_ccache'
/usr/share/foreman-proxy/lib/proxy/kerberos.rb:9:in `init_krb5_ccache'
/usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_gss_main.rb:25:in `nsupdate'
/usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_main.rb:24:in `create'
/usr/share/foreman-proxy/modules/dns/dns_api.rb:19:in `block in <class:Api>'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1293:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1293:in `block in compile!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:860:in `[]'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:860:in `block (3 levels) in route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:876:in `route_eval'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:860:in `block (2 levels) in route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:897:in `block in process_route'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:895:in `catch'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:895:in `process_route'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:859:in `block in route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:858:in `each'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:858:in `route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:963:in `block in dispatch!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `block in invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `catch'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:960:in `dispatch!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:794:in `block in call!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `block in invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `catch'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:794:in `call!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:780:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/commonlogger.rb:33:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:161:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:58:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/xss_header.rb:27:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/path_traversal.rb:16:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/json_csrf.rb:17:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/base.rb:48:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/base.rb:48:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/xss_header.rb:27:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/nulllogger.rb:9:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/head.rb:11:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/showexceptions.rb:21:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:124:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1417:in `block in call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1499:in `synchronize'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1417:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/urlmap.rb:65:in `block in call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `each'
/usr/share/gems/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/handler/webrick.rb:60:in `service'
/usr/share/ruby/webrick/httpserver.rb:138:in `service'
/usr/share/ruby/webrick/httpserver.rb:94:in `run'
/usr/share/ruby/webrick/server.rb:295:in `block in start_thread'

Actions #6

Updated by Dominic Cleal over 8 years ago

Mario Gamboa wrote:

the variables :tsig_keytab, :tsig_principal is not pass the value into the /usr/share/foreman-proxy/lib/proxy/kerberos.rb"

in this section to get the credentials

begin
krb5.get_init_creds_keytab principal, keytab, nil, ccache
rescue => e

as result in proxy.log we can see the following error

I, [2015-11-13T00:12:17.440450 #4723] INFO -- : Requesting credentials for Kerberos principal using keytab /etc/foreman-proxy/dns.keytab

The fact it's logging this doesn't really support the idea that they're not being passed in. I think this bit of code is working correctly - the error's coming from something inside the Kerberos stack.

Actions #7

Updated by Dominic Cleal over 8 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions

Also available in: Atom PDF