Bug #12449 (Closed)
Keytab not configured via dns_tsig_keytab for DNS GSS-TSIG support
Added by Mario Gamboa about 9 years ago. Updated over 6 years ago.
Description
I upgraded Foreman from 1.9.3 to 1.10 and now I can't register the records of the new VMs into Active Directory.
On dns_nsupdate_gss.yml:
---
#
# Configuration file for 'nsupdate_gss' dns provider with GSS-TSIG support
#
# use this setting if you are managing a dns server which is not localhost through this proxy
:dns_server: 192.168.0.1
# use dns_tsig_* for GSS-TSIG updates using Kerberos. Required for Windows MS DNS with
# Secure Dynamic Updates, or BIND as used in FreeIPA. Set dns_provider to nsupdate_gss.
:dns_tsig_keytab: /etc/foreman-proxy/dns.keytab
:dns_tsig_principal: foremanproxy/server01.example.com@EXAMPLE.COM
On dns.yml:
---
# DNS management
:enabled: https
# valid providers:
#   dns_dnscmd (Microsoft Windows native implementation)
#   dns_nsupdate
#   dns_nsupdate_gss (for GSS-TSIG support)
#   dns_virsh (simple implementation for libvirt)
:use_provider: dns_nsupdate_gss
The only difference I noticed with the new version is that the plug-in is now called dns_nsupdate_gss instead of nsupdate_gss as in 1.9.3, and all the configuration is managed in a separate file. After trying to create a new host, the proxy logs complain with the following error:
Keytab not configured via dns_tsig_keytab for DNS GSS-TSIG support
Updated by Mario Gamboa about 9 years ago
From proxy.log in debug mode:
D, [2015-11-12T19:48:10.770624 #25828] DEBUG -- : /usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_gss_main.rb:12:in `initialize'
/usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_main.rb:11:in `new'
/usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_main.rb:11:in `record'
/usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_gss_plugin.rb:4:in `block in <class:Plugin>'
/usr/share/foreman-proxy/lib/proxy/provider_factory.rb:5:in `call'
/usr/share/foreman-proxy/lib/proxy/provider_factory.rb:5:in `get_provider'
/usr/share/foreman-proxy/modules/dns/dns_api.rb:8:in `dns_setup'
/usr/share/foreman-proxy/modules/dns/dns_api.rb:18:in `block in <class:Api>'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1293:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1293:in `block in compile!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:860:in `[]'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:860:in `block (3 levels) in route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:876:in `route_eval'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:860:in `block (2 levels) in route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:897:in `block in process_route'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:895:in `catch'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:895:in `process_route'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:859:in `block in route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:858:in `each'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:858:in `route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:963:in `block in dispatch!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `block in invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `catch'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:960:in `dispatch!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:794:in `block in call!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `block in invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `catch'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:794:in `call!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:780:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/commonlogger.rb:33:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:161:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:58:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/xss_header.rb:27:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/path_traversal.rb:16:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/json_csrf.rb:17:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/base.rb:48:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/base.rb:48:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/xss_header.rb:27:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/nulllogger.rb:9:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/head.rb:11:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/showexceptions.rb:21:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:124:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1417:in `block in call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1499:in `synchronize'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1417:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/urlmap.rb:65:in `block in call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `each'
/usr/share/gems/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/handler/webrick.rb:60:in `service'
/usr/share/ruby/webrick/httpserver.rb:138:in `service'
/usr/share/ruby/webrick/httpserver.rb:94:in `run'
/usr/share/ruby/webrick/server.rb:295:in `block in start_thread'
I, [2015-11-12T19:48:10.771493 #25828] INFO -- : 172.25.176.245 - - [12/Nov/2015 19:48:10] "POST /dns/ HTTP/1.1" 400 66 0.0075
Updated by Dominic Cleal about 9 years ago
- Description updated (diff)
- Category set to DNS
- Priority changed from Urgent to High
- Release set to 63
Thanks for the report. This looks like a bug that we're not setting up the keytab location from the settings correctly in modules/dns_nsupdate/dns_nsupdate_gss_main.rb.
Updated by Dominic Cleal about 9 years ago
- Status changed from New to Assigned
- Assignee set to Dominic Cleal
Updated by The Foreman Bot about 9 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/smart-proxy/pull/337 added
Updated by Mario Gamboa about 9 years ago
Hi, the patch was already applied but there are still issues, now with Kerberos. Apparently in /usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_gss_main.rb
the variables :tsig_keytab and :tsig_principal are not passing their values into /usr/share/foreman-proxy/lib/proxy/kerberos.rb
in this section that gets the credentials:
begin
krb5.get_init_creds_keytab principal, keytab, nil, ccache
rescue => e
As a result, in proxy.log we can see the following error:
D, [2015-11-13T00:12:17.437327 #4723] DEBUG -- : verifying remote client 172.25.176.245 against trusted_hosts ["foreman01.pp.net.nz", "foreman01.pp.net.nz"]
I, [2015-11-13T00:12:17.440450 #4723] INFO -- : Requesting credentials for Kerberos principal foremanproxy/foreman01.pp.net.nz@PP.NET.NZ using keytab /etc/foreman-proxy/dns.keytab
E, [2015-11-13T00:12:17.441348 #4723] ERROR -- : Failed to initialise credential cache from keytab: krb5_get_init_creds_keytab: Key table entry not found
E, [2015-11-13T00:12:17.441829 #4723] ERROR -- : Failed to initailize credentials cache from keytab: krb5_get_init_creds_keytab: Key table entry not found
D, [2015-11-13T00:12:17.442144 #4723] DEBUG -- : /usr/share/foreman-proxy/lib/proxy/kerberos.rb:13:in `rescue in init_krb5_ccache'
/usr/share/foreman-proxy/lib/proxy/kerberos.rb:9:in `init_krb5_ccache'
/usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_gss_main.rb:25:in `nsupdate'
/usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_main.rb:24:in `create'
/usr/share/foreman-proxy/modules/dns/dns_api.rb:19:in `block in <class:Api>'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1293:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1293:in `block in compile!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:860:in `[]'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:860:in `block (3 levels) in route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:876:in `route_eval'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:860:in `block (2 levels) in route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:897:in `block in process_route'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:895:in `catch'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:895:in `process_route'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:859:in `block in route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:858:in `each'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:858:in `route!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:963:in `block in dispatch!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `block in invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `catch'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:960:in `dispatch!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:794:in `block in call!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `block in invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `catch'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:946:in `invoke'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:794:in `call!'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:780:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/commonlogger.rb:33:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:161:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:58:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/xss_header.rb:27:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/path_traversal.rb:16:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/json_csrf.rb:17:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/base.rb:48:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/base.rb:48:in `call'
/usr/share/gems/gems/rack-protection-1.3.2/lib/rack/protection/xss_header.rb:27:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/nulllogger.rb:9:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/head.rb:11:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/showexceptions.rb:21:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:124:in `call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1417:in `block in call'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1499:in `synchronize'
/usr/share/gems/gems/sinatra-1.3.5/lib/sinatra/base.rb:1417:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/urlmap.rb:65:in `block in call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `each'
/usr/share/gems/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'
/usr/share/gems/gems/rack-1.5.2/lib/rack/handler/webrick.rb:60:in `service'
/usr/share/ruby/webrick/httpserver.rb:138:in `service'
/usr/share/ruby/webrick/httpserver.rb:94:in `run'
/usr/share/ruby/webrick/server.rb:295:in `block in start_thread'
Updated by Dominic Cleal about 9 years ago
Mario Gamboa wrote:
the variables :tsig_keytab and :tsig_principal are not passing their values into /usr/share/foreman-proxy/lib/proxy/kerberos.rb
in this section that gets the credentials:
begin
krb5.get_init_creds_keytab principal, keytab, nil, ccache
rescue => e
As a result, in proxy.log we can see the following error:
I, [2015-11-13T00:12:17.440450 #4723] INFO -- : Requesting credentials for Kerberos principal foremanproxy/foreman01.pp.net.nz@PP.NET.NZ using keytab /etc/foreman-proxy/dns.keytab
The fact it's logging this doesn't really support the idea that they're not being passed in. I think this bit of code is working correctly - the error's coming from something inside the Kerberos stack.
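As an added example that is not Foreman's or smart-proxy's own code, the Ruby pre-flight check below covers both failure modes on this ticket: the settings in dns_nsupdate_gss.yml not being picked up (the "Keytab not configured via dns_tsig_keytab" error from the description) and the later "Key table entry not found", which krb5 raises when the configured principal has no entry in the keytab. The check loads the YAML, confirms :dns_tsig_keytab and :dns_tsig_principal are set, parses the keytab file itself following the MIT keytab format (version 0x0502) and looks for an exact principal match, then warns if the keytab is readable by group or others. The sample config, the sample keytabs, the fake key material and the function names are constructed for this example; the file readers are injectable so it runs offline.

```ruby
# Added example, not part of Foreman/smart-proxy. Pre-flight check for the
# nsupdate_gss provider: are the GSS-TSIG settings present, and does the keytab
# actually hold the configured principal?
require 'yaml'
require 'stringio'

KEYTAB_V2 = "\x05\x02".b  # MIT keytab file format version 0x0502

# counted_octet_string: 16-bit big-endian length followed by the bytes
def counted(str)
  s = str.b
  [s.bytesize].pack('n') + s
end

def read_counted(io)
  len = io.read(2).unpack1('n')
  io.read(len).force_encoding(Encoding::UTF_8)
end

# Build a keytab holding the given principals. Key bytes are placeholders;
# this exists only so the example has constructed input to parse.
def build_keytab(principals)
  out = KEYTAB_V2.dup
  principals.each do |p|
    name, realm = p.split('@', 2)
    comps = name.split('/')
    body = [comps.size].pack('n')   # v2: realm is not counted as a component
    body << counted(realm)
    comps.each { |c| body << counted(c) }
    body << [1].pack('N')           # name_type KRB5_NT_PRINCIPAL
    body << [0].pack('N')           # timestamp
    body << [1].pack('C')           # vno8 (key version number)
    body << [18].pack('n')          # enctype aes256-cts-hmac-sha1-96
    body << counted("\x00" * 32)    # placeholder key (constructed)
    out << [body.bytesize].pack('N') << body
  end
  out
end

# Return the principal names stored in a keytab, skipping deleted slots
# (entries whose size field is negative).
def keytab_principals(bytes)
  io = StringIO.new(bytes)
  raise 'unsupported keytab version' unless io.read(2) == KEYTAB_V2
  names = []
  until io.eof?
    raw = io.read(4)
    break if raw.nil? || raw.bytesize < 4
    size = raw.unpack1('l>')
    break if size.zero?
    if size < 0
      io.seek(-size, IO::SEEK_CUR)
      next
    end
    entry = StringIO.new(io.read(size))
    ncomp = entry.read(2).unpack1('n')
    realm = read_counted(entry)
    comps = Array.new(ncomp) { read_counted(entry) }
    names << "#{comps.join('/')}@#{realm}"
  end
  names
end

# Returns [status, message]; status is :ok, :warn or :error.
def check_gss_config(config_yaml,
                     read_keytab: ->(path) { File.binread(path) },
                     mode_of: ->(path) { File.stat(path).mode & 0o777 })
  cfg = YAML.safe_load(config_yaml, permitted_classes: [Symbol]) || {}
  keytab = cfg[:dns_tsig_keytab]
  principal = cfg[:dns_tsig_principal]
  if keytab.nil? || keytab.to_s.empty?
    return [:error, 'Keytab not configured via dns_tsig_keytab for DNS GSS-TSIG support']
  end
  if principal.nil? || principal.to_s.empty?
    return [:error, 'Principal not configured via dns_tsig_principal for DNS GSS-TSIG support']
  end
  names = keytab_principals(read_keytab.call(keytab))
  unless names.include?(principal)
    return [:error, "Key table entry not found: #{principal} is not in #{keytab} (has: #{names.join(', ')})"]
  end
  mode = mode_of.call(keytab)
  if (mode & 0o077) != 0
    return [:warn, format('%s holds a long-term key but is mode %04o; restrict it to the proxy user (0600)', keytab, mode)]
  end
  [:ok, "#{principal} present in #{keytab}"]
end

# Constructed sample input mirroring the ticket's configuration.
SAMPLE_CONFIG = <<~YAML
  ---
  :dns_server: 192.168.0.1
  :dns_tsig_keytab: /etc/foreman-proxy/dns.keytab
  :dns_tsig_principal: foremanproxy/server01.example.com@EXAMPLE.COM
YAML
GOOD_KEYTAB = build_keytab(%w[host/server01.example.com@EXAMPLE.COM foremanproxy/server01.example.com@EXAMPLE.COM])
WRONG_KEYTAB = build_keytab(%w[host/server01.example.com@EXAMPLE.COM])

def demo
  [
    check_gss_config(SAMPLE_CONFIG, read_keytab: ->(_) { GOOD_KEYTAB }, mode_of: ->(_) { 0o600 }),
    check_gss_config(SAMPLE_CONFIG, read_keytab: ->(_) { WRONG_KEYTAB }, mode_of: ->(_) { 0o600 }),
    check_gss_config(SAMPLE_CONFIG, read_keytab: ->(_) { GOOD_KEYTAB }, mode_of: ->(_) { 0o644 }),
    check_gss_config("---\n:dns_server: 192.168.0.1\n")
  ]
end

demo.each { |status, msg| puts "#{status}: #{msg}" } if $PROGRAM_NAME == __FILE__
```

On a real proxy host the same question is answered by `klist -kt /etc/foreman-proxy/dns.keytab`: if the value of :dns_tsig_principal does not appear in that list exactly (service name, host and realm, case included), krb5_get_init_creds_keytab reports "Key table entry not found", which is a keytab-provisioning problem rather than a setting that failed to reach kerberos.rb, consistent with the comment above. The keytab is a long-term credential for the proxy's principal, so it should be owned by the foreman-proxy user and not readable by anyone else.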
Updated by Dominic Cleal about 9 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 839ca954a620b8496d6ea9e5c992684c70ef34ee.