
Secure dynamic update of DNS records in a Windows domain from Linux (GSS-TSIG)

The need for this came up in my own setup: an OpenVPN server runs on Linux and remote clients connect to it. The OpenVPN server hands out addresses to clients dynamically, and I wanted it to register a DNS record for each client, named after the common name of the client certificate, on a DNS server that is integrated into Active Directory. The easy way out is to set "Nonsecure and secure" under "Dynamic updates" in the zone properties, but then anyone who can reach the DNS server over the network can rewrite the zone's records, which is not acceptable. With "Secure only", the DNS server requires every update to be authenticated with the GSS-TSIG protocol (a TSIG signature keyed with a Kerberos session key). What follows is how to set that up.


To begin with, create a domain user with minimal rights, for example ddns, give it a strong password and tick "Password never expires". The account only needs enough rights to change records in the DNS zone: in an AD-integrated zone, Authenticated Users can create records by default, and the account that creates a record becomes its owner and can later overwrite or delete it, so no group membership beyond Domain Users is needed. In the zone properties, "Dynamic updates" must be set to "Secure only". Keep in mind that the keytab created below is equivalent to this account's password: anyone who can read it can register records as ddns, so restrict its file permissions to the user OpenVPN runs as.

Install the Kerberos client:
sudo apt-get install krb5-user 

Edit /etc/krb5.conf:
[libdefaults]
    default_realm = DOMAIN.LOCAL

[realms]
    DOMAIN.LOCAL = {
        kdc = 192.168.2.200
        kdc = 192.168.2.202
        default_domain = domain.local
        admin_server = 192.168.2.200
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL


The client will also work with just the default realm, because the KDCs are then located through the domain's SRV records (_kerberos._tcp.domain.local):

[libdefaults]
    default_realm = DOMAIN.LOCAL


For Kerberos, clock synchronization between the server and the client matters: the KDC rejects requests whose timestamp is off by more than the allowed clock skew (300 seconds by default). Install the ntpd service and it will keep the time correct:

sudo apt-get install ntp


Using ktutil, create a keytab file holding the credentials of the ddns user, so that a ticket can be obtained without an interactive password prompt:

sudo ktutil
ktutil: addent -password -p ddns@DOMAIN.LOCAL -k 1 -e rc4-hmac
ktutil: write_kt krb5.keytab
ktutil: quit

Two caveats. rc4-hmac derives the key directly from the account's NT hash; if the account has AES enabled in AD ("This account supports Kerberos AES 256 bit encryption"), prefer -e aes256-cts-hmac-sha1-96. And the keytab holds a snapshot of the password, so it has to be regenerated after every password change of the account.


Now you can check that everything was done correctly by authenticating with the keytab:
 kinit -k -t krb5.keytab ddns 


The command should produce no output. The tickets received can be listed with klist:

klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ddns@DOMAIN.LOCAL

Valid starting       Expires              Service principal
29.04.2014 14:50:39  30.04.2014 00:50:39  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 30.04.2014 14:50:39


If the keytab is placed at the default location (/etc/krb5.keytab), the command can be shortened:
 kinit -k ddns 


Now only OpenVPN remains to be configured. The server configuration file must contain the option:

learn-address /etc/openvpn/learn-address.sh

OpenVPN runs this hook as "<op> <address> <common-name>" for add and update, and as "delete <address>" with no common name when a client goes away. External scripts also require script-security 2 in the server configuration, and the hook runs with the privileges OpenVPN has dropped to (the user/group options), so the keytab and the working directory below must be readable and writable by that user.


The script learn-address.sh:

#!/bin/bash
# learn-address hook: OpenVPN calls it as "<op> <address> [common-name]".
# For "delete" no common name is passed, so the delete stanza is written
# out at add time and replayed later.

dnsserver=192.168.2.200
fwdzone=domain.local
revzone=7.168.192.in-addr.arpa
ttl=300

op=$1
addr=$2
revaddr=$(echo "$addr" | sed -re 's:([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+):\4.\3.\2.\1.in-addr.arpa:')
cn=$3
fqdn=$cn.$fwdzone

dir=/etc/openvpn/dns
addfile=$dir/add_$addr
delfile=$dir/del_$addr

keytab_file=/etc/openvpn/krb5.keytab
user=ddns

addRecord() {
    kinit -k -t "$keytab_file" "$user"
    # Replace any stale A/PTR for this name, then register the new pair.
    # "gsstsig" must come first so that every update below is signed.
    cat > "$addfile" << EOF
gsstsig
server $dnsserver
zone $fwdzone
update delete $fqdn a
update add $fqdn $ttl a $addr
send
zone $revzone
update delete $revaddr ptr
update add $revaddr $ttl ptr $fqdn
send
EOF
    # Saved for the later "delete", which arrives without the common name.
    cat > "$delfile" << EOF
gsstsig
server $dnsserver
zone $fwdzone
update delete $fqdn a
send
zone $revzone
update delete $revaddr ptr
send
EOF
    nsupdate -v "$addfile"
    rm -f "$addfile"
}

delRecord() {
    kinit -k -t "$keytab_file" "$user"
    nsupdate -v "$delfile"
    rm -f "$delfile"
}

mkdir -p "$dir"

case $op in
    add|update)
        addRecord
        ;;
    delete)
        delRecord
        ;;
    *)
        echo "Unable to handle operation $op. Exiting"
        exit 1
        ;;
esac
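The hook above trusts whatever OpenVPN passes it: the certificate common name goes straight into the nsupdate input, and any address is reverse-mapped even if it lies outside the one reverse zone the account is meant to write. The following is an added example, not code from the original article, of a hardened variant of the same hook: it validates the common name as a single DNS label, refuses addresses outside the configured reverse zone, remembers the name for the CN-less delete call, keeps the Kerberos cache private to the hook, and includes a probe that confirms the zone really rejects unsigned updates. The site values (192.168.2.200, domain.local, 7.168.192.in-addr.arpa, ddns@DOMAIN.LOCAL, /etc/openvpn/krb5.keytab) are taken from the article; the state directory /var/lib/openvpn/ddns and the cache path /run/openvpn/krb5cc_ddns are assumptions.

```shell
#!/bin/sh
# Added example (not the article's code): validating learn-address hook.
# Site values follow the article; STATEDIR and KRB5CCNAME are assumed paths.
set -u

DNSSERVER=${DNSSERVER:-192.168.2.200}
FWDZONE=${FWDZONE:-domain.local}
REVZONE=${REVZONE:-7.168.192.in-addr.arpa}
TTL=${TTL:-300}
KEYTAB=${KEYTAB:-/etc/openvpn/krb5.keytab}
PRINC=${PRINC:-ddns@DOMAIN.LOCAL}
STATEDIR=${STATEDIR:-/var/lib/openvpn/ddns}   # remembers addr -> name for delete

# Owner name of the PTR record for an IPv4 address.
ptr_name() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$o4" "$o3" "$o2" "$o1"
}

# A certificate CN is only usable as a hostname if it is one DNS label.
# This keeps a crafted CN from smuggling dots or extra nsupdate directives.
valid_label() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Refuse addresses whose PTR would land outside the reverse zone we manage.
in_rev_zone() {
    case $(ptr_name "$1") in
        *."$REVZONE") return 0 ;;
        *) return 1 ;;
    esac
}

# nsupdate input that replaces the A and PTR records for addr/cn.
# "gsstsig" is the first line so the updates to both zones are signed.
render_add() {
    fqdn=$2.$FWDZONE; ptr=$(ptr_name "$1")
    printf 'gsstsig\nserver %s\nzone %s\n' "$DNSSERVER" "$FWDZONE"
    printf 'update delete %s A\nupdate add %s %s A %s\nsend\n' "$fqdn" "$fqdn" "$TTL" "$1"
    printf 'zone %s\nupdate delete %s PTR\nupdate add %s %s PTR %s\nsend\n' \
        "$REVZONE" "$ptr" "$ptr" "$TTL" "$fqdn"
}

render_del() {
    fqdn=$2.$FWDZONE; ptr=$(ptr_name "$1")
    printf 'gsstsig\nserver %s\nzone %s\nupdate delete %s A\nsend\n' "$DNSSERVER" "$FWDZONE" "$fqdn"
    printf 'zone %s\nupdate delete %s PTR\nsend\n' "$REVZONE" "$ptr"
}

# Validate what OpenVPN passed (op addr [cn]) and print the matching stanza.
# OpenVPN omits the CN on delete, so the name is kept under STATEDIR.
# Return codes: 1 unknown op, 2 bad address, 3 address outside REVZONE,
# 4 bad CN, 5 nothing known about that address, 6 cannot write state.
handle() {
    op=$1; addr=$2; cn=${3:-}
    valid_ipv4 "$addr" || return 2
    in_rev_zone "$addr" || return 3
    case $op in
        add|update)
            valid_label "$cn" || return 4
            mkdir -p "$STATEDIR" && printf '%s\n' "$cn" > "$STATEDIR/$addr" || return 6
            render_add "$addr" "$cn" ;;
        delete)
            cn=$(cat "$STATEDIR/$addr" 2>/dev/null) || return 5
            rm -f "$STATEDIR/$addr"
            render_del "$addr" "$cn" ;;
        *) return 1 ;;
    esac
}

# Get a TGT into a private cache, sign and send the stanza read from stdin,
# then drop the cache. Not exercised here: needs a reachable KDC and DNS server.
push_update() {
    KRB5CCNAME=${KRB5CCNAME:-/run/openvpn/krb5cc_ddns}
    export KRB5CCNAME
    kinit -k -t "$KEYTAB" "$PRINC" || return 1
    nsupdate -v
    rc=$?
    kdestroy
    return $rc
}

# Check the zone setting: an unsigned update must come back REFUSED. Deleting
# a nonexistent TXT record is a no-op even if the zone were misconfigured.
check_secure_only() {
    printf 'server %s\nzone %s\nupdate delete gsstsig-probe.%s TXT\nsend\n' \
        "$DNSSERVER" "$FWDZONE" "$FWDZONE" | nsupdate 2>&1 | grep -q REFUSED
}

# Entry point for the deployed hook (commented out so the file can be sourced):
# stanza=$(handle "$@") && printf '%s\n' "$stanza" | push_update
```

The hook keeps its own credential cache (KRB5CCNAME) instead of the default /tmp/krb5cc_<uid>, so the ticket is not shared with whatever else runs as that user, and destroys it once nsupdate returns. check_secure_only is worth running once after changing the zone setting: if it fails, the zone is still accepting nonsecure updates and the Kerberos work buys nothing.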


To summarize: the key point is the gsstsig directive in the input file passed to nsupdate, which makes it sign each update with GSS-TSIG. Before that, a ticket for the update account must be obtained from the domain controller with kinit -k -t <keytab> <user>, and it must be obtained by the same Unix user that runs nsupdate, since nsupdate reads the ticket from that user's credential cache.

Source: https://habr.com/ru/post/221843/

