Red Hat Training

A Red Hat training course is available for Red Hat Satellite

Chapter 5. Configuring External Services

Some environments have existing DNS, DHCP, and TFTP services and do not need to use the Satellite Server to provide these services. If you want to use external servers to provide DNS, DHCP, or TFTP, you can configure them for use with Satellite Server.

If you want to disable these services in Satellite in order to manage them manually, see Section 3.5.6, “Disabling DNS, DHCP, and TFTP for Unmanaged Networks” for more information.

5.1. Configuring Satellite with External DNS

You can configure Satellite to use an external server to provide DNS service.

  1. Deploy a Red Hat Enterprise Linux Server and install the ISC DNS Service. 

    # yum install bind bind-utils

  2. Create the configuration for the domain.

    The following example configures a domain virtual.lan as one subnet 192.168.38.0/24, a security key named foreman, and sets forwarders to Google’s public DNS addresses (8.8.8.8 and 8.8.4.4). 

    # cat /etc/named.conf
include "/etc/rndc.key";

controls  {
    inet 192.168.38.2 port 953 allow { 192.168.38.1; 192.168.38.2; } keys { "capsule"; };
};

options  {
    directory "/var/named";
    forwarders { 8.8.8.8; 8.8.4.4; };
};

include "/etc/named.rfc1912.zones";

zone "38.168.192.in-addr.arpa" IN {
    type master;
    file "dynamic/38.168.192-rev";
    update-policy {
        grant "capsule" zonesub ANY;
    };
};

zone "virtual.lan" IN {
    type master;
    file "dynamic/virtual.lan";
    update-policy {
        grant "capsule" zonesub ANY;
    };
};

    The inet line must be entered as one line in the configuration file.

  3. Create a key file. 

    # ddns-confgen -k capsule

    This command can take a long time to complete.

  4. Copy and paste the output from the key section into a separate file called /etc/rndc.key. 

    # cat /etc/rndc.key
key "capsule" {
        algorithm hmac-sha256;
        secret "GeBbgGoLedEAAwNQPtPh3zP56MJbkwM84UJDtaUS9mw=";
};
    Important

    This is the key used to change DNS server configuration. Only the root user should read and write to it.

  5. Create zone files. 

    # cat /var/named/dynamic/virtual.lan
$ORIGIN .
$TTL 10800      ; 3 hours
virtual.lan             IN SOA  service.virtual.lan. root.virtual.lan. (
                                9          ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      service.virtual.lan.
$ORIGIN virtual.lan.
$TTL 86400      ; 1 day
capsule                 A       192.168.38.1
service                 A       192.168.38.2

  6. Create the reverse zone file. 

    # cat /var/named/dynamic/38.168.192-rev
$ORIGIN .
$TTL 10800      ; 3 hours
38.168.192.in-addr.arpa IN SOA  service.virtual.lan. root.38.168.192.in-addr.arpa. (
                                4          ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      service.virtual.lan.
$ORIGIN 38.168.192.in-addr.arpa.
$TTL 86400      ; 1 day
1                PTR     capsule.virtual.lan.
2                PTR     service.virtual.lan.

    There should be no extra non-ASCII characters.

5.2. Verifying and Starting the DNS Service

  1. Validate the syntax. 

    # named-checkconf -z /etc/named.conf

  2. Start the server.

    1. If you are using Red Hat Enterprise Linux 6, run this command. 

      # service named restart

    2. If you are using Red Hat Enterprise Linux 7, run this command. 

      # systemctl restart named

  3. Add a new host.

    The following uses the example host 192.168.38.2. You should change this to suit your environment. 

    # echo -e "server 192.168.38.2\n \
update add aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key

  4. Test that the DNS service can resolve the new host. 

    # nslookup aaa.virtual.lan 192.168.38.2

  5. If necessary, delete the new entry. 

    # echo -e "server 192.168.38.2\n \
update delete aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key

  6. Configure the firewall for external access to the DNS service (UDP and TCP on port 53).

    • For Satellite Server running Red Hat Enterprise Linux 7: 

      # firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
&& firewall-cmd --permanent --add-port="53/udp" --add-port="53/tcp"

    • For Satellite Server running Red Hat Enterprise Linux 6: 

      # iptables -I INPUT -m state --state NEW -p udp \
--dport 53 -j ACCEPT \
&& iptables -I INPUT -m state --state NEW -p tcp \
--dport 53 -j ACCEPT \
&& service iptables save

      Verify that the iptables service is started and enabled. 

      # service iptables start
# chkconfig iptables on

5.3. Configuring Capsule Server with External DNS

  1. On the Red Hat Enterprise Linux Server, install the ISC DNS Service. 

    # yum install bind bind-utils

    Ensure that the nsupdate utility was installed. The Capsule uses the nsupdate utility to update DNS records on the remote server.

  2. Copy the /etc/rndc.key file from the services server to the Capsule Server. 

    # scp localfile username@hostname:remotefile

  3. Verify that the key file has the correct owner, permissions, and SELinux label. 

    # ls /etc/rndc.key -Zla
-rw-r-----. root named system_u:object_r:dnssec_t:s0    /etc/rndc.key

  4. Test the nsupdate utility by adding a host remotely. 

    # echo -e "server 192.168.38.2\n \
update add aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key
# nslookup aaa.virtual.lan 192.168.38.2
# echo -e "server 192.168.38.2\n \
update delete aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key

  5. Run the satellite-installer script to make the following persistent changes to the /etc/foreman-proxy/settings.d/dns.yml file. 

    # satellite-installer --foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="192.168.38.2" \
--foreman-proxy-keyfile=/etc/rndc.key \
--foreman-proxy-dns-ttl=86400

  6. Restart the foreman-proxy service.

    1. If you are using Red Hat Enterprise Linux 6, run this command. 

      # service foreman-proxy restart

    2. If you are using Red Hat Enterprise Linux 7, run this command. 

      # systemctl restart foreman-proxy
  7. Log in to the Satellite Server web UI.
  8. Go to Infrastructure > Capsules. Locate the appropriate Capsule Server and from the Actions drop-down list, select Refresh. The DNS feature should appear.
  9. Associate the DNS service with the appropriate subnets and domain.

5.4. Configuring Satellite Server with External DHCP

Important

From Satellite 6.3 onwards, the foreman-proxy DHCP isc provider does not support remote DHCP lease files. You must follow the procedures in the Satellite 6.3 Installation guide to change to the new remote ISC DHCP provider remote_isc when you upgrade to Satellite 6.3. For more information about using remote_isc in Satellite 6.3, see Configuring Satellite Server with External DHCP in the Red Hat Satellite 6.3 Installation Guide.

  1. Deploy a Red Hat Enterprise Linux Server and install the ISC DHCP Service. 

    # yum install dhcp

  2. Generate a security token in an empty directory. 

    # dnssec-keygen -a HMAC-MD5 -b 512 -n HOST omapi_key

    The above command can take a long time, for less-secure proof-of-concept deployments you can use a non-blocking random number generator. 

    # dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST omapi_key

    This will create the key pair in two files in the current directory.

  3. Copy the secret hash from the key. 

    # cat Komapi_key.+*.private |grep ^Key|cut -d ' ' -f2

  4. Edit the dhcpd configuration file for all of the subnets and add the key. 

    # cat /etc/dhcp/dhcpd.conf
default-lease-time 604800;
max-lease-time 2592000;
log-facility local7;

subnet 192.168.38.0 netmask 255.255.255.0 {
	range 192.168.38.10 192.168.38.100;
	option routers 192.168.38.1;
	option subnet-mask 255.255.255.0;
	option domain-search "virtual.lan";
	option domain-name "virtual.lan";
	option domain-name-servers 8.8.8.8;
}

omapi-port 7911;
key omapi_key {
	algorithm HMAC-MD5;
	secret "jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw==";
};
omapi-key omapi_key;
  5. Delete the two key files from the directory where you created them.

  6. Define each subnet on the Satellite Server.

    It is recommended to set up a lease range and reservation range separately to prevent conflicts. For example, the lease range is 192.168.38.10 to 192.168.38.100 so the reservation range (defined in the Satellite web UI) is 192.168.38.101 to 192.168.38.250. Do not set DHCP Capsule for the defined Subnet yet.

    ISC DHCP listens only on interfaces that match defined subnets. In this example, the server has an interface that routes to 192.168.38.0 subnet directly.

  7. Configure the firewall for external access to the DHCP server.

    • For Satellite Server running Red Hat Enterprise Linux 7: 

      # firewall-cmd --add-service dhcp \
&& firewall-cmd --permanent --add-service dhcp

    • For Satellite Server running Red Hat Enterprise Linux 6: 

      # iptables -I INPUT -m state --state NEW -p tcp \
--dport 67 -j ACCEPT \
&& service iptables save

      Verify that the iptables service is started and enabled. 

      # service iptables start
# chkconfig iptables on

  8. Determine the UID and GID numbers of the foreman-proxy user on the Capsule Server. Create the same user and group with the same IDs on the DHCP server. 

    # groupadd -g 990 foreman-proxy
# useradd -u 992 -g 990 -s /sbin/nologin foreman-proxy

  9. To make the configuration files readable, restore the read and execute flags. 

    # chmod o+rx /etc/dhcp/
# chmod o+r /etc/dhcp/dhcpd.conf
# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf

  10. Start the DHCP service.

    1. If you are using Red Hat Enterprise Linux 6, run this command. 

      # service dhcpd start

    2. If you are using Red Hat Enterprise Linux 7, run this command. 

      # systemctl start dhcpd

  11. Export the DHCP configuration and leases files using NFS. 

    # yum install nfs-utils
# systemctl enable rpcbind nfs-server
# systemctl start rpcbind nfs-server nfs-lock nfs-idmapd

  12. Create the DHCP configuration and leases files to be exported using NFS. 

    # mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp

  13. Add the newly created mount point to /etc/fstab file. 

    /var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
/etc/dhcp /exports/etc/dhcp none bind,auto 0 0

  14. Mount the file systems in /etc/fstab. 

    # mount -a

  15. Ensure the following lines are present in /etc/exports: 

    /exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)
    /exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
    /exports/var/lib/dhcpd
192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

  16. Reload the NFS server. 

    # exportfs -rva

  17. Configure the firewall for the DHCP omapi port 7911 for the Capsule Server.

    • On Red Hat Enterprise Linux 7, run the following command: 

      # firewall-cmd --add-port="7911/tcp" \
&& firewall-cmd --permanent --add-port="7911/tcp"

    • On Red Hat Enterprise Linux 6, run the following commands: 

      # iptables -I INPUT -m state --state NEW -p tcp \
--dport 7911 -j ACCEPT \
&& service iptables save

      Ensure that the iptables service is started and enabled. 

      # service iptables start
# chkconfig iptables on

  18. If required, configure the firewall for external access to NFS.

    Clients are configured using NFSv3.

    • On Red Hat Enterprise Linux 7, use the firewalld daemon’s NFS service to configure the firewall. 

      # firewall-cmd --zone public --add-service mountd \
&& firewall-cmd --zone public --add-service rpc-bind \
&& firewall-cmd --zone public --add-service nfs \
&& firewall-cmd --permanent --zone public --add-service mountd \
&& firewall-cmd --permanent --zone public --add-service rpc-bind \
&& firewall-cmd --permanent --zone public --add-service nfs

    • On Red Hat Enterprise Linux 6, configure the ports for NFSv3 in the /etc/sysconfig/nfs file. 

      LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020

      Restart the service. 

      # service nfs restart

      Add rules to the /etc/sysconfig/iptables file. 

      # iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p udp \
--dport 111 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp \
--dport 111 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p udp \
--dport 2049 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp \
--dport 2049 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp \
--dport 32803 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p udp \
--dport 32769 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p udp \
--dport 892 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp \
--dport 892 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p udp \
--dport 875 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp \
--dport 875 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p udp \
--dport 662 -j ACCEPT \
&& iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp \
--dport 662 -j ACCEPT \
&& service iptables save

      Restart the firewall. 

      # service iptables restart

For more information on using NFSv3 behind a firewall on Red Hat Enterprise Linux 6, see Running NFS Behind a Firewall in the Red Hat Enterprise Linux 6 Storage Administration Guide.

5.5. Configuring Capsule Server with External DHCP

  1. Install the NFS client. 

    # yum install nfs-utils

  2. Create the DHCP directories for NFS. 

    # mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd

  3. Change the file owner. 

    # chown -R foreman-proxy /mnt/nfs

  4. Verify communication with the NFS server and RPC communication paths. 

    # showmount -e 192.168.38.2
# rpcinfo -p 192.168.38.2

  5. Add the following lines to the /etc/fstab file: 

    192.168.38.2:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0
    192.168.38.2:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0

  6. Mount the file systems on /etc/fstab. 

    # mount -a

  7. Read the relevant files. 

    # su foreman-proxy -s /bin/bash
bash-4.2$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
bash-4.2$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
bash-4.2$ exit

  8. Run the satellite-installer script to make the following persistent changes to the /etc/foreman-proxy/settings.d/dhcp.yml file. 

    # satellite-installer --foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-provider=isc \
--foreman-proxy-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
--foreman-proxy-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
--foreman-proxy-dhcp-key-name=omapi_key \
--foreman-proxy-dhcp-key-secret=jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw== \
--foreman-proxy-dhcp-server dhcp.example.com

  9. Restart the foreman-proxy service.

    1. If you are using Red Hat Enterprise Linux 6, run this command. 

      # service foreman-proxy restart

    2. If you are using Red Hat Enterprise Linux 7, run this command. 

      # systemctl restart foreman-proxy
  10. Log in to the Satellite Server web UI.
  11. Go to Infrastructure > Capsules. Locate the appropriate Capsule Server and from the Actions drop-down list, select Refresh. The DHCP feature should appear.
  12. Associate the DHCP service with the appropriate subnets and domain.

5.6. Configuring Satellite Server with External TFTP

Before You Begin

Configure Satellite Server with External TFTP

  1. Install and enable the TFTP server. 

    # yum install tftp-server syslinux

    1. On Red Hat Enterprise 7, enable and activate the tftp.socket unit. 

      # systemctl enable tftp.socket
# systemctl start tftp.socket

    2. On Red Hat Enterprise Linux 6, enable and start the xinetd service. 

      # service xinetd enable
# service xinetd start

  2. Configure the PXELinux environment. 

    # mkdir -p /var/lib/tftpboot/{boot,pxelinux.cfg}
# cp /usr/share/syslinux/{pxelinux.0,menu.c32,chain.c32} \
/var/lib/tftpboot/

  3. Restore SELinux file contexts. 

    # restorecon -RvF /var/lib/tftpboot/

  4. Create the TFTP directory to be exported using NFS. 

    # mkdir -p /exports/var/lib/tftpboot

  5. Add the newly created mount point to the /etc/fstab file. 

    /var/lib/tftpboot /exports/var/lib/tftpboot none bind,auto 0 0

  6. Mount the file systems in /etc/fstab. 

    # mount -a

  7. Ensure the following lines are present in /etc/exports: 

    /exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)
    /exports/var/lib/tftpboot 192.168.38.1(rw,async,no_root_squash,no_subtree_check,nohide)

    The first line is common to the DHCP configuration and therefore should already be present if the previous procedure was completed on this system.

  8. Reload the NFS server. 

    # exportfs -rva

5.6.1. Configuring the Firewall for External Access to TFTP

Configuring the Firewall for External Access to the TFTP Service Using Red Hat Enterprise Linux 7

  1. Configure the firewall (UDP on port 69). 

    # firewall-cmd --add-port="69/udp" \
&& firewall-cmd --permanent --add-port="69/udp"

Configuring the Firewall for External Access to the TFTP Service Using Red Hat Enterprise Linux 6

  1. Configure the firewall. 

    # iptables -I INPUT -m state --state NEW -p tcp --dport 69 -j ACCEPT \
&& service iptables save

  2. Ensure the iptables service is started and enabled. 

    # service iptables start
# chkconfig iptables on

5.7. Configuring Capsule Server with External TFTP

  1. Create the TFTP directory to prepare for NFS. 

    # mkdir -p /mnt/nfs/var/lib/tftpboot

  2. Add the following line in the /etc/fstab file: 

    192.168.38.2:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0

  3. Mount the file systems in /etc/fstab. 

    # mount -a

  4. Run the satellite-installer script to make the following persistent changes to the /etc/foreman-proxy/settings.d/tftp.yml file. 

    # satellite-installer --foreman-proxy-tftp=true \
--foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot

  5. If the TFTP service is running on a different server than the DHCP service, update the tftp_servername setting with the FQDN or IP address of that server. 

    # satellite-installer --foreman-proxy-tftp-servername=new_FQDN

    This updates all configuration files with the new value.

  6. Log in to the Satellite Server web UI.
  7. Go to Infrastructure > Capsules. Locate the appropriate Capsule Server and from the Actions drop-down list, select Refresh. The TFTP feature should appear.
  8. Associate the TFTP service with the appropriate subnets and domain.

5.8. Configuring Satellite with External IdM DNS

Red Hat Satellite can be configured to use a Red Hat Identity Management (IdM) server to provide the DNS service. Two methods are described here to achieve this, both using a transaction key. For more information on Red Hat Identity Management, see the Linux Domain Identity, Authentication, and Policy Guide.

The first method is to install the IdM client which will handle the process automatically using the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in RFC3645. This method requires installing the IdM client on the Satellite Server or Capsule’s base system and having an account created by the IdM server administrator for use by the Satellite administrator. See Section 5.8.1, “Configuring Dynamic DNS Update with GSS-TSIG Authentication” to use this method.

The second method, secret key transaction authentication for DNS (TSIG), uses an rndc.key for authentication. It requires root access to the IdM server to edit the BIND configuration file, installing the BIND utility on the Satellite Server’s base system, and coping the rndc.key to between the systems. This technology is defined in RFC2845. See Section 5.8.2, “Configuring Dynamic DNS Update with TSIG Authentication” to use this method.

Note

You are not required to use Satellite to manage DNS. If you are already using the Realm enrollment feature of Satellite, where provisioned hosts are enrolled automatically to IdM, then the ipa-client-install script will create DNS records for the client. The following procedure and Realm enrollment are therefore mutually exclusive. See External Authentication for Provisioned Hosts in the Server Administration Guide for more information on configuring Realm enrollment.

Determining where to install the IdM Client

When Satellite Server wants to add a DNS record for a host, it first determines which Capsule is providing DNS for that domain. It then communicates with the Capsule and adds the record. The hosts themselves are not involved in this process. This means you should install and configure the IdM client on the Satellite or Capsule that is currently configured to provide a DNS service for the domain you want to manage using the IdM server.

5.8.1. Configuring Dynamic DNS Update with GSS-TSIG Authentication

In this example, Satellite Server has the following settings.

Host name

satellite.example.com

Network

192.168.55.0/24

The IdM server has the following settings.

Host name

idm1.example.com

Domain name

example.com

Before you Begin.

  1. Confirm the IdM server is deployed and the host-based firewall has been configured correctly. See Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide for more information.
  2. Obtain an account on the IdM server with permissions to create zones on the IdM server.
  3. Confirm if the Satellite or an external Capsule is managing DNS for a domain.
  4. Confirm that the Satellite or external Capsule are currently working as expected.
  5. In the case of a newly installed system, complete the installation procedures in this guide first. In particular, DNS and DHCP configuration should have been completed.
  6. Optionally, make a backup of the answer file. This can make it easier to revert to using the internal DNS service. See Section 3.3.4, “Configuring Red Hat Satellite with an Answer File” for more information.

Create a Kerberos Principal on the IdM Server.

  1. Ensure you have a Kerberos ticket. 

    # kinit idm_user

    Where idm_user is the account created for you by the IdM administrator.

  2. Create a new Kerberos principal for the Satellite or Capsule to use to authenticate to the IdM server. 

    # ipa service-add capsule/satellite.example.com

Install and Configure the IdM Client.

Do this on the Satellite or Capsule Server that is managing the DNS service for a domain.

  1. Install the IdM client package. 

    # yum install ipa-client

  2. Configure the IdM client by running the installation script and following the on-screen prompts. 

    # ipa-client-install

  3. Ensure you have a Kerberos ticket. 

    # kinit admin

  4. Remove any preexisting keytab. 

    # rm /etc/foreman-proxy/dns.keytab

  5. Get the keytab created for this system. 

    # ipa-getkeytab -p capsule/satellite.example.com@EXAMPLE.COM \
-s idm1.example.com -k /etc/foreman-proxy/dns.keytab
    Note

    When adding a keytab to a standby system with the same host name as the original system in service, add the r option to prevent generating new credentials and rendering the credentials on the original system invalid.

  6. Set the group and owner for the keytab file to foreman-proxy as follows. 

    # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab

  7. If required, check the keytab is valid. 

    # kinit -kt /etc/foreman-proxy/dns.keytab \
capsule/satellite.example.com@EXAMPLE.COM

Configure DNS Zones in the IdM web UI.

  1. Create and configure the zone to be managed:

    1. Navigate to Network Services > DNS > DNS Zones.
    2. Select Add and enter the zone name. In this example, example.com.
    3. Click Add and Edit.

    4. On the Settings tab, in the BIND update policy box, add an entry as follows to the semi-colon separated list. 

      grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
    5. Ensure Dynamic update is set to True.
    6. Enable Allow PTR sync.
    7. Select Save to save the changes.

  2. Create and Configure the reverse zone.

    1. Navigate to Network Services > DNS > DNS Zones.
    2. Select Add.
    3. Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.
    4. Click Add and Edit.

    5. On the Settings tab, in the BIND update policy box, add an entry as follows to the semi-colon separated list: 

      grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
    6. Ensure Dynamic update is set to True.
    7. Select Save to save the changes.

Run the Installation Script on the Satellite or Capsule Server that is Managing the DNS Service for the Domain.

  • On a Satellite Server’s Base System. 

    satellite-installer --scenario satellite \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-principal="capsule/satellite.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-reverse="55.168.192.in-addr.arpa" \
--foreman-proxy-dns-zone=example.com \
--foreman-proxy-dns-ttl=86400

  • On a Capsule Server’s Base System. 

    satellite-installer --scenario capsule \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-principal="capsule/satellite.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-reverse="55.168.192.in-addr.arpa" \
--foreman-proxy-dns-zone=example.com \
--foreman-proxy-dns-ttl=86400

Restart the Satellite or Capsule’s Proxy Service.

  • On Red Hat Enterprise Linux 7. 

    # systemctl restart foreman-proxy

  • On Red Hat Enterprise Linux 6. 

    # service foreman-proxy restart

Update the Configuration in Satellite web UI.

After you have run the installation script to make any changes to a Capsule, instruct Satellite to scan the configuration on each affected Capsule as follows:

  1. Navigate to Infrastructure > Capsules.
  2. For each Capsule to be updated, from the Actions drop-down menu, select Refresh.

  3. Configure the domain:

    1. Go to Infrastructure > Domains and select the domain name.
    2. On the Domain tab, ensure DNS Capsule is set to the Capsule where the subnet is connected.

  4. Configure the subnet:

    1. Go to Infrastructure > Subnets and select the subnet name.
    2. On the Subnet tab, set IPAM to None.
    3. On the Domains tab, ensure the domain to be managed by the IdM server is selected.
    4. On the Capsules tab, ensure Reverse DNS Capsule is set to the Capsule where the subnet is connected.
    5. Click Submit to save the changes.

5.8.2. Configuring Dynamic DNS Update with TSIG Authentication

In this example, Satellite Server has the following settings.

IP address

192.168.25.1

Host name

satellite.example.com

The IdM server has the following settings.

Host name

idm1.example.com

IP address

192.168.25.2

Domain name

example.com

Before you Begin

  1. Confirm the IdM Server is deployed and the host-based firewall has been configured correctly. See Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide for more information.
  2. Obtain root user privileges on the IdM server.
  3. Confirm if the Satellite or an external Capsule is managing DNS for a domain.
  4. Confirm that the Satellite or external Capsule are currently working as expected.
  5. In the case of a newly installed system, complete the installation procedures in this guide first. In particular, DNS and DHCP configuration should have been completed.
  6. Optionally, make a backup of the answer file. This can make it easier to revert to using the internal DNS service. See Section 3.3.4, “Configuring Red Hat Satellite with an Answer File” for more information.

Enabling External Updates to the DNS Zone in the IdM Server

  1. On the IdM Server, add the following to the top of the /etc/named.conf file. 

    // This was added to allow Satellite Server at 192.168.25.1 to make DNS updates.
########################################################################
include "/etc/rndc.key";
controls  {
inet 192.168.25.2 port 953 allow { 192.168.25.1; } keys { "rndc-key"; };
};
########################################################################

  2. In the IdM web UI, go to Network Services > DNS > DNS Zones. Select the name of the zone. On the Settings tab:

    1. Add the following in the BIND update policy box. 

      grant "rndc-key" zonesub ANY;
    2. Ensure Dynamic update is set to True.
    3. Click Update to save the changes.

  3. Copy the /etc/rndc.key file from the IdM server to a secure location for later use. Alternatively, copy it directly to Satellite’s base system as follows. 

    # scp /etc/rndc.key root@satellite.example.com:/etc/rndc.key

  4. On Satellite Server, run the installation script as follows to use the external DNS server. 

    # satellite-installer --scenario satellite \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="192.168.25.2" \
--foreman-proxy-keyfile=/etc/rndc.key \
--foreman-proxy-dns-ttl=86400

Testing External Updates to the DNS Zone in the IdM Server

  1. Install bind-utils for testing with nsupdate. 

    # yum install bind-utils

  2. Ensure the key in the /etc/rndc.key file on Satellite Server is the same one as used on the IdM server. 

    key "rndc-key" {
        algorithm hmac-md5;
        secret "secret-key==";
};

  3. On Satellite Server, create a test DNS entry for a host. For example, host test.example.com with an A record of 192.168.25.20 on the IdM server at 192.168.25.1. 

    # echo -e "server 192.168.25.1\n \
update add test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key

  4. On Satellite Server, test the DNS entry. 

    # nslookup test.example.com 192.168.25.1
Server:		192.168.25.1
Address:	192.168.25.1#53

Name:	test.example.com
Address: 192.168.25.20
  5. To view the entry in the IdM web UI, go to Network Services > DNS > DNS Zones. Select the name of the zone and search for the host by name.

  6. If resolved successfully, remove the test DNS entry. 

    # echo -e "server 192.168.25.1\n \
update delete test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key

  7. Confirm that the DNS entry was removed. 

    # nslookup test.example.com 192.168.25.1

    The above nslookup command will fail and output the SERVFAIL error message if the record was successfully deleted.