diff --git a/ChangeLog b/ChangeLog index a5a5e5741ab811acde5a14f253fb2cc3f663551f..f4a602919ba9e18de580a2681229a8b16dd02dcc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2030. [doc] fdupont,tomek + GSS-TSIG examples updated. The recommendation to not use + client-keytab and credentials-cache at the same time added. + (Gitlab #2247) + 2029. [bug] fdupont The check of the subnet id in configuration is stricter: values outside the 0..4294967295 are rejected. Note that diff --git a/doc/examples/ddns/gss-tsig.json b/doc/examples/ddns/gss-tsig.json index 0cc324df74f216356c8f906ae4daccce9fa553b2..e98a2ef667d9791876161ae8241ba6a392aa2054 100644 --- a/doc/examples/ddns/gss-tsig.json +++ b/doc/examples/ddns/gss-tsig.json @@ -56,7 +56,7 @@ ] }, - // Need to add gss-tsig hook here + // The GSS-TSIG hook is loaded and its configuration is specified here. "hooks-libraries": [ { "library": "/opt/lib/libddns_gss_tsig.so", @@ -69,8 +69,15 @@ "server-principal": "DNS/server.example.org@EXAMPLE.ORG", "client-principal": "DHCP/admin.example.org@EXAMPLE.ORG", - "client-keytab": "FILE:/etc/dhcp.keytab", // toplevel only - "credentials-cache": "FILE:/etc/ccache", // toplevel only + + // client-keytab and credentials-cache can both be used to + // store client keys. As credentials cache is more flexible, + // it is recommended to use it. Typically, using both at the + // same time may cause problems. + // + // "client-keytab": "FILE:/etc/dhcp.keytab", // toplevel only + "credentials-cache": "FILE:/etc/ccache", // toplevel only + "tkey-lifetime": 3600, // 1 hour "rekey-interval": 2700, // 45 minutes "retry-interval": 120, // 2 minutes diff --git a/doc/sphinx/arm/ext-gss-tsig.rst b/doc/sphinx/arm/ext-gss-tsig.rst index 6126e32f30c0f001fe20c8cdf2740d49d732aca6..b0012c2193fc4704f66d56ad32e53a652e60e856 100644 --- a/doc/sphinx/arm/ext-gss-tsig.rst +++ b/doc/sphinx/arm/ext-gss-tsig.rst @@ -466,7 +466,7 @@ An excerpt from a D2 server configuration is provided below; more examples are a .. code-block:: javascript :linenos: - :emphasize-lines: 57-107 + :emphasize-lines: 57-113 { @@ -525,7 +525,7 @@ An excerpt from a D2 server configuration is provided below; more examples are a ] }, - // Need to add gss-tsig hook here + // The GSS-TSIG hook is loaded and its configuration is specified here. "hooks-libraries": [ { "library": "/opt/lib/libddns_gss_tsig.so", @@ -538,7 +538,13 @@ An excerpt from a D2 server configuration is provided below; more examples are a "server-principal": "DNS/server.example.org@EXAMPLE.ORG", "client-principal": "DHCP/admin.example.org@EXAMPLE.ORG", - "client-keytab": "FILE:/etc/dhcp.keytab", // toplevel only + + // client-keytab and credentials-cache can both be used to + // store client keys. As credentials cache is more flexible, + // it is recommended to use it. Typically, using both at the + // same time may cause problems. + // + // "client-keytab": "FILE:/etc/dhcp.keytab", // toplevel only "credentials-cache": "FILE:/etc/ccache", // toplevel only "tkey-lifetime": 3600, // 1 hour "rekey-interval": 2700, // 45 minutes @@ -804,6 +810,21 @@ The server map parameters are described below: - ``comment`` is allowed but currently ignored. +.. note:: + + Generally it is not recommended to specify both the client keytab (``client-keytab``) + and the credentials cache (``credentials-cache``), although this may + differ between Kerberos implementations. The client keytab is just for + the client key and is typically used to specify the key explicitly in more + static manner, while the credentials cache can be used to store multiple + credentials and can be dynamically updated by the Keberos library. As such, + the credentials-cache is more flexible and thus the recommended alternative. + + Also note that only the read access right is needed to use the cache. + Fetching credentials and updating the cache requires the write access + right. + + GSS-TSIG Automatic Key Removal ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~