Jonathan Turner 7 лет назад
Сommit
e8316f43b7

+ 9 - 8
testenv/docker/dns/Dockerfile

@@ -5,10 +5,6 @@ EXPOSE 53
 
 ENTRYPOINT ["/var/named/named.sh"]
 
-ENV KRB5_KTNAME /etc/named.keytab
-ADD files/krb5.conf /etc/krb5.conf
-ADD files/krb5.testtab /etc/krb5.keytab
-
 ENV DEBIAN_FRONTEND noninteractive
 RUN apt-get update && apt-get install -y bind9 && \
   mkdir -p /var/named/data && \
@@ -17,10 +13,15 @@ RUN apt-get update && apt-get install -y bind9 && \
   mkdir -p /etc/named && \
   mkdir -p /var/run/named && chown bind /var/run/named
 
+ENV KRB5_KTNAME /etc/named.keytab
+ADD files/krb5.conf /etc/krb5.conf
+ADD files/krb5.testtab /var/named/data/named.keytab
+RUN chown bind:bind /var/named/data/named.keytab && chmod 644 /var/named/data/named.keytab
+
+ADD files/named.sh /var/named/named.sh
+RUN chmod 744 /var/named/named.sh
+
 ADD files/etc-named.conf /etc/named.conf
 ADD files/gokrb5.conf /etc/named/gokrb5.conf
 ADD files/zone-files/db.10 /var/named/data/
-ADD files/zone-files/db.test.gokrb5 /var/named/data/
-ADD files/named.sh /var/named/named.sh
-
-RUN chmod 744 /var/named/named.sh
+ADD files/zone-files/db.test.gokrb5 /var/named/data/
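Review bot: The re-added `ENV KRB5_KTNAME /etc/named.keytab` still names a path that nothing in this Dockerfile populates, while the keytab itself now lands at /var/named/data/named.keytab and both etc-named.conf (`tkey-gssapi-keytab`) and krb5.conf (`default_keytab_name`) in this commit point there; set `ENV KRB5_KTNAME=/var/named/data/named.keytab` so the three agree. The `chmod 644` on that keytab makes the credential readable by every user in the container, and since the file is chowned to bind:bind (and named appears to run as bind, given the chown on /var/run/named above) `chmod 600` is enough. The new lines also keep the file's existing habits of `ADD` for plain local files and the legacy space-separated `ENV` form; `COPY` and `ENV key=value` are the current idiom, though changing that is optional here.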

+ 15 - 5
testenv/docker/dns/files/etc-named.conf

@@ -18,14 +18,24 @@ options {
 	pid-file "/run/named/named.pid";
 	session-keyfile "/run/named/session.key";
 
-	tkey-gssapi-keytab  "DNS/ns.test.gokrb5";
+	tkey-gssapi-keytab  "/var/named/data/named.keytab";
 };
 
 logging {
-        channel default_debug {
-                file "data/named.run";
-                severity dynamic;
-        };
+    channel stderr {
+        stderr;
+        severity debug;
+        print-category yes;
+        print-severity yes;
+        print-time yes;
+    };
+    category default { stderr; };
+    category client { stderr; };
+    category config { stderr; };
+    category general { stderr; };
+    category security { stderr; };
+    category update { stderr; };
+    category update-security { stderr; };
 };
 
 include "/etc/bind/named.conf.local";
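Review bot: The rewritten logging block is indented with four spaces while the surrounding file (the options block above it) uses tabs; match the file's tabs. Sending every listed category to stderr at `severity debug` replaces the default file channel, so a short reason comment would help the next reader, e.g. `// test environment: all categories to stderr at debug so the container log captures them`.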

+ 1 - 1
testenv/docker/dns/files/krb5.conf

@@ -12,7 +12,7 @@
   forwardable = yes
   default_tkt_enctypes = aes256-cts-hmac-sha1-96
   default_tgs_enctypes = aes256-cts-hmac-sha1-96
-  default_keytab_name = FILE:/etc/krb5.keytab
+  default_keytab_name = FILE:/var/named/data/named.keytab
 
 [realms]
  TEST.GOKRB5 = {

BIN
testenv/docker/dns/files/krb5.testtab


+ 2 - 2
testenv/docker/dns/files/zone-files/db.10

@@ -9,5 +9,5 @@ $TTL	604800
 			2419200		; Expire
 			 604800 )	; Negative Cache TTL
 ;
-@	IN	NS	test.gokrb5.
-88.88.80 IN  PTR host.test.gokrb5.
+@	IN	NS	ns.test.gokrb5.
+88.88.80 IN  PTR host.test.gokrb5.
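Review bot: The NS record changes but the zone's SOA serial is not bumped in this commit; the serial sits above this hunk so its value is not visible here, and db.test.gokrb5 in the same commit shows the same pattern with `2017112801` left unchanged although its records were rewritten. A single authoritative container will serve the new data regardless, but any secondary or cached copy decides by serial, so incrementing both (e.g. to the current date plus a sequence digit) keeps the files honest. The PTR line appears in both the removed and added sides with identical content, so the change there is presumably only line-ending or trailing whitespace.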

+ 7 - 5
testenv/docker/dns/files/zone-files/db.test.gokrb5

@@ -1,14 +1,16 @@
-$ORIGIN .
+$ORIGIN test.gokrb5.
 $TTL 86400	; 1 day
-test.gokrb5		IN SOA	test.gokrb5. ns.test.gokrb5. (
+@		        IN SOA ns.test.gokrb5. test.gokrb5. (
 				2017112801 ; serial
 				604800     ; refresh (1 week)
 				86400      ; retry (1 day)
 				2419200    ; expire (4 weeks)
 				86400      ; minimum (1 day)
 				)
-			NS	test.gokrb5.
-			A	10.80.88.88
+
+		IN	NS	ns
+ns      IN  A   <TEST_KDC_ADDR>
+		IN	A	<TEST_KDC_ADDR>
 $ORIGIN _tcp.test.gokrb5.
 _kerberos		IN	SRV	0 0 88 kdc.test.gokrb5.
 _kerberos		IN	SRV	1 100 88 kdc1a.test.gokrb5.
@@ -26,4 +28,4 @@ kdc		IN	A	<TEST_KDC_ADDR>
 kdc1a	IN	A	<TEST_KDC_ADDR>
 kdc1b	IN	A	<TEST_KDC_ADDR>
 kdc2a	IN	A	<TEST_KDC_ADDR>
-kdc2b	IN	A	<TEST_KDC_ADDR>
+kdc2b	IN	A	<TEST_KDC_ADDR>
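Review bot: The added `		IN	A	<TEST_KDC_ADDR>` line carries no owner name, so it inherits the owner of the line before it, `ns`, rather than the zone apex; the result is two identical A records for ns.test.gokrb5 and no A record for test.gokrb5 itself, which the removed `A 10.80.88.88` line used to provide. Name the owner explicitly, `@		IN	A	<TEST_KDC_ADDR>`, or move the line above the `ns` record. The rewritten SOA puts `test.gokrb5.` in the RNAME (responsible mailbox) field, which reads as a mailbox with an empty local part; `hostmaster.test.gokrb5.` is the conventional value. The `<TEST_KDC_ADDR>` placeholders are presumably substituted at container start from the `TEST_KDC_ADDR` variable passed in dns.service, but the script doing so is not in this commit, so I cannot confirm it handles the new ns records.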

+ 1 - 0
testenv/docker/krbhttp/Dockerfile

@@ -19,6 +19,7 @@ ADD index.html /var/www/html/modkerb/index.html
 ADD index.html /var/www/html/modgssapi/index.html
 ADD krb5.conf /etc/krb5.conf
 ADD http.testtab /etc/httpd/
+ADD host.testtab /etc/krb5.keytab
 #RUN ln -sf /dev/stdout /var/log/httpd/access_log && \
 # ln -sf /dev/stdout /var/log/httpd/ssl_access_log && \
 # ln -sf /dev/stdout /var/log/httpd/ssl_request_log && \
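Review bot: `ADD host.testtab /etc/krb5.keytab` leaves the keytab with root ownership and whatever mode the build context gives the source file, and the hunk sets neither; the vagrant counterpart in this commit (bootstrap.sh) sets the mode of its http keytab explicitly, so do the same here, e.g. a `RUN chmod 600 /etc/krb5.keytab` if only root reads it (which process consumes this keytab is not visible in the hunk). For a plain local file `COPY` is the idiomatic instruction, though the surrounding lines share the `ADD` habit.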

BIN
testenv/docker/krbhttp/host.testtab


+ 5 - 0
testenv/krbhttp-vagrant/a_update

@@ -0,0 +1,5 @@
+debug
+server 10.80.88.88
+zone test.gokrb5.
+update add host.test.gokrb5. 86400  IN A 1.2.3.4
+send
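Review bot: The new nsupdate batch carries no comment saying what it is for or how it is meant to be invoked; nsupdate ignores lines beginning with a semicolon, so a header such as `; nsupdate batch: adds an A record for host.test.gokrb5 against the test DNS container (10.80.88.88)` would save the next reader a guess. It presumably runs with GSS-TSIG given the keytab bootstrap.sh copies into place in the same commit, but the note should state the intended command rather than leave that inferred. The target address `1.2.3.4` is a real routable address; the RFC 5737 documentation range (e.g. `192.0.2.4`) is the safer choice for test data.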

+ 2 - 0
testenv/krbhttp-vagrant/bootstrap.sh

@@ -12,6 +12,7 @@ yum install -y \
    mod_auth_gssapi \
    mod_ssl \
    ntp \
+   bind-utils \
    krb5-workstation
 
 systemctl stop firewalld
@@ -30,6 +31,7 @@ echo "10.80.88.90 host.test.gokrb5" >> /etc/hosts
 
 sh /vagrant/krb-setup.sh
 mv /vagrant/httpd-krb5.conf /etc/httpd/conf.d/
+cp /vagrant/host.testtab /etc/krb5.keytab
 chcon system_u:object_r:httpd_config_t:s0 /etc/httpd/conf.d/*
 chcon system_u:object_r:httpd_config_t:s0 /vagrant/http.testtab
 chmod 644 /vagrant/http.testtab
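Review bot: `cp /vagrant/host.testtab /etc/krb5.keytab` in the second hunk leaves the copied keytab with whatever mode the umask and the source file grant, while the neighbouring lines set context and mode for http.testtab explicitly; add `chmod 600 /etc/krb5.keytab` after the copy, widening it only if a non-root service is the intended reader (not visible here). If the same file is also what the krbhttp Dockerfile installs as /etc/krb5.keytab in this commit, a one-line comment naming that shared role would make the duplication deliberate.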

BIN
testenv/krbhttp-vagrant/host.testtab


+ 1 - 1
testenv/mit-krb5kdc/dns.service

@@ -13,7 +13,7 @@ TimeoutStartSec=0
 ExecStartPre=-/usr/bin/docker kill %n
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStartPre=-/usr/bin/docker pull ${DOCKER_IMAGE}
-ExecStart=/usr/bin/docker run -h kdc.test.gokrb5 -v /etc/localtime:/etc/localtime:ro -e "TEST_KDC_ADDR=${TEST_KDC_ADDR}" -p ${PORT}:${PORT} -p ${PORT}:${PORT}/udp --rm --name ${NAME} ${DOCKER_IMAGE}
+ExecStart=/usr/bin/docker run -h ns.test.gokrb5 -v /etc/localtime:/etc/localtime:ro -e "TEST_KDC_ADDR=${TEST_KDC_ADDR}" -p ${PORT}:${PORT} -p ${PORT}:${PORT}/udp --rm --name ${NAME} ${DOCKER_IMAGE}
 ExecStop=/usr/bin/docker stop --time=60 %n
 ExecStopPost=-/usr/bin/docker rm %n