lib/proxy/dns/nsupdate_gss.rb
require 'proxy/dns/nsupdate'
require 'rkerberos'
module Proxy::DNS
class NsupdateGSS < Nsupdate
attr_reader :tsig_keytab, :tsig_principal
def initialize options = {}
@tsig_keytab = options[:tsig_keytab]
@tsig_principal = options[:tsig_principal]
raise "Keytab not configured via dns_tsig_keytab for DNS GSS-TSIG support" unless tsig_keytab
raise "Unable to read dns_tsig_keytab file at #{tsig_keytab}" unless File.exist?(tsig_keytab)
raise "Kerberos principal required - check dns_tsig_principal setting" unless tsig_principal
super(options)
end
protected
def nsupdate_args
"#{super} -g "
end
def nsupdate cmd
init_krb5_ccache if cmd == "connect"
super
end
private
def init_krb5_ccache
krb5 = Kerberos::Krb5.new
ccache = Kerberos::Krb5::CredentialsCache.new
logger.info "Requesting credentials for Kerberos principal #{tsig_principal} using keytab #{tsig_keytab}"
begin
krb5.get_init_creds_keytab tsig_principal, tsig_keytab, nil, ccache
rescue => e
logger.error "Failed to initialise credential cache from keytab: #{e}"
raise Proxy::DNS::Error.new("Unable to initialise Kerberos: #{e}")
end
logger.debug "Kerberos credential cache initialised with principal: #{ccache.primary_principal}"
end
end
end