From 758a1c8d0fefcd0877bd1c3cb15b17eb7116b72f Mon Sep 17 00:00:00 2001 From: Tomek Mrugalski Date: Wed, 18 Aug 2021 20:38:18 +0200 Subject: [PATCH] [#2018] GSS-TSIG text updated --- doc/sphinx/arm/ext-gss-tsig.rst | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/doc/sphinx/arm/ext-gss-tsig.rst b/doc/sphinx/arm/ext-gss-tsig.rst index 67d0960eb7..2bb2ae1dde 100644 --- a/doc/sphinx/arm/ext-gss-tsig.rst +++ b/doc/sphinx/arm/ext-gss-tsig.rst 
@@ -223,20 +223,27 @@ IP+port tuples. If port is not specified, the default of 53 is assumed. This is mode with no authentication or authentication done using TSIG keys, with the exception that static TSIG keys are not referenced by name. -Second, the `gss_tsig.so` library has to be specified on the `hooks-libraries` list. This hook takes +Second, the ``gss_tsig.so`` library has to be specified on the ``hooks-libraries`` list. This hook takes many parameters. The most important one is `servers`, which is a list of GSS-TSIG capable servers. If there are several servers and they share some characteristics, the values can be specified in `parameters` scope as defaults. In the example above, the defaults that apply to all servers unless otherwise specified on per server scope, are defined in lines 63 through 68. The defaults can be skipped if there is only one server defined or all servers have different values. -- ``server-principal`` is ... +- ``client-keytab`` is pointer to the location of the Kerberos key tab. This is usually a single file + that is located in ``/etc/krb5.keytab``. However, some implementations support schemes other than + ``FILE:`` and whole directory can be specified using ``DIR:``. This parameter can be specified only once, + in the parameters scope. -- ``client-principal`` is ... +- ``credentials-cache`` is Kerberos credentials cache file. As there is only one cache for the whole + system, this parameter can be specified only once, in the parameters scope. -- ``client-keytab`` is .. +- ``server-principal`` is the Kerberos principal name of the DNS server that will receive the updates. + In plain words, this is the DNS server's name in the Kerberos system. This parameter is mandatory. + It uses the typical Kerberos notation: ``/domain@REALM``. -- ``credentials-cache`` is .. +- ``client-principal`` is the Kerberos principal name of the Kea D2 service. It is optional. It uses + the typical Kerberos notation: ``/domain@REALM``. 
- ``tkey-protocol`` determines which protocol is used to establish the security context with the DNS servers. Currently the only supported value is TCP.
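Review bot: the principal notation given for ``server-principal`` and ``client-principal``, ``/domain@REALM``, is missing the component before the slash; a Kerberos principal is written ``primary/instance@REALM``, and for a DNS server the primary is conventionally ``DNS`` with the server's FQDN as the instance, e.g. ``DNS/dns1.example.com@EXAMPLE.COM`` (illustrative name only). Spelling the expected form out in full avoids readers configuring a principal the KDC cannot match. Two smaller points in the same hunk: the first paragraph moves ``gss_tsig.so`` and ``hooks-libraries`` to double backticks but leaves `servers` and `parameters` in single backticks, which reST renders as interpreted text rather than a literal, so those should become ``servers`` and ``parameters`` as well; and the ``credentials-cache`` entry justifies the once-only restriction with "there is only one cache for the whole system", but Kerberos credential caches are per user or per process (selected via ``KRB5CCNAME``), so it reads better as a property of the hook (one cache for the D2 process) rather than of the system. Grammar in the ``client-keytab`` entry: "is pointer to the location of the Kerberos key tab" should read "is a pointer to the location of the Kerberos keytab", and "whole directory can be specified" needs "a whole directory".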