BIND 9.5.0a6 and Windows Server 2003 R2 DDNS updates with GSS-TSIG
David Holder
david.holder at erion.co.uk
Fri Aug 31 15:41:32 UTC 2007
Danny,
Network trace attached for failure.
This might be obvious but:
192.168.100.101 Windows Server 2003 AD DC
192.168.100.100 FC7 Client with BIND 9.5
I got exactly the same results using the nsupdate -g and nsupdate -o.
Let me know if you need anything else. I am on holiday for two weeks from
tomorrow but I will be attempting to pick up email.
Regards,
David
==================================================================
Dr David Holder CEng FIET MIEEE
Erion Ltd, Oakleigh, Upper Sutherland Road, Halifax, HX3 8NT
Reception: +44 (0)1422 207000
Direct Dial: +44 (0)131 2026317
Cell: +44 (0) 7768 456831
Registered in England and Wales. Registered Number 3521142
VAT Number: GB 698 3633 78
-----Original Message-----
From: Danny Mayer [mailto:mayer at gis.net]
Sent: 20 August 2007 00:26
To: David Holder
Cc: bind-users at isc.org
Subject: Re: BIND 9.5.0a6 and Windows Server 2003 R2 DDNS updates with GSS-TSIG
David Holder wrote:
> I had a little trouble getting this message onto the list - here it is at
> last (I hope).
>
>
>> Hi! I am trying to use BIND 9.5's GSS-TSIG functionality to carry out secure
>> updates to a Windows Server 2003 R2 AD domain controller.
>>
>>
>>
>> I am using a few different Linux clients. They are all configured to use the
>> AD DC as their KDC. This works fine.
>>
>>
>>
>> I have built and tested BIND 9.5 with GSSAPI. So far I have not been able to
>> get it to work with Windows.
>>
It doesn't work yet.
>>
>>
>> Here is an example of the failure messages I get.
>>
>> /usr/local/bin/nsupdate -d -g -o
>>
>
>>>> update add oak2.active.com 86400 A 192.168.100.100
>>
>>
>
>>>> send
>>
>>
>> Reply from SOA query:
>>
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53990
>>
>> ;; flags: qr aa rd ra ; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>
>> ;; QUESTION SECTION:
>>
>> ;oak2.active.com. IN SOA
>>
>>
>>
>> ;; AUTHORITY SECTION:
>>
>> active.com. 3600 IN SOA w2003r2.active.com. hostmaster. 32 900 600 86400 3600
>>
>>
>>
>> ;; ADDITIONAL SECTION:
>>
>> w2003r2.active.com. 3600 IN A 192.168.100.101
>>
>>
>>
>> Found zone name: active.com
>>
>> The master is: w2003r2.active.com
>>
>> start_gssrequest
>>
>> nsupdate.c:2192: INSIST(result == 0) failed.
>>
>> Aborted
>>
>>
>>
>> If I do a klist I see the following.
>>
>> Ticket cache: FILE:/tmp/krb5cc_513
>>
>> Default principal: administrator at ACTIVE.COM
>>
>>
>>
>> Valid starting Expires Service principal
>>
>> 08/08/07 13:06:09 08/08/07 23:07:35 krbtgt/ACTIVE.COM at ACTIVE.COM
>>
>> renew until 08/09/07 13:06:09
>>
>> 08/08/07 13:31:26 08/08/07 23:07:35 DNS/w2003r2.active.com at ACTIVE.COM
>>
>> renew until 08/09/07 13:06:09
>>
>>
>>
>> I have carried out network traces and found that Windows to Windows dynamic
>> updates look different from the BIND to Windows dynamic updates.
>>
I wouldn't be surprised.
>>
>>
>> Has anyone tried this before? What information do you need to look at this?
>> Traces logs configuration info? And is this the correct mailing list for
>> this problem?
>>
The network traces would be useful. Is this with wireshark?
Danny