Using bind 9.5.0 with Active directory
Nico De Ranter
nico at sonycom.com
Fri Dec 26 13:28:13 UTC 2008
Unfortunately I can't get it to work.
When I add
tkey-gssapi-credential "DNS/....";
tkey-domain "...";
to my named.conf file, named doesn't want to start anymore. I get the
following message in /var/log/messages:
Dec 26 13:55:33 dns named[8546]: configuring TKEY: not implemented
Dec 26 13:55:33 dns named[8546]: loading configuration: not implemented
Dec 26 13:55:33 dns named[8546]: exiting (due to fatal error)
I compiled bind 9.6.0 using the following options:
./configure --with-openssl=yes \
--with-randomdev=/dev/urandom \
--prefix=/opt/bind-${BINDVER} \
--sysconfdir=/etc/bind-${BINDVER} \
--enable-threads \
--with-pkcs11 \
--with-gssapi=/usr
on a Linux system (CentOS 5.2, clean install). The configure/make/make
install seems to run fine. I didn't see any error messages related to
gssapi (configure finds the libraries and header files without
problems.)
named runs fine as long as I don't use the 'tkey' options.
Any idea what might be wrong?
Thanks in advance,
Nico
On Wed, 2008-12-24 at 09:10 +0100, Nico De Ranter wrote:
> Thank you very much for your very detailed instructions. I'm going to
> try it right away.
>
> Nico
>
>
> On Tue, 2008-12-23 at 17:41 -0500, Rob Austein wrote:
> > Four things must be done to allow Bind 9 to support GSS-TKEY:
> >
> > * kinit must work on the host which will run BIND 9. This means
> > krb5.conf must be properly configured with the realm and
> > locations of the Kerberos servers.
> > * Bind 9 must be compiled with GSSAPI enabled.
> > * Bind 9 must have a principal and a keytab.
> > * named.conf needs to be told the name of the principal.
> >
> > options {
> > ...
> > tkey-gssapi-credential "DNS/foo.example.org";
> > ...
> > };
> >
> > Extracting a Kerberos keytab from Active Directory is a two-step
> > process: first you create a user account in Active Directory, then you
> > map it to a Kerberos principal name and extract the keytab. Windows
> > usernames don't use the same naming conventions as Kerberos principals
> > (the allowed set of Windows usernames is a subset of the allowed
> > Kerberos principal names, and a service principal name like
> > DNS/foo.example.org is not a legal Windows username).
> >
> > Go into Active Directory's new user wizard and create a new user
> > account. It's probably best to put accounts like this into a separate
> > organization unit (OU) within the active directory tree. This could
> > be called unix or bind9 or anything you wish to help organize bind 9
> > server credentials and users. The username can be any syntactically
> > legal thing you like, but when creating, e.g., the DNS service principal
> > for host foo.example.org, it's probably best to use a username like
> > foo to avoid conflicts.
> >
> > Select "password never expires" and "user cannot change password" in
> > the next screen of the wizard, to make sure that the account's
> > password can't change (which would invalidate the keytab).
> >
> > The second step requires a command line tool, ktpass. ktpass is
> > supplied on the Windows installation media but is not installed by
> > default.
> >
> > ktpass accepts the usual /? option to display a help screen, but for
> > the task at hand you'll want to do something like this:
> >
> > C:\> ktpass -out foo.keytab -princ DNS/foo.example.org@EXAMPLE.ORG -pass * -mapuser foo@example.org
> >
> > where
> >
> > * foo.keytab is the filename for the new keytab
> > * DNS/foo.example.org@EXAMPLE.ORG is the principal name
> > * foo@example.org is the Active Directory user account
> >
> > If all goes well, ktpass will tell you what it's doing, prompt you for
> > the password you set when creating the user account, and will write
> > out the keytab, which you can then install in the usual place on the
> > machine to run Bind 9.
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
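Rob's items 3 and 4 above (a principal in a keytab, and named.conf naming that principal) as a pre-flight check one can run on the BIND host before starting named; this is an added example, not code from the thread. The klist -k output and the named.conf fragments are constructed samples, and accepting any realm when tkey-gssapi-credential omits @REALM is my assumption.

```shell
#!/bin/sh
# Pre-flight check: the principal named in tkey-gssapi-credential must exist
# in the keytab that ktpass produced and that was installed on the BIND host.

# Constructed sample: what `klist -k -t /etc/bind/foo.keytab` might print for
# the keytab written by the ktpass command in the instructions above.
KLIST_OUT='Keytab name: FILE:/etc/bind/foo.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 12/26/2008 13:00:00 DNS/foo.example.org@EXAMPLE.ORG'

# Constructed named.conf fragments: one that matches the keytab, one that does not.
NAMED_CONF_OK='options {
    tkey-gssapi-credential "DNS/foo.example.org";
    tkey-domain "EXAMPLE.ORG";
};'
NAMED_CONF_BAD='options {
    tkey-gssapi-credential "DNS/bar.example.org";
};'

# Print the tkey-gssapi-credential value found in named.conf text ($1), if any.
conf_credential() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*tkey-gssapi-credential[[:space:]]*"\([^"]*\)".*/\1/p' |
        head -n 1
}

# Succeed if the klist output ($1) lists principal $2. Header lines carry no '@'
# and are skipped. If $2 has no @REALM, any realm is accepted (assumption).
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $NF !~ /@/ { next }                         # not a principal line
        { have = $NF }                              # principal is the last field
        index(want, "@") == 0 { sub(/@.*/, "", have) }
        have == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Succeed only if named.conf text ($2) names a credential present in keytab listing ($1).
check_tkey_credential() {
    cred=$(conf_credential "$2")
    [ -n "$cred" ] || return 1
    keytab_has_principal "$1" "$cred"
}

if check_tkey_credential "$KLIST_OUT" "$NAMED_CONF_OK"; then
    echo "tkey-gssapi-credential is present in the keytab"
fi
```

On a live host, replace the constructed strings with `klist -k -t <keytab>` output and the real named.conf; the check says nothing about whether the named binary was built with GSSAPI support.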