tkey-gssapi-credential
Rob Austein
sra at isc.org
Sat Sep 18 05:08:42 UTC 2010
At Fri, 17 Sep 2010 13:18:42 -0600, Nicholas F Miller wrote:
>
> Does anyone have instructions on how to setup a Linux bind server to
> use GSS-TSIG against an AD? I have found many articles from people
> having issues with it but none that had good instructions on how to
> get it working. Last year we played around with it but were having
> issues getting it to work. kinit would work against the AD on our
> RHEL bind server but our clients couldn't update their records.
Beyond what's already been posted here? Not really. I can perhaps
tell you two things that might be useful.
1) The code really does work, honest. I have personally seen it work
(in the lab -- my last stint as an operator supporting anything on
Windows predated AD) with Windows 2000, Windows 2003 Server, and
Windows XP. I have not (yet) personally tested it with anything
more recent than that, but unless Microsoft has done something
weird (nah) it still should.
2) If you run into problems, the best debugging tools I can recommend
are:
a) Running named with full debugging ("named -g" and capture the
stderr output somewhere, or do the equivalent with logging
options in named.conf); and
b) A good packet sniffer watching both DNS and Kerberos traffic.
For (b) I recommend Wireshark (or tshark, same difference). You
can use some other tool (e.g., tcpdump) to capture the dump, but
understanding what happened requires an analyzer that does deep
inspection of both DNS and Kerberos. Make sure you capture full
packets for both Kerberos and DNS, i.e., UDP ports 88 and 53 as well
as TCP port 53 (Yes, Windows uses all three).
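The two debugging steps above, as an added example script that is not part of Rob's reply or of BIND: it runs named in the foreground with debug output saved to a file, captures full packets on the DNS and Kerberos ports with tcpdump, and dissects the capture with tshark so the TKEY negotiation and the TSIG-signed UPDATE are readable. It goes slightly beyond the text by also capturing TCP port 88, since Kerberos falls back to TCP when a ticket is too large for UDP (AD tickets carrying a PAC often are). The interface name, log path, pcap path and the `-d 10` debug level are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes named, tcpdump and
# tshark are installed and that the caller supplies the capture interface.
# The log and pcap paths are illustrative defaults.

# BPF capture filter: port 53 (UDP and TCP) for DNS, where the TKEY exchange and
# the TSIG-signed UPDATE travel, and port 88 (UDP and TCP) for Kerberos.
# TCP 88 is an addition beyond the text: Kerberos retries over TCP when a
# ticket does not fit in a UDP datagram.
gss_tsig_capture_filter() {
    printf '%s' 'port 53 or port 88'
}

# tshark display filter: all Kerberos messages, the DNS TKEY queries
# (RR type 249) and any DNS UPDATE (opcode 5), which is where the TSIG lives.
gss_tsig_display_filter() {
    printf '%s' 'kerberos || dns.qry.type == 249 || dns.flags.opcode == 5'
}

# Run named in the foreground; -g logs to stderr, -d raises the debug level.
# Output is both shown on the terminal and saved to the log file.
run_named_debug() {
    logfile="${1:-/tmp/named-debug.log}"
    named -g -d 10 2>&1 | tee "$logfile"
}

# Capture full packets (-s 0, no truncation) on the given interface so the
# GSS tokens inside TKEY records and Kerberos tickets are complete.
capture_gss_tsig() {
    iface="$1"
    pcap="${2:-/tmp/gss-tsig.pcap}"
    tcpdump -i "$iface" -s 0 -w "$pcap" "$(gss_tsig_capture_filter)"
}

# Dissect the capture, expanding only the DNS and Kerberos layers (-O) so the
# TKEY/TSIG fields and the Kerberos error codes are easy to read.
analyze_gss_tsig() {
    pcap="${1:-/tmp/gss-tsig.pcap}"
    tshark -r "$pcap" -Y "$(gss_tsig_display_filter)" -O dns,kerberos
}

case "${1:-}" in
    named)   run_named_debug "$2" ;;
    capture) capture_gss_tsig "$2" "$3" ;;
    analyze) analyze_gss_tsig "$2" ;;
    *)       echo "usage: $0 named [logfile] | capture <iface> [pcap] | analyze [pcap]" >&2 ;;
esac
```

Run `capture` on the server while a Windows client retries its dynamic update, then `analyze` the pcap: a failed GSS-TSIG update usually shows either a KRB-ERROR on port 88 (principal or key problem, which kinit alone does not exercise because the client requests a DNS/host service ticket, not a TGT) or a TKEY response from named carrying a non-zero error, and the matching named debug log explains which.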