Using bind 9.5.0 with Active directory

Nico De Ranter nico at sonycom.com
Tue Dec 30 10:25:22 UTC 2008


You were correct (of course).  I had my versions mixed up and was
starting an older version without GSSAPI support.

The kerberos authentication seems to be working now but I still can't
get the updates working.  If I understand the output in named.run correctly,
I believe the kerberos authentication is accepted ("process_gsstkey():
dns_tsigerror_noerror"), but the update is still refused ("updating zone
'test.net/IN': update failed: rejected by secure update (REFUSED)").
(see excerpt from named.run below)

Most likely I haven't got my named.conf straight.  In named.conf I
have:

-------------- named.conf
-----------------------------------------------------------------------------------------
[...]
options {
        [...]
        tkey-gssapi-credential "DNS/dns.test.net";
        tkey-domain "TEST.NET";
};

view "internal" {
        [...]
        zone "test.net" {
                type master;
                file "test.net.zone";
                // allow-update { internals; };
                update-policy {
                        grant update-key krb5-self test.net A;
                };
        };
};
-------------- end of named.conf
-------------------------------------------------------------------------------- 

I can't quite figure out what the update-policy line should look like
when using gss.

Again, thanks for all your help!!

Nico

-------------- named.run
-------------------------------------------------------------------------------------------
30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal: using
view 'internal'
30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
request is not signed
30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
recursion available
30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal: update
30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
ns_client_attach: ref = 1
30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
updating zone 'test.net/IN': prerequisites are OK
30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal: update
'test.net/IN' denied
30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
updating zone 'test.net/IN': rolling back
30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal: send
30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal: sendto
30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal:
senddone
30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal: next
30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal:
ns_client_detach: ref = 0
30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal:
endrequest
30-Dec-2008 10:51:08.329 client @0xb604b008: udprecv
30-Dec-2008 10:51:08.333 socket 0xb7f28588 10.10.10.101#1053: accepted
connection, new socket 0xb5f56588
30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: new TCP connection
30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: replace
30-Dec-2008 10:51:08.334 clientmgr @0xb7f1f3b8: createclients
30-Dec-2008 10:51:08.334 clientmgr @0xb7f1f3b8: recycle
30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: read
30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: TCP request
30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: view internal: using
view 'internal'
30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: view internal:
request is not signed
30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: view internal:
recursion available
30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: view internal: query
30-Dec-2008 10:51:08.334 gss cred: "DNS/dns.test.net at TEST.NET",
GSS_C_ACCEPT, 4294967146
30-Dec-2008 10:51:08.369 gss-api source name (accept) is XP3$@TEST.NET
30-Dec-2008 10:51:08.369 process_gsstkey(): dns_tsigerror_noerror
30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: view internal: send
30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: view internal: sendto
30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: view internal:
senddone
30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: view internal: next
30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: view internal:
endrequest
30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: read
30-Dec-2008 10:51:08.369 client @0xb600a008: accept
30-Dec-2008 10:51:08.371 client 10.10.10.101#1053: next
30-Dec-2008 10:51:08.371 client 10.10.10.101#1053: request failed: end
of file
30-Dec-2008 10:51:08.371 client 10.10.10.101#1053: endrequest
30-Dec-2008 10:51:08.371 client 10.10.10.101#1053: closetcp
30-Dec-2008 10:51:08.371 socket 0xb5f56588: destroying
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: UDP request
30-Dec-2008 10:51:08.373 tsig key
'1044-ms-7.1-12594.61c6fec0-d657-11dd-2fa0-000c292d3ce0' (XP3\
$\@TEST.NET): tsig expire: generated=1, refs=1, expire=-86401)
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: using
view 'internal'
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
request has valid signature
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
recursion available
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: update
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
ns_client_attach: ref = 1
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
updating zone 'test.net/IN': prerequisites are OK
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
updating zone 'test.net/IN': update failed: rejected by secure update
(REFUSED)
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
updating zone 'test.net/IN': rolling back
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: send
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: sendto
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
senddone
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: next
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
ns_client_detach: ref = 0
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
endrequest
30-Dec-2008 10:51:08.373 client @0xb604b008: udprecv



On Fri, 2008-12-26 at 13:29 -0500, Rob Austein wrote:

> At Fri, 26 Dec 2008 14:28:13 +0100, Nico De Ranter wrote:
> > 
> > Dec 26 13:55:33 dns named[8546]: configuring TKEY: not implemented
> 
> The error suggests that you don't really have GSSAPI enabled
> (dst_gssapi_acquirecred() returns that error when called with GSSAPI
> support disabled).  Check your build log to make sure that -DGSSAPI
> was included on the command line when compiling lib/dns/gssapictx.c.
> If not, you've got some kind of autoconf problem or are specifying the
> wrong directory for the GSSAPI libraries, so check config.log next to
> see what happened.
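The update-policy line quoted in the message is the part a practitioner would want to see evaluated against the signer that named.run reports, so here is an added illustration; it is not BIND's own code and not part of this thread. It models how named matches a GSS-TSIG signer against the krb5-self and ms-self rule types: the identity field of those rule types is the Kerberos realm (not a key name), krb5-self expects a principal of the form host/fqdn@REALM, and ms-self expects the Windows machine-account form machine$@REALM, which is the form the log shows (XP3$@TEST.NET). Two details are this model's own assumptions: the rule's name field is treated as a domain that scopes which target names the rule can cover, and realms are compared exactly (case-sensitively). The rules and target names below are constructed from the named.conf and named.run excerpts.

```python
"""Model of BIND update-policy evaluation for GSS-TSIG signers.

Added illustration, not BIND's code: reproduces the documented semantics
of the krb5-self and ms-self rule types so a named.conf rule can be
checked offline against the principal that named.run reports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    permission: str    # "grant" or "deny"
    identity: str      # for krb5-self / ms-self this is the Kerberos REALM
    ruletype: str      # "krb5-self" or "ms-self"
    name: str          # assumption: domain that scopes the target names
    types: frozenset   # RR types covered; empty means any type


def _split_realm(principal):
    """Return (local part, REALM) of a principal, or None if it has no realm."""
    local, sep, realm = principal.partition("@")
    return (local, realm) if sep else None


def _in_domain(name, domain):
    """True if name equals domain or lies beneath it (case-insensitive)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def matches_krb5_self(principal, target, realm):
    """krb5-self: host/FQDN@REALM may update exactly FQDN, if REALM matches."""
    parts = _split_realm(principal)
    if parts is None:
        return False
    local, prealm = parts
    if prealm != realm:                      # assumption: exact realm compare
        return False
    instance, sep, host = local.partition("/")
    if not sep or instance != "host":        # Windows MACHINE$ form has no "/"
        return False
    return host.rstrip(".").lower() == target.rstrip(".").lower()


def matches_ms_self(principal, target, realm):
    """ms-self: MACHINE$@REALM may update machine.realm (case-insensitive)."""
    parts = _split_realm(principal)
    if parts is None:
        return False
    local, prealm = parts
    if prealm != realm or not local.endswith("$"):
        return False
    expected = local[:-1] + "." + realm      # XP3$@TEST.NET -> XP3.TEST.NET
    return expected.lower() == target.rstrip(".").lower()


MATCHERS = {"krb5-self": matches_krb5_self, "ms-self": matches_ms_self}


def check_update(rules, principal, target, rrtype):
    """First matching rule decides, as in named; no match means REFUSED."""
    for rule in rules:
        matcher = MATCHERS.get(rule.ruletype)
        if matcher is None:
            raise ValueError("unsupported rule type: " + rule.ruletype)
        if rule.types and rrtype.upper() not in rule.types:
            continue
        if not _in_domain(target, rule.name):
            continue
        if not matcher(principal, target, rule.identity):
            continue
        return rule.permission == "grant"
    return False


# Signer as reported in named.run: "gss-api source name (accept) is XP3$@TEST.NET"
PRINCIPAL = "XP3$@TEST.NET"

# The rule exactly as posted: identity "update-key" is not a realm.
POSTED_RULE = Rule("grant", "update-key", "krb5-self", "test.net", frozenset({"A"}))
# Constructed alternatives with the realm in the identity field.
REALM_KRB5_RULE = Rule("grant", "TEST.NET", "krb5-self", "test.net", frozenset({"A"}))
REALM_MS_RULE = Rule("grant", "TEST.NET", "ms-self", "test.net", frozenset({"A"}))


def demo():
    """Evaluate the posted signer against each rule variant."""
    return {
        "posted rule, xp3.test.net A":
            check_update([POSTED_RULE], PRINCIPAL, "xp3.test.net", "A"),
        "realm + krb5-self, xp3.test.net A":
            check_update([REALM_KRB5_RULE], PRINCIPAL, "xp3.test.net", "A"),
        "realm + ms-self, xp3.test.net A":
            check_update([REALM_MS_RULE], PRINCIPAL, "xp3.test.net", "A"),
        "realm + ms-self, other.test.net A":
            check_update([REALM_MS_RULE], PRINCIPAL, "other.test.net", "A"),
        "realm + ms-self, xp3.test.net TXT":
            check_update([REALM_MS_RULE], PRINCIPAL, "xp3.test.net", "TXT"),
        "realm + krb5-self, host/ form":
            check_update([REALM_KRB5_RULE], "host/xp3.test.net@TEST.NET",
                         "xp3.test.net", "A"),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:40s} -> {'granted' if allowed else 'REFUSED'}")
```

Running it shows the posted rule refusing the update for two independent reasons (the identity field is not the signer's realm, and a MACHINE$ principal never satisfies krb5-self's host/ form), while a rule with TEST.NET as identity and the ms-self type grants XP3$@TEST.NET exactly one name, xp3.test.net, and only the A type listed. The model is a reading of the documented rule semantics and should be confirmed against the ARM for the BIND version actually deployed.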