Using bind 9.5.0 with Active directory
Admin
admin at sonycom.com
Tue Dec 30 15:11:12 UTC 2008
On second thought I think it must be:
---------------- named.conf
options {
[...]
tkey-gssapi-credential "DNS/dns.test.net";
tkey-domain "TEST.NET";
};
view "internal" {
[...]
zone "test.net" {
type master;
file "test.net.zone";
update-policy {
grant TEST.NET krb5-subdomain * A;
};
};
}
----------------------------
But it doesn't seem to help.
Nico
On Tue, 2008-12-30 at 11:25 +0100, Nico De Ranter wrote:
>
> You were correct (of course). I had my versions mixed up and was
> starting an older version without GSSAPI support.
>
> The kerberos authentication seems to be working now but I still can't
> get the updates working. If I understand the output in named.run
> correctly, I believe the kerberos authentication is accepted
> ("process_gsstkey(): dns_tsigerror_noerror"), but the update is still
> refused ("updating zone 'test.net/IN': update failed: rejected by
> secure update (REFUSED)"). (see excerpt from named.run below)
>
> Most likely I haven't got my named.conf straight. In named.conf I
> have:
>
> -------------- named.conf -----------------------------------------------------------------------------------------
> [...]
> options {
> [...]
> tkey-gssapi-credential "DNS/dns.test.net";
> tkey-domain "TEST.NET";
> };
>
> view "internal" {
> [...]
> zone "test.net" {
> type master;
> file "test.net.zone";
> // allow-update { internals; };
> update-policy {
> grant update-key krb5-self test.net A;
> };
> };
> }
> -------------- end of named.conf --------------------------------------------------------------------------------
>
> I can't quite figure out what the update-policy line should look like
> when using gss.
>
> Again, thanks for all your help!!
>
> Nico
>
> -------------- named.run -------------------------------------------------------------------------------------------
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> using view 'internal'
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> request is not signed
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> recursion available
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> update
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> ns_client_attach: ref = 1
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> updating zone 'test.net/IN': prerequisites are OK
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> update 'test.net/IN' denied
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> updating zone 'test.net/IN': rolling back
> 30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal: send
> 30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal:
> sendto
> 30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal:
> senddone
> 30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal: next
> 30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal:
> ns_client_detach: ref = 0
> 30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal:
> endrequest
> 30-Dec-2008 10:51:08.329 client @0xb604b008: udprecv
> 30-Dec-2008 10:51:08.333 socket 0xb7f28588 10.10.10.101#1053: accepted
> connection, new socket 0xb5f56588
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: new TCP connection
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: replace
> 30-Dec-2008 10:51:08.334 clientmgr @0xb7f1f3b8: createclients
> 30-Dec-2008 10:51:08.334 clientmgr @0xb7f1f3b8: recycle
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: read
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: TCP request
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: view internal:
> using view 'internal'
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: view internal:
> request is not signed
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: view internal:
> recursion available
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: view internal:
> query
> 30-Dec-2008 10:51:08.334 gss cred: "DNS/dns.test.net at TEST.NET",
> GSS_C_ACCEPT, 4294967146
> 30-Dec-2008 10:51:08.369 gss-api source name (accept) is XP3$@TEST.NET
> 30-Dec-2008 10:51:08.369 process_gsstkey(): dns_tsigerror_noerror
> 30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: view internal: send
> 30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: view internal:
> sendto
> 30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: view internal:
> senddone
> 30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: view internal: next
> 30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: view internal:
> endrequest
> 30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: read
> 30-Dec-2008 10:51:08.369 client @0xb600a008: accept
> 30-Dec-2008 10:51:08.371 client 10.10.10.101#1053: next
> 30-Dec-2008 10:51:08.371 client 10.10.10.101#1053: request failed: end
> of file
> 30-Dec-2008 10:51:08.371 client 10.10.10.101#1053: endrequest
> 30-Dec-2008 10:51:08.371 client 10.10.10.101#1053: closetcp
> 30-Dec-2008 10:51:08.371 socket 0xb5f56588: destroying
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: UDP request
> 30-Dec-2008 10:51:08.373 tsig key
> '1044-ms-7.1-12594.61c6fec0-d657-11dd-2fa0-000c292d3ce0' (XP3$@TEST.NET):
> tsig expire: generated=1, refs=1, expire=-86401)
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> using view 'internal'
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> request has valid signature
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> recursion available
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> update
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> ns_client_attach: ref = 1
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> updating zone 'test.net/IN': prerequisites are OK
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> updating zone 'test.net/IN': update failed: rejected by secure update
> (REFUSED)
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> updating zone 'test.net/IN': rolling back
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: send
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> sendto
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> senddone
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: next
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> ns_client_detach: ref = 0
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> endrequest
> 30-Dec-2008 10:51:08.373 client @0xb604b008: udprecv
>
>
>
> On Fri, 2008-12-26 at 13:29 -0500, Rob Austein wrote:
> > At Fri, 26 Dec 2008 14:28:13 +0100, Nico De Ranter wrote:
> > >
> > > Dec 26 13:55:33 dns named[8546]: configuring TKEY: not implemented
> >
> > The error suggests that you don't really have GSSAPI enabled
> > (dst_gssapi_acquirecred() returns that error when called with GSSAPI
> > support disabled). Check your build log to make sure that -DGSSAPI
> > was included on the command line when compiling lib/dns/gssapictx.c.
> > If not, you've got some kind of autoconf problem or are specifying the
> > wrong directory for the GSSAPI libraries, so check config.log next to
> > see what happened.
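Added example, not code from the thread or from BIND itself: a small Python triage script for the named.run excerpt quoted above. It reads a constructed copy of those debug lines, records the principal BIND accepted in the TKEY exchange (XP3$@TEST.NET), separates the unsigned attempt from port 1051 (the client's first, unauthenticated try) from the signed attempt from port 1054 (the one update-policy refused), and checks the principal against krb5-self and ms-self rules. It assumes, as later BIND documentation states, that krb5-self matches principals of the form host/machine@REALM while ms-self matches machine$@REALM, with the realm in the identity field and "." as the name; the thread does not confirm whether the 9.5.0 build in question accepts ms-self. The function names are the example's own.

```python
"""Triage a BIND named.run excerpt from a GSS-TSIG dynamic update attempt.
Added example (not thread or BIND code). Assumption: krb5-self matches
host/machine@REALM and ms-self matches machine$@REALM, as later BIND docs say."""
import re

# Constructed sample: a trimmed copy of the named.run lines quoted in the
# thread, with wrapped lines joined back together.
SAMPLE_LOG = """\
30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal: request is not signed
30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal: update
30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal: update 'test.net/IN' denied
30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: new TCP connection
30-Dec-2008 10:51:08.369 gss-api source name (accept) is XP3$@TEST.NET
30-Dec-2008 10:51:08.369 process_gsstkey(): dns_tsigerror_noerror
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: request has valid signature
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: update
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: updating zone 'test.net/IN': update failed: rejected by secure update (REFUSED)
"""

CLIENT_RE = re.compile(r"client (?P<addr>[\d.]+)#(?P<port>\d+): (?:view \S+: )?(?P<msg>.*)$")
GSS_RE = re.compile(r"gss-api source name \(accept\) is (?P<principal>\S+)")


def parse_principal(principal):
    """Return (form, host, realm): form "krb5" for host/machine@REALM,
    "ms" for machine$@REALM, None for any other shape."""
    if "@" not in principal:
        return None
    user, realm = principal.rsplit("@", 1)
    if user.startswith("host/"):
        return ("krb5", user[len("host/"):].rstrip(".").lower(), realm)
    if user.endswith("$"):
        return ("ms", user[:-1].lower(), realm)
    return None


def self_rule_allows(rule_realm, nametype, principal, updated_name):
    """Would 'grant <rule_realm> <nametype> . A;' let principal update updated_name?
    krb5-self: the host after "host/" must equal the updated name.
    ms-self: <machine>.<realm> (machine taken from machine$) must equal it."""
    parsed = parse_principal(principal)
    if parsed is None:
        return False
    form, host, realm = parsed
    if realm.lower() != rule_realm.lower():
        return False
    target = updated_name.rstrip(".").lower()
    if nametype == "krb5-self":
        return form == "krb5" and host == target
    if nametype == "ms-self":
        return form == "ms" and "%s.%s" % (host, realm.lower()) == target
    raise ValueError("unsupported nametype: %s" % nametype)


def suggest_self_rule(principal, rrtypes="A"):
    """Return the self-type grant line whose nametype fits the principal form."""
    parsed = parse_principal(principal)
    if parsed is None:
        return None
    form, _host, realm = parsed
    nametype = "ms-self" if form == "ms" else "krb5-self"
    return "grant %s %s . %s;" % (realm, nametype, rrtypes)


def triage(log_text):
    """Summarise the update attempts in a named.run excerpt, keyed by client port."""
    principal, tkey_ok, attempts = None, False, {}
    for line in log_text.splitlines():
        m = GSS_RE.search(line)
        if m:
            principal = m.group("principal")
            continue
        if "process_gsstkey(): dns_tsigerror_noerror" in line:
            tkey_ok = True  # the TCP TKEY negotiation succeeded
            continue
        m = CLIENT_RE.search(line)
        if not m:
            continue
        a = attempts.setdefault(m.group("port"), {"signed": None, "outcome": None})
        msg = m.group("msg")
        if msg == "request is not signed":
            a["signed"] = False
        elif msg == "request has valid signature":
            a["signed"] = True
        elif msg.endswith(" denied") or "(REFUSED)" in msg:
            a["outcome"] = "refused"
    signed_refused = [p for p, a in attempts.items()
                      if a["signed"] and a["outcome"] == "refused"]
    if tkey_ok and signed_refused:
        verdict = ("policy mismatch: TKEY succeeded and the update from port %s was "
                   "signed, yet update-policy refused it; check that the grant "
                   "nametype fits the principal form of %s" % (signed_refused[0], principal))
    elif not tkey_ok:
        verdict = "GSS-TSIG negotiation did not complete; look at the Kerberos side first"
    else:
        verdict = "no signed update was refused"
    return {"principal": principal, "tkey_ok": tkey_ok,
            "attempts": attempts, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["verdict"])
    print("suggested rule:", suggest_self_rule(result["principal"]))
```

Run on the sample it reports a policy mismatch and proposes `grant TEST.NET ms-self . A;` as the self-type rule that fits a machine$ principal, which is the point the log makes: the Kerberos side (TKEY, TSIG signature) is fine, so the remaining suspect is the update-policy rule; for a live server the same check runs over the real named.run at the debug level shown in the thread.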