Using bind 9.5.0 with Active directory

Admin admin at sonycom.com
Tue Dec 30 15:11:12 UTC 2008


On second thought I think it must be:

---------------- named.conf
options {
        [...]
        tkey-gssapi-credential "DNS/dns.test.net";
        tkey-domain "TEST.NET";
};

view "internal" {
         [...]
         zone "test.net" {
              type master;
              file "test.net.zone";
              update-policy {
                grant TEST.NET krb5-subdomain * A;
              };
        };
}
----------------------------

But it doesn't seem to help.

Nico

On Tue, 2008-12-30 at 11:25 +0100, Nico De Ranter wrote:
> 
> You were correct (of course).  I had my versions mixed up and was
> starting an older version without GSSAPI support.
> 
> The Kerberos authentication seems to be working now but I still can't get
> the updates working.  If I understand the output in named.run
> correctly, I believe the kerberos authentication is accepted
> ("process_gsstkey(): dns_tsigerror_noerror"), but the update is still
> refused ("updating zone 'test.net/IN': update failed: rejected by
> secure update (REFUSED)").  (see excerpt from named.run below)
> 
> Most likely I haven't got my named.conf straight.  In named.conf I
> have:
> 
> -------------- named.conf
> -----------------------------------------------------------------------------------------
> [...]
> options {
>         [...]
>         tkey-gssapi-credential "DNS/dns.test.net";
>         tkey-domain "TEST.NET";
> };
> 
> view "internal" {
>          [...]
>          zone "test.net" {
>               type master;
>               file "test.net.zone";
>               // allow-update { internals; };
>               update-policy {
>                 grant update-key krb5-self test.net A;
>               };
>         };
> }
> -------------- end of named.conf
> -------------------------------------------------------------------------------- 
> 
> I can't quite figure out what the update-policy line should look like
> when using gss.
> 
> Again, thanks for all your help!!
> 
> Nico
> 
> -------------- named.run
> -------------------------------------------------------------------------------------------
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> using view 'internal'
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> request is not signed
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> recursion available
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> update
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> ns_client_attach: ref = 1
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> updating zone 'test.net/IN': prerequisites are OK
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> update 'test.net/IN' denied
> 30-Dec-2008 10:51:08.328 client 10.10.10.101#1051: view internal:
> updating zone 'test.net/IN': rolling back
> 30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal: send
> 30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal:
> sendto
> 30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal:
> senddone
> 30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal: next
> 30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal:
> ns_client_detach: ref = 0
> 30-Dec-2008 10:51:08.329 client 10.10.10.101#1051: view internal:
> endrequest
> 30-Dec-2008 10:51:08.329 client @0xb604b008: udprecv
> 30-Dec-2008 10:51:08.333 socket 0xb7f28588 10.10.10.101#1053: accepted
> connection, new socket 0xb5f56588
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: new TCP connection
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: replace
> 30-Dec-2008 10:51:08.334 clientmgr @0xb7f1f3b8: createclients
> 30-Dec-2008 10:51:08.334 clientmgr @0xb7f1f3b8: recycle
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: read
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: TCP request
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: view internal:
> using view 'internal'
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: view internal:
> request is not signed
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: view internal:
> recursion available
> 30-Dec-2008 10:51:08.334 client 10.10.10.101#1053: view internal:
> query
> 30-Dec-2008 10:51:08.334 gss cred: "DNS/dns.test.net at TEST.NET",
> GSS_C_ACCEPT, 4294967146
> 30-Dec-2008 10:51:08.369 gss-api source name (accept) is XP3$@TEST.NET
> 30-Dec-2008 10:51:08.369 process_gsstkey(): dns_tsigerror_noerror
> 30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: view internal: send
> 30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: view internal:
> sendto
> 30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: view internal:
> senddone
> 30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: view internal: next
> 30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: view internal:
> endrequest
> 30-Dec-2008 10:51:08.369 client 10.10.10.101#1053: read
> 30-Dec-2008 10:51:08.369 client @0xb600a008: accept
> 30-Dec-2008 10:51:08.371 client 10.10.10.101#1053: next
> 30-Dec-2008 10:51:08.371 client 10.10.10.101#1053: request failed: end
> of file
> 30-Dec-2008 10:51:08.371 client 10.10.10.101#1053: endrequest
> 30-Dec-2008 10:51:08.371 client 10.10.10.101#1053: closetcp
> 30-Dec-2008 10:51:08.371 socket 0xb5f56588: destroying
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: UDP request
> 30-Dec-2008 10:51:08.373 tsig key
> '1044-ms-7.1-12594.61c6fec0-d657-11dd-2fa0-000c292d3ce0' (XP3\
> $\@TEST.NET): tsig expire: generated=1, refs=1, expire=-86401)
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> using view 'internal'
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> request has valid signature
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> recursion available
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> update
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> ns_client_attach: ref = 1
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> updating zone 'test.net/IN': prerequisites are OK
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> updating zone 'test.net/IN': update failed: rejected by secure update
> (REFUSED)
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> updating zone 'test.net/IN': rolling back
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: send
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> sendto
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> senddone
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: next
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> ns_client_detach: ref = 0
> 30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal:
> endrequest
> 30-Dec-2008 10:51:08.373 client @0xb604b008: udprecv
> 
> 
> 
> On Fri, 2008-12-26 at 13:29 -0500, Rob Austein wrote: 
> > At Fri, 26 Dec 2008 14:28:13 +0100, Nico De Ranter wrote:
> > > 
> > > Dec 26 13:55:33 dns named[8546]: configuring TKEY: not implemented
> > 
> > The error suggests that you don't really have GSSAPI enabled
> > (dst_gssapi_acquirecred() returns that error when called with GSSAPI
> > support disabled).  Check your build log to make sure that -DGSSAPI
> > was included on the command line when compiling lib/dns/gssapictx.c.
> > If not, you've got some kind of autoconf problem or are specifying the
> > wrong directory for the GSSAPI libraries, so check config.log next to
> > see what happened.

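As an added illustration (not from the thread and not BIND's own code), the Python below models how the update-policy nametypes match a GSS-TSIG signer, following the semantics the BIND ARM documents: krb5-self and krb5-subdomain expect a principal of the form host/fqdn@REALM, while ms-self and ms-subdomain expect a Windows machine principal of the form machine$@REALM, which is the form named.run shows here (XP3$@TEST.NET). Run against the two grant rules posted above it reports no match, consistent with the REFUSED in the log; the ms-self rule, the record name xp3.test.net and the simplified string handling are assumptions.

```python
# Added model, not code from the thread or from BIND. Assumed semantics (BIND ARM):
#   krb5-self / krb5-subdomain match a principal of the form host/fqdn@REALM
#   ms-self   / ms-subdomain   match a Windows machine principal machine$@REALM
# Simplifications: case-insensitive compares, no trailing-dot handling, and the
# name field is taken literally (BIND expands '*' only for the 'wildcard' type).

def split_principal(signer, kind):
    """Return (host, realm) if `signer` has the form `kind` expects, else None."""
    if "@" not in signer:
        return None
    user, realm = signer.rsplit("@", 1)
    if kind == "krb5":
        if "/" not in user:
            return None                      # XP3$@TEST.NET is not host/...
        host = user.split("/", 1)[1]         # host/xp3.test.net -> xp3.test.net
    else:
        if not user.endswith("$"):
            return None
        host = user[:-1] + "." + realm       # XP3$ -> xp3.test.net
    return host.lower(), realm.lower()

def is_subdomain(name, parent):
    name, parent = name.lower(), parent.lower()
    return name == parent or name.endswith("." + parent)

def rule_matches(rule, signer, name, rtype):
    """rule = (identity, nametype, name, types): the fields of one grant line."""
    identity, nametype, rulename, types = rule
    if rtype not in types and "ANY" not in types:
        return False
    kind, scope = nametype.split("-", 1)     # "ms-self" -> ("ms", "self")
    parsed = split_principal(signer, kind)
    if parsed is None or parsed[1] != identity.lower():
        return False                         # wrong principal form or realm
    host, _ = parsed
    if scope == "self":
        return host == name.lower()          # only the machine's own name
    return is_subdomain(name, rulename)      # any name under the rule's name

def policy_allows(rules, signer, name, rtype="A"):
    """True when at least one grant rule permits the update."""
    return any(rule_matches(r, signer, name, rtype) for r in rules)

# Signer and rules taken from the thread; the ms-self rule is a hypothetical alternative.
SIGNER = "XP3$@TEST.NET"
POSTED_FIRST = [("update-key", "krb5-self", "test.net", {"A"})]
POSTED_SECOND = [("TEST.NET", "krb5-subdomain", "*", {"A"})]
MS_SELF = [("TEST.NET", "ms-self", "test.net", {"A"})]
```

A self rule confines each machine principal to its own name, which is the least-privilege choice over a subdomain grant covering the whole zone.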