Problems with Bind-Kerberos-Windows-Linux

Jürgen Dietl juergen.dietl at googlemail.com
Mon Dec 6 17:00:43 UTC 2010


Hello Sergiu,
many thanks for your hint. I have been asking myself this too for some time,
because the TGT is for the client name (principal) that is logged in at the
moment, and the service should always be for the same principal name on any
client. So yes, I will need to define 2 principals.

You wrote:
You still need to configure update-policy to allow your client to update
DNS, but that is another issue.

Do you mean the policy in Active Directory? Btw, did you try to do it
yourself and succeed?


thanks a lot,
cheers,
Juergen


2010/12/6 Sergiu Bivol <sbivol at bluecatnetworks.com>

> > The client has an entry in the AD with DNS/test.loc@TEST.LOC. The Client,
> > DNS-Server, Kerberos-Server all have a copy of the krb5.keytab. If I do a
> > kinit -k -t c:\krb5.keytab DNS/test.loc@TEST.LOC then all seem to be ok. I
> > get this message from the DNS server: 03-Dec-2010 10:42:00.451 general: debug
> > 3: gss cred: "DNS/test.loc@TEST.LOC", GSS_C_ACCEPT, 4294962027. But when the
> > client does it on its own I get this message from the DNS-Server:
> > 03-Dec-2010 10:42:00.451 general: debug 3: failed gss_accept_sec_context:
> > GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more
> > information, Minor = Wrong principal in request.
>
> Normally you need 2 Kerberos principals, one for the DNS Server, one for
> the client.
>
> If kinit above works on the DNS Server box, and you can see these messages
> at startup, BIND is configured correctly.
> 27-Sep-2010 18:26:47.860 acquiring credentials for DNS/test.loc
> 27-Sep-2010 18:26:47.860 gss cred: "DNS/test.loc@TEST.LOC", GSS_C_ACCEPT,
> 4294967295
>
> You still need to configure update-policy to allow your client to update
> DNS, but that is another issue.
>
> A GSS-TSIG-enabled DNS client would request a TGT (as a different Kerberos
> user/principal), then a TGS to use the DNS Service identified by the
> DNS/test.loc@TEST.LOC service principal. With this it should be able to
> update the DNS server, as long as the DNS Server validates the client's ticket
> and the policy allows the update.
>
> I hope your understanding is the same, it just wasn't clear from your
> message.
>
> Regards
> Sergiu
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
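An added example, not code from the thread: this Python parses the two kinds of BIND GSS-TSIG debug lines quoted above (the healthy "gss cred" line and the "failed gss_accept_sec_context" line) and models the krb5-self update-policy rule Sergiu refers to. The log lines are constructed from the quoted ones, and the host/<machine>@REALM matching is assumed from BIND's update-policy documentation.

```python
import re

# Constructed sample lines modelled on the BIND debug output quoted in the thread.
SAMPLE_LOG = """\
03-Dec-2010 10:42:00.451 general: debug 3: gss cred: "DNS/test.loc@TEST.LOC", GSS_C_ACCEPT, 4294962027
03-Dec-2010 10:42:00.451 general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Wrong principal in request.
"""

# Server-side credential acquired for the DNS service principal (healthy startup).
GSS_CRED = re.compile(r'gss cred: "(?P<principal>[^"]+)", (?P<usage>GSS_C_\w+), (?P<lifetime>\d+)')
# Client context rejected; the last "Minor = ..." clause carries the reason.
GSS_FAIL = re.compile(r'failed gss_accept_sec_context: .*Minor = (?P<minor>[^.]+)')


def classify_gss_lines(log_text):
    """Return (event, detail, lifetime) tuples for the GSS-TSIG lines in a BIND log."""
    events = []
    for line in log_text.splitlines():
        m = GSS_CRED.search(line)
        if m:
            events.append(("accept_cred", m["principal"], int(m["lifetime"])))
            continue
        m = GSS_FAIL.search(line)
        if m:
            events.append(("accept_failed", m["minor"].strip(), None))
    return events


def krb5_self_allows(principal, realm, target_name):
    """Model of BIND's ``grant REALM krb5-self`` update-policy rule (assumed from
    BIND's documentation): only a machine principal host/<machine>@REALM may
    update, and only the name <machine>.  A client presenting the DNS service
    principal DNS/test.loc@TEST.LOC would also be refused by this rule."""
    try:
        service, rest = principal.split("/", 1)
        machine, prealm = rest.rsplit("@", 1)
    except ValueError:
        return False
    if service != "host" or prealm != realm:
        return False
    return machine.lower().rstrip(".") == target_name.lower().rstrip(".")


if __name__ == "__main__":
    for event in classify_gss_lines(SAMPLE_LOG):
        print(event)
    print(krb5_self_allows("host/client.test.loc@TEST.LOC", "TEST.LOC", "client.test.loc"))
```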