tkey-gssapi-credential

Rob Austein sra at isc.org
Fri Oct 1 14:29:20 UTC 2010


At Fri, 1 Oct 2010 07:05:40 -0600, Nicholas F Miller wrote:
> 
> It is interesting, when I try an update from a client all I get are
> denies. When I try an update using nsupdate -g from the DNS server I
> will get a REFUSED but I will also get a DNS/host at DOMAIN kerb ticket
> from the keytab.

It might be worth watching the Kerberos (UDP port 88) traffic during
both exchanges, to see if there are visible differences.

Basic capture of Kerberos can tell you a fair amount about
principals, realms, and algorithm negotiations.  tshark's -K option
lets you load keytabs, which in theory might let you peer deeper into
the packet, but I've never experimented with that option and don't
know if it's useful in this scenario.
