Fwd: GSS-TSIG with a change root environment

Juergen Dietl isclists01 at googlemail.com
Wed Apr 13 11:15:51 UTC 2011


---------- Forwarded message ----------
From: Juergen Dietl <isclists01 at googlemail.com>
Date: 2011/4/13
Subject: Re: GSS-TSIG with a change root environment
To: Abdulla Bushlaibi <abushlaibi at ies.etisalat.ae>


Hello,

Thanks for the -g hint. Now I see the same thing I saw yesterday in the
syslog. For some reason the syslog doesn't show anything since yesterday, but
that's another story.

When I use bind with the -t parameter (change root) I get the following
error:

13-Apr-2011 13:10:17.956 default realm from krb5.conf (EXAMPLE.TEST) does not match tkey-gssapi-credential (DNS/dns1.example.test@EXAMPLE.TEST)
13-Apr-2011 13:10:17.956 configuring TKEY: failure
13-Apr-2011 13:10:17.956 loading configuration: failure
13-Apr-2011 13:10:17.956 exiting (due to fatal error)


When I start it without -t all is OK. But I need the change root for
security reasons. I put the krb5.keytab in /etc/ and /root-envirment/etc
but it didn't help.

Is there anybody for whom it works with the -g parameter?

Thanks so far,
Juergen



2011/4/13 Abdulla Bushlaibi <abushlaibi at ies.etisalat.ae>

>  Hey Juergen,
>
> You could try running bind with -g option and see what the logs tell you.
>
> Best Regards
>
>
>
>
> On 13/04/2011 1:11 PM, Juergen Dietl wrote:
>
> Hello,
>
> I set up gss-tsig and it is working fine with bind 9.7.3 and bind 9.8. Now I
> tried it on a 2nd server that uses 2 instances of bind, one for primary and
> one for secondary. For this the primary bind starts with the "-t parameter"
> which tells it to use a change root environment. If I start bind this
> way I don't get any error messages but it does not start.
>
> Is there anything I must pay attention to if I want to use bind and gss-tsig
> in a change root environment?
>
> Thanks for any hints,
> cheers,
> Juergen