GSS-TSIG update policy identity field

Juergen Dietl isclists01 at googlemail.com
Wed May 11 13:16:50 UTC 2011


Hello Mark,

thanx for your answer.

Your first sentence may help me to understand why this is the client's
credential that it needs in the rule:

WS-YBCL150939\$\@EXAMPLE.COM

So first is the hostname, then the slash makes the $-sign just a normal
letter and not a variable, for example, and the @example.com is the rest of how
Windows uses this sort of identity:
machinename$@EXAMPLE.COM

Is it normal that I have to put the Windows identity in the named.conf
and not the Kerberos identity?

So WS-YBCL150939\$\@EXAMPLE.COM and NOT
host/WS-YBCL150939 at EXAMPLE.COM.

What is host .....? I just know the principal as a Service Principal, and there
it's normally,
for example: DNS/lxdns10t.prim-dns.test1.test at EXAMPLE.TEST

thanx a lot for all your help,
cheers,

2011/5/11 Mark Andrews <marka at isc.org>

>
> To match machines in the EXAMPLE.COM realm you would use one of these.
>
> Windows uses the following sort of identity for machines
>
>        machinename$@EXAMPLE.COM
>
>        grant EXAMPLE.COM ms-self * any;
>        grant EXAMPLE.COM ms-subdomain * any;
>
> Kerberos uses the following identities for machines
>
>        host/machinename at EXAMPLE.COM
>
>        grant EXAMPLE.COM krb5-self * any;
>        grant EXAMPLE.COM krb5-subdomain * any;
>
> {ms,krb5}-self allows updates of machinename
> {ms,krb5}-subdomain allows updates of *.machinename
>
> For ordinary users there isn't a mapping which turns user at REALM into
> user.realm
>
>        grant user at realm subdomain example.test any.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>
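As an added illustration (not code from this thread or from BIND itself), a small Python model of how the {ms,krb5}-self and {ms,krb5}-subdomain rules Mark lists turn a GSS-TSIG identity into the DNS name it may update, which is why `WS-YBCL150939$@EXAMPLE.COM` fits an ms-* grant and `host/WS-YBCL150939@EXAMPLE.COM` a krb5-* grant. The lowercase realm-to-domain mapping and the strict reading of `*.machinename` for the -subdomain rules are assumptions taken from the quoted description.

```python
import re
from typing import Optional

# Added example (not from the thread or from BIND's source): a simplified model
# of how  "grant <REALM> <ruletype> * any;"  matches the identity proven by a
# GSS-TSIG session, following the mapping quoted above:
#   ms-self / ms-subdomain     expect machinename$@REALM      (Windows machine account)
#   krb5-self / krb5-subdomain expect host/machinename@REALM  (Kerberos host principal)
# Assumption: the realm maps to a DNS domain by lowercasing (EXAMPLE.COM -> example.com).
WINDOWS_MACHINE = re.compile(r"^(?P<host>[^/@$]+)\$@(?P<realm>[^@]+)$")
KRB5_HOST = re.compile(r"^host/(?P<host>[^/@]+)@(?P<realm>[^@]+)$")
RULETYPES = ("ms-self", "ms-subdomain", "krb5-self", "krb5-subdomain")


def machine_fqdn(identity: str, ruletype: str) -> Optional[str]:
    """Return the DNS name the identity stands for under this rule type,
    or None when the identity is not of the form the rule type expects
    (e.g. a plain user@REALM, for which there is no such mapping)."""
    pattern = WINDOWS_MACHINE if ruletype.startswith("ms-") else KRB5_HOST
    m = pattern.match(identity)
    if m is None:
        return None
    return f"{m['host']}.{m['realm']}".lower()


def rule_permits(identity: str, ruletype: str, rule_realm: str, update_name: str) -> bool:
    """Would 'grant <rule_realm> <ruletype> * any;' let identity update update_name?"""
    if ruletype not in RULETYPES:
        raise ValueError(f"unsupported rule type: {ruletype}")
    # The identity field of an {ms,krb5}-* grant is the realm the principal must belong to.
    if identity.rsplit("@", 1)[-1].upper() != rule_realm.upper():
        return False
    fqdn = machine_fqdn(identity, ruletype)
    if fqdn is None:
        return False
    name = update_name.rstrip(".").lower()
    if ruletype.endswith("-self"):
        return name == fqdn                 # -self: only machinename itself
    return name.endswith("." + fqdn)        # -subdomain: *.machinename, as quoted above


if __name__ == "__main__":
    # Constructed sample identities, modelled on the thread's WS-YBCL150939 example.
    cases = [
        ("WS-YBCL150939$@EXAMPLE.COM",     "ms-self",      "ws-ybcl150939.example.com."),
        ("host/WS-YBCL150939@EXAMPLE.COM", "ms-self",      "ws-ybcl150939.example.com."),
        ("host/WS-YBCL150939@EXAMPLE.COM", "krb5-self",    "ws-ybcl150939.example.com."),
        ("WS-YBCL150939$@EXAMPLE.COM",     "ms-subdomain", "printer.ws-ybcl150939.example.com."),
    ]
    for identity, ruletype, name in cases:
        print(f"{identity:32} {ruletype:13} {name:38} {rule_permits(identity, ruletype, 'EXAMPLE.COM', name)}")
```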