GSS-TSIG update policy identity field

Juergen Dietl isclists01 at googlemail.com
Thu May 12 08:29:22 UTC 2011


Hello Mark,

thanx a lot for your feedback.

The rule that works at the moment for only ONE client:

grant WS-YBCL150939\$\@EXAMPLE.TEST subdomain example.test. ANY;

Because BIND supports both, it should also work with:

grant WS-YBCL150939@EXAMPLE.TEST subdomain example.test. ANY;

right?

But for some reason it doesn't. When I use that form I get a refusal. I hope that
in that form I could use the syntax:

grant *@EXAMPLE.TEST subdomain example.test. ANY;

to match all clients from EXAMPLE.TEST that have a valid key from Active
Directory.

thanx a lot,
cheers,


2011/5/11 Mark Andrews <marka at isc.org>

>
> In message <BANLkTim7k4KYxYoz=awj9mwtCzvxB32Vog at mail.gmail.com>, Juergen Dietl writes:
> > Hello Mark,
> >
> > thanx for your answer.
> >
> > Your first sentence maybe helps me to understand why this is the client's
> > credential that it needs in the rule:
> >
> > WS-YBCL150939\$\@EXAMPLE.COM
> >
> > So first is the hostname, then the slash makes the $-sign just a normal
> > letter and not a variable for example, and the @example.com is the rest of
> > how Windows uses this sort of identity.
> > machinename$@EXAMPLE.COM
>
> You don't need the backslashes in 9.8, earlier versions still need
> the backslashes.  $ and @ are special characters in master files
> which is why they were escaped.  We added name -> principal routines
> in 9.8 which don't do unnecessary escapes.
>
> > Is it normal that I have to put in the Windows identity in the named.conf
> > and not the Kerberos identity?
> >
> > So WS-YBCL150939\$\@EXAMPLE.COM and NOT host/WS-YBCL150939@EXAMPLE.COM.
>
> It depends on the network.
>
> > What is host .....? I just know the principal as Service-Principal and there
> > it's normally
> > for example: DNS/lxdns10t.prim-dns.test1.test@EXAMPLE.TEST
> >
> > thanx a lot for all your help,
> > cheers,
>
> There are multiple conventions.  Windows does it one way.  MIT does
> it a different way.  named has code for both.
>
> Mark
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>
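As an added, self-contained illustration (not code from this thread, and not BIND's own name-to-principal routines): the helper below mirrors the convention Mark describes, where `$` and `@` are special characters in master files and are written as `\$` and `\@` in named.conf before 9.8, so that both spellings of the machine account can be reduced to one canonical principal and compared. The function names, the `rpartition` on the last `@`, and the absence of any case folding are assumptions of this example, not BIND behaviour.

```python
# Constructed example: compare GSS-TSIG identities written in the escaped
# master-file style (pre-9.8) and the plain style (9.8) by normalising both.
# This is NOT BIND's name -> principal code; it only models the escaping
# convention discussed in the thread.

SPECIAL = {"$", "@"}  # characters that are special in master files


def unescape_identity(identity: str) -> str:
    """Remove backslash escapes from a master-file style identity.

    r"WS-YBCL150939\$\@EXAMPLE.TEST" -> "WS-YBCL150939$@EXAMPLE.TEST"
    A trailing lone backslash is kept as-is rather than dropped.
    """
    out = []
    i = 0
    while i < len(identity):
        ch = identity[i]
        if ch == "\\" and i + 1 < len(identity):
            out.append(identity[i + 1])  # keep the escaped char literally
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def escape_identity(principal: str) -> str:
    """Write a principal in the escaped form older named versions require."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in principal)


def split_principal(principal: str) -> tuple[str, str]:
    """Split 'name@REALM' into (name, realm) after unescaping.

    The last '@' is the realm separator (assumption of this example), so
    service principals such as 'DNS/host.example.test@EXAMPLE.TEST' work too.
    """
    name, sep, realm = unescape_identity(principal).rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal with a realm: {principal!r}")
    return name, realm


def same_identity(a: str, b: str) -> bool:
    """True when two spellings (escaped or not) name the same principal."""
    return split_principal(a) == split_principal(b)


def is_machine_account(principal: str) -> bool:
    """Windows machine accounts carry a trailing '$' before the realm."""
    name, _realm = split_principal(principal)
    return name.endswith("$")


if __name__ == "__main__":
    old_style = r"WS-YBCL150939\$\@EXAMPLE.TEST"   # pre-9.8 named.conf spelling
    new_style = "WS-YBCL150939$@EXAMPLE.TEST"      # 9.8 spelling
    print("same identity:", same_identity(old_style, new_style))
    print("machine account:", is_machine_account(new_style))
    print("service principal split:",
          split_principal("DNS/lxdns10t.prim-dns.test1.test@EXAMPLE.TEST"))
```

The thread's two failing and working rules differ in exactly the part this helper surfaces: `split_principal` on the working identity yields a name ending in `$`, while `host/...` and `DNS/...` service principals split to a different name entirely, so `same_identity` reports them as distinct identities.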

