GSS-TSIG update policy identity field

Mark Andrews marka at isc.org
Thu May 12 10:53:30 UTC 2011


In message <BANLkTi=f=LP2WTSEck940CvqzxL=DSiiPA at mail.gmail.com>, Juergen Dietl 
writes:
> 
> Hello Mark,
> 
> thanks a lot for your feedback.
> 
> the rule that works at the moment for only ONE client:
> 
> grant WS-YBCL150939\$\@EXAMPLE.TEST subdomain example.test. ANY;
> 
> Because BIND supports both, it should also work with:
> 
> grant WS-YBCL150939@EXAMPLE.TEST subdomain example.test. ANY;
> 
> right?

No.  WS-YBCL150939\$\@EXAMPLE.TEST != WS-YBCL150939@EXAMPLE.TEST

WS-YBCL150939\$\@EXAMPLE.TEST is what is the credential.

Now ms-self would allow it to update WS-YBCL150939.EXAMPLE.TEST as
ms-self knows how to turn WS-YBCL150939\$\@EXAMPLE.TEST into
WS-YBCL150939.EXAMPLE.TEST.
 
> But for some reason it doesn't. When I use that form I get a refusal. I hope that
> in that form I could use the syntax:
> 
> grant *@EXAMPLE.TEST subdomain example.test. ANY;

*@EXAMPLE.TEST is two DNS labels "*@EXAMPLE" and "TEST".

*.TEST would match.

krb5-* and ms-* know that the realm starts in the middle of a label
and look for it there.

The other methods use the dns labels in the records.  They were designed
to work with TSIG and KEY records.

I suggest that you look at the documentation for "external" and use
it.
 
> to match all clients from EXAMPLE.TEST that have a valid key from Active
> Directory.
> 
> thanks a lot,
> cheers,
> 
> 
> 2011/5/11 Mark Andrews <marka at isc.org>
> 
> >
> > In message <BANLkTim7k4KYxYoz=awj9mwtCzvxB32Vog at mail.gmail.com>, Juergen
> > Dietl
> > writes:
> > > Hello Mark,
> > >
> > > thanks for your answer.
> > >
> > > Your first sentence maybe helps me to understand why this is the
> > > client's credential that it needs in the rule:
> > >
> > > WS-YBCL150939\$\@EXAMPLE.COM
> > >
> > > So first is the hostname, then the backslash makes the $-sign just a
> > > normal letter and not a variable for example, and the @example.com is
> > > the rest of how Windows uses this sort of identity.
> > > machinename$@EXAMPLE.COM
> >
> > You don't need the backslashes in 9.8, earlier versions still need
> > the backslashes.  $ and @ are special characters in master files
> > which is why they were escaped.  We added name -> principal routines
> > in 9.8 which don't do unnecessary escapes.
> >
> > > Is it normal that I have to put the Windows identity in the named.conf
> > > and not the Kerberos identity?
> > >
> > > So WS-YBCL150939\$\@EXAMPLE.COM and NOT host/WS-YBCL150939@EXAMPLE.COM.
> >
> > It depends on the network.
> >
> > > What is host .....? I just know the principal as Service-Principal and
> > > there it's normally
> > > for example: DNS/lxdns10t.prim-dns.test1.test@EXAMPLE.TEST
> > >
> > > thanks a lot for all your help,
> > > cheers,
> >
> > There are multiple conventions.  Windows does it one way.  MIT does
> > it a different way.  named has code for both.
> >
> > Mark
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> >
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
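To make the distinction in Mark's reply concrete, here is a small Python model (added to this archive page; it is not BIND's code and simplifies its matching) of the two ways an update-policy identity string can be read. Name-style rules split the identity into DNS labels on dots, so `*@EXAMPLE.TEST` is the two labels `*@EXAMPLE` and `TEST` and never acts as a wildcard, while `*.TEST` does. An ms-self rule instead finds the realm after the `@` inside the label and maps `machine$@REALM` to `machine.REALM`. The requirement that the machine account carry a trailing `$`, and the handling of the pre-9.8 backslash escapes, are assumptions of this model.

```python
"""Model of update-policy identity matching: name-style labels vs ms-self.

Hypothetical illustration, not BIND source. Names are constructed from the
thread (WS-YBCL150939, EXAMPLE.TEST).
"""
from typing import List, Optional


def unescape_master_file(identity: str) -> str:
    # Older named.conf syntax needed "\$" and "\@"; strip those escapes first.
    return identity.replace("\\$", "$").replace("\\@", "@")


def dns_labels(name: str) -> List[str]:
    # Name-style matching splits only on '.'; '@' and '$' are ordinary characters.
    return [label for label in name.rstrip(".").split(".") if label]


def name_rule_matches(identity: str, signer: str) -> bool:
    """Name/subdomain-style identity check (model).

    Labels compare case-insensitively. A leading '*' label matches any
    leading labels of the signer; anything else is an exact label match.
    """
    pattern = [l.lower() for l in dns_labels(unescape_master_file(identity))]
    subject = [l.lower() for l in dns_labels(unescape_master_file(signer))]
    if pattern and pattern[0] == "*":
        suffix = pattern[1:]
        return len(subject) > len(suffix) and subject[-len(suffix):] == suffix
    return pattern == subject


def ms_self_target(principal: str, realm: str) -> Optional[str]:
    """ms-self style mapping (model): machine$@REALM -> machine.REALM.

    Returns the name the principal may update, or None when the principal is
    not a machine account of the realm named in the rule's identity field.
    Assumption: the Windows machine account marker is a trailing '$'.
    """
    principal = unescape_master_file(principal)
    if principal.count("@") != 1:
        return None
    machine, princ_realm = principal.split("@")
    if princ_realm.rstrip(".").lower() != realm.rstrip(".").lower():
        return None
    if not machine.endswith("$"):
        return None
    return f"{machine[:-1]}.{princ_realm.rstrip('.')}"


if __name__ == "__main__":
    signer = "WS-YBCL150939$@EXAMPLE.TEST"  # constructed credential from the thread
    print(dns_labels("*@EXAMPLE.TEST"))                       # ['*@EXAMPLE', 'TEST']
    print(name_rule_matches("*@EXAMPLE.TEST", signer))        # False: not a wildcard
    print(name_rule_matches("*.TEST", signer))                # True
    print(name_rule_matches("WS-YBCL150939@EXAMPLE.TEST", signer))  # False: no '$'
    print(ms_self_target(signer, "EXAMPLE.TEST"))             # WS-YBCL150939.EXAMPLE.TEST
```

The `*.TEST` match shows why a plain wildcard is broader than intended: it admits any signer whose name ends in TEST, not only machine accounts of EXAMPLE.TEST, which is the reason a realm-aware rule (ms-self, or the "external" method Mark points to) is the appropriate fix rather than loosening the name pattern.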