GSS-TSIG updates with multiple KSPs on the same BIND server?

John Marshall john.marshall at riverwillow.com.au
Thu Jun 4 22:51:21 UTC 2015


Chiming in to provide moral support due to lack of replies...

On 04/06/2015 06:44, Doug Barton wrote:
> Reading through manuals, HOWTOs, etc. on line it SEEMS possible that
> BIND 9.8+ could be configured to use multiple KSPs.

No experience to share with multiple KSPs/realms. Sorry :-(

> What I'd like to do instead is to use the tkey-gssapi-keytab option
> to specify just the keytab file.

but I can confirm that this works. I like to use service-specific
keytabs, so I have the following as the ONLY 'tkey' statement in our
master server's named.conf (currently BIND 9.10.2).

  options {
    ...
    tkey-gssapi-keytab "/path/to/bind.keytab";
  };

and then work happily with 'nsupdate -g' from a client with an
authorized UPN in the ACL for relevant zones.

No krb5.conf on the server in this case: just all the right krb bits in DNS.

I don't have time to mess with setting up and testing a second realm but
I just tried adding an alias (AAAA) record for the master server in a
different domain (same realm) and adding a DNS/ service principal for
that name to the KDC and to BIND's keytab on the server. I specified

  > server alias.name.

in nsupdate but the client still picked up the original service
principal (even after restarting BIND). I haven't looked at the code but
I'm guessing the service principal selected may be tied to the server
name 'options {hostname}' or something similar. Perhaps same domain
names in different realms might work?

-- 
John Marshall
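
As an added example (not John's configuration and not part of the original
post), here is a sketch of both ends of the keytab-only setup the post
describes: the server-side named.conf fragment with a per-principal
update-policy, and the command stream a client feeds to 'nsupdate -g'.
The realm EXAMPLE.COM, the names ns1.example.com and client.example.com,
the keytab path and the address 192.0.2.10 are all assumptions.

```shell
#!/bin/sh
# Added example: keytab-only GSS-TSIG on the server plus a client-side
# 'nsupdate -g' session. Realm, host names, keytab path and address are
# assumptions, not values from the original post.

# Emit a named.conf fragment: the tkey-gssapi-keytab option alone (no
# tkey-gssapi-credential / tkey-domain), and an update-policy that lets
# exactly one Kerberos principal touch exactly one owner name. The identity
# must match the principal as the client presents it, realm included.
named_conf_fragment() {
  keytab="$1"; principal="$2"; fqdn="$3"; zone="$4"
  cat <<EOF
options {
  tkey-gssapi-keytab "$keytab";
};

zone "$zone" {
  type master;
  file "$zone.db";
  update-policy {
    grant $principal name $fqdn. A AAAA;
  };
};
EOF
}

# Emit the commands nsupdate reads on stdin. 'server' is the name nsupdate
# also uses to pick the DNS/<server> service principal, so it must be a name
# that has a matching principal in the server's keytab.
nsupdate_commands() {
  server="$1"; zone="$2"; fqdn="$3"; addr="$4"; ttl="${5:-300}"
  cat <<EOF
server $server.
zone $zone.
update delete $fqdn. A
update add $fqdn. $ttl A $addr
send
EOF
}

# Run the update with GSS-TSIG (-g) using the caller's current Kerberos
# credentials. Needs a live KDC and a TGT, so it only runs when asked.
run_gss_update() {
  nsupdate_commands "$@" | nsupdate -g
}

if [ "${RUN_UPDATE:-0}" = 1 ]; then
  named_conf_fragment /etc/bind/bind.keytab \
    host/client.example.com@EXAMPLE.COM client.example.com example.com
  run_gss_update ns1.example.com example.com client.example.com 192.0.2.10
fi
```

Run with RUN_UPDATE=1 on a host that already holds a TGT (kinit) to perform
the update; without it the script only defines the helpers. The 'name' rule
type is used here because it ties one exact principal to one exact owner
name; BIND also offers 'krb5-self' and 'krb5-subdomain' rule types for
granting every host/<machine>@REALM principal rights over its own name, which
scales better than one grant line per host but is broader.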
