GSS-TSIG updates with multiple KSPs on the same BIND server?

Vinícius Ferrão ferrao at if.ufrj.br
Thu Jun 23 16:04:47 UTC 2016


Hello Doug,

Have you managed to achieve this and solved this one-year-old question?

I was recently thinking about it and I would set up a lab to test a similar environment for multiple AD realms, as you asked.

Just checking if we have some updates on this.

My major concern at this moment is joining the same server on two distinct AD domains. SAMBA should not be used for keytab generation, since it will simply not work.

Thanks,
Vinicius.

> On Jun 3, 2015, at 17:44, Doug Barton <dougb at dougbarton.us> wrote:
> 
> Folks,
> 
> Reading through manuals, HOWTOs, etc. online it SEEMS possible that BIND 9.8+ could be configured to use multiple KSPs. The traditional way of configuring GSS-TSIG is the following in options{}:
> 
>    tkey-domain "FOO.BAR";
>    tkey-gssapi-credential "DNS/dns1.foo.bar";
> 
> However that configuration restricts the server to use only that one KSP. What I'd like to do instead is to use the tkey-gssapi-keytab option to specify just the keytab file. According to the 9.9.5 ARM:
> 
> tkey-gssapi-keytab The KRB5 keytab file to use for GSS-TSIG updates. If this option is set and tkey-gssapi-credential is not set, then updates will be allowed with any key matching a principal in the specified keytab.
> 
> I'm assuming that if I get the [realms] and [domain_realms] configured correctly in my krb5.conf file that I would be good to go, but I am far from an expert on Kerberos, and while using a single KSP works fine, I haven't yet created a test environment for using multiple KSPs. So before I do that I thought I would ask if what I want to do is even possible, and if so where the landmines are.
> 
> In case it's not clear, the use case here is to be able to use the same BIND instance as master for multiple AD realms that do not have an existing trust relationship.
> 
> Thanks,
> 
> Doug
> 
> -- 
> I am conducting an experiment in the efficacy of PGP/MIME signatures. This message should be signed. If it is not, or the signature does not validate, please let me know how you received this message (direct, or to a list) and the mail software you use. Thanks!
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
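As an added illustration of the two modes Doug contrasts (this is not configuration from the thread or from ISC's documentation; the keytab path, the second realm EXAMPLE.NET, the zone file names and the host names are assumptions), the snippet below places the single-credential form beside a two-realm named.conf that relies on tkey-gssapi-keytab alone. The point the ARM sentence makes bears repeating in the config itself: once tkey-gssapi-credential is unset, every principal in the keytab is an acceptor identity, so the keytab should contain nothing but the DNS/ service principals, and authorization for each realm's clients still has to come from update-policy.

```conf
/*
 * Variant A: the "traditional" single-KSP form from the thread.
 * Only tickets issued for DNS/dns1.foo.bar@FOO.BAR are accepted, so a
 * second, untrusted realm can never complete a TKEY negotiation.
 * A named.conf has exactly one options{} block, so use A or B, not both.
 *
 * options {
 *     tkey-domain "FOO.BAR";
 *     tkey-gssapi-credential "DNS/dns1.foo.bar";
 * };
 */

/*
 * Variant B: keytab-only form for two AD realms with no trust (assumed layout).
 * With tkey-gssapi-keytab set and tkey-gssapi-credential unset, any key
 * matching a principal in the keytab is accepted (ARM text quoted above).
 * The file is therefore expected to hold only the service principals
 *   DNS/dns1.foo.bar@FOO.BAR
 *   DNS/dns1.example.net@EXAMPLE.NET
 * and nothing else. /etc/named/dns.keytab is an assumed path.
 */
options {
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

/*
 * Authentication says who the caller is; update-policy says what they may
 * touch. The realm in the identity field is what keeps FOO.BAR machine
 * accounts out of example.net and EXAMPLE.NET accounts out of foo.bar.
 * ms-self maps an AD machine principal machine$@REALM to machine.<zone>.
 */
zone "foo.bar" {
    type master;
    file "zones/foo.bar.db";
    update-policy {
        // host$@FOO.BAR may update host.foo.bar, A/AAAA only
        grant FOO.BAR ms-self * A AAAA;
    };
};

zone "example.net" {
    type master;
    file "zones/example.net.db";
    update-policy {
        // host$@EXAMPLE.NET may update host.example.net, A/AAAA only
        grant EXAMPLE.NET ms-self * A AAAA;
    };
};
```

Before starting named with variant B, `klist -kt /etc/named/dns.keytab` (assumed path) should list exactly the intended DNS/ principals and no others; any extra entry in that file is an additional identity the server will now accept for GSS-TSIG. The krb5.conf side Doug mentions ([realms] and [domain_realm]) only needs each realm's KDC and a .foo.bar / .example.net mapping to its realm; named itself decrypts service tickets with the keytab keys rather than contacting a KDC, so it is the clients that must resolve the right realm.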
