Thursday, February 3, 2011

How do you configure ISC Bind to support GSS-TSIG Updates?

First, has anyone EVER configured ISC bind 9.5.0 OR greater with support for GSS-TSIG Dynamic DNS Updates AND gotten it to work? If so, what is the configuration that was used to make that happen?

I feel close to having this working. I see that GSS cred passes w/o apparent error during the TKEY negotiation with an Active Directory DC and the BIND DNS server:

client 192.168.0.30#52314: query gss cred: "DNS/dns1.example.com@EXAMPLE.COM", GSS_C_ACCEPT, 4294967256
gss-api source name (accept) is DC1$@EXAMPLE.COM
process_gsstkey(): dns_tsigerror_noerror
client 192.168.0.30#52314: send

But, when the Update is sent, it is refused:

client 192.168.0.30#58330: update
client 192.168.0.30#58330: updating zone 'example.com/IN': update failed: rejected by secure update (REFUSED)
client 192.168.0.30#58330: send

Does anyone have this working in the real world?

  • I actually managed to get dynamic updates to work using a patch provided by the samba 4 team.

    http://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates

    There seem to be issues with the version of Windows running and its method of doing dynamic updates.

    If you're trying to do the same outside of a samba4 domain... your next-best-bet is to try & follow the howto here:

    http://freeipa.org/page/Dynamic_updates_with_GSS-TSIG

    I'm sorry if I don't have more info on that subject.

    netlinxman: Good and interesting read on the samba4 link. I will try bits from that, such as the env variables for the keytab file. The wiki page of the first link is somewhat sketchy since it doesn't detail the version of BIND and/or the Kerberos/GSSAPI bits that are required. When you set it up, which version of BIND did you use and what was the OS platform? RE: the second URL, I have read the FreeIPA site docs as well and found them somewhat useful in getting an example of the "update-policy" directive. Still stumped. And still looking for evidence. Thank you for your response.
    From TheCompWiz
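As an added illustration of the pieces this thread talks about (the TKEY/GSS negotiation in options and the update-policy grants in the zone), the following named.conf fragment is not the poster's configuration and not taken from the Samba or FreeIPA howtos. The principal DNS/dns1.example.com@EXAMPLE.COM, the realm, the zone name and the client principal DC1$@EXAMPLE.COM are taken from the log lines in the question; the keytab path and file names are assumed.

```conf
// Added example fragment; not the configuration from the question.
// Assumes named was built with GSSAPI support and that a keytab holding
// DNS/dns1.example.com@EXAMPLE.COM (the principal shown in the TKEY log)
// exists at the assumed path /etc/named.keytab.
options {
    directory "/var/named";

    // Service principal named accepts TKEY/GSS negotiations with.
    tkey-gssapi-credential "DNS/dns1.example.com@EXAMPLE.COM";
    // Kerberos realm the negotiated keys belong to.
    tkey-domain "EXAMPLE.COM";
    // BIND 9.8 and later can be pointed at the keytab directly; older
    // releases (the 9.5-9.7 range the question covers) instead read the
    // KRB5_KTNAME environment variable from named's environment.
    tkey-gssapi-keytab "/etc/named.keytab";
};

zone "example.com" IN {
    type master;
    file "example.com.zone";

    // A successful TKEY only establishes who the client is. The UPDATE is
    // then matched against these rules; if none matches, named logs
    // "rejected by secure update (REFUSED)" exactly as in the question.
    update-policy {
        // Windows machine accounts (machine$@REALM), e.g. DC1$@EXAMPLE.COM,
        // may update their own host record dc1.example.com only.
        grant EXAMPLE.COM ms-self example.com. A AAAA;
        // Hosts authenticated as host/fqdn@REALM (MIT/Heimdal style).
        grant EXAMPLE.COM krb5-self example.com. A AAAA;
        // A domain controller registers more than its own A record; records
        // such as SRV entries need a rule naming the DC's principal.
        grant DC1$@EXAMPLE.COM wildcard * A AAAA SRV CNAME;
    };
};
```

Two things this layout makes visible. First, the two log excerpts in the question come from different stages: the TKEY exchange is governed by the options block, while "rejected by secure update" is the update-policy stage, so a clean TKEY plus a REFUSED update points at the grant rules rather than at Kerberos. Second, the rule type has to match the form of the authenticated principal: ms-self is written for machine$@REALM names like the DC1$@EXAMPLE.COM seen in the log, whereas krb5-self expects host/fqdn@REALM and will not match a machine-account principal. The log does not show which name the DC tried to update; if it was anything other than its own host record, neither self rule matches and only a rule that names the DC principal (the wildcard grant above) would. A quick way to exercise a rule set from a Kerberos-enabled client is nsupdate with its -g option, which performs the same GSS-TSIG negotiation.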
