Rob Austein wrote:
> Four things must be done to allow BIND 9 to support GSS-TKEY:
>
> * kinit must work on the host which will run BIND 9. This means
>   krb5.conf must be properly configured with the realm and
>   locations of the Kerberos servers.
> * BIND 9 must be compiled with GSSAPI enabled.
> * BIND 9 must have a principal and a keytab.
> * named.conf needs to be told the name of the principal.
>
> options {
>     ...
>     tkey-gssapi-credential "DNS/foo.example.org";
>     ...
> };
>
> Extracting a Kerberos keytab from Active Directory is a two-step
> process: first you create a user account in Active Directory, then you
> map it to a Kerberos principal name and extract the keytab. Windows
> usernames don't use the same naming conventions as Kerberos principals
> (the allowed set of Windows usernames is a subset of the allowed
> Kerberos principal names, and a service principal name like
> DNS/foo.example.org is not a legal Windows username).
>
> Go into Active Directory's new user wizard and create a new user
> account. It's probably best to put accounts like this into a separate
> organizational unit (OU) within the Active Directory tree. This could
> be called unix or bind9 or anything you wish to help organize BIND 9
> server credentials and users. The username can be any syntactically
> legal thing you like, but when creating, e.g., the DNS service principal
> for host foo.example.org, it's probably best to use a username like
> foo to avoid conflicts.
>
> Select "password never expires" and "user cannot change password" in
> the next screen of the wizard, to make sure that the account's
> password can't change (which would invalidate the keytab).
>
> The second step requires a command line tool, ktpass. ktpass is
> supplied on the Windows installation media but is not installed by
> default.
>
> ktpass accepts the usual /? option to display a help screen, but for
> the task at hand you'll want to do something like this:
>
> C:\> ktpass -out foo.keytab -princ DNS/foo.example....@example.org -pass * -mapuser f...@example.org
>
> where
>
> * foo.keytab is the filename for the new keytab
> * DNS/foo.example....@example.org is the principal name
> * f...@example.org is the Active Directory user account
>
> If all goes well, ktpass will tell you what it's doing, prompt you for
> the password you set when creating the user account, and will write
> out the keytab, which you can then install in the usual place on the
> machine to run BIND 9.
The one thing that you missed out is that you need to be logged in as a Domain administrator in order to do all this, otherwise ktpass will not work (and you cannot create the user account in the Active Directory).

Danny

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
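A common failure after following the steps above is a keytab whose entry does not match the principal named in named.conf (for example, ktpass run with the AD account name instead of the DNS/ service principal), which shows up only as GSS-TKEY negotiation failures in the named log. The script below is an added example, not code from Rob's post, from Danny, or from ISC/BIND: a preflight check on the BIND host that reads the `tkey-gssapi-credential` value out of named.conf and confirms that `klist -k` lists that principal in the keytab. The named.conf excerpt, the keytab path, the realm EXAMPLE.ORG and the `klist -k` outputs are constructed samples; on a real host you would pass in the actual named.conf and the actual `klist -k <keytab>` output.

```shell
#!/bin/sh
# Added example (not part of the original post): check that the principal
# configured by tkey-gssapi-credential is actually present in the keytab.
# All inputs below are constructed samples; path and realm are assumptions.

# Constructed named.conf excerpt (realm-qualified principal).
NAMED_CONF_SAMPLE='options {
    directory "/var/cache/bind";
    tkey-gssapi-credential "DNS/foo.example.org@EXAMPLE.ORG";
    tkey-gssapi-keytab "/etc/bind/foo.keytab";
};'

# Constructed `klist -k` output for a keytab holding the matching entry.
KLIST_SAMPLE='Keytab name: FILE:/etc/bind/foo.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 DNS/foo.example.org@EXAMPLE.ORG'

# Constructed `klist -k` output for a keytab exported for the wrong name
# (the AD user account instead of the DNS/ service principal).
KLIST_WRONG_SAMPLE='Keytab name: FILE:/etc/bind/foo.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 foo@EXAMPLE.ORG'

# Print the principal configured by tkey-gssapi-credential, reading
# named.conf text on stdin. Prints nothing if the option is absent.
credential_from_conf() {
    sed -n 's/.*tkey-gssapi-credential[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Exit 0 if the principal in $1 appears in `klist -k` output on stdin.
# Only lines whose first field is a numeric KVNO are keytab entries.
# An unqualified name in named.conf (no @REALM) is completed with the
# default realm from krb5.conf by the Kerberos library, so in that case
# the bare name is compared.
keytab_has_principal() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ {
            p = $2
            if (index(want, "@") == 0) sub(/@.*$/, "", p)
            if (p == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_credential CONF_TEXT KLIST_TEXT
#   returns 0: configured principal is present in the keytab
#           1: configured principal is missing from the keytab
#           2: named.conf does not set tkey-gssapi-credential at all
check_credential() {
    princ=$(printf '%s\n' "$1" | credential_from_conf)
    if [ -z "$princ" ]; then
        echo "named.conf sets no tkey-gssapi-credential; named cannot accept GSS-TKEY"
        return 2
    fi
    if printf '%s\n' "$2" | keytab_has_principal "$princ"; then
        echo "ok: keytab has an entry for $princ"
        return 0
    fi
    echo "MISSING: keytab has no entry for $princ (re-run ktpass with -princ $princ)"
    return 1
}

# Stand-alone run over the constructed samples.
check_credential "$NAMED_CONF_SAMPLE" "$KLIST_SAMPLE"
check_credential "$NAMED_CONF_SAMPLE" "$KLIST_WRONG_SAMPLE" || echo "(exit status $?)"
```

Run it on the BIND host as the user that will run named, so the keytab permission check and `klist -k` see the same file named will open; a MISSING result points back at the ktpass -princ argument, and a return of 2 means the named.conf step was skipped entirely.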