Hello Sergiu,
I tried to put in 2 credential Entries in the named.conf:

tkey-gssapi-credential "DNS/test.loc"; (that was in before)
tkey-gssapi-credential "USER/test.loc", (new entry)
tkey-domain "TEST.LOC";

The system didn't like the second entry for the user. So how can I put in 2
credentials, or maybe where do I put them?

Another problem with 2 principal names is that the user principal is of
course different on every PC.

Thanks a lot for your help,
cheers,


---------- Forwarded message ----------
From: Sergiu Bivol <sbi...@bluecatnetworks.com>
Date: 2010/12/6
Subject: Re: Problems with Bind-Kerberos-Windows-Linux
To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>


> The client has an entry in the AD with DNS/test....@test.loc. The Client,
> DNS-Server, Kerberos-Server all have a copy of the krb5.keytab. If I do a
> kinit -k -t c:\krb5.keytab DNS/test....@test.loc then all seems to be OK. I
> get this message from the DNS server: 03-Dec-2010 10:42:00.451 general: debug
> 3: gss cred: "DNS/test....@test.loc", GSS_C_ACCEPT, 4294962027. But when the
> client does it on its own I get this message from the DNS-Server:
> 03-Dec-2010 10:42:00.451 general: debug 3: failed gss_accept_sec_context:
> GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more
> information, Minor = Wrong principal in request.

Normally you need two Kerberos principals, one for the DNS Server, one for the
client.

If the kinit above works on the DNS Server box, and you can see these messages
at startup, BIND is configured correctly:
27-Sep-2010 18:26:47.860 acquiring credentials for DNS/test.loc
27-Sep-2010 18:26:47.860 gss cred: "DNS/test....@test.loc", GSS_C_ACCEPT, 4294967295

You still need to configure update-policy to allow your client to update
DNS, but that is another issue.

A GSS-TSIG-enabled DNS client would request a TGT (as a different Kerberos
user/principal), then a TGS to use the DNS service identified by the
DNS/test....@test.log service principal. With this it should be able to
update the DNS server, as long as the DNS Server validates the client's ticket
and the policy allows the update.

I hope your understanding is the same, it just wasn't clear from your
message.

Regards
Sergiu
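
Added example (mine, not from the thread and not BIND's own code): a small
Python model of the update-policy step Sergiu mentions. The server keeps a
single acceptor credential, the DNS/... service principal named by
tkey-gssapi-credential; every client signs its update with its own principal
(machine account, host/ principal or user), and update-policy is where named
decides what that principal may change. The zone fragment and the principals
(PC1$, host/pc2, alice, DNS/dns1.test.loc) are constructed for the example;
the realm and zone names follow the thread. The matching rules implement the
ms-self / krb5-self / krb5-subdomain descriptions in the BIND ARM as I read
them, so treat it as a model and check the details against your BIND version.

```python
"""Model of BIND update-policy evaluation for GSS-TSIG signers.

Illustration only: a re-implementation of how named decides whether the
Kerberos principal that signed a dynamic update may touch a given name.
Not BIND's code; rule semantics follow the update-policy descriptions in
the BIND ARM as I read them.
"""
import re

# Constructed zone fragment.  Zone and realm names follow the thread
# (test.loc / TEST.LOC); the policy itself is made up for this example.
NAMED_CONF_ZONE = """
zone "test.loc" {
    type master;
    file "test.loc.db";
    update-policy {
        grant TEST.LOC ms-self . A AAAA;
        grant TEST.LOC krb5-self . A AAAA;
        grant TEST.LOC krb5-subdomain dhcp.test.loc. A AAAA PTR;
    };
};
"""

# grant|deny <identity> <ruletype> <name> [<types>];
RULE_RE = re.compile(
    r"^\s*(grant|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s*([^;]*);", re.MULTILINE)


def fqdn(name):
    """Normalize a DNS name to lower case with a trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_update_policy(conf):
    """Return the update-policy rules of a named.conf fragment, in order."""
    rules = []
    for action, identity, ruletype, name, types in RULE_RE.findall(conf):
        rules.append({
            "action": action,
            "identity": identity,      # the Kerberos REALM for these rule types
            "ruletype": ruletype,
            "name": fqdn(name),
            "types": set(types.split()) or {"ANY"},   # no list means any type
        })
    return rules


def parse_principal(principal):
    """Split 'host/pc2@TEST.LOC' into (service, instance, realm).

    A Windows machine account 'PC1$@TEST.LOC' has no service part and
    yields (None, 'PC1$', 'TEST.LOC').
    """
    name, at, realm = principal.rpartition("@")
    if not at:
        raise ValueError("principal without realm: %r" % principal)
    service, slash, instance = name.partition("/")
    if not slash:
        return None, service, realm
    return service, instance, realm


def is_machine_account(service, instance):
    """True for the machine$@REALM form used by Active Directory."""
    return service is None and instance.endswith("$")


def rule_matches(rule, principal, target, rtype):
    """Does one rule apply to this signer, name and record type?"""
    service, instance, realm = parse_principal(principal)
    if realm != rule["identity"]:
        return False
    if "ANY" not in rule["types"] and rtype not in rule["types"]:
        return False
    target = fqdn(target)
    realm_domain = fqdn(realm)          # TEST.LOC -> test.loc.
    kind = rule["ruletype"]
    if kind == "ms-self":
        # machine$@REALM may only update machine.realm; the rule's name
        # field is not consulted for the *-self types in this model.
        return (is_machine_account(service, instance)
                and target == fqdn(instance[:-1]) + realm_domain)
    if kind == "krb5-self":
        # host/machine@REALM may only update machine.realm.
        return service == "host" and target == fqdn(instance) + realm_domain
    if kind in ("ms-subdomain", "krb5-subdomain"):
        # Any principal in REALM (machine accounts only for ms-subdomain)
        # may update names at or below the rule's name.
        if kind == "ms-subdomain" and not is_machine_account(service, instance):
            return False
        return target == rule["name"] or target.endswith("." + rule["name"])
    raise ValueError("rule type not modelled: %s" % kind)


def update_allowed(rules, principal, target, rtype):
    """First matching rule wins; no match means the update is refused."""
    for rule in rules:
        if rule_matches(rule, principal, target, rtype):
            return rule["action"] == "grant"
    return False


def demo():
    """Walk a few constructed signers through the policy above."""
    rules = parse_update_policy(NAMED_CONF_ZONE)
    cases = [
        ("PC1$@TEST.LOC", "pc1.test.loc", "A"),               # own record, ms-self
        ("host/pc2@TEST.LOC", "pc2.test.loc", "AAAA"),        # own record, krb5-self
        ("PC1$@TEST.LOC", "pc2.test.loc", "A"),               # someone else's record
        ("alice@TEST.LOC", "printer1.dhcp.test.loc", "PTR"),  # krb5-subdomain
        ("alice@TEST.LOC", "alice.test.loc", "A"),            # user, outside dhcp.
        ("DNS/dns1.test.loc@TEST.LOC", "dns1.test.loc", "A"), # server's own acceptor credential
        ("PC1$@OTHER.LOC", "pc1.test.loc", "A"),              # wrong realm
    ]
    return [(p, n, t, update_allowed(rules, p, n, t)) for p, n, t in cases]


if __name__ == "__main__":
    for principal, name, rtype, ok in demo():
        print("%-30s %-26s %-4s %s" % (principal, name, rtype,
                                       "ALLOW" if ok else "REFUSE"))
```

Running it prints one ALLOW/REFUSE line per case. Note that the DNS/...
service principal is refused everywhere: it identifies the server, not a
client, so a client that signs with the server's keytab is not something the
self rules can grant anything to, and only a subdomain rule covering the name
would ever let it through.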

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users