On 12/07/2010 07:53 AM, Jürgen Dietl wrote:
Hello Sergiu,
I tried to put in two credential entries in the named.conf:

tkey-gssapi-credential "DNS/test.loc"; (that was in before)
tkey-gssapi-credential "USER/test.loc", (new entry)
tkey-domain "TEST.LOC";

This is all wrong.

There are two principals involved:

1. The server - this is what you configure on the DNS server
2. The client - this is the client's ticket; you don't need to configure this, the client obtains it themselves and supplies it when they connect

All you need to do is the following:

1. Ensure there is a principal in your Kerberos realm "DNS/hostname.domain.com", matching the hostname of your DNS server

2. Ensure the keytab on the DNS server contains the keys for this principal and is readable by bind

3. List this principal in the "tkey-gssapi-credential" in named.conf

4. Ensure the SOA for your domain contains an MNAME field matching the hostname

Unless your DNS server is called "test.loc" I don't think you're doing it right. I think you need "DNS/hostname.test.loc"
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
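As an added example that is not part of the thread, here is a small POSIX shell check of the four conditions listed in the reply, run against constructed stand-ins for the `hostname -f`, `klist -k`, named.conf and `dig +short SOA` output; the server name ns1.test.loc and every sample value are assumptions, so replace them with the real output on your DNS server.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the keytab, named.conf and
# the zone SOA all agree on one server principal DNS/<hostname>@<REALM>.

DNS_HOST="ns1.test.loc"              # constructed: what `hostname -f` would print
REALM="TEST.LOC"
EXPECTED_PRINC="DNS/$DNS_HOST@$REALM"

# Constructed stand-in for `klist -k /etc/named.keytab` output.
KEYTAB_LISTING='Keytab name: FILE:/etc/named.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 DNS/ns1.test.loc@TEST.LOC
   3 DNS/ns1.test.loc@TEST.LOC'

# Constructed stand-in for the tkey lines in named.conf.
NAMED_CONF='tkey-gssapi-credential "DNS/ns1.test.loc";
tkey-domain "TEST.LOC";'

# Constructed stand-in for `dig +short SOA test.loc` (MNAME is the first field).
SOA_RECORD='ns1.test.loc. hostmaster.test.loc. 2010120701 3600 900 604800 86400'

# Condition 2: the keytab holds a key for the server principal.
keytab_has_principal() {
    printf '%s\n' "$KEYTAB_LISTING" | grep -q "^ *[0-9][0-9]* $EXPECTED_PRINC\$"
}

# Condition 3: print every principal named by tkey-gssapi-credential.
named_conf_principal() {
    printf '%s\n' "$NAMED_CONF" | sed -n 's/^ *tkey-gssapi-credential "\([^"]*\)";.*/\1/p'
}

# Condition 4: SOA MNAME (first field, trailing dot stripped).
soa_mname() {
    printf '%s\n' "$SOA_RECORD" | awk '{ sub(/\.$/, "", $1); print $1 }'
}

# Conditions 2-4 together; condition 1 (principal exists in the realm) is
# implied when the keytab check passes, since the KDC issued that key.
check_all() {
    keytab_has_principal || { echo "keytab lacks $EXPECTED_PRINC"; return 1; }
    conf_princ=$(named_conf_principal)
    case "$conf_princ" in
        "DNS/$DNS_HOST"|"$EXPECTED_PRINC") ;;
        *) echo "tkey-gssapi-credential is '$conf_princ', expected DNS/$DNS_HOST"; return 1 ;;
    esac
    [ "$(soa_mname)" = "$DNS_HOST" ] || { echo "SOA MNAME $(soa_mname) != $DNS_HOST"; return 1; }
    echo "all four conditions hold for $EXPECTED_PRINC"
}
```

With the two-entry named.conf from the original question, `named_conf_principal` prints two lines and `check_all` fails, which is exactly the mismatch the reply points out.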
