Re: GSS-TSIG update policy identity field

Mark Andrews Wed, 11 May 2011 04:36:11 -0700

To match machines in the EXAMPLE.COM realm you would use one of these.

Windows uses the following sort of identity for machines


        machinename$@EXAMPLE.COM

        grant EXAMPLE.COM ms-self * any;
        grant EXAMPLE.COM ms-subdomain * any;

Kerberos uses the following identities for machines

        host/machinen...@example.com

        grant EXAMPLE.COM krb5-self * any;
        grant EXAMPLE.COM krb5-subdomain * any;

{ms,krb5}-self allows updates of machinename
{ms,krb5}-subdomain allows updates of *.machinename

For ordinary users there isn't a mapping which turns user@REALM into
user.realm

        grant user@realm subdomain example.test any.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: GSS-TSIG update policy identity field

Reply via email to