Hello Mark, thanks for your answer.

Your first sentence may help me to understand why this is the client's credential that it needs in the rule:

WS-YBCL150939\$\@EXAMPLE.COM

So first is the hostname, then the slash makes the $-sign just a normal letter and not a variable, for example, and the @example.com is the rest of how Windows uses the sort of identity.

machinename$@EXAMPLE.COM

Is it normal that I have to put the Windows identity in the named.conf and not the Kerberos identity? So WS-YBCL150939\$\@EXAMPLE.COM and NOT host/ws-ybcl150...@example.com.
What is host .....? I just know the principal as Service-Principal, and there it's normally, for example:

DNS/lxdns10t.prim-dns.test1.t...@example.test

Thanks a lot for all your help,
cheers,

2011/5/11 Mark Andrews <ma...@isc.org>

>
> To match machines in the EXAMPLE.COM realm you would use one of these.
>
> Windows uses the following sort of identity for machines
>
>         machinename$@EXAMPLE.COM
>
>         grant EXAMPLE.COM ms-self * any;
>         grant EXAMPLE.COM ms-subdomain * any;
>
> Kerberos uses the following identities for machines
>
>         host/machinen...@example.com
>
>         grant EXAMPLE.COM krb5-self * any;
>         grant EXAMPLE.COM krb5-subdomain * any;
>
> {ms,krb5}-self allows updates of machinename
> {ms,krb5}-subdomain allows updates of *.machinename
>
> For ordinary users there isn't a mapping which turns user@REALM into
> user.realm
>
>         grant user@realm subdomain example.test any.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
>
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
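The principal-to-name mapping described in the quoted reply, as an added example that is not part of the original thread and is not BIND's code: a small Python model of which name a machine principal may update under the `ms-*` and `krb5-*` rule types. The function names, the exact-match realm comparison, and the Kerberos principal `host/ws1.example.com@EXAMPLE.COM` are assumptions made for illustration.

```python
import re

def unescape(identity):
    # The post writes "$" and "@" as "\$" and "\@" in named.conf; drop the backslashes.
    return re.sub(r"\\(.)", r"\1", identity)

def principal_to_name(principal, ruletype, realm):
    """DNS name this principal maps to under ruletype, or None if there is no mapping."""
    who, at, prealm = unescape(principal).rpartition("@")
    if not at or prealm != realm:  # exact realm match (this sketch's choice)
        return None
    if ruletype.startswith("ms-"):
        # Windows form: machinename$@REALM -> machinename.realm
        if "/" in who or not who.endswith("$") or len(who) < 2:
            return None
        return f"{who[:-1]}.{prealm}".lower()
    if ruletype.startswith("krb5-"):
        # Kerberos form: host/machinename@REALM -> machinename
        service, _, host = who.partition("/")
        if service != "host" or not host:
            return None
        return host.lower().rstrip(".")
    return None  # e.g. user@REALM: no mapping, as the reply notes

def update_allowed(principal, ruletype, realm, update_name):
    """Apply the reply's description: -self covers machinename, -subdomain covers *.machinename."""
    base = principal_to_name(principal, ruletype, realm)
    if base is None:
        return False
    name = update_name.lower().rstrip(".")
    if ruletype.endswith("-self"):
        return name == base
    if ruletype.endswith("-subdomain"):
        return name.endswith("." + base)
    return False

if __name__ == "__main__":
    ws = r"WS-YBCL150939\$\@EXAMPLE.COM"              # identity from the post
    krb = "host/ws1.example.com@EXAMPLE.COM"           # constructed sample
    print(principal_to_name(ws, "ms-self", "EXAMPLE.COM"))
    print(principal_to_name(krb, "krb5-self", "EXAMPLE.COM"))
    print(update_allowed(ws, "ms-self", "EXAMPLE.COM", "other.example.com"))
```
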