Folks,Reading through manuals, HOWTOs, etc. on line it SEEMS possible that BIND 9.8+ could be configured to use multiple KSPs. The traditional way of configuring GSS-TSIG is the following in options{}:
tkey-domain "FOO.BAR";
tkey-gssapi-credential "DNS/dns1.foo.bar";
However that configuration restricts the server to use only that one
KSP. What I'd like to do instead is to use the tkey-gssapi-keytab option
to specify just the keytab file. According to the 9.9.5 ARM:
tkey-gssapi-keytab The KRB5 keytab file to use for GSS-TSIG updates. If this option is set and tkey-gssapi-credential is not set, then updates will be allowed with any key matching a principal in the specified keytab.
I'm assuming that if I get the [realms] and [domain_realms] configured correctly in my krb5.conf file that I would be good to go, but I am far from an expert on Kerberos, and while using a single KSP works fine, I haven't yet created a test environment for using multiple KSPs. So before I do that I thought I would ask if what I want to do is even possible, and if so where the landmines are.
In case it's not clear, the use case here is to be able to use the same BIND instance as master for multiple AD realms that do not have an existing trust relationship.
Thanks, Doug --I am conducting an experiment in the efficacy of PGP/MIME signatures. This message should be signed. If it is not, or the signature does not validate, please let me know how you received this message (direct, or to a list) and the mail software you use. Thanks!
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
