Nico De Ranter wrote:
> Found some time to work on it again and it seems I did something wrong
> last time as ms-subdomain now works!
>
> Thanks for your help!!
>
> I did notice one strange thing when turning on trace mode of named:
>
> Whenever an update request occurs I see a lot of messages
Found some time to work on it again and it seems I did something wrong
last time as ms-subdomain now works!
Thanks for your help!!
I did notice one strange thing when turning on trace mode of named:
Whenever an update request occurs I see a lot of messages like:
-
No obvious reason why it shouldn't work with ms-subdomain.
Next step is probably a protocol trace to see what's happening on the
wire. wireshark/tshark is pretty good for this kind of analysis.
Probably best to run named with -g while you're doing the trace and
capture the output as well (if you
I already tried ms-self and ms-subdomain. Unfortunately that doesn't
seem to make any difference.
Nico
On Tue, 2008-12-30 at 13:44 -0500, Rob Austein wrote:
> At Tue, 30 Dec 2008 16:05:10 +0100, Nico De Ranter wrote:
> >
> > update-policy {
> > grant TEST.NET krb
At Tue, 30 Dec 2008 16:05:10 +0100, Nico De Ranter wrote:
>
> update-policy {
> grant TEST.NET krb5-subdomain * A;
> };
Microsoft invented their own naming scheme for host principals
("machi...@realm" instead of "host/mach...@realm").
Try "ms-subdomain
On second thought I think it must be:
named.conf
options {
[...]
tkey-gssapi-credential "DNS/dns.test.net";
tkey-domain "TEST.NET";
};
view "internal" {
[...]
zone "test.net" {
type master;
file "test.net.zone
You were correct (of course). I had my versions mixed up and was
starting an older version without GSSAPI support.
The Kerberos authentication seems to be working now but I still can't
get the updates working. If I understand the output in named.run correctly,
I believe the Kerberos authentication
At Fri, 26 Dec 2008 14:28:13 +0100, Nico De Ranter wrote:
>
> Dec 26 13:55:33 dns named[8546]: configuring TKEY: not implemented
The error suggests that you don't really have GSSAPI enabled
(dst_gssapi_acquirecred() returns that error when called with GSSAPI
support disabled). Check your build l
Unfortunately I can't get it to work.
When I add
tkey-gssapi-credential "DNS/";
tkey-domain "...";
to my named.conf file, named doesn't want to start anymore. I get the
following message in /var/log/messages:
Dec 26 13:55:33 dns named[8546]: configuring TKEY: not implemented
Dec 26 13
Thank you very much for your very detailed instructions. I'm going to
try it right away.
Nico
On Tue, 2008-12-23 at 17:41 -0500, Rob Austein wrote:
> Four things must be done to allow Bind 9 to support GSS-TKEY:
>
> * kinit must work on the host which will run BIND 9. This means
> kr
Rob Austein wrote:
> Four things must be done to allow Bind 9 to support GSS-TKEY:
>
> * kinit must work on the host which will run BIND 9. This means
> krb5.conf must be properly configured with the realm and
> locations of the Kerberos servers.
> * Bind 9 must be compiled wit
Four things must be done to allow Bind 9 to support GSS-TKEY:
* kinit must work on the host which will run BIND 9. This means
krb5.conf must be properly configured with the realm and
locations of the Kerberos servers.
* Bind 9 must be compiled with GSSAPI enabled.
* Bind 9