At Fri, 17 Sep 2010 13:18:42 -0600, Nicholas F Miller wrote:

> Does anyone have instructions on how to setup a Linux bind server to use GSS-TSIG against an AD? I have found many articles from people having issues with it but none that had good instructions on how to get it working. Last year we played around with it but were having issues getting it to work. kinit would work against the AD on our RHEL bind server but our clients couldn't update their records.
Beyond what's already been posted here? Not really. I can perhaps tell you two things that might be useful.

1) The code really does work, honest. I have personally seen it work (in the lab -- my last stint as an operator supporting anything on Windows predated AD) with Windows 2000, Windows 2003 Server, and Windows XP. I have not (yet) personally tested it with anything more recent than that, but unless Microsoft has done something weird (nah) it still should.

2) If you run into problems, the best debugging tools I can recommend are:

a) Running named with full debugging ("named -g" and capture the stderr output somewhere, or do the equivalent with logging options in named.conf); and

b) A good packet sniffer watching both DNS and Kerberos traffic.

For (b) I recommend Wireshark (or tshark, same difference). You can use some other tool (e.g., tcpdump) to capture the dump, but understanding what happened requires an analyzer that does deep inspection of both DNS and Kerberos. Make sure you capture full packets for both Kerberos and DNS, i.e., UDP ports 88 and 53 as well as TCP port 53 (Yes, Windows uses all three).

_______________________________________________
bind-users mailing list
firstname.lastname@example.org
https://lists.isc.org/mailman/listinfo/bind-users
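The debugging procedure in the reply above (foreground named with stderr saved, a full-packet capture of UDP 88, UDP 53 and TCP 53, then decoding with tshark) collected into one helper script. This is an added example, not code from the original thread or from ISC; it assumes tcpdump, tshark and named are installed, that it runs as root on the BIND host, and the interface and output paths (IFACE, PCAP, NAMED_LOG) are assumptions you can override from the environment.

```shell
#!/bin/sh
# Added example (not from the original post): helper for the GSS-TSIG
# debugging steps the reply recommends. Assumptions: tcpdump, tshark and
# named are on PATH and the script runs as root on the BIND server.

IFACE="${IFACE:-any}"                    # assumption: capture on all interfaces
PCAP="${PCAP:-/tmp/gss-tsig.pcap}"       # assumption: capture file path
NAMED_LOG="${NAMED_LOG:-/tmp/named-debug.log}"  # assumption: named stderr path

# BPF filter for the three flows the reply names: Kerberos over UDP 88,
# DNS over UDP 53 and DNS over TCP 53 (Windows clients use all three).
bpf_filter() {
    printf '%s' 'udp port 88 or udp port 53 or tcp port 53'
}

# Capture full packets (-s 0) so the analyzer can decode the Kerberos
# tickets and the TSIG/TKEY records instead of truncated headers.
start_capture() {
    tcpdump -i "$IFACE" -s 0 -w "$PCAP" "$(bpf_filter)"
}

# Run named in the foreground with debugging, saving stderr to a file.
named_debug() {
    named -g 2>"$NAMED_LOG"
}

# Read the capture back with tshark, keeping only Kerberos and DNS frames;
# -Y is tshark's display-filter option.
analyze_capture() {
    tshark -r "$PCAP" -Y 'kerberos || dns'
}

# Dispatch on the first argument; with no argument the script does nothing,
# so it can be sourced to reuse the functions.
case "${1:-}" in
    capture) start_capture ;;
    named)   named_debug ;;
    analyze) analyze_capture ;;
    filter)  bpf_filter; echo ;;
    *) ;;
esac
```

Typical use is `./gsstsig-debug.sh capture` in one terminal, `./gsstsig-debug.sh named` in another, reproduce the failing client update, then `./gsstsig-debug.sh analyze` and read the named log side by side with the decoded TKEY/TSIG and Kerberos exchange.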