Yea, it seems that people got it working when the functionality came out but 
subsequently I haven't seen it working for anyone in a production environment.
Nicholas Miller, ITS, University of Colorado at Boulder

On Sep 30, 2010, at 3:24 PM, Dave Knight wrote:

> On 2010-09-30, at 11:24 AM, Nicholas F Miller wrote:
>> Does anyone actually have GSS-TSIG working with an Active Directory? I see 
>> plenty of posts from people trying to get it to work. I have yet to see 
>> anyone who claims to actually have it working. Did MS change something in 
>> 2008r2 since GSS-TSIG was implemented in bind to make it inoperable?
> Right after GSS-TSIG appeared I built a lab for the purpose of demonstrating 
> and documenting a working setup.
> That lab contained a couple of W2k3 servers, XP clients and BIND servers 
> running on FreeBSD. I went from bare iron to a working W2k domain using 
> BIND+GSS-TSIG exclusively for name service.
> As I recall I did the initial population of the zone used for the W2k domain 
> without security enabled, ie: I informed the Windows machine that the BIND 
> server was to be used and configured the BIND server to allow updates from 
> the Windows server on the basis of its IP address, then ran dcpromo.exe to 
> create the domain, then did the necessary Kerberos bits, then locked down the 
> BIND server to henceforth accept only GSS-TSIG authenticated updates.
> I haven't touched this stuff since though, so I have nothing to say about how 
> it might work with contemporary Windows and BIND versions.
> dave

bind-users mailing list

Reply via email to