At Fri, 1 Oct 2010 07:05:40 -0600, Nicholas F Miller wrote:
> It is interesting, when I try an update from a client all I get are
> denies. When I try an update using nsupdate -g from the DNS server I
> will get a REFUSED but I will also get a DNS/h...@domain kerb ticket
> from the keytab.

It might be worth watching the Kerberos (UDP port 88) traffic during
both exchanges, to see if there are visible differences.

Basic capture of Kereberos can tell you a fair amount about
principals, realms, and algorithm negotiations.  tshark's -K option
lets you load keytabs, which in theory might let you peer deeper into
the packet, but I've never experimented with that option and don't
know if it's useful in this scenario.

bind-users mailing list

Reply via email to