At Fri, 1 Oct 2010 07:05:40 -0600, Nicholas F Miller wrote: > > It is interesting, when I try an update from a client all I get are > denies. When I try an update using nsupdate -g from the DNS server I > will get a REFUSED but I will also get a DNS/h...@domain kerb ticket > from the keytab.
It might be worth watching the Kerberos (UDP port 88) traffic during both exchanges, to see if there are visible differences. Basic capture of Kereberos can tell you a fair amount about principals, realms, and algorithm negotiations. tshark's -K option lets you load keytabs, which in theory might let you peer deeper into the packet, but I've never experimented with that option and don't know if it's useful in this scenario. _______________________________________________ bind-users mailing list firstname.lastname@example.org https://lists.isc.org/mailman/listinfo/bind-users