I recently went through this and have it working. Look through the archives for 'GSS-TSIG and Active Directory'.
https://lists.isc.org/mailman/mmsearch/bind-users?config=bind-users.htsearch&restrict=&exclude=&method=and&format=short&sort=score&words=GSS-TSIG+and+Active+Directory

Things to check:

1) You are running the newest version of Bind.
2) You might try compiling Bind with --with-gssapi=/usr
3) Double check your krb5.conf and make sure you have arcfour-hmac-md5 listed first in default_tgs_enctypes and default_tkt_enctypes.
4) When you create your keytab, don't define crypto; it will default to RC4-HMAC-NT.
   (ktpass -out foo.keytab -princ DNS/foo.example.org@EXAMPLE.ORG -pass * -mapuser foo@example.org)
5) FWIW, I am not using any of the Samba settings. The DNS server isn't joined to the AD; it just has the krb5.conf set up and a keytab for DNS/dnserver.domain.

_________________________________________________________
Nicholas Miller, ITS, University of Colorado at Boulder

On Nov 10, 2010, at 6:48 AM, Adam Tauno Williams wrote:

> I'm attempting to get Bind 9.7.2 (built on openSUSE 11.3) running in
> relation to Samba4; this uses GSSAPI authentication to update the Bind
> zones. Everything works except this part. I've built bind with
> --with-gssapi, verified krb5 is linked in, and verified [at least with
> kinit and other trivial krb5 tools] that Kerberos/GSSAPI is working.
> But when I add:
>
> options {
>
> tkey-gssapi-credential "DNS/ad.mormail.com";
> tkey-domain "AD.MORMAIL.COM";
> ...
> }
>
> - to my bind configuration bind fails to start with -
>
> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: D.F.IP6.ARPA
> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: 8.E.F.IP6.ARPA
> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: 9.E.F.IP6.ARPA
> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: A.E.F.IP6.ARPA
> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: B.E.F.IP6.ARPA
> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
> Nov 10 08:43:32 opensuse named[3021]: configuring TKEY: failure
> Nov 10 08:43:32 opensuse named[3021]: loading configuration: failure
> Nov 10 08:43:32 opensuse named[3021]: exiting (due to fatal error)
>
> I've tried playing with log levels, etc... and I just can't seem to dig
> any more information out of it. Are there any procedures / tips for
> debugging a "configuring TKEY: failure" message?
> --
> Adam Tauno Williams <awill...@whitemice.org>

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
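Check 3 from the reply above as a script, added here as an illustration and not part of the thread: it parses the [libdefaults] section of a krb5.conf and reports when RC4-HMAC (under any of the aliases MIT Kerberos accepts for it) is not the first entry in default_tgs_enctypes and default_tkt_enctypes. The two krb5.conf samples are constructed; the realm and KDC names in them are placeholders.

```python
import re
# MIT Kerberos aliases for enctype 23 (RC4-HMAC), the key type the reply says
# ktpass emits when no crypto is specified.
RC4_ALIASES = {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes")

def parse_libdefaults(text):
    """Key/value pairs of [libdefaults]; other sections and '#'/';' comments are skipped."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values

def check_enctype_order(text):
    """Check 3 from the reply: RC4-HMAC first in both lists. Empty result = pass."""
    libdefaults = parse_libdefaults(text)
    findings = []
    for key in ENCTYPE_KEYS:
        if key not in libdefaults:
            findings.append(f"{key}: not set in [libdefaults]")
            continue
        enctypes = libdefaults[key].split()
        first = enctypes[0].lower() if enctypes else "(none)"
        if first not in RC4_ALIASES:
            findings.append(f"{key}: first enctype is {first}, not an RC4-HMAC alias")
    return findings

# Constructed sample configurations (not taken from the thread).
GOOD_KRB5_CONF = """\
[libdefaults]
    default_tgs_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts
    default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts
[realms]
    EXAMPLE.ORG = {
        kdc = ad.example.org
    }
"""
BAD_KRB5_CONF = """\
[libdefaults]
    # AES listed first, and default_tkt_enctypes is missing entirely
    default_tgs_enctypes = aes256-cts arcfour-hmac-md5
"""
```

RC4-HMAC is the target here only because it is what the reply's ktpass default produces; it has since been deprecated for Kerberos (RFC 8429), so on a current deployment run the same check with an AES enctype first and a keytab created to match.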