Dear dochelp,

This is with regard to MS-GSSA, and the protocols for kerberized dynamic DNS updates using TSIG-GSS.

We implemented the client side of this quite a while ago, and now we're trying to make the server side of it reliable (for when Windows clients register DNS names with a Samba server). We're doing this by trying to integrate a bit more closely with bind9, which has TSIG support.

The problem we've hit is a fairly basic one: what are the conditions under which Windows clients will use a TSIG DNS update?

When we get a Windows w2k8r2 box to join a Samba domain, it does try to do a dynamic DNS update to add its name, but it doesn't do it using TSIG. It just sends a plain DNS update.

Our current guess is that perhaps Windows first tries to send a non-TSIG update, and expects something special about the error return it gets; then, based on that error return, it would do a TSIG-based update. Looking at a Windows DNS server, we notice it sends a more extensive response when it refuses a non-TSIG update, and we suspect it is something about this response (perhaps the CNAME pre-requisite?) that triggers Windows to try again with a TSIG update.

Or maybe there is something in the rootDSE or CLDAP responses that tells a Windows client if the server is capable of TSIG DNS updates?

We're particularly interested in the answer for the following situations:

1) a normal DNS update when a member of a domain boots
2) updates of the _msdcs zone when a DC joins a domain (and subsequent updates)

Thanks!

Cheers, Tridge

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
