Hello All. Having some problems getting secure dynamic DNS updates to work with BIND in SL6.1 and Windows 2k3 Active Directory. I figure that the problem may be with BIND and Kerberos, so I set up Wireshark to listen on port 88 on the nameserver (spritle.machx.net) and on the domain controller (chimchim.win.machx.net). The Kerberos realm is win.machx.net, or in MS notation WIN.MACHX.NET.
I have gotten Kerberos working so that when I do a "kinit":

    kinit -V -k -t /etc/named/spritleDNS.keytab DNS/[email protected]

I get a ticket and I see the Kerberos request and reply. If I do an nsupdate, the update works and I also see a Kerberos request and reply. If I start BIND, I do not get any Kerberos traffic at all. If I restart netlogon on the win2k3 domain controller, I do not get any traffic at all either. I have run setsebool -P allow_kerberos 1. Any ideas as to what else I should look at? Relevant stuff is below.

/etc/krb5.conf:

    [logging]
     default = FILE:/var/log/krb5.log

    [libdefaults]
     default_keytab_name = FILE:/etc/named/spritleDNS.keytab
     default_realm = WIN.MACHX.NET
     default_tgs_enctypes = RC4-HMAC
     default_tkt_enctypes = RC4-HMAC
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     WIN.MACHX.NET = {
      kdc = chimchim.win.machx.net
      admin_server = chimchim.win.machx.net
     }

    [domain_realm]
     .win.machx.net = WIN.MACHX.NET
     win.machx.net = WIN.MACHX.NET
     .machx.net = WIN.MACHX.NET
     machx.net = WIN.MACHX.NET

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

/etc/named.conf:

    tkey-gssapi-credential "DNS/spritle.machx.net";
    tkey-domain "WIN.MACHX.NET";

    zone "_msdcs.win.machx.net" {
        type master;
        file "slaves/db.msdcs.machx.net";
        allow-query { trusted; };
        check-names ignore;
        update-policy {
            grant WIN.MACHX.NET. ms-self * A AAAA;
            grant CHIMCHIM\$\@WIN.MACHX.NET. subdomain win.machx.net. A AAAA SRV CNAME;
            grant "DNS/[email protected]" wildcard * A AAAA SRV CNAME;
        };
    };

The other zones are using IP ACLs.
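An added check, not part of the original post: before chasing named's GSSAPI behaviour, confirm that the keytab named in default_keytab_name really holds the principal BIND is going to use, with an enctype that matches the default_tkt_enctypes setting (RC4-HMAC is enctype 23). klist -kt shows this; the script below reads the MIT keytab format (version 0x0502) itself so it can run offline against a keytab constructed inline, and can then be pointed at the real file. The principal DNS/spritle.machx.net@WIN.MACHX.NET is assumed from tkey-gssapi-credential plus tkey-domain; the key bytes, kvno and timestamp in the sample are made up.

```python
"""List principals and enctypes in an MIT keytab (version 0x0502), roughly
what `klist -kt` prints, and check that the expected DNS principal is present
with the expected enctype. Example code added to this post; the keytab bytes
are constructed here, not taken from a real host."""
import struct
from datetime import datetime, timezone

# Enctype numbers (RFC 3961 / RFC 4757) that matter when talking to an AD KDC.
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac (RC4-HMAC)",
}

# Assumed principal: tkey-gssapi-credential "DNS/spritle.machx.net" plus
# tkey-domain "WIN.MACHX.NET" from the posted named.conf.
EXPECTED_PRINCIPAL = "DNS/spritle.machx.net@WIN.MACHX.NET"
RC4_HMAC = 23


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as a 0x0502
    keytab. Only used to construct the sample input for this example."""
    out = bytearray(b"\x05\x02")
    for princ, realm, kvno, enctype, key in entries:
        comps = princ.split("/")
        body = bytearray()
        body += struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)           # name type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1314000000)  # made-up creation timestamp
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)        # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per live entry in keytab bytes (deleted slots skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 (big-endian) is handled")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:        # 32-bit kvno, if present and nonzero, wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPES.get(enctype, "unknown(%d)" % enctype),
            "timestamp": datetime.fromtimestamp(timestamp, timezone.utc),
            "keylen": len(key),
        })
    return entries


def has_usable_key(entries, principal, enctype):
    """True if the keytab holds `principal` with the given enctype number."""
    return any(e["principal"] == principal and e["enctype"] == enctype
               for e in entries)


# Constructed sample: the DNS principal with an RC4-HMAC key and an AES256 key.
SAMPLE_KEYTAB = build_keytab([
    ("DNS/spritle.machx.net", "WIN.MACHX.NET", 3, 23, bytes(range(16))),
    ("DNS/spritle.machx.net", "WIN.MACHX.NET", 3, 18, bytes(range(32))),
])

if __name__ == "__main__":
    # For the real file: parse_keytab(open("/etc/named/spritleDNS.keytab", "rb").read())
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print("%3d %s %-40s %s" % (e["kvno"], e["timestamp"].date(),
                                   e["principal"], e["enctype_name"]))
    print("usable RC4-HMAC key for %s: %s" % (
        EXPECTED_PRINCIPAL, has_usable_key(found, EXPECTED_PRINCIPAL, RC4_HMAC)))
```

If the real keytab lacks the principal, or only has enctypes that the krb5.conf restricts away, kinit with -k -t can still succeed for a differently spelled principal while named silently never obtains credentials, so the listing is worth comparing character for character against tkey-gssapi-credential and tkey-domain.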
