You might try changing your update-policy from:
grant johnmill-dnst...@lab.brandeis.edu zonesub ANY;
grant * zonesub ANY;
to
grant johnmill-dnst...@lab.brandeis.edu zonesub ANY;
grant LAB.BRANDEIS.EDU zonesub ANY;
I’m not positive this is the proper syntax since we don’t use the zonesub
option. We use the ms-subdomain and krb5-subdomain options:
grant LAB.BRANDEIS.EDU ms-subdomain LAB.BRANDEIS.EDU;
grant LAB.BRANDEIS.EDU krb5-subdomain LAB.BRANDEIS.EDU;
Nicholas Miller, OIT, University of Colorado at Boulder
On May 2, 2014, at 5:16 PM, John Miller johnm...@brandeis.edu wrote:
Hi folks,
I'm trying to get our AD domain controllers to update our BIND 9.8.2
servers--specifically for the zone
_msdcs.lab.brandeis.edu.
I've got updates working in general: I can run kinit username@REALM
(johnmill-dns-t...@lab.brandeis.edu in this case), then successfully run
nsupdate -g from my desktop:
server dns-ext-dev1.lab.brandeis.edu
zone _msdcs.lab.brandeis.edu.
update add yourmom._msdcs.lab.brandeis.edu. 300 IN A 127.0.0.1
send
This works fine--I grab the necessary tickets from our domain controllers,
and BIND accepts my update.
My update-policy {} directive for the zone looks like:
update-policy {
grant johnmill-dnst...@lab.brandeis.edu zonesub ANY;
grant * zonesub ANY;
}
This is uber-lenient--I don't plan to leave things this way, but the wildcard
should allow anything with a pulse to update.
When I try to use Windows (the domain controller itself) to send updates, the
update first gets sent insecurely (which fails), then Windows attempts secure
authentication (and succeeds), but doesn't actually send a secured update:
named[13861]: client 129.64.102.112#64501: UDP request
named[13861]: client 129.64.102.112#64501: using view '_default'
named[13861]: client 129.64.102.112#64501: request is not signed
named[13861]: client 129.64.102.112#64501: recursion not available
named[13861]: client 129.64.102.112#64501: update
named[13861]: client 129.64.102.112#64501: update '_msdcs.lab.brandeis.edu/IN' denied
named[13861]: client 129.64.102.112#64501: send
named[13861]: client 129.64.102.112#64501: sendto
named[13861]: client 129.64.102.112#64501: senddone
named[13861]: client 129.64.102.112#64501: next
named[13861]: client 129.64.102.112#64501: endrequest
named[13861]: client @0x7f75640f6980: udprecv
named[13861]: client 129.64.102.112#52448: new TCP connection
named[13861]: client 129.64.102.112#52448: replace
named[13861]: clientmgr @0x7f7564003f98: createclients
named[13861]: clientmgr @0x7f7564003f98: recycle
named[13861]: client 129.64.102.112#52448: read
named[13861]: client 129.64.102.112#52448: TCP request
named[13861]: client 129.64.102.112#52448: using view '_default'
named[13861]: client 129.64.102.112#52448: request is not signed
named[13861]: client 129.64.102.112#52448: recursion not available
named[13861]: client 129.64.102.112#52448: query
named[13861]: failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Success.
named[13861]: gss-api source name (accept) is AD-2K8-DEV1$@LAB.BRANDEIS.EDU
named[13861]: process_gsstkey(): dns_tsigerror_noerror
named[13861]: client 129.64.102.112#52448: send
named[13861]: client 129.64.102.112#52448: sendto
named[13861]: client 129.64.102.112#52448: senddone
named[13861]: client 129.64.102.112#52448: next
named[13861]: client 129.64.102.112#52448: endrequest
named[13861]: client 129.64.102.112#52448: read
named[13861]: client @0x7f7564104b70: accept
named[13861]: client 129.64.102.112#52448: next
named[13861]: client 129.64.102.112#52448: request failed: end of file
named[13861]: client 129.64.102.112#52448: endrequest
named[13861]: client 129.64.102.112#52448: closetcp
named[13861]: client 129.64.102.112#64230: UDP request
named[13861]: client 129.64.102.112#64230: using view '_default'
named[13861]: client 129.64.102.112#64230: request is not signed
named[13861]: client 129.64.102.112#64230: recursion not available
named[13861]: client 129.64.102.112#64230: query
named[13861]: client 129.64.102.112#64230: query '_msdcs.lab.brandeis.edu/SOA/IN' approved
named[13861]: client 129.64.102.112#64230: send
named[13861]: client 129.64.102.112#64230: sendto
named[13861]: client 129.64.102.112#64230: senddone
named[13861]: client 129.64.102.112#64230: next
named[13861]: client 129.64.102.112#64230: endrequest
named[13861]: client @0x7f75640f6980: udprecv
named[13861]: client 129.64.102.112#63381: UDP request
named[13861]: client 129.64.102.112#63381: using view '_default'
named[13861]: client 129.64.102.112#63381: request is not signed
named[13861]: client 129.64.102.112#63381: recursion not available
named[13861]: client 129.64.102.112#63381: query
named[13861]: client 129.64.102.112#63381: query (cache)
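The named excerpt above shows the pattern the post describes: an unsigned update denied, then a GSS-TKEY negotiation accepted for AD-2K8-DEV1$@LAB.BRANDEIS.EDU, and no signed update following it. As an added example (not from either message, nor from BIND itself), here is a Python script that walks such debug lines per client and reports clients that negotiated a key but never sent a signed update; it assumes named logs "request is signed" for a TSIG-signed request (the post only shows the unsigned wording) and attributes the prefix-less gss-api line to the most recently seen client.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the named debug log quoted in the post (not the real log).
SAMPLE_LOG = """\
named[13861]: client 129.64.102.112#64501: request is not signed
named[13861]: client 129.64.102.112#64501: update
named[13861]: client 129.64.102.112#64501: update '_msdcs.lab.brandeis.edu/IN' denied
named[13861]: client 129.64.102.112#52448: request is not signed
named[13861]: client 129.64.102.112#52448: query
named[13861]: gss-api source name (accept) is AD-2K8-DEV1$@LAB.BRANDEIS.EDU
named[13861]: process_gsstkey(): dns_tsigerror_noerror
"""

CLIENT_RE = re.compile(r"client (?P<ip>[\d.]+)#(?P<port>\d+): (?P<msg>.*)$")
GSS_RE = re.compile(r"gss-api source name \(accept\) is (?P<principal>\S+)")
DENIED_RE = re.compile(r"^update '(?P<zone>[^']+)' denied$")

def analyze(log_text):
    """Summarise named debug lines per client IP: zones whose update was denied,
    GSS principals accepted via TKEY, and whether any signed update was received."""
    summary = defaultdict(lambda: {"denied": [], "principals": [], "signed_update": False})
    signed = {}        # (ip, port) -> signature status of the request on that socket
    current_ip = None  # the gss-api line has no client prefix; attribute it to the last client seen
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            ip, port, msg = m.group("ip"), m.group("port"), m.group("msg")
            current_ip = ip
            # Assumed wording for a TSIG-signed request; the post only shows the unsigned line.
            if msg in ("request is signed", "request has valid signature"):
                signed[(ip, port)] = True
            elif msg == "request is not signed":
                signed[(ip, port)] = False
            elif msg == "update" and signed.get((ip, port)):
                summary[ip]["signed_update"] = True
            d = DENIED_RE.match(msg)
            if d:
                summary[ip]["denied"].append(d.group("zone"))
            continue
        g = GSS_RE.search(line)
        if g and current_ip:
            summary[current_ip]["principals"].append(g.group("principal"))
    return dict(summary)

def gss_without_signed_update(summary):
    """Clients that completed a GSS-TKEY negotiation but never sent a signed update."""
    return sorted(ip for ip, s in summary.items() if s["principals"] and not s["signed_update"])
```

Run it over a named log captured at debug level (the post's lines are at the level that shows "request is not signed"); a client listed by gss_without_signed_update is the DC-side symptom described above, not a BIND policy problem.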