Re: GSS-TSIG updates with multiple KSPs on the same BIND server?

2015-06-04 Thread John Marshall
On Thu, 04 Jun 2015, 23:04 +, Vinícius Ferrão wrote:
> I always make my own krb5.conf file. Which krb bits on DNS you're talking
> about?

 $ORIGIN example.com.

 _kerberos       TXT EXAMPLE.REALM

 _kerberos._udp  SRV 0 0 88 kdc1
                 SRV 0 0 88 kdc2

 _kerberos._tcp  SRV 0 0 88 kdc1
                 SRV 0 0 88 kdc2

-- 
John Marshall


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: GSS-TSIG updates with multiple KSPs on the same BIND server?

2015-06-04 Thread John Marshall
Chiming in to provide moral support due to lack of replies...

On 04/06/2015 06:44, Doug Barton wrote:
> Reading through manuals, HOWTOs, etc. online it SEEMS possible that
> BIND 9.8+ could be configured to use multiple KSPs.

No experience to share with multiple KSPs/REALMS. Sorry :-(

> What I'd like to do instead is to use the tkey-gssapi-keytab option
> to specify just the keytab file.

but I can confirm that this works. I like to use service-specific
keytabs, so I have the following as the ONLY 'tkey' statement in our
master server's named.conf (currently BIND 9.10.2).

  options {
...
tkey-gssapi-keytab /path/to/bind.keytab;
  };

and then work happily with 'nsupdate -g' from a client with an
authorized UPN in the ACL for relevant zones.

No krb5.conf on the server in this case: just all the right krb bits in DNS.

I don't have time to mess with setting up and testing a second realm but
I just tried adding an alias () record for the master server in a
different domain (same realm) and adding a DNS/ service principal for
that name to the KDC and to BIND's keytab on the server. I specified

   server alias.name.

in nsupdate but the client still picked up the original service
principal (even after restarting BIND). I haven't looked at the code but
I'm guessing the service principal selected may be tied to the server
name 'options {hostname}' or something similar. Perhaps same domain
names in different realms might work?

-- 
John Marshall


GSS-TSIG updates with multiple KSPs on the same BIND server?

2015-06-03 Thread Doug Barton

Folks,

Reading through manuals, HOWTOs, etc. online it SEEMS possible that
BIND 9.8+ could be configured to use multiple KSPs. The traditional way
of configuring GSS-TSIG is the following in options{}:

  tkey-domain FOO.BAR;
  tkey-gssapi-credential DNS/dns1.foo.bar;

However, that configuration restricts the server to use only that one
KSP. What I'd like to do instead is to use the tkey-gssapi-keytab option
to specify just the keytab file. According to the 9.9.5 ARM:

  tkey-gssapi-keytab: The KRB5 keytab file to use for GSS-TSIG updates. If
  this option is set and tkey-gssapi-credential is not set, then updates
  will be allowed with any key matching a principal in the specified keytab.

I'm assuming that if I get the [realms] and [domain_realm] sections configured
correctly in my krb5.conf file that I would be good to go, but I am far
from an expert on Kerberos, and while using a single KSP works fine, I
haven't yet created a test environment for using multiple KSPs. So
before I do that I thought I would ask if what I want to do is even
possible, and if so where the landmines are.


In case it's not clear, the use case here is to be able to use the same 
BIND instance as master for multiple AD realms that do not have an 
existing trust relationship.


Thanks,

Doug

--
I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!
