Re: GSS-TSIG updates with multiple KSPs on the same BIND server?
On Thu, 04 Jun 2015, 23:04 +, Vinícius Ferrão wrote: I always make my own krb5.conf file. Which krb bits on DNS you're talking about? $ORIGIN example.com. _kerberos TXT EXAMPLE.REALM _kerberos._udp SRV 0 0 88 kdc1 SRV 0 0 88 kdc2 _kerberos._tcp SRV 0 0 88 kdc1 SRV 0 0 88 kdc2 -- John Marshall pgpJLb6PenKSK.pgp Description: PGP signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: GSS-TSIG updates with multiple KSPs on the same BIND server?
Chiming in to provide moral support due to lack of replies... On 04/06/2015 06:44, Doug Barton wrote: Reading through manuals, HOWTOs, etc. on line it SEEMS possible that BIND 9.8+ could be configured to use multiple KSPs. No experience to share with multiple KSP's/REALMS. Sorry :-( What I'd like to do instead is to use the tkey-gssapi-keytab option to specify just the keytab file. but I can confirm that this works. I like to use service-specific keytabs, so I have the following as the ONLY 'tkey' statement in our master server's named.conf (currently BIND 9.10.2). options { ... tkey-gssapi-keytab /path/to/bind.keytab; }; and then work happily with 'nsupdate -g' from a client with an authorized UPN in the ACL for relevant zones. No krb5.conf on the server in this case: just all the right krb bits in DNS. I don't have time to mess with setting up and testing a second realm but I just tried adding an alias () record for the master server in a different domain (same realm) and adding a DNS/ service principal for that name to the KDC and to BIND's keytab on the server. I specified server alias.name. in nsupdate but the client still picked up the original service principal (even after restarting BIND). I haven't looked at the code but I'm guessing the service principal selected may be tied to the server name 'options {hostname}' or something similar. Perhaps same domain names in different realms might work? -- John Marshall signature.asc Description: OpenPGP digital signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
GSS-TSIG updates with multiple KSPs on the same BIND server?
Folks, Reading through manuals, HOWTOs, etc. on line it SEEMS possible that BIND 9.8+ could be configured to use multiple KSPs. The traditional way of configuring GSS-TSIG is the following in options{}: tkey-domain FOO.BAR; tkey-gssapi-credential DNS/dns1.foo.bar; However that configuration restricts the server to use only that one KSP. What I'd like to do instead is to use the tkey-gssapi-keytab option to specify just the keytab file. According to the 9.9.5 ARM: tkey-gssapi-keytab The KRB5 keytab file to use for GSS-TSIG updates. If this option is set and tkey-gssapi-credential is not set, then updates will be allowed with any key matching a principal in the specified keytab. I'm assuming that if I get the [realms] and [domain_realms] configured correctly in my krb5.conf file that I would be good to go, but I am far from an expert on Kerberos, and while using a single KSP works fine, I haven't yet created a test environment for using multiple KSPs. So before I do that I thought I would ask if what I want to do is even possible, and if so where the landmines are. In case it's not clear, the use case here is to be able to use the same BIND instance as master for multiple AD realms that do not have an existing trust relationship. Thanks, Doug -- I am conducting an experiment in the efficacy of PGP/MIME signatures. This message should be signed. If it is not, or the signature does not validate, please let me know how you received this message (direct, or to a list) and the mail software you use. Thanks! signature.asc Description: OpenPGP digital signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users