Cannot enable GSS-TSIG updates from Active Directory

Vinícius Ferrão ferrao at if.ufrj.br
Wed Aug 27 14:59:59 UTC 2014


Hello guys,

I’m having a problem trying to enable GSS-TSIG with BIND 9.10.

Before I start describing what I’ve done, I would like to say that I’ve already done this in another domain without any problems. So I think I’m missing something very specific. If someone could help me debug this issue I’ll be very pleased.

Let’s start.

I’m running BIND9 9.10.0P2_5 on FreeBSD 10.0, compiled by myself with the GSSAPI_BASE option enabled. I’ve used this same binary package to deploy it on the other domain that’s working.

Then I’ve enabled GSS-TSIG in my named.conf files:

options {
	( … )
	tkey-gssapi-keytab "/etc/krb5.keytab";
	( … )
};

zone "local.example.com" {
        type master;
        file "/usr/local/etc/namedb/dynamic/local.example.com";
        notify yes;
        check-names ignore;
        allow-query { clients; };
        allow-transfer { intnameservers; };
#       allow-update {
#               key "iq-rndc-key";
#               domaincontrollers;
#       };
        update-policy {
                grant * subdomain local.iq.ufrj.br. ANY;
        };
};

zone "10.in-addr.arpa" {
        type master;
        file "/usr/local/etc/namedb/dynamic/10.in-addr.arpa";
        notify yes;
        allow-query { clients; };
        allow-transfer { intnameservers; };
#       allow-update {
#               key "iq-rndc-key";
#               domaincontrollers;
#       };
        update-policy {
                grant * subdomain 10.in-addr.arpa. PTR TXT;
        };
};

Then I’ve joined the AD domain using Samba4 and Kerberos, in this way:

Created the file `/etc/krb5.conf` with the following content:

    [libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = true
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = yes


Installed Samba 4.1 and created the file `/usr/local/etc/smb4.conf` with the following content:

    [global]
        security = ads
        realm = EXAMPLE.COM
        workgroup = EXAMPLE

        kerberos method = secrets and keytab

        client signing = yes
        client use spnego = yes
        log file = /var/log/samba4/%m.log

Asked for an Administrator Kerberos ticket:

    $ kinit Administrator

Then joined the domain and created a keytab:

    $ net ads join createupn=dns/server-hostname.example.com@EXAMPLE.COM -k
    $ net ads keytab create -k

After all that, I’ve successfully received a ticket and created a computer account and a service principal account.

The next step was to chown /etc/krb5.keytab to bind so BIND9 can read the keytab successfully.

After all that, nothing is working… GSS-TSIG doesn’t even give errors in the logs, which is frustrating. I’m trying to debug this with these options in named.conf:

logging {

        channel update_log {
                file "/var/log/named/bind-ddns-updates.log";
                severity debug;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        category update {
                update_log;
        };

        category update-security {
                update_log;
        };
};

But I don’t see anything useful in the log file.

Thanks in advance,
Vinícius.
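An offline pre-flight check for the two pieces of this setup that fail silently when they are wrong: whether the keytab actually holds the DNS service principal in the form the clients request, and whether an update-policy grant name lies inside its zone. This is an added example, not code from the post or from BIND/Samba; the host name and realm are placeholders and the keytab listing is constructed sample input.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Assumes MIT `klist -k` layout with the
# principal in the last column (also true of `klist -kt` and Heimdal `ktutil list`).
SERVER_FQDN="server-hostname.example.com"   # placeholder: the BIND host's FQDN
REALM="EXAMPLE.COM"                         # placeholder: the AD realm
# Constructed sample listing: the join used createupn=dns/..., so only "dns/" exists.
KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server-hostname.example.com@EXAMPLE.COM
   3 dns/server-hostname.example.com@EXAMPLE.COM
   3 SERVER-HOSTNAME$@EXAMPLE.COM'
# Exit 0 if listing $1 holds principal $2 exactly. Keytab entries are matched by the
# full principal string, so "dns/..." and "DNS/..." are distinct entries.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}
# Exit 0 if the name in "grant * subdomain <name> ..." ($2) is zone $1 or lies
# below it. A name outside the zone can never match an update to that zone, so
# such a rule grants nothing and named logs no error for it.
grant_inside_zone() {
    z=$(printf '%s' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z')
    g=$(printf '%s' "$2" | sed 's/\.$//' | tr 'A-Z' 'a-z')
    [ "$g" = "$z" ] && return 0
    case "$g" in *".$z") return 0 ;; esac
    return 1
}
# Report both checks against the sample data; returns the number of failed checks.
run_checks() {
    fails=0
    for spn in "DNS/$SERVER_FQDN@$REALM" "dns/$SERVER_FQDN@$REALM"; do
        if keytab_has_principal "$KLIST_OUT" "$spn"; then
            echo "present: $spn"
        else
            echo "absent:  $spn"; fails=$((fails + 1))
        fi
    done
    if grant_inside_zone "local.example.com" "local.example.com."; then
        echo "ok:  grant name lies inside zone local.example.com"
    else
        echo "BAD: grant name is outside zone local.example.com"; fails=$((fails + 1))
    fi
    return "$fails"
}
run_checks || echo "failed checks: $?"
```

On a real host, replace KLIST_OUT with `$(klist -k /etc/krb5.keytab)` and the zone/grant pair with the values from named.conf.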