BIND 9.5.0a6 and Windows Server 2003 R2 DDNS updates with GSS-TSIG

David Holder david.holder at erion.co.uk
Sun Aug 19 15:02:25 UTC 2007


I had a little trouble getting this message onto the list - here it is at last (I hope).


> Hi! I am trying to use BIND 9.5's GSS-TSIG functionality to carry out secure
> updates to a Windows Server 2003 R2 AD domain controller.
>
> I am using a few different Linux clients. They are all configured to use the
> AD DC as their KDC. This works fine.
>
> I have built and tested BIND 9.5 with GSSAPI. So far I have not been able to
> get it to work with Windows.
>
> Here is an example of the failure messages I get.
>
> /usr/local/bin/nsupdate -d -g -o
> > > update add oak2.active.com 86400 A 192.168.100.100
> > > send
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  53990
> ;; flags: qr aa rd ra ; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;oak2.active.com.               IN      SOA
>
> ;; AUTHORITY SECTION:
> active.com.             3600    IN      SOA     w2003r2.active.com. hostmaster. 32 900 600 86400 3600
>
> ;; ADDITIONAL SECTION:
> w2003r2.active.com.     3600    IN      A       192.168.100.101
>
> Found zone name: active.com
> The master is: w2003r2.active.com
> start_gssrequest
> nsupdate.c:2192: INSIST(result == 0) failed.
> Aborted
>
> If I do a klist I see the following.
>
> Ticket cache: FILE:/tmp/krb5cc_513
> Default principal: administrator@ACTIVE.COM
>
> Valid starting     Expires            Service principal
> 08/08/07 13:06:09  08/08/07 23:07:35  krbtgt/ACTIVE.COM@ACTIVE.COM
>         renew until 08/09/07 13:06:09
> 08/08/07 13:31:26  08/08/07 23:07:35  DNS/w2003r2.active.com@ACTIVE.COM
>         renew until 08/09/07 13:06:09
>
> I have carried out network traces and found that Windows to Windows dynamic
> updates look different from the BIND to Windows dynamic updates.
>
> Has anyone tried this before? What information do you need to look at this?
> Traces, logs, configuration info? And is this the correct mailing list for
> this problem?
>
> Many thanks,
>
> David

-- 
------------------------------------------------------------------------
Dr David Holder CEng MIET MIEEE

Erion Ltd, Oakleigh, Upper Sutherland Road, Halifax, HX3 8NT

Reception: +44 (0)1422 207000

Direct Dial: +44 (0)131 2026317

Cell: +44 (0) 7768 456831

Registered in England and Wales. Registered Number 3521142
VAT Number: GB 698 3633 78
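
Added example, not part of the original post and not BIND or Erion code: a pre-flight check that takes the master name from `nsupdate -d` debug output and confirms the credential cache holds a currently valid `DNS/<master>@<realm>` service ticket, the pairing visible in the quoted output. The sample strings are constructed from that output; the function names, the MM/DD/YY date format, and taking the realm from the default principal are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input, modelled on the output quoted in the post.
NSUPDATE_DEBUG = "Found zone name: active.com\nThe master is: w2003r2.active.com\nstart_gssrequest\n"
KLIST = """Ticket cache: FILE:/tmp/krb5cc_513
Default principal: administrator@ACTIVE.COM

Valid starting     Expires            Service principal
08/08/07 13:06:09  08/08/07 23:07:35  krbtgt/ACTIVE.COM@ACTIVE.COM
        renew until 08/09/07 13:06:09
08/08/07 13:31:26  08/08/07 23:07:35  DNS/w2003r2.active.com@ACTIVE.COM
        renew until 08/09/07 13:06:09
"""
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
FMT = "%m/%d/%y %H:%M:%S"  # assumption: klist prints MM/DD/YY as in the post

def master_from_debug(text):
    """Return the SOA master that nsupdate reported, lower-cased, or None."""
    m = re.search(r"^The master is: (\S+)$", text, re.M)
    return m.group(1).rstrip(".").lower() if m else None

def parse_klist(text):
    """Return (default realm, [(start, expires, principal), ...])."""
    realm, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:") and "@" in line:
            realm = line.rsplit("@", 1)[1].strip()
        m = TICKET.match(line.strip())
        if m:
            tickets.append((datetime.strptime(m.group(1), FMT),
                            datetime.strptime(m.group(2), FMT), m.group(3)))
    return realm, tickets

def check_dns_ticket(debug, klist, now):
    """Classify the DNS/<master>@<realm> ticket: ok, expired, not-yet-valid, missing."""
    master = master_from_debug(debug)
    realm, tickets = parse_klist(klist)
    status = "missing"  # also the result when master or realm could not be parsed
    for start, expires, principal in tickets:
        service, _, ticket_realm = principal.rpartition("@")
        # Host and service type compared case-insensitively, realm exactly.
        if service.lower() != f"dns/{master}" or ticket_realm != realm:
            continue
        if start <= now < expires:
            return "ok"
        status = "expired" if now >= expires else "not-yet-valid"
    return status
```

An "ok" result for the cache shown in the post would indicate that the ticket itself is present and in date, so the `INSIST` abort has to be investigated elsewhere.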



