BIND 9.5.0a6 and Windows Server 2003 R2 DDNS updates with GSS-TSIG
Danny Mayer
mayer at gis.net
Sun Aug 19 23:26:02 UTC 2007
David Holder wrote:
> I had a little trouble getting this message onto the list - here it is at last (I hope).
>
>> Hi! I am trying to use BIND 9.5's GSS-TSIG functionality to carry out secure
>> updates to a Windows Server 2003 R2 AD domain controller.
>>
>> I am using a few different Linux clients. They are all configured to use the
>> AD DC as their KDC. This works fine.
>>
>> I have built and tested BIND 9.5 with GSSAPI. So far I have not been able to
>> get it to work with Windows.
>>
It doesn't work yet.
>>
>> Here is an example of the failure messages I get.
>>
>> /usr/local/bin/nsupdate -d -g -o
>> > update add oak2.active.com 86400 A 192.168.100.100
>> > send
>>
>> Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53990
>> ;; flags: qr aa rd ra ; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;oak2.active.com. IN SOA
>>
>> ;; AUTHORITY SECTION:
>> active.com. 3600 IN SOA w2003r2.active.com.
>> hostmaster. 32 900 600 86400 3600
>>
>> ;; ADDITIONAL SECTION:
>> w2003r2.active.com. 3600 IN A 192.168.100.101
>>
>> Found zone name: active.com
>> The master is: w2003r2.active.com
>> start_gssrequest
>> nsupdate.c:2192: INSIST(result == 0) failed.
>> Aborted
>>
>> If I do a klist I see the following.
>>
>> Ticket cache: FILE:/tmp/krb5cc_513
>> Default principal: administrator at ACTIVE.COM
>>
>> Valid starting Expires Service principal
>> 08/08/07 13:06:09 08/08/07 23:07:35 krbtgt/ACTIVE.COM at ACTIVE.COM
>> renew until 08/09/07 13:06:09
>> 08/08/07 13:31:26 08/08/07 23:07:35 DNS/w2003r2.active.com at ACTIVE.COM
>> renew until 08/09/07 13:06:09
>>
>> I have carried out network traces and found that Windows to Windows dynamic
>> updates look different from the BIND to Windows dynamic updates.
>>
I wouldn't be surprised.
>>
>> Has anyone tried this before? What information do you need to look at this?
>> Traces, logs, configuration info? And is this the correct mailing list for
>> this problem?
>>
The network traces would be useful. Is this with Wireshark?
Danny
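The quoted session shows the two things nsupdate -d reports before it attempts the GSS-TSIG exchange: the zone and master it derives from the SOA reply, and (via klist) whether the ticket cache holds a DNS/<master> service ticket for that master. The following is an added pre-flight check that reproduces those two steps on text constructed from the session above; it is not code from the thread, from BIND or from nsupdate, and the SOA_REPLY and KLIST_OUTPUT strings are constructed samples (with the list archive's " at " restored to "@"). A missing or expired service ticket is the first thing to rule out before digging into traces.

```python
"""Pre-flight check for a GSS-TSIG dynamic update (added example).

Mirrors what nsupdate -d prints in the quoted session: the zone name and
master taken from the SOA reply, and the klist view of the ticket cache,
then confirms a DNS/<master> service ticket exists and is unexpired.
"""
import re
from datetime import datetime

# Constructed from the "Reply from SOA query" in the quoted session.
SOA_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53990
;; QUESTION SECTION:
;oak2.active.com. IN SOA
;; AUTHORITY SECTION:
active.com. 3600 IN SOA w2003r2.active.com. hostmaster. 32 900 600 86400 3600
;; ADDITIONAL SECTION:
w2003r2.active.com. 3600 IN A 192.168.100.101
"""

# Constructed from the klist output in the quoted session ("@" restored).
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_513
Default principal: administrator@ACTIVE.COM

Valid starting     Expires            Service principal
08/08/07 13:06:09  08/08/07 23:07:35  krbtgt/ACTIVE.COM@ACTIVE.COM
        renew until 08/09/07 13:06:09
08/08/07 13:31:26  08/08/07 23:07:35  DNS/w2003r2.active.com@ACTIVE.COM
        renew until 08/09/07 13:06:09
"""

KLIST_TIME_FMT = "%m/%d/%y %H:%M:%S"
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+\S+", re.M)
# A ticket line starts with two timestamps; header and "renew until" lines do not.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$",
    re.M,
)


def zone_and_master(soa_reply):
    """Return (zone, master) from the SOA record in a dig-style reply.

    The zone is the owner name of the SOA in the AUTHORITY section (present
    even in an NXDOMAIN reply) and the master is its MNAME field. Trailing
    dots are stripped to match nsupdate's own "Found zone name" output.
    """
    m = SOA_RE.search(soa_reply)
    if not m:
        return None
    return m.group(1).rstrip("."), m.group(2).rstrip(".")


def parse_klist(text):
    """Return {service_principal: (valid_from, expires)} from klist output."""
    tickets = {}
    for start, end, princ in TICKET_RE.findall(text):
        tickets[princ] = (
            datetime.strptime(start, KLIST_TIME_FMT),
            datetime.strptime(end, KLIST_TIME_FMT),
        )
    return tickets


def service_ticket_status(klist_text, master, now_text):
    """Classify the DNS/<master> ticket as "ok", "expired" or "missing".

    GSS-TSIG (RFC 3645) authenticates the update with a Kerberos service
    ticket for the DNS/<server> principal; now_text uses klist's own
    timestamp format so the check can be replayed against old output.
    """
    now = datetime.strptime(now_text, KLIST_TIME_FMT)
    wanted = "DNS/" + master + "@"
    for princ, (_start, end) in parse_klist(klist_text).items():
        if princ.startswith(wanted):
            return "expired" if now > end else "ok"
    return "missing"


if __name__ == "__main__":
    zone, master = zone_and_master(SOA_REPLY)
    print("Found zone name:", zone)
    print("The master is:", master)
    print("DNS service ticket:", service_ticket_status(KLIST_OUTPUT, master, "08/08/07 14:00:00"))
```

In the quoted session this check reports "ok": the cache does hold DNS/w2003r2.active.com@ACTIVE.COM valid until 23:07:35, so the ticket is not what makes start_gssrequest fail, and the next step is the network trace Danny asks for.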