Using bind 9.5.0 with Active directory

Rob Austein Rob_Austein at
Tue Dec 23 22:41:19 UTC 2008

Four things must be done to allow Bind 9 to support GSS-TKEY:

    * kinit must work on the host which will run BIND 9. This means
      krb5.conf must be properly configured with the realm and
      locations of the Kerberos servers.
    * Bind 9 must be compiled with GSSAPI enabled.
    * Bind 9 must have a principal and a keytab.
    * named.conf needs to be told the name of the principal. 

    options {
       tkey-gssapi-credential "DNS/";
    };

Extracting a Kerberos keytab from Active Directory is a two-step
process: first you create a user account in Active Directory, then you
map it to a Kerberos principal name and extract the keytab.  Windows
usernames don't use the same naming conventions as Kerberos principals
(the allowed set of Windows usernames is a subset of the allowed
Kerberos principal names, and a service principal name like
DNS/ is not a legal Windows username).

Go into Active Directory's new user wizard and create a new user
account.  It's probably best to put accounts like this into a separate
organizational unit (OU) within the Active Directory tree.  This could
be called unix or bind9 or anything you wish to help organize bind 9
server credentials and users.  The username can be any syntactically
legal thing you like, but when creating, e.g., the DNS service principal
for host, it's probably best to use a username like
foo to avoid conflicts.

Select "password never expires" and "user cannot change password" in
the next screen of the wizard, to make sure that the account's
password can't change (which would invalidate the keytab).

The second step requires a command line tool, ktpass.  ktpass is
supplied on the Windows installation media but is not installed by

ktpass accepts the usual /? option to display a help screen, but for
the task at hand you'll want to do something like this:

C:\> ktpass -out foo.keytab -princ DNS/ at EXAMPLE.ORG -pass * -mapuser foo at


    * foo.keytab is the filename for the new keytab
    * DNS/ at EXAMPLE.ORG is the principal name
    * foo at is the Active Directory user account 

If all goes well, ktpass will tell you what it's doing, prompt you for
the password you set when creating the user account, and will write
out the keytab, which you can then install in the usual place on the
machine to run Bind 9.
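
An added check for the last step, not part of the original post or of BIND: before named is pointed at the new keytab, confirm on the BIND host that the file ktpass wrote really holds the expected principal. The sketch assumes the keytab uses the MIT file format, version 0x0502, and lists principal, key version and encryption type without returning key bytes; the host name ns1.example.org and the sample keytab are constructed for illustration.

```python
import io, struct

def _entry(buf):
    """Decode one keytab entry; the key bytes are skipped, never returned."""
    r = io.BytesIO(buf)
    take = lambda fmt: struct.unpack(fmt, r.read(struct.calcsize(fmt)))
    counted = lambda: r.read(take(">H")[0])        # 16-bit length, then data
    (ncomp,) = take(">H")                          # component count, realm excluded
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    _name_type, _timestamp, kvno, enctype = take(">IIBH")
    counted()                                      # key material
    if len(buf) - r.tell() >= 4:                   # optional 32-bit kvno wins over the 8-bit one
        (kvno,) = take(">I")
    return f"{name}@{realm}", kvno, enctype

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                               # negative length marks a deleted slot
            pos -= size
            continue
        if size == 0:                              # this parser treats 0 as end of data
            break
        if pos + size > len(data):
            raise ValueError("truncated entry")
        entries.append(_entry(data[pos:pos + size]))
        pos += size
    return entries

def sample_keytab(principal="DNS/ns1.example.org@EXAMPLE.ORG", kvno=3):
    """Constructed sample: one entry carrying a dummy all-zero 32-byte key."""
    name, realm = principal.split("@")
    cs = lambda b: struct.pack(">H", len(b)) + b
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, 18)   # 18 = aes256-cts-hmac-sha1-96
    body += cs(bytes(32)) + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    print(parse_keytab(sample_keytab()))
```

On a real host, feed it the file's bytes, for example parse_keytab(open(path, "rb").read()), and compare the listed principal with the one named in tkey-gssapi-credential.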
