Using bind 9.5.0 with Active directory

Nico De Ranter nico at
Wed Dec 24 08:10:48 UTC 2008

Thank you very much for your very detailed instructions. I'm going to
try it right away.


On Tue, 2008-12-23 at 17:41 -0500, Rob Austein wrote:
> Four things must be done to allow Bind 9 to support GSS-TKEY:
>     * kinit must work on the host which will run BIND 9. This means
>       krb5.conf must be properly configured with the realm and
>       locations of the Kerberos servers.
>     * Bind 9 must be compiled with GSSAPI enabled.
>     * Bind 9 must have a principal and a keytab.
>     * named.conf needs to be told the name of the principal. 
>     options {
>        ...
>        tkey-gssapi-credential "DNS/";
>        ...
>     };
> Extracting a Kerberos keytab from Active Directory is a two-step
> process: first you create a user account in Active Directory, then you
> map it to a Kerberos principal name and extract the keytab.  Windows
> usernames don't use the same naming conventions as Kerberos principals
> (the allowed set of Windows usernames are a subset of the allowed
> Kerberos principal names, and a service principal name like
> DNS/ is not a legal Windows username).
> Go into Active Directory's new user wizard and create a new user
> account.  It's probably best to put accounts like this into a separate
> organization unit (OU) within the active directory tree.  This could
> be called unix or bind9 or anything you wish to help organize bind 9
> server credentials and users.  The username can be any syntactically
> legal thing you like, but when creating, eg, the DNS service principal
> for host, it's probably best to use a username like
> foo to avoid conflicts.
> Select "password never expires" and "user cannot change password" in
> the next screen of the wizard, to make sure that the account's
> password can't change (which would invalidate the keytab).
> The second step requires a command line tool, ktpass.  ktpass is
> supplied on the Windows installation media but is not installed by
> default.
> ktpass accepts the usual /? option to display a help screen, but for
> the task at hand you'll want to do something like this:
> C:\> ktpass -out foo.keytab -princ DNS/ at EXAMPLE.ORG -pass * -mapuser foo at
> where
>     * foo.keytab is the filename for the new keytab
>     * DNS/ at EXAMPLE.ORG is the principal name
>     * foo at is the Active Directory user account 
> If all goes well, ktpass will tell you what it's doing, prompt you for
> the password you set when creating the user account, and will write
> out the keytab, which you can then install in the usual place on the
> machine to run Bind 9.

More information about the bind-users mailing list