Problems with Bind-Kerberos-Windows-Linux

Sergiu Bivol sbivol at
Mon Dec 6 16:32:43 UTC 2010

> The client has an entry in the AD with DNS/test.loc at TEST.LOC. The Client,
> DNS-Server, Kerberos-Server all have a copy of the krb5.keytab. If I do a
> kinit -k -t c:\krb5.keytab DNS/test.loc at TEST.LOC then all seem to be ok.  I
> get this message from the DNSserver: 03-Dec-2010 10:42:00.451 general: debug
> 3: gss cred: "DNS/test.loc at TEST.LOC", GSS_C_ACCEPT, 4294962027. But when the
> client do it from its own I get this message from the DNS-Server:
> 03-Dec-2010 10:42:00.451 general: debug 3: failed gss_accept_sec_context:
> GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more
> information, Minor = Wrong principal in request.

Normally you need 2 kerberos principals, one for the DNS Server, one for the client. 

If kinit above works on the DNS Server box, and you can see these messages at startup BIND is configured correctly.
27-Sep-2010 18:26:47.860 acquiring credentials for DNS/test.loc
27-Sep-2010 18:26:47.860 gss cred: "DNS/test.loc at TEST.LOC", GSS_C_ACCEPT, 4294967295

You still need to configure update-policy to allow your client to update DNS, but that is another issue.

A GSS-TSIG-enabled DNS client would request TGT (as a different Kerberos user/principal), then TGS to use the DNS Service identified by the DNS/test.loc at TEST.LOG service principal. With this it should be able to update the DNS server, as long as DNS Server validates the client's ticket and the policy allows the update.

I hope your understanding is the same, it just wasn't clear from your message.


More information about the bind-users mailing list