Fwd: Problems with Bind-Kerberos-Windows-Linux

Phil Mayers p.mayers at imperial.ac.uk
Tue Dec 7 09:17:40 UTC 2010

On 12/07/2010 07:53 AM, Jürgen Dietl wrote:
> Hello Sergiu,
> I tried to put in 2 credential Entries in the named.conf:
> tkey-gssapi-credential "DNS/test.loc"; (that was in before)
> tkey-gssapi-credential "USER/test.loc", (new entry)
> tkey-domain "TEST.LOC";

This is all wrong.

There are two principals involved:

  1. The server - this is what you configure on the DNS server
  2. The client - this is the client's ticket; you don't need to 
configure this, the client obtains it themselves and supplies it when 
they connect

All you need to do is the following:

  1. Ensure there is a principal in your kerberos realm 
"DNS/hostname.domain.com", matching the hostname of your DNS server

  2. Ensure the keytab on the DNS server contains the keys for this 
principal and is readable by bind

  3. List this principal in the "tkey-gssapi-credential" in named.conf

  4. Ensure the SOA for your domain contains an MNAME field matching the 

Unless your DNS server is called "test.loc" I don't think you're doing 
it right. I think you need "DNS/hostname.test.loc"
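The check below is an added example and is not part of the thread or of BIND itself. It takes the three server-side items from Phil's list (the DNS/<fqdn> principal, the keytab entry for it, and the tkey-gssapi-credential line in named.conf) and verifies they agree, using the posted named.conf as the failing case. The hostname ns1.test.loc, the realm TEST.LOC, the keytab path and the `klist -k` listing are constructed assumptions; since the post writes the principal without a realm, the comparison is done on the "DNS/host" part and accepts the credential with or without "@REALM".

```shell
#!/bin/sh
# Added example (not from the original thread): check the server-side pieces
# Phil lists for GSS-TSIG on BIND -- the DNS/<fqdn> principal, the keytab
# entry for it, and the tkey-gssapi-credential line in named.conf.
# The hostname (ns1.test.loc), realm (TEST.LOC) and the sample named.conf and
# `klist -k` listing below are constructed for illustration.

# The principal BIND presents to clients: DNS/<fqdn of the DNS server>@<REALM>.
expected_principal() {
    # $1 = fqdn of the DNS server, $2 = Kerberos realm (upper case)
    printf 'DNS/%s@%s\n' "$1" "$2"
}

# Print every tkey-gssapi-credential value found in named.conf text on stdin.
named_conf_credential() {
    sed -n 's/^[[:space:]]*tkey-gssapi-credential[[:space:]]*"\([^"]*\)"[[:space:];]*$/\1/p'
}

# Succeed only if a `klist -k` listing on stdin has an entry for principal $1.
# Entry lines look like "   3 DNS/ns1.test.loc@TEST.LOC" (KVNO, principal);
# the header lines are skipped because their first field is not a number.
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                      END { if (found) exit 0; exit 1 }'
}

# Compare named.conf and the keytab against the expected principal.
# Returns 0 when both line up, 1 otherwise, printing one line per finding.
check_gss_tsig_setup() {
    fqdn=$1 realm=$2 conf=$3 listing=$4
    want=$(expected_principal "$fqdn" "$realm")
    status=0

    creds=$(printf '%s\n' "$conf" | named_conf_credential)
    n=$(printf '%s\n' "$creds" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$n" -ne 1 ]; then
        echo "named.conf: expected exactly one tkey-gssapi-credential, found $n"
        status=1
    elif [ "${creds%@*}" = "${want%@*}" ]; then
        echo "named.conf: tkey-gssapi-credential \"$creds\" names this server (ok)"
    else
        echo "named.conf: tkey-gssapi-credential is \"$creds\", expected \"$want\""
        status=1
    fi

    if printf '%s\n' "$listing" | keytab_has_principal "$want"; then
        echo "keytab: has an entry for $want (ok)"
    else
        echo "keytab: no entry for $want"
        status=1
    fi
    return $status
}

# Constructed named.conf fragments: the one from the post, and a corrected one.
POSTED_CONF='tkey-gssapi-credential "DNS/test.loc";
tkey-domain "TEST.LOC";'
FIXED_CONF='tkey-gssapi-credential "DNS/ns1.test.loc@TEST.LOC";
tkey-domain "TEST.LOC";'

# Constructed `klist -k /etc/named.keytab` output (one line per key/enctype).
SAMPLE_KLIST='Keytab name: FILE:/etc/named.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 DNS/ns1.test.loc@TEST.LOC
   3 DNS/ns1.test.loc@TEST.LOC'

check_gss_tsig_setup ns1.test.loc TEST.LOC "$POSTED_CONF" "$SAMPLE_KLIST" || echo "-> fix named.conf first"
check_gss_tsig_setup ns1.test.loc TEST.LOC "$FIXED_CONF"  "$SAMPLE_KLIST" && echo "-> server side looks consistent"
```

On the real server, feed it the live data instead of the samples: `klist -k /etc/named.keytab` (MIT Kerberos) for the listing and the contents of named.conf for the config, and cover Phil's "readable by bind" point separately with something like `sudo -u named test -r /etc/named.keytab`, substituting whatever user named runs as. Later BIND releases also added tkey-gssapi-keytab, which points named at the keytab directly; the principal/hostname rule above applies either way.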
