GSS-TSIG and Active Directory

Nicholas F Miller Nicholas.Miller at Colorado.EDU
Fri Oct 1 13:02:30 UTC 2010


Yeah, it seems that people got it working when the functionality came out, but subsequently I haven't seen it working for anyone in a production environment.
_________________________________________________________
Nicholas Miller, ITS, University of Colorado at Boulder



On Sep 30, 2010, at 3:24 PM, Dave Knight wrote:

> 
> On 2010-09-30, at 11:24 AM, Nicholas F Miller wrote:
> 
>> Does anyone actually have GSS-TSIG working with an Active Directory? I see plenty of posts from people trying to get it to work. I have yet to see anyone who claims to actually have it working. Did MS change something in 2008r2 since GSS-TSIG was implemented in bind to make it inoperable?
> 
> Right after GSS-TSIG appeared I built a lab for the purpose of demonstrating and documenting a working setup.
> 
> That lab contained a couple of W2k3 servers, XP clients and BIND servers running on FreeBSD. I went from bare iron to a working W2k domain using BIND+GSS-TSIG exclusively for name service.
> 
> As I recall I did the initial population of the zone used for the W2k domain without security enabled, i.e.: I informed the Windows machine that the BIND server was to be used and configured the BIND server to allow updates from the Windows server on the basis of its IP address, then ran dcpromo.exe to create the domain, then did the necessary Kerberos bits, then locked down the BIND server to henceforth accept only GSS-TSIG authenticated updates.
> 
> I haven't touched this stuff since though, so I have nothing to say about how it might work with contemporary Windows and BIND versions.
> 
> dave
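The two-phase approach Dave describes (IP-based updates while the domain is built, then a lock-down to GSS-TSIG only) maps onto two named.conf zone stanzas. The following is an added illustration, not configuration from this thread or from either poster; the realm EXAMPLE.COM, zone example.com, the address 192.0.2.10 and the keytab path /etc/named.keytab are placeholder assumptions. It goes slightly beyond the message by also showing the GSS-TSIG directives BIND needs to accept Kerberos-authenticated updates at all; `tkey-gssapi-keytab` is the BIND 9.7+ form, older releases used `tkey-gssapi-credential` together with `tkey-domain`.

```conf
// ---- Phase 1: bootstrap only (weak setting) ----
// Any host that can spoof or originate packets from 192.0.2.10 can rewrite
// the zone; acceptable only while dcpromo populates it, never afterwards.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { 192.0.2.10; };    // placeholder: the DC being promoted
};

// ---- Phase 2: locked down to GSS-TSIG authenticated updates ----
options {
    // Keytab holding DNS/<bind-host>@EXAMPLE.COM (placeholder path).
    // Pre-9.7 equivalent: tkey-gssapi-credential "DNS/bind.example.com@EXAMPLE.COM";
    //                     tkey-domain "EXAMPLE.COM";
    tkey-gssapi-keytab "/etc/named.keytab";
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // update-policy replaces allow-update (the two are mutually exclusive
    // in a zone). Every update must now carry a valid GSS-TSIG signature
    // from a principal in the EXAMPLE.COM realm.
    update-policy {
        // A machine account may only update its own A/AAAA records.
        grant EXAMPLE.COM ms-self EXAMPLE.COM A AAAA;
        // Domain controllers may maintain the SRV/A records under _msdcs.
        grant EXAMPLE.COM ms-subdomain _msdcs.example.com. ANY;
    };
};
```

With the second stanza in place, an unsigned update from 192.0.2.10 is refused (logged as an update rejected for lack of a matching policy), which is the behavioural check that the lock-down actually took effect; `rndc reload` after the switch and a signed `nsupdate -g` from a domain member are the usual way to confirm both directions.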
