GSS-TSIG and Active Directory

Nicholas F Miller Nicholas.Miller at Colorado.EDU
Fri Oct 1 19:27:16 UTC 2010


YES!!!! Brilliant!!!! Thanks Rob.

I think it is working now. I have the update-policy set up as follows:

                update-policy {
                    grant dc1$@REALM wildcard * ANY;
                    grant dc2$@REALM wildcard * ANY;
                    grant dns_server$@REALM wildcard * ANY;
                    deny REALM ms-self * SRV;
                    grant REALM ms-self * ANY;
                };

If I understand things correctly I am allowing the DCs and DNS server to update any record type in the domain and any subdomains. The clients are allowed to update any of their own records except SRV, MX and NS. Do I even need to deny NS for ms-self?

If it is truly working correctly, I wonder why I can't deny AAAA records. When I add AAAA to the deny statement it blocks A records as well. If I try A6 it still allows AAAA records to be set by client machines.
_________________________________________________________
Nicholas Miller, ITS, University of Colorado at Boulder



On Oct 1, 2010, at 12:12 PM, Rob Austein wrote:

> If you're trying to grant update rights to a specific machine (rather
> than every machine in the realm), something like:
> 
>  grant dc$@REALM. subdomain dnsname.;
> 
> might work better, where "dc$@REALM" is (eg) the Kerberos principal
> corresponding to your DC and "dnsname" is the tree to which you want
> to grant rights.  The "$" is a Microsoft-ism.

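An added example, not from this thread or from the BIND project, showing how rules of the kind quoted above sit inside a complete named.conf zone stanza. The zone name "example.test", the file path and the realm EXAMPLE.TEST are placeholders. The one behaviour worth seeing in context is that update-policy rules are evaluated in order and the first matching rule decides, so a deny for the client machine accounts only has effect if it comes before the broad ms-self grant; several types may be listed in a single rule.

```conf
// Added example (placeholders: zone name, file path, realm EXAMPLE.TEST).
// update-policy rules are checked top to bottom; the first rule that
// matches the update grants or denies it and nothing below is consulted.
zone "example.test" IN {
    type master;
    file "dynamic/example.test.db";
    update-policy {
        // Domain controllers and the DNS server's machine account may
        // change any name, any type, in this zone (wildcard * matches
        // every name).
        grant dc1$@EXAMPLE.TEST wildcard * ANY;
        grant dc2$@EXAMPLE.TEST wildcard * ANY;
        grant dns_server$@EXAMPLE.TEST wildcard * ANY;

        // Client machine accounts (ms-self) may only touch records whose
        // owner name is the machine's own name. The deny lists several
        // types in one rule and must precede the ANY grant below it.
        deny EXAMPLE.TEST ms-self * SRV MX NS;
        grant EXAMPLE.TEST ms-self * ANY;
    };
};
```

Rob's "subdomain dnsname." form is the tighter choice when a single principal should only be trusted for one subtree rather than for every name in the zone; swapping it in for a wildcard * grant above narrows that principal without touching the ms-self rules.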



More information about the bind-users mailing list