tkey-gssapi-credential

Nicholas F Miller Nicholas.Miller at Colorado.EDU
Fri Sep 17 19:18:42 UTC 2010


Thanks, that will save me a bunch of time. Of course I spent my morning testing it out to no avail.

Does anyone have instructions on how to set up a Linux bind server to use GSS-TSIG against an AD? I have found many articles from people having issues with it but none that had good instructions on how to get it working. Last year we played around with it but were having issues getting it to work. kinit would work against the AD on our RHEL bind server, but our clients couldn't update their records.
_________________________________________________________
Nicholas Miller, ITS, University of Colorado at Boulder



On Sep 17, 2010, at 12:54 PM, Rob Austein wrote:

> At Fri, 17 Sep 2010 09:17:09 -0600, Nicholas F Miller wrote:
>> 
>> I was wondering if it is possible to use the tkey-gssapi-credential
>> and update-policy on a Windows install of bind. It strikes me that
>> running bind on a Windows server, snapped into the AD it will serve
>> DNS to, should be the easiest way of getting DDNS with update-policy
>> control working.
> 
> It would be, except for one small problem: the Windows native Kerberos
> doesn't support GSS-API (or didn't, when last I checked), instead it
> supports some similar-but-different Microsoft proprietary API whose
> name has temporarily escaped my memory.  So either we would have to
> hack Windows-specific code here to use Microsoft's API, or we would
> have to get a Unix-style Kerberos library working on Windows.
> 
> We spent an insane amount of time banging our head against the latter
> approach, but never got it to work, for reasons that never made a lot
> of sense (eg, linking against precompiled MIT Kerberos binaries
> resulted in binaries that worked fine for everything but GSS-TSIG but
> failed silently for that, attempting to build MIT Kerberos for Windows
> from source resulted in Kerberos code that couldn't even kinit, and
> nobody on the MIT Kerberos project could tell us why).  We eventually
> gave up, because we had deadlines to meet and this configuration
> (BIND9 running GSS-TSIG on Windows) wasn't on our critical feature
> list.
> 
>> Am I nuts? Should I just install it on a Linux box and be done?
> 
> Yes, unless you (or some other brave soul) have the time and energy to
> get this working on Windows, in which case please tell us what you did
> (and I will stand you a beer if we ever meet...).
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
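For readers arriving at this thread with the same question, the following named.conf fragment is an added illustration of the two directives discussed (tkey-gssapi-credential and update-policy) on a Linux BIND server joined to an AD realm; it is not configuration from either poster. The realm EXAMPLE.COM, the server name ns1.example.com and the zone name are placeholders, and it assumes the server's DNS/ns1.example.com service principal has been exported into the default keytab (/etc/krb5.keytab) that named can read.

```conf
options {
    // Kerberos principal named uses to accept GSS-TSIG key negotiation.
    // The key for this principal must exist in the default system keytab.
    tkey-gssapi-credential "DNS/ns1.example.com@EXAMPLE.COM";
    tkey-domain "EXAMPLE.COM";
};

zone "example.com" {
    type master;
    file "example.com.db";
    // Least-privilege update policy: each authenticated AD principal may
    // only touch the record that matches its own name, and only A/AAAA.
    update-policy {
        // Windows machine accounts authenticate as MACHINE$@EXAMPLE.COM
        grant EXAMPLE.COM ms-self . A AAAA;
        // Unix hosts authenticate as host/fqdn@EXAMPLE.COM
        grant EXAMPLE.COM krb5-self . A AAAA;
    };
};
```

With this policy in place, a client whose kinit succeeds but whose update is refused can be diagnosed from the named log: a TKEY/GSS failure points at the keytab or principal name, while a "denied" update with a successful TKEY points at the grant rules not matching the client's principal.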

