Rob Austein sra at
Sat Sep 18 05:08:42 UTC 2010

At Fri, 17 Sep 2010 13:18:42 -0600, Nicholas F Miller wrote:
> Does anyone have instructions on how to setup a Linux bind server to
> use GSS-TSIG against an AD? I have found many articles from people
> having issues with it but none that had good instructions on how to
> get it working. Last year we played around with it but were having
> issues getting it to work. kinit would work against the AD on our
> RHEL bind server but our clients couldn't update their records.

Beyond what's already been posted here?  Not really.  I can perhaps
tell you two things that might be useful.

1) The code really does work, honest.  I have personally seen it work
   (in the lab -- my last stint as an operator supporting anything on
   Windows predated AD) with Windows 2000, Windows 2003 Server, and
   Windows XP.  I have not (yet) personally tested it with anything
   more recent than that, but unless Microsoft has done something
   weird (nah) it still should.

2) If you run into problems, the best debugging tools I can recommend

   a) Running named with full debugging ("named -g" and capture the
      stderr output somewhere, or do the equivalent with logging
      options in named.conf); and

   b) A good packet sniffer watching both DNS and Kerberos traffic.

   For (b) I recommend Wireshark (or tshark, same difference).  You
   can use some other tool (eg, tcpdump) to capture the dump, but
   understanding what happened requires an analyzer that do deep
   insepction of both DNS and Kerberos.  Make sure you capture full
   packets for both Kerberos and DNS, ie, UDP ports 88 and 53 as well
   as TCP port 53 (Yes, Windows uses all three).

More information about the bind-users mailing list