GSS-TSIG one keytab per realm - is it possible?

Juergen Dietl isclists01 at googlemail.com
Tue Apr 19 07:05:55 UTC 2011


Hello,

As far as I know, I can only put one "tkey-gssapi-credential" in
named.conf. Now, in BIND 9.8, there is something new:

* Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be
  allowed for any key matching a Kerberos principal in the specified
  keytab file. "tkey-gssapi-credential" is no longer required and is
  expected to be deprecated.

* It is no longer necessary to have a valid /etc/krb5.conf file. Using the
  syntax DNS/hostname@REALM in nsupdate is sufficient to correctly set the
  default realm.

My question:

I have 3 realms: FUN.TEST, WORK.TEST, SCHOOL.TEST. I have 1 service user in
each AD domain, called:

DNS/user1.fun.test@FUN.TEST
DNS/user2.work.test@WORK.TEST
DNS/user3.school.test@SCHOOL.TEST

Is it possible to put 3 keys in the keytab and tell BIND in the policies
that one key belongs to FUN.TEST, one to WORK.TEST, and one to SCHOOL.TEST,
so that the PC that has the key for realm FUN.TEST can only do dynamic
updates in FUN.TEST, the one that knows the key for WORK.TEST can only do
dynamic updates in WORK.TEST, and so on?

Or is it only possible to use more keytabs, and as long as any of them fits,
a client can update all realm zones?

Thanx a lot for your help,
cheers,
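The per-realm arrangement the question describes, written out as a named.conf fragment. This is an added example, not configuration from the original post or from ISC: it assumes BIND 9.8 or later, a single keytab at an assumed path holding the three DNS/ service principals named above, and the documented semantics of the "krb5-self" and "krb5-subdomain" update-policy rule types, whose identity field is the Kerberos realm the updating client authenticated to (the name field of krb5-self is a placeholder "."). Zone file names are placeholders.

```conf
# Added example (not from the original post). Assumes BIND 9.8+.
options {
    directory "/var/named";
    # One keytab containing all three service principals:
    #   DNS/user1.fun.test@FUN.TEST
    #   DNS/user2.work.test@WORK.TEST
    #   DNS/user3.school.test@SCHOOL.TEST
    # (path is an assumed placeholder)
    tkey-gssapi-keytab "/etc/named.keytab";
};

# The keytab only decides which GSS-TSIG negotiations succeed.
# Which realm may touch which zone is decided per zone by update-policy:
# the first field of each grant is the client's Kerberos realm.
zone "fun.test" {
    type master;
    file "fun.test.zone";           # placeholder
    update-policy {
        # host/machine@FUN.TEST may update only its own A/AAAA records
        grant FUN.TEST krb5-self . A AAAA;
        # any FUN.TEST principal may update names under fun.test
        grant FUN.TEST krb5-subdomain fun.test. ANY;
    };
};

zone "work.test" {
    type master;
    file "work.test.zone";          # placeholder
    update-policy {
        grant WORK.TEST krb5-self . A AAAA;
        grant WORK.TEST krb5-subdomain work.test. ANY;
    };
};

zone "school.test" {
    type master;
    file "school.test.zone";        # placeholder
    update-policy {
        grant SCHOOL.TEST krb5-self . A AAAA;
        grant SCHOOL.TEST krb5-subdomain school.test. ANY;
    };
};
```

Because no grant in "fun.test" names WORK.TEST or SCHOOL.TEST, a client that authenticated in those realms is refused there even though its TKEY negotiation against the shared keytab succeeded. The krb5-subdomain lines are the broad form; drop them and keep only krb5-self if each machine should be limited to its own name, and check the result with an nsupdate attempt from a client of the wrong realm, which should be answered with REFUSED.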