<p class="MsoNormal"><span lang="EN-GB">Hello,</span></p>

<p class="MsoNormal"><span lang="EN-GB">I am trying
to allow the DNS client to do dynamic updates at the DNS server using BIND. I
want to use Kerberos as the security protocol. For that I have a small test lab
with a client, 3 Kerberos servers and one SUSE Linux DNS server. The 3 Kerberos servers
are emulated using VMware.</span></p>

<p class="MsoNormal"><span lang="EN-GB">The
Kerberos client gets the TGT from the Kerberos server. As I understand it, it
should use this TGT for requesting further services via an AP-Request.</span></p>

<p class="MsoNormal">Cached TGT:</p>

<pre>
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: xxxgsstsig
DomainName: TEST.LOC
TargetDomainName: TEST.LOC
AltTargetDomainName: TEST.LOC
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 1:00:00
StartTime: 12/6/2010 4:18:37
EndTime: 12/6/2010 14:18:37
RenewUntil: 12/10/2010 17:18:37
TimeSkew: 1/1/1601 1:00:00
</pre>

<p class="MsoNormal"><span lang="EN-GB">I have read
that there is a special mode called User-to-User mode. This mode enables the
client to ask for a service directly without asking for a TGT before. I found out that my client uses this special
user-to-user mode. I don't know why.</span></p>

<pre>
GSS-API Generic Security Service Application Program Interface
    OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
    Simple Protected Negotiation
        negTokenInit
            mechTypes: 3 items
                MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                MechType: 1.2.840.113554.1.2.2.3 (KRB5 - Kerberos 5 - <b>User to User</b>) &lt;---------
            mechToken: 6082047d06092a864886f71201020201006e82046c308204...
            krb5_blob: 6082047d06092a864886f71201020201006e82046c308204...
                KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                krb5_tok_id: KRB5_AP_REQ (0x0001)
                Kerberos AP-REQ
                    Pvno: 5
                    MSG Type: AP-REQ (14)
                    Padding: 0
                    APOptions: 20000000 (Mutual required)
                        0... .... .... .... .... .... .... .... = reserved: RESERVED bit off
                        .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                        ..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL authentication is REQUIRED
                    Ticket
                        Tkt-vno: 5
                        Realm: TEST.LOC
                        Server Name (Service and Instance): DNS/scdns14p.test.loc
                            Name-type: Service and Instance (2)
                            Name: DNS
                            Name: scdns14p.test.loc
                        enc-part des-cbc-md5
                            Encryption type: des-cbc-md5 (3)
                            Kvno: 3
                            enc-part: bfd012cc83e2e0050400b56aa8dd50a2404896871830e9f0...
                    Authenticator des-cbc-md5
                        Encryption type: des-cbc-md5 (3)
                        Authenticator data: 249c7a63fd5d9c84137f9dbdfa78eeee10e04fe0d6a5b0cd...
</pre>

<p class="MsoNormal"><span lang="EN-GB">Is this
wanted behavior?</span></p>

<p class="MsoNormal"><span lang="EN-GB">The client
has an entry in the AD with DNS/test.loc@TEST.LOC.
The client, DNS server and Kerberos server all have a copy of the krb5.keytab. If
I do a kinit -k -t c:\krb5.keytab DNS/test.loc@TEST.LOC then all seems to be OK. I get this message from the DNS server: 03-Dec-2010 10:42:00.451 general: debug 3: gss
cred: "DNS/test.loc@TEST.LOC", GSS_C_ACCEPT, 4294962027. But when the
client does it on its own I get this message from the DNS server: 03-Dec-2010 10:42:00.451 general: debug 3:
failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS
failure. Minor code may provide more
information, Minor = Wrong principal in request.</span></p>

<p class="MsoNormal"><span lang="EN-GB">I have
installed BIND 9.7.2 (so the newest) and all PCs are running NTP for time
synchronisation.</span></p>

<p class="MsoNormal"><span lang="EN-GB">Any help
would be greatly appreciated.</span></p>

<p class="MsoNormal"><span lang="EN-GB">Cheers,</span></p>

<p class="MsoNormal"><span lang="EN-GB">Juergen</span></p>
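<p class="MsoNormal">As an added example (not part of Juergen's message and not BIND or Wireshark code), the following Python decodes the GSS-API InitialContextToken wrapper of the krb5_blob prefix quoted in the capture above: it reads the mechanism OID and the TOK_ID, which shows whether the token the client actually sent is plain KRB5 or User-to-User, independently of what the SPNEGO mechTypes list merely offers. The function and constant names are my own; the sample bytes are the prefix shown in the capture.</p>

```python
# Mechanism OIDs as listed under mechTypes in the capture above.
MECH_NAMES = {"1.2.840.113554.1.2.2": "KRB5",
              "1.2.840.48018.1.2.2": "MS KRB5",
              "1.2.840.113554.1.2.2.3": "KRB5 User-to-User"}
# RFC 4121 TOK_ID values, read little-endian to match Wireshark's display.
TOK_IDS = {0x0001: "KRB5_AP_REQ", 0x0002: "KRB5_AP_REP", 0x0003: "KRB5_ERROR"}

def decode_oid(raw: bytes) -> str:
    """Decode DER OID content octets (base-128 arcs) to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_length(buf: bytes, pos: int):
    """Read a DER length at buf[pos]; return (length, position after it)."""
    head = buf[pos]
    if head < 0x80:
        return head, pos + 1
    n = head & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_gss_token(hexdata: str) -> dict:
    """Parse the RFC 2743 InitialContextToken header: tag 0x60, mech OID, TOK_ID."""
    buf = bytes.fromhex(hexdata)
    if buf[0] != 0x60:
        raise ValueError("not an InitialContextToken (expected tag 0x60)")
    total, pos = read_length(buf, 1)
    if buf[pos] != 0x06:
        raise ValueError("expected OID tag 0x06 after the token header")
    oid_len, pos = read_length(buf, pos + 1)
    oid = decode_oid(buf[pos:pos + oid_len])
    pos += oid_len
    tok_id = int.from_bytes(buf[pos:pos + 2], "little")
    return {"mech_oid": oid, "mech": MECH_NAMES.get(oid, "unknown"),
            "tok_id": TOK_IDS.get(tok_id, f"0x{tok_id:04x}"),
            "declared_len": total, "inner_tag": buf[pos + 2]}  # 0x6e = AP-REQ

def u2u_check(mech_types: list, krb5_blob_hex: str) -> dict:
    """Compare what SPNEGO offered with what the optimistic token really uses."""
    tok = parse_gss_token(krb5_blob_hex)
    return {"u2u_offered": "1.2.840.113554.1.2.2.3" in mech_types,
            "u2u_used": tok["mech"] == "KRB5 User-to-User",
            "sent": f'{tok["mech"]} {tok["tok_id"]}'}

# Constructed sample: the leading bytes of the krb5_blob and the mechTypes quoted above.
SAMPLE_BLOB = "6082047d06092a864886f71201020201006e82046c308204"
SAMPLE_MECHS = ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.2.840.113554.1.2.2.3"]
```

<p class="MsoNormal">Run against the capture's prefix, u2u_check reports that User-to-User was offered in mechTypes but the token actually sent is a plain KRB5 AP-REQ for DNS/scdns14p.test.loc, so the "Wrong principal in request" error is worth checking against the principal in the server's keytab rather than against the negotiation list.</p>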
