Hello Serjiu,<br>many thanx for your hint. This I was asking me too for some time. Because the TGT is for the client name (principal) that is logged in at the moment and the service should be always for the same principal name on any client. So yes I will need to define 2 principals. <br>
<br>You wrote:<br>You still need to configure update-policy to allow your client to update
DNS, but that is another issue.<br><br>Do you mean the policy in the active directory? Btw. did you try to do it your own and succeeded?<br><br><br>thanx a lot,<br>cheers,<br>Juergen<br><br><br><div class="gmail_quote">
2010/12/6 Sergiu Bivol <span dir="ltr"><<a href="mailto:sbivol@bluecatnetworks.com">sbivol@bluecatnetworks.com</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">> The client has an entry in the AD with DNS/test.loc@TEST.LOC. The Client,<br>
> DNS-Server, Kerberos-Server all have a copy of the krb5.keytab. If I do a<br>
> kinit -k -t c:\krb5.keytab DNS/test.loc@TEST.LOC then all seem to be ok. I<br>
> get this message from the DNSserver: 03-Dec-2010 10:42:00.451 general: debug<br>
> 3: gss cred: "DNS/test.loc@TEST.LOC", GSS_C_ACCEPT, 4294962027. But when the<br>
> client do it from its own I get this message from the DNS-Server:<br>
> 03-Dec-2010 10:42:00.451 general: debug 3: failed gss_accept_sec_context:<br>
> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more<br>
> information, Minor = Wrong principal in request.<br>
<br>
</div>Normally you need 2 kerberos principals, one for the DNS Server, one for the client.<br>
<br>
If kinit above works on the DNS Server box, and you can see these messages at startup BIND is configured correctly.<br>
27-Sep-2010 18:26:47.860 acquiring credentials for DNS/test.loc<br>
27-Sep-2010 18:26:47.860 gss cred: "DNS/test.loc@TEST.LOC", GSS_C_ACCEPT, 4294967295<br>
<br>
You still need to configure update-policy to allow your client to update DNS, but that is another issue.<br>
<br>
A GSS-TSIG-enabled DNS client would request TGT (as a different Kerberos user/principal), then TGS to use the DNS Service identified by the DNS/test.loc@TEST.LOG service principal. With this it should be able to update the DNS server, as long as DNS Server validates the client's ticket and the policy allows the update.<br>
<br>
I hope your understanding is the same, it just wasn't clear from your message.<br>
<br>
Regards<br>
Sergiu<br>
<br>
_______________________________________________<br>
bind-users mailing list<br>
<div><div></div><div class="h5"><a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</div></div></blockquote></div><br>