Hello Sergiu,<br>I tried to put in 2 credential Entries in the named.conf:<br><br>tkey-gssapi-credential "DNS/test.loc"; (that was in before)<br>tkey-gssapi-credential "USER/test.loc", (new entry)<br>tkey-domain "TEST.LOC";<br>
<br>The system didnt like the second entry for the user. So how can I put in 2 credentials, or maybe where to put them?<br><br>Another problem with 2 Principal name is that the User Principal is of course different on any pc.<br>
<br>Thanx a lot for your help,<br>cheers,<br><br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Sergiu Bivol</b> <span dir="ltr"><<a href="mailto:sbivol@bluecatnetworks.com">sbivol@bluecatnetworks.com</a>></span><br>
Date: 2010/12/6<br>Subject: Re: Problems with Bind-Kerberos-Windows-Linux<br>To: "<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>" <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>><br>
<br><br><div class="im">> The client has an entry in the AD with DNS/test.loc@TEST.LOC. The Client,<br>
> DNS-Server, Kerberos-Server all have a copy of the krb5.keytab. If I do a<br>
> kinit -k -t c:\krb5.keytab DNS/test.loc@TEST.LOC then all seem to be ok. I<br>
> get this message from the DNSserver: 03-Dec-2010 10:42:00.451 general: debug<br>
> 3: gss cred: "DNS/test.loc@TEST.LOC", GSS_C_ACCEPT, 4294962027. But when the<br>
> client do it from its own I get this message from the DNS-Server:<br>
> 03-Dec-2010 10:42:00.451 general: debug 3: failed gss_accept_sec_context:<br>
> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more<br>
> information, Minor = Wrong principal in request.<br>
<br>
</div>Normally you need 2 kerberos principals, one for the DNS Server, one for the client.<br>
<br>
If kinit above works on the DNS Server box, and you can see these messages at startup BIND is configured correctly.<br>
27-Sep-2010 18:26:47.860 acquiring credentials for DNS/test.loc<br>
27-Sep-2010 18:26:47.860 gss cred: "DNS/test.loc@TEST.LOC", GSS_C_ACCEPT, 4294967295<br>
<br>
You still need to configure update-policy to allow your client to update DNS, but that is another issue.<br>
<br>
A GSS-TSIG-enabled DNS client would request TGT (as a different Kerberos user/principal), then TGS to use the DNS Service identified by the DNS/test.loc@TEST.LOG service principal. With this it should be able to update the DNS server, as long as DNS Server validates the client's ticket and the policy allows the update.<br>
<br>
I hope your understanding is the same, it just wasn't clear from your message.<br>
<br>
Regards<br>
Sergiu<br>
<br>
_______________________________________________<br>
bind-users mailing list<br>
<div><div></div><div class="h5"><a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</div></div></div><br>