GSS-TSIG and MS 2003 server
Adam Tkac
atkac at redhat.com
Fri Oct 12 11:00:13 UTC 2007
On Thu, Oct 11, 2007 at 02:10:08PM -0400, Rob Austein wrote:
> At Thu, 11 Oct 2007 19:51:26 +0200, Adam Tkac wrote:
> >
> > does anybody know if it is possible to do a GSS-TSIG DDNS update with
> > nsupdate to an MS 2003 server? I always get REFUSED from the MS server. Or
> > does this functionality still not work :(
>
> Hmm, we were focused primarily on MS clients being able to update
> named using DDNS with GSS-TSIG, and we had that working in our lab.
> We also had nsupdate being able to update named using GSS-TSIG (BIND
> client talking to BIND server). I no longer recall whether we tested
> nsupdate talking to MS server.
Yes, you're right. I haven't tested MS client -> BIND update but nsupdate and BIND work as expected.
> My guess, and it's just a guess based on the other tests, is that the
> GSS-TSIG code itself works, and this is really an authorization
> problem off in Microsoft-land. nsupdate is just a DDNS client with
> GSS-TSIG support, it's not an Active Directory client, doesn't speak
> LDAP, etc.
>
Maybe. I also did some tests. I've found that the net utility from the samba source is able to do a DDNS update (but only add an A record) to an AD server. I've modified nsupdate to send the same query as the net utility and I still get a REFUSED response from the MS server. But when I enabled nonsecure updates on the MS server I was able to add/delete RRs. It looks like GSS authentication isn't sufficient and some LDAP negotiation has to be done before. Would it be interesting for ISC to make nsupdate a workable AD client? I don't know of any UN*X AD client with DNS related functionality like nsupdate will have (if one exists, please point me to it :) ). I'm sure it is possible to base proposed patches on samba's source.
Adam
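The thread turns on telling a GSS-TSIG negotiation failure apart from the REFUSED that Adam sees, which means the server accepted the signed request but did not authorize it for that zone. The following shell script is an added example, not code from the thread, from ISC or from samba: it builds the nsupdate batch for a GSS-TSIG (`-g`) secured A-record add using nsupdate's `server`, `zone` and `realm` commands, runs it when nsupdate is installed, and maps nsupdate's stderr to a diagnosis. The server, zone, realm and host names are constructed placeholders, and the substrings matched by the classifier (beyond the `update failed: REFUSED` line quoted in the thread) are assumptions about nsupdate's usual messages. Switching the MS server to nonsecure updates, as the thread reports, makes the update succeed only because it removes the authentication requirement for the zone entirely; the fix a defender wants is the authorization side, not that switch.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed/placeholder names: the
# server, zone, realm and host passed as arguments are constructed.

# Emit the nsupdate batch for a GSS-TSIG secured A-record add.
# 'realm' selects the Kerberos realm used for the TKEY negotiation.
gss_update_batch() {
    server="$1"; zone="$2"; realm="$3"; name="$4"; addr="$5"
    printf 'server %s\nzone %s\nrealm %s\nupdate add %s 300 A %s\nsend\n' \
        "$server" "$zone" "$realm" "$name" "$addr"
}

# Map nsupdate's stderr to a short diagnosis.
# - "update failed: REFUSED" (the reply reported in the thread): the
#   request was accepted and verified, but the zone policy/ACL did not
#   authorize this principal, so look at the server's update policy.
# - NOTAUTH / TSIG / TKEY messages: the signing or GSS negotiation itself
#   failed, so look at Kerberos credentials and clock skew first.
# The non-REFUSED substrings are assumptions about nsupdate's messages.
classify_nsupdate_result() {
    out="$1"
    case "$out" in
        *"update failed: REFUSED"*)
            echo "refused: authenticated but not authorized (check zone update policy / ACL)";;
        *"update failed: NOTAUTH"*)
            echo "notauth: TSIG verification failed or server is not authoritative for the zone";;
        *"TSIG error"*|*TKEY*)
            echo "gss: TKEY/TSIG negotiation failed (Kerberos ticket, principal, clock)";;
        "")
            echo "ok: update accepted";;
        *)
            echo "other: $out";;
    esac
}

# Feed the batch to 'nsupdate -g' (GSS-TSIG) and classify its stderr.
# Returns 2 when nsupdate is not installed so the caller can tell that
# apart from a real DNS result.
run_gss_update() {
    batch=$(gss_update_batch "$@")
    if ! command -v nsupdate >/dev/null 2>&1; then
        echo "nsupdate not installed"
        return 2
    fi
    err=$(printf '%s\n' "$batch" | nsupdate -g 2>&1 >/dev/null)
    classify_nsupdate_result "$err"
}

# Usage (placeholder values):
# kinit someuser@EXAMPLE.TEST
# run_gss_update dc1.example.test example.test EXAMPLE.TEST host1.example.test 192.0.2.10
```

Run `kinit` for the principal first; nsupdate -g takes its credentials from the Kerberos ticket cache. A "refused" classification with a valid ticket is the situation described in the thread and points at authorization on the server rather than at the GSS-TSIG code.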