To BIND-USERS:
I'm not sure if I got GSS-TSIG working correctly 'yet'... however it will work
if I use "allow-update { any; };" and the logs show "28-Aug-2009 21:20:46.813
security: debug 3: client 172.17.1.2#62729: request has valid signature".
The difference...
THIS WORKS FOR ME:

    tkey-gssapi-credential "DNS/bindserver.adsauth.net";
    tkey-domain "ADSAUTH.NET";
    ...
    zone "gss.org" {
        type master;
        file "master/gss.org";
        allow-update { any; };
    };

THIS DOES NOT WORK:

    tkey-gssapi-credential "DNS/bindserver.adsauth.net";
    tkey-domain "ADSAUTH.NET";
    ...
    zone "gss.org" {
        type master;
        file "master/gss.org";
        update-policy { grant ADSAUTH.NET. subdomain gss.org. ANY; };
    };

----
The UNIX (FreeBSD 7.0) client was able to acquire its own ticket and the
service ticket from a Windows 2003 Active Directory Domain Controller, the same
principal listed in the keytab file (krb5.keytab) which is used by the BIND9
server (BIND 9.6.1-P1).
The "ADSAUTH.NET" is the Active Directory domain, while "gss.org" is just
another domain which I wish to be updated if you have a valid GSS-TSIG key from
adsauth.net. I hope that's feasible? The ADSAUTH.NET is on a Windows DNS
server, while in the target BIND9 there's a forwarder adsauth.net zone.
I haven't tried Windows (member of the AD domain) yet.
My best guess is there's something wrong with my update-policy config and not
the GSS-TSIG setup. Here's a log of a client being REFUSED to update:
    nsupdate -g
    >update add node.gss.org. 300 IN A 192.168.1.1
    >send

    28-Aug-2009 21:20:46.813 security: debug 3: client 172.17.1.2#62729: request has valid signature
    28-Aug-2009 21:20:46.813 security: debug 3: client 172.17.1.2#62729: recursion available
    28-Aug-2009 21:20:46.813 client: debug 3: client 172.17.1.2#62729: update
    28-Aug-2009 21:20:46.813 client: debug 3: client 172.17.1.2#55924: next
    28-Aug-2009 21:20:46.813 security: debug 3: client 172.17.1.2#55924: request failed: end of file
    28-Aug-2009 21:20:46.813 client: debug 3: client 172.17.1.2#55924: endrequest
    28-Aug-2009 21:20:46.813 client: debug 3: client 172.17.1.2#55924: closetcp
    28-Aug-2009 21:20:46.813 client: debug 3: client @0x801d33800: accept
    28-Aug-2009 21:20:46.813 client: debug 3: client @0x802262000: accept
    28-Aug-2009 21:20:46.813 update: info: client 172.17.1.2#62729: updating zone 'gss.org/IN': update failed: rejected by secure update (REFUSED)

While if I use allow-update { any; }; and restart BIND:
    nsupdate -g
    >update add node.gss.org. 300 IN A 192.168.1.1
    >send

    28-Aug-2009 21:23:12.145 security: debug 3: client 172.17.1.2#50684: request has valid signature
    28-Aug-2009 21:23:12.145 security: debug 3: client 172.17.1.2#50684: recursion available
    28-Aug-2009 21:23:12.145 client: debug 3: client 172.17.1.2#50684: update
    28-Aug-2009 21:23:12.145 client: debug 3: client @0x801d33800: accept
    28-Aug-2009 21:23:12.145 update-security: info: client 172.17.1.2#50684: signer "[email protected]" approved
    28-Aug-2009 21:23:12.145 update-security: debug 3: client 172.17.1.2#50684: update 'gss.org/IN' approved
    28-Aug-2009 21:23:12.145 update: info: client 172.17.1.2#50684: updating zone 'gss.org/IN': adding an RR at 'node.gss.org' A
    28-Aug-2009 21:23:12.146 general: debug 3: writing to journal

Also, on a side note: if I use allow-update { any; }; on the zone
and change the tkey-domain to:

    tkey-domain "BLAHBLAH.NET";

the update WILL STILL WORK.
I would like to know if there's an update-policy statement that allows updates
on any part of the domain with ANY RR type for as long as it's a valid GSS-TSIG
key based on tkey-domain.
Any tips on where to look? I've read the ARM.
Thanks!
_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
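As an added example (not from the original post, and not ISC code), the triage a defender would script over named log lines like the ones above: it correlates the security, update-security and update categories per client addr#port, so that a "request has valid signature" followed by "rejected by secure update (REFUSED)" is reported as an authorization (update-policy) problem rather than a GSS-TSIG authentication problem. The log format and message strings come from the post; the "request has invalid signature" line and the signer placeholder in the sample are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the first seven lines are copied from the post (wrapped lines
# rejoined, signer replaced by a placeholder); the last is made up to show a bad signature.
SAMPLE_LOG = """\
28-Aug-2009 21:20:46.813 security: debug 3: client 172.17.1.2#62729: request has valid signature
28-Aug-2009 21:20:46.813 client: debug 3: client 172.17.1.2#62729: update
28-Aug-2009 21:20:46.813 update: info: client 172.17.1.2#62729: updating zone 'gss.org/IN': update failed: rejected by secure update (REFUSED)
28-Aug-2009 21:23:12.145 security: debug 3: client 172.17.1.2#50684: request has valid signature
28-Aug-2009 21:23:12.145 client: debug 3: client @0x801d33800: accept
28-Aug-2009 21:23:12.145 update-security: info: client 172.17.1.2#50684: signer "SIGNER-PLACEHOLDER" approved
28-Aug-2009 21:23:12.145 update: info: client 172.17.1.2#50684: updating zone 'gss.org/IN': adding an RR at 'node.gss.org' A
28-Aug-2009 21:25:00.000 security: debug 3: client 172.17.1.2#40000: request has invalid signature: CONSTRUCTED-REASON
"""
# named log line: "<date> <time> <category>: <level>[ <n>]: client <id>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<cat>[\w-]+): (?P<level>\w+)(?: \d+)?: client (?P<client>\S+): (?P<msg>.*)$"
)

def triage(log_text):
    """Return {client: verdict}, separating the authentication step (GSS-TSIG
    signature check) from the authorization step (update-policy/allow-update)."""
    flags = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["client"].startswith("@"):  # "@0x..." ids carry no address
            continue
        msg, f = m["msg"], flags[m["client"]]
        if msg == "request has valid signature":
            f.add("sig_ok")
        elif msg.startswith("request has invalid signature"):
            f.add("sig_bad")
        elif m["cat"] == "update-security" and msg.endswith("approved"):
            f.add("authz_ok")
        elif "rejected by secure update" in msg:
            f.add("authz_denied")
        elif msg.startswith("updating zone") and (" adding " in msg or " deleting " in msg):
            f.add("applied")
    return {client: verdict(f) for client, f in flags.items()}

def verdict(f):
    if "sig_bad" in f:
        return "AUTHN_FAILED"  # TSIG/GSS layer: keytab, principal, tkey-domain
    if "sig_ok" in f and "authz_denied" in f:
        return "AUTHZ_DENIED"  # signature fine; update-policy did not match the signer
    if "authz_ok" in f and "applied" in f:
        return "APPLIED"
    return "INCOMPLETE"
```

Run `triage(SAMPLE_LOG)` to get one verdict per client port; in the post's first run this yields AUTHZ_DENIED for 172.17.1.2#62729, which matches the author's own diagnosis.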