Yeah, it seems that people got it working when the functionality came out, but subsequently I haven't seen it working for anyone in a production environment.

_________________________________________________________
Nicholas Miller, ITS, University of Colorado at Boulder
On Sep 30, 2010, at 3:24 PM, Dave Knight wrote:

>
> On 2010-09-30, at 11:24 AM, Nicholas F Miller wrote:
>
>> Does anyone actually have GSS-TSIG working with an Active Directory? I see
>> plenty of posts from people trying to get it to work. I have yet to see
>> anyone who claims to actually have it working. Did MS change something in
>> 2008r2 since GSS-TSIG was implemented in BIND to make it inoperable?
>
> Right after GSS-TSIG appeared I built a lab for the purpose of demonstrating
> and documenting a working setup.
>
> That lab contained a couple of W2k3 servers, XP clients and BIND servers
> running on FreeBSD. I went from bare iron to a working W2k domain using
> BIND+GSS-TSIG exclusively for name service.
>
> As I recall I did the initial population of the zone used for the W2k domain
> without security enabled, i.e.: I informed the Windows machine that the BIND
> server was to be used and configured the BIND server to allow updates from
> the Windows server on the basis of its IP address, then ran dcpromo.exe to
> create the domain, then did the necessary Kerberos bits, then locked down the
> BIND server to henceforth accept only GSS-TSIG authenticated updates.
>
> I haven't touched this stuff since though, so I have nothing to say about how
> it might work with contemporary Windows and BIND versions.
>
> dave

_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
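The two BIND states Dave describes (bootstrap on source address, then lock-down to GSS-TSIG only) as a named.conf fragment. This is an added illustration, not configuration posted in the thread or shipped by ISC; the zone name, Kerberos realm, the 192.0.2.10 address of the future domain controller, the keytab path and the specific grant lines are assumed placeholders that you would replace with your own. The two zone definitions are alternatives for the same zone, not to be loaded together.

```conf
// ---- Stage 1: bootstrap (before dcpromo.exe). Updates are trusted by source IP.
// A source address is spoofable, so this is acceptable only on an isolated lab
// segment and only until the domain and its Kerberos principals exist.
acl "bootstrap-dc" { 192.0.2.10; };          // assumed: the machine about to become the DC

zone "example.com" {
    type master;
    file "example.com.db";
    allow-update { bootstrap-dc; };          // weak: address-based, no authentication
};

// ---- Stage 2: lock-down (after dcpromo.exe and the Kerberos setup).
options {
    // Keytab holding the name server's own service principal, e.g.
    // DNS/ns1.example.com@EXAMPLE.COM, exported from the KDC. Path is assumed.
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

zone "example.com" {
    type master;
    file "example.com.db";
    // allow-update is removed; BIND does not allow it alongside update-policy,
    // so nothing falls back to the address-based rule.
    update-policy {
        // A domain member authenticating as MACHINE$@EXAMPLE.COM (ms-self) may
        // touch only the A/AAAA records of its own name, machine.example.com.
        grant EXAMPLE.COM ms-self example.com. A AAAA;
        // Domain controllers register SRV/CNAME records under these subtrees;
        // ms-subdomain lets any machine principal in the realm write there,
        // so it is deliberately limited to the AD-specific subtrees.
        grant EXAMPLE.COM ms-subdomain _msdcs.example.com. ANY;
        grant EXAMPLE.COM ms-subdomain _sites.example.com.  ANY;
        grant EXAMPLE.COM ms-subdomain _tcp.example.com.    ANY;
        grant EXAMPLE.COM ms-subdomain _udp.example.com.    ANY;
    };
};
```

After reloading with the Stage 2 configuration, verify both directions: from a domain-joined host, `nsupdate -g` with a valid ticket should succeed for that host's own record, while a plain `nsupdate` (no -g, no key) sent from 192.0.2.10 should now be answered REFUSED and logged. If the unauthenticated update still succeeds, the old allow-update rule is still in effect somewhere.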

