Hello, as far as I know I can only put one "tkey-gssapi-credential" in the named.conf. Now in BIND 9.8 there is something new:

* Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be allowed for any key matching a Kerberos principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated.
* It is no longer necessary to have a valid /etc/krb5.conf file. Using the syntax DNS/hostname@REALM in nsupdate is sufficient to correctly set the default realm.

My question: I have 3 realms: FUN.TEST, WORK.TEST, SCHOOL.TEST. I have 1 service user in each AD domain, called:

DNS/.user1.fun.t...@fun.test
DNS/user2.work.t...@work.test
DNS/user 3.school.t...@school.test

Is it possible to put 3 keys in the keytab and tell BIND in the policies that one key belongs to FUN.TEST, one to WORK.TEST, one to SCHOOL.TEST? So that the PC that has the key for realm FUN.TEST can only do dynamic updates in FUN.TEST, and the one that knows the key for WORK.TEST can only do dynamic updates in WORK.TEST, and so on.

Or is it only possible to use more keytabs, and as long as any of them fits, a client can update all realm zones?

Thanks a lot for your help, cheers,