In message <BANLkTi=f=LP2WTSEck940CvqzxL=dsi...@mail.gmail.com>, Juergen Dietl writes:
> Hello Mark,
>
> Thanks a lot for your feedback.
>
> The rule that works at the moment for only ONE client:
>
> grant WS-YBCL150939\$\@EXAMPLE.TEST subdomain example.test. ANY;
>
> Because BIND supports both, it should also work with:
>
> grant ws-ybcl150...@example.test subdomain example.test. ANY;
>
> right?
No. WS-YBCL150939\$\@EXAMPLE.TEST != ws-ybcl150...@example.test.
WS-YBCL150939\$\@EXAMPLE.TEST is what the credential is. Now, ms-self would allow it to update WS-YBCL150939.EXAMPLE.TEST, as ms-self knows how to turn WS-YBCL150939\$\@EXAMPLE.TEST into WS-YBCL150939.EXAMPLE.TEST.

> But for some reason it doesn't. When I use that form I get a refusal. I hope that
> in that form I could use the syntax:
>
> grant *@EXAMPLE.TEST subdomain example.test. ANY;

*@EXAMPLE.TEST is two DNS labels, "*@EXAMPLE" and "TEST". *.TEST would match.
krb5-* and ms-* know that the realm starts in the middle of a label and look for it there. The other methods use the DNS labels in the records. They were designed to work with TSIG and KEY records.

I suggest that you look at the documentation for "external" and use it.

> to match all clients from EXAMPLE.TEST that have a valid key from Active
> Directory.
>
> Thanks a lot,
> cheers,
>
> 2011/5/11 Mark Andrews <ma...@isc.org>
>
> > In message <BANLkTim7k4KYxYoz=awj9mwtczvxb32...@mail.gmail.com>, Juergen Dietl writes:
> > > Hello Mark,
> > >
> > > Thanks for your answer.
> > >
> > > Your first sentence maybe helps me to understand why this is the client's
> > > credential that it needs in the rule:
> > >
> > > WS-YBCL150939\$\@EXAMPLE.COM
> > >
> > > So first is the hostname, then the slash makes the $ sign just a normal
> > > letter and not a variable, for example, and the @example.com is the rest of how
> > > Windows uses this sort of identity:
> > > machinename$@EXAMPLE.COM
> >
> > You don't need the backslashes in 9.8; earlier versions still need
> > the backslashes. $ and @ are special characters in master files,
> > which is why they were escaped. We added name -> principal routines
> > in 9.8 which don't do unnecessary escapes.
> >
> > > Is it normal that I have to put the Windows identity in the named.conf
> > > and not the Kerberos identity?
> > > So WS-YBCL150939\$\@EXAMPLE.COM and NOT host/ws-ybcl150...@example.com.
> >
> > It depends on the network.
> >
> > > What is host .....? I just know the principal as a Service Principal, and there
> > > it's normally, for example: DNS/lxdns10t.prim-dns.test1.t...@example.test
> > >
> > > Thanks a lot for all your help,
> > > cheers,
> >
> > There are multiple conventions. Windows does it one way. MIT does
> > it a different way. named has code for both.
> >
> > Mark
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
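Added example, not part of Mark's reply and not BIND's own code: a small Python model of the update-policy matching described in the thread. It shows why "grant *@EXAMPLE.TEST subdomain example.test. ANY;" can never match (the identity is the two DNS labels "*@example" and "test", so it is not a wildcard at all), why "*.TEST" does match the Windows machine principal but also any other signer whose last label is TEST, and how ms-self and krb5-self find the realm in the middle of a label and derive the machine's own name from it. The policy text, the extra OTHER$@... principals and the exact (case-sensitive) realm comparison are assumptions made for the example; named's real matcher lives in lib/dns/ssu.c and may differ in detail, so check the ARM for your release.

```python
# Added example (not BIND's code): a model of the update-policy matching
# described in the thread.  Policy text and principals are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

def split_labels(name: str) -> List[str]:
    """DNS labels of NAME, lower-cased, trailing root label dropped.  Only a
    backslash escapes; '$' and '@' are ordinary label characters."""
    labels, cur, i = [], "", 0
    while i < len(name):
        if name[i] == "\\" and i + 1 < len(name):   # '\$' is just '$'
            cur, i = cur + name[i + 1], i + 2
        elif name[i] == ".":
            labels, cur, i = labels + [cur], "", i + 1
        else:
            cur, i = cur + name[i], i + 1
    labels.append(cur)
    while labels and labels[-1] == "":
        labels.pop()
    return [l.lower() for l in labels]

def is_subdomain(name: str, parent: str, proper: bool = False) -> bool:
    """True if NAME is PARENT or below it (strictly below when PROPER)."""
    n, p = split_labels(name), split_labels(parent)
    if len(n) < len(p) or (proper and len(n) == len(p)):
        return False
    return n[len(n) - len(p):] == p

def identity_matches(identity: str, signer: str) -> bool:
    """Label-based test for name/subdomain rules: a leading '*' label matches
    any signer strictly below the rest; anything else must match label for label."""
    pat = split_labels(identity)
    if pat and pat[0] == "*":
        return is_subdomain(signer, ".".join(pat[1:]), proper=True)
    return split_labels(signer) == pat

def ms_principal(principal: str) -> Optional[Tuple[str, str]]:
    """'MACHINE$@REALM' -> ('machine.realm', 'REALM'); realm found inside the label."""
    machine, at, realm = principal.partition("@")
    if not at or not realm or not machine.endswith("$") or machine.count("$") != 1:
        return None
    return (machine[:-1] + "." + realm).lower(), realm

def krb5_principal(principal: str) -> Optional[Tuple[str, str]]:
    """MIT-style 'host/machine.fqdn@REALM' -> ('machine.fqdn', 'REALM')."""
    machine, at, realm = principal.partition("@")
    if not at or not realm or not machine.startswith("host/") or len(machine) < 6:
        return None
    return machine[5:].lower(), realm

@dataclass
class Rule:
    grant: bool
    identity: str
    nametype: str
    name: str          # present in the syntax, ignored by the self-type rules
    types: List[str]

def parse_update_policy(text: str) -> List[Rule]:
    """Parse 'grant|deny identity nametype name [types...];' lines; '//' comments dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        parts = line.rstrip(";").split()
        if not line.endswith(";") or len(parts) < 4 or parts[0] not in ("grant", "deny"):
            raise ValueError("bad update-policy rule: " + raw)
        rules.append(Rule(parts[0] == "grant", parts[1], parts[2], parts[3],
                          [t.upper() for t in parts[4:]]))
    return rules

def update_allowed(rules: List[Rule], signer: str, name: str, rrtype: str = "A") -> bool:
    """First matching rule decides; no match means the update is refused."""
    for r in rules:
        if r.nametype in ("ms-self", "krb5-self"):
            # identity is the realm (compared exactly); signer may only touch its own name
            parsed = (ms_principal if r.nametype == "ms-self" else krb5_principal)(signer)
            ok = (parsed is not None and parsed[1] == r.identity
                  and split_labels(name) == split_labels(parsed[0]))
        elif not identity_matches(r.identity, signer):
            continue
        elif r.nametype == "name":
            ok = split_labels(name) == split_labels(r.name)
        elif r.nametype == "subdomain":
            ok = is_subdomain(name, r.name)
        else:
            raise ValueError("nametype not modelled here: " + r.nametype)
        if not ok or (r.types and "ANY" not in r.types and rrtype.upper() not in r.types):
            continue
        return r.grant
    return False

POLICY = """
grant WS-YBCL150939$@EXAMPLE.TEST subdomain example.test. ANY;  // works, for this one machine
grant *@EXAMPLE.TEST subdomain example.test. ANY;               // two labels, no wildcard: matches nothing
grant EXAMPLE.TEST ms-self . ANY;                               // realm members may update their own name
"""

if __name__ == "__main__":  # constructed demo run
    rules, signer = parse_update_policy(POLICY), "WS-YBCL150939$@EXAMPLE.TEST"
    for ident in ("*@EXAMPLE.TEST", "*.EXAMPLE.TEST", "*.TEST"):
        print(ident, split_labels(ident), identity_matches(ident, signer))
    print(update_allowed(rules, signer, "other.example.test"),
          update_allowed(rules, "OTHER$@EXAMPLE.TEST", "ws-ybcl150939.example.test"))
```

Under this model the ms-self line with the realm as its identity is what lets every Active Directory machine in EXAMPLE.TEST update its own record and nothing else. A label wildcard such as *.TEST in a subdomain rule is broader than that: it also matches a TSIG key or a principal from any other realm whose name ends in .TEST, which is worth keeping in mind before using it as the catch-all the question asks for.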