Using bind 9.5.0 with Active directory

2008-12-23 Thread Nico De Ranter

Hi,

I need to create a new Windows 2008 domain in a network with an existing
Bind setup.  I know I need dynamic DNS for the Windows domain. I also
know I need GSS support to get secure dynamic updates and this is
supported in Bind 9.5.0. However I can't figure out how to configure
everything properly (how do I generate the gss credentials? what if I
don't have a Kerberos server yet?).  Is there anybody who can point me
to some documentation on how to bootstrap a Windows domain installation
in a bind environment?  I'm not interested in running Bind on Windows, I
can find plenty of info about that but my binds are running just fine on
linux. The main issue is getting secure dynamic updates working.

Thanks in advance,

Nico

-- 
 With kind regards,

Nico De Ranter
Senior System Administrator

Sony Techsoft Centre
The Corporate Village · Da Vincilaan 7-D1 · B-1935 Zaventem · Belgium
 
Phone: +32 (0)2 700 8641
Fax: +32 (0)2 700 8622
E-mail: nico.deran...@eu.sony.com
Internet: www.sony-europe.com
 
Sony Technology and Software Centre Europe
A division of Sony Service Centre (Europe) N.V.
Registered office: Technologielaan 7 · B-1840 Londerzeel · Belgium
VAT BE 0413.825.160 · RPR Brussels
Fortis Bank Londerzeel 293-0376800-10 GEBA-BE-BB

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Using bind 9.5.0 with Active directory

2008-12-24 Thread Nico De Ranter

Thank you very much for your very detailed instructions. I'm going to
try it right away.

Nico


On Tue, 2008-12-23 at 17:41 -0500, Rob Austein wrote:
> Four things must be done to allow Bind 9 to support GSS-TKEY:
> 
> * kinit must work on the host which will run BIND 9. This means
>   krb5.conf must be properly configured with the realm and
>   locations of the Kerberos servers.
> * Bind 9 must be compiled with GSSAPI enabled.
> * Bind 9 must have a principal and a keytab.
> * named.conf needs to be told the name of the principal. 
> 
> options {
>     ...
>     tkey-gssapi-credential "DNS/foo.example.org";
>     ...
> };
> 
> Extracting a Kerberos keytab from Active Directory is a two-step
> process: first you create a user account in Active Directory, then you
> map it to a Kerberos principal name and extract the keytab.  Windows
> usernames don't use the same naming conventions as Kerberos principals
> (the allowed set of Windows usernames are a subset of the allowed
> Kerberos principal names, and a service principal name like
> DNS/foo.example.org is not a legal Windows username).
> 
> Go into Active Directory's new user wizard and create a new user
> account.  It's probably best to put accounts like this into a separate
> organization unit (OU) within the active directory tree.  This could
> be called unix or bind9 or anything you wish to help organize bind 9
> server credentials and users.  The username can be any syntactically
> legal thing you like, but when creating, eg, the DNS service principal
> for host foo.example.org, it's probably best to use a username like
> foo to avoid conflicts.
> 
> Select "password never expires" and "user cannot change password" in
> the next screen of the wizard, to make sure that the account's
> password can't change (which would invalidate the keytab).
> 
> The second step requires a command line tool, ktpass.  ktpass is
> supplied on the Windows installation media but is not installed by
> default.
> 
> ktpass accepts the usual /? option to display a help screen, but for
> the task at hand you'll want to do something like this:
> 
> C:\> ktpass -out foo.keytab -princ DNS/foo.example@example.org -pass * -mapuser f...@example.org
> 
> where
> 
> * foo.keytab is the filename for the new keytab
> * DNS/foo.example@example.org is the principal name
> * f...@example.org is the Active Directory user account 
> 
> If all goes well, ktpass will tell you what it's doing, prompt you for
> the password you set when creating the user account, and will write
> out the keytab, which you can then install in the usual place on the
> machine to run Bind 9.



Re: Using bind 9.5.0 with Active directory

2008-12-26 Thread Nico De Ranter

Unfortunately I can't get it to work.

When I add

  tkey-gssapi-credential "DNS/";
  tkey-domain "...";

to my named.conf file, named doesn't want to start anymore.  I get the
following message in /var/log/messages:

Dec 26 13:55:33 dns named[8546]: configuring TKEY: not implemented
Dec 26 13:55:33 dns named[8546]: loading configuration: not implemented
Dec 26 13:55:33 dns named[8546]: exiting (due to fatal error)

I compiled bind 9.6.0 using the following options:

./configure --with-openssl=yes \
   --with-randomdev=/dev/urandom \
   --prefix=/opt/bind-${BINDVER} \
   --sysconfdir=/etc/bind-${BINDVER} \
   --enable-threads \
   --with-pkcs11 \
   --with-gssapi=/usr

on a Linux system (CentOS 5.2, clean install).  The configure/make/make
install seems to run fine. I didn't see any error messages related to
gssapi (configure finds the libraries and header files without
problems). named runs fine as long as I don't use the 'tkey' options.

Any idea what might be wrong?

Thanks in advance,

Nico




Re: Using bind 9.5.0 with Active directory

2008-12-30 Thread Nico De Ranter
using
view 'internal'
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: request has valid signature
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: recursion available
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: update
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: ns_client_attach: ref = 1
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: updating zone 'test.net/IN': prerequisites are OK
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: updating zone 'test.net/IN': update failed: rejected by secure update (REFUSED)
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: updating zone 'test.net/IN': rolling back
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: send
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: sendto
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: senddone
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: next
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: ns_client_detach: ref = 0
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: endrequest
30-Dec-2008 10:51:08.373 client @0xb604b008: udprecv



On Fri, 2008-12-26 at 13:29 -0500, Rob Austein wrote:

> At Fri, 26 Dec 2008 14:28:13 +0100, Nico De Ranter wrote:
> > 
> > Dec 26 13:55:33 dns named[8546]: configuring TKEY: not implemented
> 
> The error suggests that you don't really have GSSAPI enabled
> (dst_gssapi_acquirecred() returns that error when called with GSSAPI
> support disabled).  Check your build log to make sure that -DGSSAPI
> was included on the command line when compiling lib/dns/gssapictx.c.
> If not, you've got some kind of autoconf problem or are specifying the
> wrong directory for the GSSAPI libraries, so check config.log next to
> see what happened.

Re: Using bind 9.5.0 with Active directory

2008-12-30 Thread Nico De Ranter

On second thought I think it must be:

named.conf:

options {
    [...]
    tkey-gssapi-credential "DNS/dns.test.net";
    tkey-domain "TEST.NET";
};

view "internal" {
    [...]
    zone "test.net" {
        type master;
        file "test.net.zone";
        update-policy {
            grant TEST.NET krb5-subdomain * A;
        };
    };
};


But it doesn't seem to help.

Nico




Re: Using bind 9.5.0 with Active directory

2009-01-05 Thread Nico De Ranter
I already tried ms-self and ms-subdomain. Unfortunately that doesn't
seem to make any difference.

Nico




On Tue, 2008-12-30 at 13:44 -0500, Rob Austein wrote:
> At Tue, 30 Dec 2008 16:05:10 +0100, Nico De Ranter wrote:
> > 
> >   update-policy {
> > grant TEST.NET krb5-subdomain * A;
> >   };
> 
> Microsoft invented their own naming scheme for host principals
> ("machi...@realm" instead of "host/mach...@realm").
> 
> Try "ms-subdomain" instead of "krb5-subdomain".



Re: Using bind 9.5.0 with Active directory

2009-01-09 Thread Nico De Ranter

Found some time to work on it again and it seems I did something wrong
last time, as ms-subdomain now works!

Thanks for your help!!

I did notice one strange thing when turning on trace mode of named:

Whenever an update request occurs I see a lot of messages like:

---
09-Jan-2009 17:00:56.495 tsig key '1056-ms-7.1-16d2c.a501f663-de66-11dd-2196-000c292d3ce0' (XP5$...@test.net): tsig expire: generated=1, refs=1, expire=-86377)
---

in named.run.  The number of messages seems to increase with every
request. After 2 weeks I get hundreds of these messages per update
request. Is this normal? What will happen after named has been running
for a few months? This looks like a potential DoS attack. (I'm running
9.5.0-P2)

Nico


On Tue, 2009-01-06 at 18:04 -0500, Rob Austein wrote:
> No obvious reason why it shouldn't work with ms-subdomain.
> 
> Next step is probably a protocol trace to see what's happening on the
> wire.  wireshark/tshark is pretty good for this kind of analysis.
> 
> Probably best to run named with -g while you're doing the trace and
> capture the output as well (if you're not doing that already), since
> there may be clues in the log that aren't obvious with your normal
> logging configuration.
> 
> If possible, do the trace on the same machine that's running named, so
> that timestamps in packet trace and log will match up.

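The two log excerpts in this thread (the update "rejected by secure update (REFUSED)" on 30 Dec, and the growing number of "tsig expire" lines with a negative expire value on 9 Jan) can be pulled out of named's -g or named.run output with a small parser. This is an added example, not code from the thread or from ISC; the sample lines are constructed after the ones quoted above, and the key names and the HOST1$@TEST.NET principal are placeholders.

```python
import re
from collections import Counter

# Constructed sample of named -g / named.run output, modelled on the lines
# quoted in this thread; key names and the HOST1$@TEST.NET principal are
# placeholders, not values from the original posts.
SAMPLE_LOG = """\
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: request has valid signature
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: updating zone 'test.net/IN': prerequisites are OK
30-Dec-2008 10:51:08.373 client 10.10.10.101#1054: view internal: updating zone 'test.net/IN': update failed: rejected by secure update (REFUSED)
09-Jan-2009 17:00:56.495 tsig key '1056-ms-7.1-16d2c.a501f663-de66-11dd-2196-000c292d3ce0' (HOST1$@TEST.NET): tsig expire: generated=1, refs=1, expire=-86377
09-Jan-2009 17:00:56.495 tsig key '1057-ms-7.1-16d2c.b7a1c2d3-de66-11dd-2196-000c292d3ce0' (HOST1$@TEST.NET): tsig expire: generated=1, refs=1, expire=-86300
09-Jan-2009 17:00:56.496 tsig key '1058-ms-7.1-16d2c.c9e4f5a6-de67-11dd-2196-000c292d3ce0' (HOST1$@TEST.NET): tsig expire: generated=1, refs=1, expire=3599
""".splitlines()

# A dynamic update that named rejected, with the rcode it sent back.
FAILED_UPDATE_RE = re.compile(
    r"client (?P<client>\S+): view (?P<view>\S+): "
    r"updating zone '(?P<zone>[^']+)': update failed: "
    r"(?P<reason>.+?) \((?P<rcode>[A-Z]+)\)$")

# A negotiated GSS-TSIG key being checked for expiry: expire is seconds
# remaining, so a negative value is a key already past its lifetime.
TSIG_EXPIRE_RE = re.compile(
    r"tsig key '(?P<key>[^']+)' \((?P<principal>[^)]+)\): tsig expire: "
    r"generated=\d+, refs=(?P<refs>\d+), expire=(?P<expire>-?\d+)")

def failed_updates(lines):
    """Return (client, zone, rcode) for every dynamic update named rejected."""
    hits = []
    for line in lines:
        m = FAILED_UPDATE_RE.search(line)
        if m:
            hits.append((m["client"], m["zone"], m["rcode"]))
    return hits

def expired_gss_keys(lines):
    """Count per-key 'tsig expire' lines with a negative expire, i.e. keys named still holds past their lifetime."""
    per_key = Counter()
    for line in lines:
        m = TSIG_EXPIRE_RE.search(line)
        if m and int(m["expire"]) < 0:
            per_key[m["key"]] += 1
    return per_key

def stale_key_alert(per_key, threshold):
    """True when the number of distinct stale keys exceeds threshold (the thread reports it climbing per update)."""
    return len(per_key) > threshold
```

Run `expired_gss_keys` over a fresh named.run after each update request; a distinct-key count that keeps rising between runs is the accumulation the 9 Jan post describes.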