Re: GSS-TSIG and Active Directory
Second try:

> Is there a bug in the implementation of the update-policy or do I not have a
> grasp on how it should work? If I wanted to only allow machines in an Active
> Directory the ability to update their 'A' records shouldn't I be able to use
> a statement like this:
>
> update-policy { grant ms-self * A; }
>
> For some reason the only thing that works is setting a grant ANY and then
> restricting records with a deny before the grant statement. This seems like
> overkill if all I want to allow is 'A' records. Also, it appears that you
> cannot deny '' and allow 'A'. Any time I set a deny for '' it also blocks 'A'
> records. Are these bugs or by design?
> _
> Nicholas Miller, ITS, University of Colorado at Boulder

On Oct 5, 2010, at 12:45 PM, Nicholas F Miller wrote:

> On Oct 1, 2010, at 1:27 PM, Nicholas F Miller wrote:
>
>> YES Brilliant Thanks Rob.
>>
>> I think it is working now. I have the update-policy setup as follows:
>>
>> grant d...@realm wildcard * ANY;
>> grant d...@realm wildcard * ANY;
>> grant dns_serv...@realm wildcard * ANY;
>> deny REALM ms-self * SRV;
>> grant REALM ms-self * ANY;
>>
>> If I understand things correctly I am allowing the DCs and DNS server to
>> update any record type in the domain and any subdomains. The clients are
>> allowed to update any of their own records except SRV, MX and NS. Do I even
>> need to deny NS for ms-self?
>>
>> If it is truly working correctly, I wonder why I can't deny records.
>> When I add to the deny statement it blocks A records as well. If I try A6
>> it still allows records to be set by client machines.
>> _
>> Nicholas Miller, ITS, University of Colorado at Boulder
>>
>> On Oct 1, 2010, at 12:12 PM, Rob Austein wrote:
>>
>>> If you're trying to grant update rights to a specific machine (rather
>>> than every machine in the realm), something like:
>>>
>>> grant d...@realm. subdomain dnsname.;
>>>
>>> might work better, where "d...@realm" is (eg) the Kerberos principal
>>> corresponding to your DC and "dnsname" is the tree to which you want
>>> to grant rights. The "$" is a Microsoft-ism.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
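The rule-ordering question running through this thread (a deny placed before a grant, ms-self for every machine in the realm versus a per-principal subdomain grant for a DC), as an added example that is not part of the thread and not BIND's own code: a small Python model of the documented update-policy semantics, in which rules are tried top to bottom, the first rule whose identity, name and type all match decides grant or deny, and an update matching no rule is refused. The realm AD.EXAMPLE.COM, the principals dc1$@AD.EXAMPLE.COM and PC1$@AD.EXAMPLE.COM and the three policies are assumptions made up for illustration; the model covers only the ms-self, ms-subdomain, subdomain and wildcard nametypes, treats ANY as every type, and shows what the ordering rules imply, not what the poster observed with 9.7.2-P2.

```python
"""Model of how BIND walks an update-policy: rules are tried top to bottom, the
first rule whose identity, name and type all match decides grant or deny, and
an update matching no rule is refused. Added example; every name is made up."""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Tuple

# A rule with no type list covers every type except these (documented BIND
# behaviour); a list containing ANY is treated here as every type.
IMPLICIT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}

# machine$@REALM, the Windows machine-account principal that ms-self expects
_MS_PRINCIPAL = re.compile(r"^(?P<host>[^@$/]+)\$@(?P<realm>[^@]+)$")


@dataclass(frozen=True)
class Rule:
    action: str             # "grant" or "deny"
    identity: str           # signer principal, or the REALM for ms-* nametypes
    nametype: str           # ms-self, ms-subdomain, subdomain or wildcard
    name: str               # name field ("*" as the thread writes it)
    types: Tuple[str, ...]  # () = implicit set, ("ANY",) = every type


def parse_policy(text: str) -> List[Rule]:
    """Parse 'grant|deny identity nametype name [types...];' statements."""
    rules = []
    for stmt in text.split(";"):
        tokens = stmt.split()
        if tokens:
            action, identity, nametype, name, *types = tokens
            rules.append(Rule(action.lower(), identity, nametype.lower(), name,
                              tuple(t.upper() for t in types)))
    return rules


def _fqdn(n: str) -> str:
    return n.lower().rstrip(".")


def _under(target: str, parent: str) -> bool:
    """True if target is at or below parent; '*' or '.' stand for the root."""
    t, p = _fqdn(target), _fqdn(parent)
    return p in ("", "*") or t == p or t.endswith("." + p)


def _types_match(rule: Rule, rtype: str) -> bool:
    if not rule.types:
        return rtype.upper() not in IMPLICIT_EXCLUDED
    return "ANY" in rule.types or rtype.upper() in rule.types


def _name_match(rule: Rule, signer: str, target: str) -> bool:
    if rule.nametype in ("ms-self", "ms-subdomain"):
        m = _MS_PRINCIPAL.match(signer)
        if m is None or m["realm"].lower() != rule.identity.lower():
            return False  # not a machine account of the rule's realm
        if rule.nametype == "ms-subdomain":
            return _under(target, rule.name)
        # ms-self: machine$@REALM may touch only machine.realm
        return _fqdn(m["host"] + "." + m["realm"]) == _fqdn(target)
    # subdomain / wildcard: the identity field names the signer itself
    if not fnmatch.fnmatchcase(_fqdn(signer), _fqdn(rule.identity)):
        return False
    if rule.nametype == "subdomain":
        return _under(target, rule.name)
    if rule.nametype == "wildcard":
        return fnmatch.fnmatchcase(_fqdn(target), _fqdn(rule.name))
    raise ValueError(f"nametype {rule.nametype!r} not modelled here")


def evaluate(rules: List[Rule], signer: str, target: str, rtype: str) -> str:
    """Return 'grant' or 'deny' from the first matching rule; no match = 'deny'."""
    for rule in rules:
        if _name_match(rule, signer, target) and _types_match(rule, rtype):
            return rule.action
    return "deny"


# Constructed policies in the shape of the thread's (every name is made up).
THREAD_POLICY = parse_policy("""
    grant dc1$@AD.EXAMPLE.COM subdomain ad.example.com. ANY;
    deny AD.EXAMPLE.COM ms-self * SRV;
    grant AD.EXAMPLE.COM ms-self * ANY;
""")
MISORDERED_POLICY = parse_policy("""
    grant AD.EXAMPLE.COM ms-self * ANY;
    deny AD.EXAMPLE.COM ms-self * SRV;
""")  # grant ANY first: the deny below it can never be reached
MINIMAL_POLICY = parse_policy("grant AD.EXAMPLE.COM ms-self * A;")

if __name__ == "__main__":
    ws = "PC1$@AD.EXAMPLE.COM"
    for label, pol in (("thread", THREAD_POLICY), ("misordered", MISORDERED_POLICY),
                       ("minimal", MINIMAL_POLICY)):
        for tgt, rt in (("pc1.ad.example.com", "A"), ("pc1.ad.example.com", "SRV")):
            print(f"{label:10} {tgt} {rt:3} -> {evaluate(pol, ws, tgt, rt)}")
```

Run it and the misordered policy grants the SRV update the deny was meant to block, because the grant ANY above it matches first; the minimal policy grants the workstation's A record and refuses its SRV by falling off the end of the list, while the DC's SRV records under the zone apex are reachable only through its own subdomain grant. When a live server behaves differently from this model, the useful check is a GSS-TSIG signed nsupdate (nsupdate -g, where the build supports it) against the same rule list, with the order of the deny and grant lines as the first thing to vary.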
Re: GSS-TSIG and Active Directory
Is there a bug in the implementation of the update-policy or do I not have a
grasp on how it should work? If I wanted to only allow machines in an Active
Directory the ability to update their 'A' records shouldn't I be able to use a
statement like this:

update-policy { grant ms-self * A; }

For some reason the only thing that works is setting a grant ANY and then
restricting records with a deny before the grant statement. This seems like
overkill if all I want to allow is 'A' records. Also, it appears that you
cannot deny '' and allow 'A'. Any time I set a deny for '' it also blocks 'A'
records. Are these bugs or by design?
_
Nicholas Miller, ITS, University of Colorado at Boulder

On Oct 1, 2010, at 1:27 PM, Nicholas F Miller wrote:

> YES Brilliant Thanks Rob.
>
> I think it is working now. I have the update-policy setup as follows:
>
> grant d...@realm wildcard * ANY;
> grant d...@realm wildcard * ANY;
> grant dns_serv...@realm wildcard * ANY;
> deny REALM ms-self * SRV;
> grant REALM ms-self * ANY;
>
> If I understand things correctly I am allowing the DCs and DNS server to
> update any record type in the domain and any subdomains. The clients are
> allowed to update any of their own records except SRV, MX and NS. Do I even
> need to deny NS for ms-self?
>
> If it is truly working correctly, I wonder why I can't deny records.
> When I add to the deny statement it blocks A records as well. If I try A6
> it still allows records to be set by client machines.
> _
> Nicholas Miller, ITS, University of Colorado at Boulder
>
> On Oct 1, 2010, at 12:12 PM, Rob Austein wrote:
>
>> If you're trying to grant update rights to a specific machine (rather
>> than every machine in the realm), something like:
>>
>> grant d...@realm. subdomain dnsname.;
>>
>> might work better, where "d...@realm" is (eg) the Kerberos principal
>> corresponding to your DC and "dnsname" is the tree to which you want
>> to grant rights. The "$" is a Microsoft-ism.
Re: GSS-TSIG and Active Directory
YES Brilliant Thanks Rob.

I think it is working now. I have the update-policy setup as follows:

grant d...@realm wildcard * ANY;
grant d...@realm wildcard * ANY;
grant dns_serv...@realm wildcard * ANY;
deny REALM ms-self * SRV;
grant REALM ms-self * ANY;

If I understand things correctly I am allowing the DCs and DNS server to
update any record type in the domain and any subdomains. The clients are
allowed to update any of their own records except SRV, MX and NS. Do I even
need to deny NS for ms-self?

If it is truly working correctly, I wonder why I can't deny records.
When I add to the deny statement it blocks A records as well. If I try A6
it still allows records to be set by client machines.
_
Nicholas Miller, ITS, University of Colorado at Boulder

On Oct 1, 2010, at 12:12 PM, Rob Austein wrote:

> If you're trying to grant update rights to a specific machine (rather
> than every machine in the realm), something like:
>
> grant d...@realm. subdomain dnsname.;
>
> might work better, where "d...@realm" is (eg) the Kerberos principal
> corresponding to your DC and "dnsname" is the tree to which you want
> to grant rights. The "$" is a Microsoft-ism.
Re: GSS-TSIG and Active Directory
If you're trying to grant update rights to a specific machine (rather
than every machine in the realm), something like:

grant d...@realm. subdomain dnsname.;

might work better, where "d...@realm" is (eg) the Kerberos principal
corresponding to your DC and "dnsname" is the tree to which you want
to grant rights. The "$" is a Microsoft-ism.
Re: GSS-TSIG and Active Directory
Updating to 9.7.2-P2 seems to be working. Of course it is not working exactly
like we think it should. When we have things set like this:

deny ms-self * SRV ;
grant ms-self * ANY;

Nothing will update. When we set it like this:

deny ms-self * SRV;
grant ms-self * ANY;

Things seem to work when a client reboots. When we try to add grants for the
DCs like this:

grant ms-self * ANY;
grant ms-subdomain * ANY;
deny ms-self * SRV;
grant ms-self * ANY;

The DCs cannot update their SRV records.
_
Nicholas Miller, ITS, University of Colorado at Boulder

On Oct 1, 2010, at 7:00 AM, Nicholas F Miller wrote:

> Thanks, I'll give it a try and see if things begin to work.
> _
> Nicholas Miller, ITS, University of Colorado at Boulder
>
> On Sep 30, 2010, at 10:15 AM, Tony Finch wrote:
>
>> On Thu, 30 Sep 2010, Nicholas F Miller wrote:
>>
>>> Does anyone actually have GSS-TSIG working with an Active Directory?
>>
>> There are some GSS-TSIG interop fixes in 9.7.2.
>>
>> Tony.
Re: GSS-TSIG and Active Directory
Thanks, I'll give it a try and see if things begin to work.
_
Nicholas Miller, ITS, University of Colorado at Boulder

On Sep 30, 2010, at 10:15 AM, Tony Finch wrote:

> On Thu, 30 Sep 2010, Nicholas F Miller wrote:
>
>> Does anyone actually have GSS-TSIG working with an Active Directory?
>
> There are some GSS-TSIG interop fixes in 9.7.2.
>
> Tony.
Re: GSS-TSIG and Active Directory
Yea, it seems that people got it working when the functionality came out but
subsequently I haven't seen it working for anyone in a production environment.
_
Nicholas Miller, ITS, University of Colorado at Boulder

On Sep 30, 2010, at 3:24 PM, Dave Knight wrote:

> On 2010-09-30, at 11:24 AM, Nicholas F Miller wrote:
>
>> Does anyone actually have GSS-TSIG working with an Active Directory? I see
>> plenty of posts from people trying to get it to work. I have yet to see
>> anyone who claims to actually have it working. Did MS change something in
>> 2008r2 since GSS-TSIG was implemented in bind to make it inoperable?
>
> Right after GSS-TSIG appeared I built a lab for the purpose of demonstrating
> and documenting a working setup.
>
> That lab contained a couple of W2k3 servers, XP clients and BIND servers
> running on FreeBSD. I went from bare iron to a working W2k domain using
> BIND+GSS-TSIG exclusively for name service.
>
> As I recall I did the initial population of the zone used for the W2k domain
> without security enabled, ie: I informed the Windows machine that the BIND
> server was to be used and configured the BIND server to allow updates from
> the Windows server on the basis of its IP address, then ran dcpromo.exe to
> create the domain, then did the necessary Kerberos bits, then locked down the
> BIND server to henceforth accept only GSS-TSIG authenticated updates.
>
> I haven't touched this stuff since though, so I have nothing to say about how
> it might work with contemporary Windows and BIND versions.
>
> dave
Re: GSS-TSIG and Active Directory
On 2010-09-30, at 11:24 AM, Nicholas F Miller wrote:

> Does anyone actually have GSS-TSIG working with an Active Directory? I see
> plenty of posts from people trying to get it to work. I have yet to see
> anyone who claims to actually have it working. Did MS change something in
> 2008r2 since GSS-TSIG was implemented in bind to make it inoperable?

Right after GSS-TSIG appeared I built a lab for the purpose of demonstrating
and documenting a working setup.

That lab contained a couple of W2k3 servers, XP clients and BIND servers
running on FreeBSD. I went from bare iron to a working W2k domain using
BIND+GSS-TSIG exclusively for name service.

As I recall I did the initial population of the zone used for the W2k domain
without security enabled, ie: I informed the Windows machine that the BIND
server was to be used and configured the BIND server to allow updates from
the Windows server on the basis of its IP address, then ran dcpromo.exe to
create the domain, then did the necessary Kerberos bits, then locked down the
BIND server to henceforth accept only GSS-TSIG authenticated updates.

I haven't touched this stuff since though, so I have nothing to say about how
it might work with contemporary Windows and BIND versions.

dave
Re: GSS-TSIG and Active Directory
On Thu, 30 Sep 2010, Nicholas F Miller wrote:

> Does anyone actually have GSS-TSIG working with an Active Directory?

There are some GSS-TSIG interop fixes in 9.7.2.

Tony.
--
f.anthony.n.finch  http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
ROUGH. RAIN THEN FAIR. GOOD.
GSS-TSIG and Active Directory
Does anyone actually have GSS-TSIG working with an Active Directory? I see
plenty of posts from people trying to get it to work. I have yet to see anyone
who claims to actually have it working. Did MS change something in 2008r2
since GSS-TSIG was implemented in bind to make it inoperable?
_
Nicholas Miller, ITS, University of Colorado at Boulder