GSS-TSIG update policy identity field

2011-05-11 Thread Juergen Dietl
Hello, I run GSS-TSIG on a SuSE Enterprise 11 Server using bind 9.8 latest version. I have 3 domains: example1.test example2.test example3.test I created 3 keys and merged them with ktutil. Now I want to use update policy: For this I have the following rule: update-policy { grant * subdomain

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Jan-Piet Mens
Juergen, > I use GSS-TSIG and the handbook says that in gss-tsig the content of the > identity field is the common secret which is the kerberos principal. I believe you'll have to set `tkey-gssapi-credential' and `tkey-domain` for this to work the way you want, though I do confess to not have a

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Mark Andrews
To match machines in the EXAMPLE.COM realm you would use one of these. Windows uses the following sort of identity for machines machinename$@EXAMPLE.COM grant EXAMPLE.COM ms-self * any; grant EXAMPLE.COM ms-subdomain * any; Kerberos uses the following identities for mac

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Phil Mayers
On 11/05/11 12:17, Mark Andrews wrote: {ms,krb5}-subdomain allows updates of *.machinename One note - this isn't so handy if you have a disjoint namespace, where: machinename.*.example.com ...is what you want. We are in this boat, and can't use the built in ACLs for this very reason.

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Juergen Dietl
Hello, and thanx for all your answers. I want to ask the question again in a shorter way: If I look in the log the client tells the dns-server: request has valid signature: WS-YBCL150939\$\@EXAMPLE.TEST when I now put in the rule: grant WS-YBCL150939\$\@EXAMPLE.TEST subdomain example.test. ANY

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Juergen Dietl
Hello Mark, thanx for your answer. Your first sentence maybe helps me to understand why this is the client's credential that it needs in the rule: WS-YBCL150939\$\@EXAMPLE.COM So first is the hostname then the slash makes the $-sign just to be a normal letter and not variable for example, and the

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Jan-Piet Mens
> So I look for a way that I can say that all clients from EXAMPLE.TEST are > allowed to update their own record (or whatever). Sounds like a task for update-policy external [1], but note that that requires updates to be sent via TCP and not UDP. [2] -JP [1]: https://lists.isc.org/piperm

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Mark Andrews
In message , Juergen Dietl writes: > Hello Mark, > > thanx for your answer. > > Your first sentence maybe helps me to understand why this is the client's > credential that it needs in the rule: > > WS-YBCL150939\$\@EXAMPLE.COM > > So first is the hostname then the slash makes the $-sign just t

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Nicholas F Miller
Try: grant EXAMPLE.TEST subdomain EXAMPLE.TEST ANY; Nicholas Miller, ITS, University of Colorado at Boulder On May 11, 2011, at 7:08 AM, Juergen Dietl wrote: > Hello, > > and thanx for all your answers. > > I want to ask the question

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Phil Mayers
On 11/05/11 14:55, Mark Andrews wrote: In message<4dca7893.5060...@imperial.ac.uk>, Phil Mayers writes: On 11/05/11 12:17, Mark Andrews wrote: {ms,krb5}-subdomain allows updates of *.machinename One note - this isn't so handy if you have a disjoint namespace, where: machinename.*.example.c

Re: GSS-TSIG update policy identity field

2011-05-11 Thread Mark Andrews
In message <4dca7893.5060...@imperial.ac.uk>, Phil Mayers writes: > On 11/05/11 12:17, Mark Andrews wrote: > > > {ms,krb5}-subdomain allows updates of *.machinename > > One note - this isn't so handy if you have a disjoint namespace, where: > > machinename.*.example.com > > ...is what you want

Re: GSS-TSIG update policy identity field

2011-05-12 Thread Juergen Dietl
Hello Mark, thanx a lot for your feedback. The rule that works at the moment for only ONE client: grant WS-YBCL150939\$\@EXAMPLE.TEST subdomain example.test. ANY; Because bind supports both it should also work with: grant ws-ybcl150...@example.test subdomain example.test. ANY; right? But for

Re: GSS-TSIG update policy identity field

2011-05-12 Thread Juergen Dietl
Hello Mark, I am not that professional in bind. Normally I am a CISCO expert but now I also do the bind for 6 months. I cannot imagine why this post should help me. What does this match-type "external" mean? I am not aware of running any external daemon. Or was this just for the ACLs problem from Ph

Re: GSS-TSIG update policy identity field

2011-05-12 Thread Juergen Dietl
Hi Nicholas, thanx for your hint but unfortunately it also gets a refusal. cheers, 2011/5/11 Nicholas F Miller > Try: > > grant EXAMPLE.TEST subdomain EXAMPLE.TEST ANY; > Nicholas Miller, ITS, University of Colorado at Boulder

Re: GSS-TSIG update policy identity field

2011-05-12 Thread Phil Mayers
On 12/05/11 09:33, Juergen Dietl wrote: Hello Mark, I am not that professional in bind. Normally I am a CISCO expert but now I also do the bind for 6 months. I cannot imagine why this post should help me. It doesn't really. You should only need this: grant EXAMPLE.COM ms-self * any; What

Re: GSS-TSIG update policy identity field

2011-05-12 Thread Juergen Dietl
Hello Phil, Hello Mark, after trying a lot the last hours I came to the same result. grant EXAMPLE.COM ms-self * any; works. All the other things, for example EXAMPLE.COM krb5-self * any; etc., don't work. So I will put this rule in any zone with the relating domain. The ms-self command is not do

Re: GSS-TSIG update policy identity field

2011-05-12 Thread Mark Andrews
In message , Juergen Dietl writes: > Hello Mark, > > thanx a lot for your feedback. > > the rule that works at the moment for only ONE client: > > grant WS-YBCL150939\$\@EXAMPLE.TEST subdomain example.test. ANY;

Re: GSS-TSIG update policy identity field

2011-05-12 Thread Juergen Dietl
2011/5/12 Mark Andrews > > > > I suggest that you look at the documentation for "external" and use > it. > > Hello Mark, thanx a lot for your explanation. One last question. What do you mean by your sentence above? Do you mean that?: +++ external Th

Re: GSS-TSIG update policy identity field

2011-05-12 Thread Mark Andrews
In message , Juergen Dietl writes: > Hello Phil, Hello Mark, > > after trying a lot the last hours I came to the same result. > > grant EXAMPLE.COM ms-self * any; > > works. All the other things for example EXAM