SCIENTIFIC-LINUX-USERS Archives

August 2011

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Harley Race <[log in to unmask]>
Reply To: Harley Race <[log in to unmask]>
Date: Mon, 29 Aug 2011 14:17:33 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (74 lines)

Hello All.

Having some problems getting secure dynamic DNS updates to work with bind in SL6.1 and Windows 2k3 Active Directory.  I figure that the problem may be with bind and kerberos so I set up wireshark to listen on port 88 on the nameserver (spritle.machx.net) and on the domain controller (chimchim.win.machx.net).  The kerberos realm is win.machx.net or in ms WIN.MACHX.NET

I have gotten kerberos working so that when I do a "kinit":

    kinit -V -k -t /etc/named/spritleDNS.keytab [log in to unmask]

I get a ticket and I see the kerberos request and reply.

If I do an nsupdate, the update works and I also see a kerberos request and reply.

If I start bind, I do not get any kerberos traffic at all.  If I restart netlogon on the win2k3 domain controller, I do not get any traffic at all either.  I have run

    setsebool -P allow_kerberos 1

Any ideas as to what else I should look at?  Relevant stuff is below.

/etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5.log

[libdefaults]
 default_keytab_name = FILE:/etc/named/spritleDNS.keytab
 default_realm = WIN.MACHX.NET
 default_tgs_enctypes = RC4-HMAC
 default_tkt_enctypes = RC4-HMAC
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 WIN.MACHX.NET = {
  kdc = chimchim.win.machx.net
  admin_server = chimchim.win.machx.net
 }

[domain_realm]
 .win.machx.net = WIN.MACHX.NET
 win.machx.net = WIN.MACHX.NET
 .machx.net = WIN.MACHX.NET
 machx.net = WIN.MACHX.NET

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


/etc/named.conf

tkey-gssapi-credential "DNS/spritle.machx.net";
tkey-domain "WIN.MACHX.NET";

zone "_msdcs.win.machx.net" {
        type master;
        file "slaves/db.msdcs.machx.net";
        allow-query  { trusted; };
        check-names ignore;
        update-policy {
                grant WIN.MACHX.NET. ms-self * A AAAA;
                grant CHIMCHIM\$\@WIN.MACHX.NET. subdomain win.machx.net. A AAAA SRV CNAME;
                grant "[log in to unmask]" wildcard * A AAAA SRV CNAME;
        };
};

The other zones are using IP ACLs.
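One cross-check worth running on a setup like this, added here as an example and not part of the original post: it takes the tkey-gssapi-credential and tkey-domain values from named.conf and the `klist -kt` listing of the keytab, and reports whether the principal BIND will ask for is actually present (the keytab listing is a constructed sample, and the principal name in it is an assumption, since the post masks it).

```python
# Added diagnostic, not from the original post.  Inputs are the text of
# named.conf and the output of `klist -kt <keytab>`; the samples below are
# constructed from values quoted in the post (the keytab principal is assumed).
import re

NAMED_CONF = '''
tkey-gssapi-credential "DNS/spritle.machx.net";
tkey-domain "WIN.MACHX.NET";
'''

# Constructed sample of `klist -kt /etc/named/spritleDNS.keytab` output.
KLIST_OUTPUT = '''Keytab name: FILE:/etc/named/spritleDNS.keytab
KVNO Timestamp         Principal
---- ----------------- -------------------------------------------
   3 08/29/11 10:02:11 DNS/spritle.machx.net@WIN.MACHX.NET
'''

def expected_principal(named_conf):
    """Principal BIND will request: tkey-gssapi-credential@tkey-domain."""
    cred = re.search(r'tkey-gssapi-credential\s+"([^"]+)"', named_conf)
    dom = re.search(r'tkey-domain\s+"([^"]+)"', named_conf)
    if not cred or not dom:
        raise ValueError("tkey-gssapi-credential or tkey-domain not set")
    principal = cred.group(1)
    return principal if "@" in principal else f"{principal}@{dom.group(1)}"

def keytab_principals(klist_output):
    """Collect principal names from `klist -kt` (or `klist -k`) output."""
    found = set()
    for line in klist_output.splitlines():
        fields = line.split()
        # Entry lines start with the KVNO and end with user@REALM.
        if len(fields) >= 2 and fields[0].isdigit() and "@" in fields[-1]:
            found.add(fields[-1])
    return found

def check_keytab(named_conf, klist_output):
    """Return (ok, reason); a case-only mismatch is reported separately
    because Kerberos principals and realms are case-sensitive."""
    want = expected_principal(named_conf)
    have = keytab_principals(klist_output)
    if want in have:
        return True, f"{want} present in keytab"
    near = [p for p in have if p.lower() == want.lower()]
    if near:
        return False, f"case mismatch: keytab has {near[0]}, named.conf wants {want}"
    return False, f"{want} not in keytab (found: {sorted(have) or 'none'})"
```

Run `check_keytab(open("/etc/named.conf").read(), <klist -kt output>)` against the real files; a case-only mismatch between the realm in the keytab and tkey-domain is the first thing this will flag.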
