Date: Mon, 29 Aug 2011 14:17:33 -0700
Hello All.
Having some problems getting secure dynamic DNS updates to work with bind in SL6.1 and Windows 2k3 Active Directory. I figure that the problem may be with bind and kerberos, so I set up Wireshark to listen on port 88 on the nameserver (spritle.machx.net) and on the domain controller (chimchim.win.machx.net). The kerberos realm is win.machx.net or, in MS form, WIN.MACHX.NET.
I have gotten kerberos working so that when I do a "kinit":
kinit -V -k -t /etc/named/spritleDNS.keytab [log in to unmask]
I get a ticket and I see the kerberos request and reply.
If I do a nsupdate, the update works and I also see a kerberos request and reply.
If I start bind, I do not get any kerberos traffic at all. If I restart netlogon on the win2k3 domain controller, I do not get any traffic at all either. I have run
setsebool -P allow_kerberos 1
Any ideas as to what else I should look at? Relevant stuff is below.
/etc/krb5.conf:
[logging]
  default = FILE:/var/log/krb5.log

[libdefaults]
  default_keytab_name = FILE:/etc/named/spritleDNS.keytab
  default_realm = WIN.MACHX.NET
  default_tgs_enctypes = RC4-HMAC
  default_tkt_enctypes = RC4-HMAC
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true

[realms]
  WIN.MACHX.NET = {
    kdc = chimchim.win.machx.net
    admin_server = chimchim.win.machx.net
  }

[domain_realm]
  .win.machx.net = WIN.MACHX.NET
  win.machx.net = WIN.MACHX.NET
  .machx.net = WIN.MACHX.NET
  machx.net = WIN.MACHX.NET

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
/etc/named.conf:
tkey-gssapi-credential "DNS/spritle.machx.net";
tkey-domain "WIN.MACHX.NET";

zone "_msdcs.win.machx.net" {
  type master;
  file "slaves/db.msdcs.machx.net";
  allow-query { trusted; };
  check-names ignore;
  update-policy {
    grant WIN.MACHX.NET. ms-self * A AAAA;
    grant CHIMCHIM\$\@WIN.MACHX.NET. subdomain win.machx.net. A AAAA SRV CNAME;
    grant "[log in to unmask]" wildcard * A AAAA SRV CNAME;
  };
};
The other zones are using IP ACLs.
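A small model of how the three update-policy grants above are matched, added here as an example and not part of the original post. It follows the documented BIND semantics of the ms-self, subdomain and wildcard nametypes in simplified form; the principal of the third grant is masked in the archive, so "dns-updater@WIN.MACHX.NET." below is a constructed placeholder.

```python
import fnmatch

def _norm(name):
    """Lower-case a DNS name or realm and drop the trailing dot."""
    return name.lower().rstrip(".")

def _is_subdomain(name, parent):
    """True when name equals parent or lies below it."""
    name, parent = _norm(name), _norm(parent)
    return name == parent or name.endswith("." + parent)

def rule_allows(rule, principal, rrname, rrtype):
    """Evaluate one 'grant identity nametype name types' rule for a signed update."""
    identity, nametype, name, types = rule
    if types != ["*"] and rrtype.upper() not in types:
        return False
    if nametype == "ms-self":
        # identity is a realm: machine$@REALM may update machine.realm only
        if "@" not in principal:
            return False
        user, realm = principal.split("@", 1)
        if not user.endswith("$") or _norm(realm) != _norm(identity):
            return False
        return _norm(rrname) == _norm(user[:-1] + "." + realm)
    # the remaining nametypes require the signer to equal the identity field
    if _norm(principal) != _norm(identity):
        return False
    if nametype == "subdomain":
        return _is_subdomain(rrname, name)
    if nametype == "wildcard":
        return fnmatch.fnmatchcase(_norm(rrname), _norm(name))
    raise ValueError("unsupported nametype: " + nametype)

def update_allowed(policy, principal, rrname, rrtype):
    """First matching grant wins; no match means the update is refused."""
    return any(rule_allows(r, principal, rrname, rrtype) for r in policy)

# the update-policy of the _msdcs.win.machx.net zone from the post
# (third identity is a constructed placeholder for the masked principal)
POLICY = [
    ("WIN.MACHX.NET.", "ms-self", "*", ["A", "AAAA"]),
    ("CHIMCHIM$@WIN.MACHX.NET.", "subdomain", "win.machx.net.",
     ["A", "AAAA", "SRV", "CNAME"]),
    ("dns-updater@WIN.MACHX.NET.", "wildcard", "*",
     ["A", "AAAA", "SRV", "CNAME"]),
]
```

Running update_allowed(POLICY, "CHIMCHIM$@WIN.MACHX.NET", "_ldap._tcp.dc._msdcs.win.machx.net", "SRV") returns True, while the same principal is refused for a name outside win.machx.net.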