I'm having a problem trying to enable GSS-TSIG with BIND 9.10.
Before I start describing what I've done, I would like to say that I've already done this in another domain without any problems. So I think I'm missing something very specific. If someone would help me debug this issue I'd be very pleased.
Let’s start.
I’m running BIND9 9.10.0P2_5 on FreeBSD 10.0, compiled by myself with the GSSAPI_BASE option enabled. I’ve used this same binary package to deploy it on the other domain that’s working.
Then I've enabled GSS-TSIG in my named.conf files:
options {
    ( … )
    tkey-gssapi-keytab "/etc/krb5.keytab";
    ( … )
};

zone "local.example.com" {
    type master;
    file "/usr/local/etc/namedb/dynamic/local.example.com";
    notify yes;
    check-names ignore;
    allow-query { clients; };
    allow-transfer { intnameservers; };
    # allow-update {
    #     key "iq-rndc-key";
    #     domaincontrollers;
    # };
    update-policy {
        # the subdomain must lie inside this zone for any update to match
        grant * subdomain local.example.com. ANY;
    };
};

zone "10.in-addr.arpa" {
    type master;
    file "/usr/local/etc/namedb/dynamic/10.in-addr.arpa";
    notify yes;
    allow-query { clients; };
    allow-transfer { intnameservers; };
    # allow-update {
    #     key "iq-rndc-key";
    #     domaincontrollers;
    # };
    update-policy {
        grant * subdomain 10.in-addr.arpa. PTR TXT;
    };
};
Then I’ve joined the AD domain using Samba4 and Kerberos, in this way:
Created the file /etc/krb5.conf with the following content:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
Installed Samba 4.1 and created the file /usr/local/etc/smb4.conf with the following content:
[global]
security = ads
realm = EXAMPLE.COM
workgroup = EXAMPLE
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes
log file = /var/log/samba4/%m.log
Asked for an Administrator Kerberos ticket:
$ kinit Administrator
Then joined the domain and created a keytab:
$ net ads join createupn=dns/server-hostname.example.com@EXAMPLE.COM -k
$ net ads keytab create -k
After all this, I had successfully received a ticket, created a computer account, and created a service principal.
The next step was to chown /etc/krb5.keytab to bind so BIND9 can read the keytab.
After all that, nothing is working… GSS-TSIG doesn't even give errors in the logs, which is frustrating. I'm trying to debug this with these options in named.conf:
logging {
    channel update_log {
        file "/var/log/named/bind-ddns-updates.log";
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category update { update_log; };
    category update-security { update_log; };
};
But I don’t see anything useful in the log file.
Thanks in advance,
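The checks below are an added diagnostic script, not code from the post above or from BIND or Samba. They target the two things that silently break GSS-TSIG in a setup like this: named, via tkey-gssapi-keytab, looks for a principal named exactly DNS/<fqdn>@<REALM> (Kerberos principal names are case-sensitive, so an entry created as dns/... is not it), and a client must actually negotiate a TKEY with `nsupdate -g` before any update or update-security log line can appear. The hostname server-hostname.example.com, realm EXAMPLE.COM, zone local.example.com and the two klist listings are assumptions constructed for the example; the real checks are `klist -k /etc/krb5.keytab` as the user named runs as, and `nsupdate -g -d` fed the printed batch from a host that holds a valid ticket.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the original post. Hypothetical
# values: server FQDN server-hostname.example.com, realm EXAMPLE.COM,
# keytab /etc/krb5.keytab, zone local.example.com.

# named reads tkey-gssapi-keytab looking for DNS/<fqdn>@<REALM>. Principal
# names are case-sensitive, so an entry created as dns/... does not match.
expected_dns_principal() {
    printf 'DNS/%s@%s\n' "$1" "$2"
}

# Read `klist -k <keytab>` output on stdin (MIT or Heimdal layout) and
# succeed only if some column is exactly the requested principal.
keytab_has_principal() {
    awk -v p="$1" '{ for (i = 1; i <= NF; i++) if ($i == p) found = 1 }
                   END { exit found ? 0 : 1 }'
}

# Batch for `nsupdate -g -d`: the gsstsig directive negotiates a TKEY with
# the server and signs the update with the resulting GSS-TSIG key.
nsupdate_gss_batch() {
    printf 'server %s\nzone %s\ngsstsig\nupdate add %s 300 A %s\nsend\n' \
        "$1" "$2" "$3" "$4"
}

# Run the keytab check on one klist listing; prints a hint on failure.
check_keytab_listing() {
    listing=$1; fqdn=$2; realm=$3
    want=$(expected_dns_principal "$fqdn" "$realm")
    if printf '%s\n' "$listing" | keytab_has_principal "$want"; then
        echo "keytab OK: $want present"
        return 0
    fi
    echo "keytab MISSING $want; a lowercase dns/ or a host/ entry will not do." >&2
    echo "Add it on the joined host with: net ads keytab add DNS/$fqdn -k" >&2
    return 1
}

# Constructed sample listings (MIT and Heimdal klist -k layouts), not real keytabs.
KLIST_BAD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------
   2 host/server-hostname.example.com@EXAMPLE.COM
   2 dns/server-hostname.example.com@EXAMPLE.COM'

KLIST_GOOD='FILE:/etc/krb5.keytab:

Vno  Type                     Principal
  2  aes256-cts-hmac-sha1-96  host/server-hostname.example.com@EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  DNS/server-hostname.example.com@EXAMPLE.COM'

# Stand-alone demo: the first listing fails the check, the second passes,
# and the batch that would then be fed to `nsupdate -g -d` is printed.
check_keytab_listing "$KLIST_BAD" server-hostname.example.com EXAMPLE.COM || :
if check_keytab_listing "$KLIST_GOOD" server-hostname.example.com EXAMPLE.COM; then
    nsupdate_gss_batch server-hostname.example.com local.example.com \
        testhost.local.example.com 10.0.0.5
fi
```

With `-d`, nsupdate prints the TKEY exchange, so a failure to obtain a GSS context shows up on the client even when named logs nothing; once the TKEY succeeds, the update and update-security categories configured above start recording the signed requests. Note also that the posted `grant * subdomain … ANY` accepts any principal the KDC will vouch for; once updates work, BIND's krb5-self, krb5-subdomain, ms-self and ms-subdomain rule types let you restrict each machine principal to its own name.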