Hello,
I am trying to allow the DNS-Client to do dynamic updates at the DNS-Server using BIND. I want to use Kerberos as the security protocol. For that I have a small test lab with a client, 3 Kerberos Server and one Suse Linux DNS-Server. The 3 Kerberos-Server are emulated with using VM-Ware.
The Kerberos-Client gets the TGT from the Kerberos-Server. As I understand it should use this TGT for requesting further services via an AP-Request.
Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: xxxgsstsig
DomainName: TEST.LOC
TargetDomainName: TEST.LOC
AltTargetDomainName: TEST.LOC
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 1:00:00
StartTime: 12/6/2010 4:18:37
EndTime: 12/6/2010 14:18:37
RenewUntil: 12/10/2010 17:18:37
TimeSkew: 1/1/1601 1:00:00
I have read that there is a special mode called User-To-User Mode. This mode enables the client to ask for a service direct without asking for a TGT before. I found out that my client use this special user-to-user mode. I don’t know why.
GSS-API Generic Security Service Application Program Interface
OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
Simple Protected Negotiation
negTokenInit
mechTypes: 3 items
MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
MechType: 1.2.840.113554.1.2.2.3 (KRB5 - Kerberos 5 - User to User) <---------
mechToken: 6082047d06092a864886f71201020201006e82046c308204...
krb5_blob: 6082047d06092a864886f71201020201006e82046c308204...
KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
krb5_tok_id: KRB5_AP_REQ (0x0001)
Kerberos AP-REQ
Pvno: 5
MSG Type: AP-REQ (14)
Padding: 0
APOptions: 20000000 (Mutual required)
0... .... .... .... .... .... .... .... = reserved: RESERVED bit off
.0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL authentication is REQUIRED
Ticket
Tkt-vno: 5
Realm: TEST.LOC
Server Name (Service and Instance): DNS/scdns14p.test.loc
Name-type: Service and Instance (2)
Name: DNS
Name: scdns14p.test.loc
enc-part des-cbc-md5
Encryption type: des-cbc-md5 (3)
Kvno: 3
enc-part: bfd012cc83e2e0050400b56aa8dd50a2404896871830e9f0...
Authenticator des-cbc-md5
Encryption type: des-cbc-md5 (3)
Authenticator data: 249c7a63fd5d9c84137f9dbdfa78eeee10e04fe0d6a5b0cd...
Is this a wanted behavior?
The client has an entry in the AD with DNS/test...@TEST.LOC. The Client, DNS-Server, Kerberos-Server all have a copy of the krb5.keytab. If I do a kinit -k -t c:\krb5.keytab DNS/test...@TEST.LOC then all seem to be ok. I get this message from the DNSserver: 03-Dec-2010 10:42:00.451 general: debug 3: gss cred: "DNS/test...@TEST.LOC", GSS_C_ACCEPT, 4294962027. But when the client do it from its own I get this message from the DNS-Server: 03-Dec-2010 10:42:00.451 general: debug 3: failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Wrong principal in request.
I have installed Bind V 9.7.2 (so the newest) and all PCs are running NTP for time synchronisation.
Any help would be greatly appreciated
Cheers,
Juergen
That's not quite how u2u works.
> TGT before. I found out that my client use this special user-to-user
> mode. I don’t know why.
No. Your client is using SPNego and offering u2u as a *possible*
mechanism to be negotiated.
> GSS-API Generic Security Service Application Program Interface
> OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
> Simple Protected Negotiation
> negTokenInit
> mechTypes: 3 items
> MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
> MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
> MechType: 1.2.840.113554.1.2.2.3 (KRB5 - Kerberos 5 - *User to User*)
>
> Is this a wanted behavior?
Yes. That's how spnego works. I'm willing to bet the server does not
actually *pick* u2u - but the client can do it, so offers it during
negotiation.
I can't help you with your wider question I'm afraid; I don't really
understand what you're asking. But the user2user stuff is a red herring
and can be ignored.
GSS-API Generic Security Service Application Program InterfaceMechType: 1.2.840.113554.1.2.2.3 (KRB5 - Kerberos 5 - *User to User*)
OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
Simple Protected Negotiation
negTokenInit
mechTypes: 3 items
MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
Yes. That's how spnego works. I'm willing to bet the server does not actually *pick* u2u - but the client can do it, so offers it during negotiation.
Is this a wanted behavior?
I can't help you with your wider question I'm afraid; I don't really understand what you're asking. But the user2user stuff is a red herring and can be ignored.
_______________________________________________
bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
> The Log-File from the DNS-SUSE-Server tells me "wrong principal". Is
> there a way to find out what principal it expects?
You can configure it:
tkey-domain "YOUR.DOMAIN";
tkey-gssapi-credential "DNS/hostname.your.domain";
(I've never managed to make this work under bind, FWIW. Even when I did
get the kerberos working, the ms-self ACL turns out to be useless in a
disjoint domain environment)
Normally you need 2 kerberos principals, one for the DNS Server, one for the client.
If kinit above works on the DNS Server box, and you can see these messages at startup BIND is configured correctly.
27-Sep-2010 18:26:47.860 acquiring credentials for DNS/test.loc
27-Sep-2010 18:26:47.860 gss cred: "DNS/test...@TEST.LOC", GSS_C_ACCEPT, 4294967295
You still need to configure update-policy to allow your client to update DNS, but that is another issue.
A GSS-TSIG-enabled DNS client would request TGT (as a different Kerberos user/principal), then TGS to use the DNS Service identified by the DNS/test...@TEST.LOG service principal. With this it should be able to update the DNS server, as long as DNS Server validates the client's ticket and the policy allows the update.
I hope your understanding is the same, it just wasn't clear from your message.
Regards
Sergiu
That's not what I said.
>
> Forgive me but what is a disjoint domain environment?
domain: EXAMPLE.COM
hostname: host.subdomain.example.com
Bind seems to have trouble in this case.
> Hello Serjiu,
> many thanx for your hint. This I was asking me too for some time. Because the TGT is for the client name (principal) that is logged in at the moment and the service should be always for the same principal name on any client. So yes I will need to define 2 principals.
>
> You wrote:
> You still need to configure update-policy to allow your client to update DNS, but that is another issue.
>
> Do you mean the policy in the active directory? Btw. did you try to do it your own and succeeded?
No, he meant the update-policy statement in named.conf, which sets who can update what in the zone.
Chris Buxton
BlueCat Networks
It does work, but setting it up is very-very painful. Even if you do get it working, and document every step, a slightest mistake is at least an hour or two spent in troubleshooting. When configured properly it works, with a few limitations (in 9.7.2 at least).
>Do you mean the policy in the active directory?
No, I meant the update-policy option in BIND. It allows you to grant/deny ddns update permission to kerberos principals.
>Btw. did you try to do it your own and succeeded?
Yes, we succeeded and got GSS-TSIG in BIND working with Windows clients, Windows DHCP, and implemented our own GSS-TSIG client.
Regards
Sergiu