tsig-gss dynamic DNS updates
zuwei at neopathnetworks.com
Tue Nov 7 00:27:14 GMT 2006
I am working on a project to provide virtual server services for the CIFS
protocol, and need to add a virtual server IP address to the AD
dynamically. And I wonder whether nsupdate-gss is already integrated
into Samba 3 or Samba 4? Or is it still a standalone tool?
>Those of you with win2000-based DNS servers might be interested to
>know that I have just successfully sent a TSIG-GSS dynamic DNS update
>to a win2000 server from a Linux box, using a kerberos ticket from MIT
>kerberos. This is an important piece of the netbiosless support that
>is being added to Samba.
>Thus far I have only sent successful updates using des-cbc-crc
>tickets. I would prefer to be able to use hmac-md5 tickets as that is
>what win2000 uses, but I haven't been able to get that to work
>yet. I'm guessing there may be a bug in the MIT hmac-md5
>implementation, or at least a difference between the MIT and Microsoft
>implementations. The MIT library can certainly generate and use
>hmac-md5 tickets for other things (we use them in Samba ADS support
>all the time) so I suspect the problem is in using them for signing
>(like in calls to gss_get_mic()).
>My current test implementation is a mish-mash of perl and C, using the
>Net::DNS perl module for DNS packet construction and C to interface to
>the MIT kerberos GSSAPI library. I'm still thinking about how I will
>put this into a more palatable form, the choices seem to be to either
>clean up my perl code a bit or try to modify the bind-9 nsupdate
>utility to handle the necessary TKEY requests. I originally started
>on this project with the aim of updating the bind-9 code but I've
>found it fairly hard to work out how to extend it, which is why I
>switched to the Net::DNS module.
>If anyone out there knows the bind-9 code really well and wants to
>help me produce a patch to that then please let me know.
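The quoted message describes sending a TSIG-signed dynamic update, where the MAC comes from gss_get_mic() over a negotiated GSS context. The example below is added here and is not code from the thread, from Samba or from bind-9; it shows the same message construction for plain key-based TSIG (RFC 2845, HMAC-MD5 over a shared secret), which is what GSS-TSIG builds on: the RFC 2136 UPDATE packet is built, the TSIG RR is appended, and the verifier recomputes the MAC over exactly the fields the signer covered, rejecting tampered or stale updates. Zone, key name, secret, host and address are constructed placeholders; messages are built uncompressed so the name decoder stays short, and in a GSS-TSIG deployment the hmac.new() calls would be replaced by gss_get_mic()/gss_verify_mic() on the context established via the TKEY exchange.

```python
import hashlib
import hmac
import struct

# Constructed demo values (hypothetical; none of these come from the thread).
ZONE = "example.com."
KEY_NAME = "vs-update-key."
ALGORITHM = "hmac-md5.sig-alg.reg.int."
KEY_SECRET = b"constructed-shared-secret-for-demo"


def encode_name(name):
    """Dotted name -> uncompressed wire format (this demo never compresses)."""
    out = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"


def decode_name(buf, pos):
    """Uncompressed wire name -> (dotted name, position after it)."""
    labels = []
    while buf[pos] != 0:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1


def skip_rr(buf, pos, is_question=False):
    """Advance past one question entry or one resource record."""
    _, pos = decode_name(buf, pos)
    if is_question:
        return pos + 4                       # TYPE + CLASS only
    return pos + 10 + struct.unpack("!H", buf[pos + 8:pos + 10])[0]


def build_update(msg_id, zone, host, ipv4, ttl=300):
    """RFC 2136 UPDATE adding one A record; the zone section plays the question role."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)       # SOA, class IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = encode_name(host) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_sec + rr


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields that are included in the MAC (RFC 2845 section 3.4.2)."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", 255, 0)   # class ANY, TTL 0
            + encode_name(algorithm.lower())
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)


def sign_update(message, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR; MAC = HMAC-MD5(secret, message || TSIG variables)."""
    mac = hmac.new(secret, message + tsig_variables(key_name, ALGORITHM, time_signed, fudge),
                   hashlib.md5).digest()
    rdata = (encode_name(ALGORITHM)
             + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac
             + message[:2] + struct.pack("!HH", 0, 0))        # original ID, error, other len
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1      # TSIG lives in the additional section
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr, mac


def verify_update(signed, secret, now):
    """Validate the trailing TSIG RR; returns (ok, rcode name)."""
    zo, pr, up, ad = struct.unpack("!HHHH", signed[4:12])
    pos = 12
    for i in range(zo + pr + up + ad - 1):       # walk everything except the TSIG RR
        pos = skip_rr(signed, pos, is_question=i < zo)
    tsig_start = pos
    key_name, pos = decode_name(signed, pos)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
    pos += 10
    if rtype != 250 or rclass != 255:
        return False, "FORMERR"
    algorithm, pos = decode_name(signed, pos)
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[pos:pos + 10])
    pos += 10
    mac = signed[pos:pos + mac_size]
    pos += mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[pos:pos + 6])
    other = signed[pos + 6:pos + 6 + other_len]
    # Reconstruct what the signer covered: original ID, ARCOUNT - 1, TSIG RR removed.
    unsigned = (struct.pack("!H", orig_id) + signed[2:10]
                + struct.pack("!H", ad - 1) + signed[12:tsig_start])
    time_signed = (hi << 32) | lo
    expected = hmac.new(secret, unsigned + tsig_variables(
        key_name, algorithm, time_signed, fudge, error, other), hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:       # replay window check comes after the MAC
        return False, "BADTIME"
    return True, "NOERROR"


if __name__ == "__main__":
    msg = build_update(0x1234, ZONE, "vs1.example.com.", "192.0.2.10")
    signed, _ = sign_update(msg, KEY_NAME, KEY_SECRET, time_signed=1700000000)
    print(verify_update(signed, KEY_SECRET, now=1700000010))
```

Note that the verifier checks the MAC before the time window, as the RFC orders it, so a forged packet cannot probe the server's clock tolerance; flipping a single byte of the update section or presenting the packet outside the fudge window yields BADSIG or BADTIME respectively.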