File README of Package nsupdate-gss

This is an implementation of a tsig-gss dynamic DNS update client. It
has been tested against Windows 2000 servers using MIT Kerberos and
des-cbc-crc Kerberos tickets.

Setup
-----
Download the Net-DNS package from http://www.net-dns.org/. Make sure
you grab at least the October 15 2002 CVS snapshot. To see if you have
the right version, it must contain a file called TKEY.pm. If you have
an older version then you could try applying the Net-DNS.patch patch
from this directory, but you are really better off getting a later
version of Net-DNS which has the patch already merged.

You will also need the GSSAPI-0.12 package from
http://search.cpan.org/author/PGUEN/GSSAPI-0.12/ and you will need the
MIT Kerberos and MIT gssapi libraries installed.

Kerberos setup
--------------
Your kerberos setup needs to use des-cbc-crc tickets. Unfortunately
HMAC-MD5 (type 23) tickets don't work yet, even if you have a version
of MIT kerberos that supports them. I will try to work out why for a
future version.
Here is a sample /etc/krb5.conf that works for me:

    [libdefaults]
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5

    [realms]
        VNET2.HOME.SAMBA.ORG = {
            kdc = win2000.vnet2.home.samba.org.
        }

Note that the capitalisation is important.

Getting a ticket
----------------
You need to use kinit to get an initial ticket in the domain you wish
to update. For example:

    kinit tridge@VNET2.HOME.SAMBA.ORG

After you have a ticket use 'klist -e' to make sure that it is of type
'DES cbc mode with CRC-32'. Other ticket types may work but have not
been tested (except HMAC-MD5 which definitely doesn't work).
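
The 'klist -e' check above can be scripted so that nsupdate-gss only runs
when the ticket is of the tested type. This is an added example, not part
of nsupdate-gss; the klist output layout, the name klist prints for
HMAC-MD5, and the function names are assumptions, and the sample inputs
are constructed.

```sh
#!/bin/sh
# Added example: gate nsupdate-gss on the enctypes that `klist -e` reports.
# Assumes the MIT klist layout "Etype (skey, tkt): <session key>, <ticket>".

TESTED='DES cbc mode with CRC-32'   # the type the README reports as working
BROKEN='ArcFour with HMAC/md5'      # assumed klist name for HMAC-MD5 (type 23)

# Constructed samples (not captured from a real KDC)
SAMPLE_DES='Default principal: tridge@VNET2.HOME.SAMBA.ORG
Valid starting     Expires            Service principal
10/15/02 10:00:00  10/15/02 20:00:00  krbtgt/VNET2.HOME.SAMBA.ORG@VNET2.HOME.SAMBA.ORG
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32'
SAMPLE_RC4='10/15/02 10:00:00  10/15/02 20:00:00  krbtgt/VNET2.HOME.SAMBA.ORG@VNET2.HOME.SAMBA.ORG
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5'

# etype_report: klist -e output on stdin -> "service|skey etype|tkt etype"
etype_report() {
    awk '
        /^[0-9]/ && NF >= 5 { svc = $5; next }   # ticket line: 5th field is the service
        /Etype \(skey, tkt\):/ {
            sub(/^.*Etype \(skey, tkt\): */, "")
            n = split($0, e, /, */)
            print svc "|" e[1] "|" (n > 1 ? e[2] : e[1])
        }'
}

# check_tickets: 0 = every ticket is the tested type, 1 = an untested type
# is present, 2 = the known non-working type is present, 3 = no ticket found
check_tickets() {
    report=$(etype_report)
    [ -n "$report" ] || { echo "no tickets found; run kinit first" >&2; return 3; }
    printf '%s\n' "$report" | awk -F'|' -v ok="$TESTED" -v bad="$BROKEN" '
        $2 == bad || $3 == bad { print "not supported: " $0 > "/dev/stderr"; rc = 2; next }
        $2 != ok  || $3 != ok  { print "untested: " $0 > "/dev/stderr"; if (rc < 1) rc = 1 }
        END { exit rc + 0 }'
}

# Usage: klist -e | check_tickets && nsupdate-gss myhost vnet2.home.samba.org 192.168.2.241 36000
```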

Adding an A record
------------------
The following will add an A record for myhost.vnet2.home.samba.org
with the given IP and TTL.

    nsupdate-gss myhost vnet2.home.samba.org 192.168.2.241 36000

A return value of 0 indicates success.

Author
------
nsupdate-gss was written by Andrew Tridgell (tridge@samba.org).