
Client Fail to update DDNS using gss-tsig


Hi Teams,

I'm doing some lab work on DDNS. The scenario is that a client (already joined to the domain corp.abc.net) updates its IP to the Infoblox that is running DNS.

Here is what I've done:

1. Created a user on the domain controller (ib, password P@ssw0rd)

2. Created a keytab file on the domain controller (ktpass -princ DNS/ib.abc.net@CORP.ABC.NET -mapuser ib@corp.abc.net -pass P@ssw0rd -out c:\ns1.keytab -ptype krb5_nt_principal -crypto AES256-SHA1)

3. Imported the keytab into Infoblox.

4. Executed the command ipconfig /registerdns from the client PC

After the above activity, I checked the logs on Infoblox:

2020-04-26 21:56:01 ICT daemon ERROR named[13999] gss_accept_sec_context: continuation call to routine required
2020-04-26 21:56:01 ICT daemon INFO named[13999] GSS-TSIG verify stats: 0 ok, 0 failed (0 integrity, 0 time)
2020-04-26 21:56:01 ICT daemon INFO named[13999] GSS-TSIG accept stats: 0 ok, 1 failed (0 NTLM, 1 principal, 0 key, 0 integrity, 0 time)
2020-04-26 21:56:01 ICT daemon ERROR named[13999] 192.168.137.20#59616: GSS-TSIG authentication failed for (DNS/ib.corp.abc.net@CORP.ABC.NET, kvno 4, arcfour-hmac-md5): unknown principal
2020-04-26 21:56:01 ICT daemon ERROR named[13999] client @0x7fd5840f9000 192.168.137.20#57468: update 'corp.abc.net/IN' denied

 

Is there any step that I missed?

Thanks

Re: Client Fail to update DDNS using gss-tsig


This issue happened because the DC administrator created a wrong keytab file. It was not mapped to the correct user that had already been created.

Thanks
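
An added example, not part of either post: a small check that compares the principal and encryption type in the `named` GSS-TSIG failure line with what was passed to `ktpass`, using the log line and command from the question. The function names and the enctype name table are assumptions made for this illustration.

```python
import re

# ktpass -crypto values and the enctype names a Kerberos server may log for them.
KTPASS_ENCTYPES = {
    "AES256-SHA1": {"aes256-cts-hmac-sha1-96"},
    "AES128-SHA1": {"aes128-cts-hmac-sha1-96"},
    "RC4-HMAC-NT": {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac"},
}

FAIL_RE = re.compile(
    r"GSS-TSIG authentication failed for \((?P<principal>[^,]+), "
    r"kvno (?P<kvno>\d+), (?P<enctype>[^)]+)\): (?P<reason>.+)$"
)

# Copied from the question; the password is replaced by a placeholder.
LOG_LINE = ("2020-04-26 21:56:01 ICT daemon ERROR named[13999] 192.168.137.20#59616: "
            "GSS-TSIG authentication failed for (DNS/ib.corp.abc.net@CORP.ABC.NET, "
            "kvno 4, arcfour-hmac-md5): unknown principal")
KTPASS_CMD = (r"ktpass -princ DNS/ib.abc.net@CORP.ABC.NET -mapuser ib@corp.abc.net "
              r"-pass <password> -out c:\ns1.keytab -ptype krb5_nt_principal "
              r"-crypto AES256-SHA1")

def parse_ktpass(cmd):
    """Return (principal, crypto) from a ktpass command line."""
    tokens = cmd.split()
    opts = {t.lower(): tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t[0] == "-"}
    return opts["-princ"], opts["-crypto"].upper()

def split_principal(name):
    """Split service/host@REALM, normalising host and realm case."""
    left, _, realm = name.partition("@")
    service, _, host = left.partition("/")
    return service, host.lower(), realm.upper()

def compare(log_line, ktpass_cmd):
    """List the differences between the failed ticket and the keytab request."""
    m = FAIL_RE.search(log_line)
    if not m:
        return []
    princ, crypto = parse_ktpass(ktpass_cmd)
    findings = []
    if split_principal(m["principal"]) != split_principal(princ):
        findings.append(f"principal: log has {m['principal']}, ktpass used {princ}")
    if m["enctype"] not in KTPASS_ENCTYPES.get(crypto, set()):
        findings.append(f"enctype: log has {m['enctype']}, ktpass used {crypto}")
    return findings

print(compare(LOG_LINE, KTPASS_CMD))
```
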
