
Secure DDNS (GSS-TSIG) update fails


Hi,

I'm experiencing some issues setting up secure DDNS updates.


What I would like to achieve

I have a zone zone.corp.com. Within this zone is a Microsoft AD controller, ad01.zone.corp.com. ad01 is the Microsoft primary and my Infoblox appliance ibl.corp.com is the Grid secondary for the zone. DHCP and DNS for the zone should be managed by Infoblox. New clients in the zone should get an IP address via DHCP. The zone should be updated from DHCP by secure DDNS with GSS-TSIG.


What I already did

I added the Microsoft server, zone and DHCP ranges and tried to configure DDNS following the guides from the docs (Configuring DDNS Updates, About GSS-TSIG). As one step of the setup I created, uploaded and assigned the keytab file as well. DNS and DHCP are working correctly.


What is not working

Currently the GSS-TSIG DDNS updates fail. This is the output from the syslog:

dhcpd: Enabled GSS-TSIG for zone zone.corp.com. using principal DNS/ibl.corp.com@ZONE.CORP.COM.
dhcpd: GSS-TSIG security thread has started.
dhcpd: GSS-TSIG security update starting at 1736415384.
dhcpd: Acquiring GSS-TSIG credential for DNS/ibl.corp.com@ZONE.CORP.COM.
dhcpd: Retrying DNS updates
dhcpd: Deferring GSS-TSIG DDNS updates to DNS server 192.168.178.2 for principal DNS/ibl.corp.com@ZONE.CORP.COM because security tokens are not yet established.
dhcpd: gss_acquire_cred: No credentials were supplied, or the credentials were unavailable or inaccessible.
dhcpd: Failed to acquire GSS-TSIG credential for DNS/ibl.corp.com@ZONE.CORP.COM.
dhcpd: Failed to renew GSS-TSIG credentials for principal DNS/ibl.corp.com@ZONE.CORP.COM.
dhcpd: GSS-TSIG security update complete at 1736415384. Next update in 292s.


I created the keytab on ad01 with the following command:

ktpass -princ DNS/ibl.corp.com@ZONE.CORP.COM -mapuser ibl@ZONE.CORP.COM -pass mySaf3passw0rd -out ns1.keytab -ptype krb5_nt_principal -crypto AES256-SHA1

User ibl exists on ad01 and is a member of DnsAdmins.


This is the output from show dhcp_gss_tsig config on the infoblox appliance:

DHCP GSS-TSIG configuration for this member:
  KDC address              ad01.zone.corp.com
  KDC IP                   192.168.178.2
  Member principal         DNS/ibl.corp.com@ZONE.CORP.COM
  Member domain            ZONE.CORP.COM
  GSS-TSIG                 enabled
  DDNS updates             enabled
  DHCP service             enabled
  
Test KDC using member configuration? (y or n): y
Requesting TGT for DNS/ibl.corp.com@ZONE.CORP.COM from KDC 192.168.178.2...

Failed to obtain TGT for principal. Please check that the KDC is
reachable, that port 88 (kerberos) is not firewalled, that the
principal is known to the KDC, and that this member's clock is
synchronized with the KDC.

This member is configured to update the following zones:
  zone.corp.com on 192.168.178.2 as DNS/ibl.corp.com@ZONE.CORP.COM

Test configured zones? (y or n): y

Next zone is zone.corp.com on 192.168.178.2.
Test this zone? (y or n): y
Testing external zone zone.corp.com on NS 192.168.178.2...
DNS principal is DNS/ibl.corp.com@ZONE.CORP.COM.
Derived FQDN is ad01.zone.corp.com.
FQDN resolves to nameserver IP.
SOA for zone.corp.com has MNAME ad01.zone.corp.com.
Nameserver is authoritative for zone.
Zone zone.corp.com appears valid.

ibl and ad01 are using the same NTP server. I don't see any blocked traffic between them.


Can anyone please help me find which detail I've missed?
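An added diagnostic example, not code from the post or from Infoblox: a small parser for the keytab format that ktpass writes, so the principals, name types, key version numbers and encryption types in the file can be listed and compared against the member principal shown by show dhcp_gss_tsig config before the file is uploaded (a case mismatch in the principal or an enctype the appliance does not expect is a common reason for "credentials were unavailable"). The sample keytab is constructed in memory by the script and contains no real key material; the helper names are my own.

```python
import struct
# Kerberos enctype numbers (RFC 3961/3962) that ktpass -crypto can emit.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NT_PRINCIPAL = 1  # KRB5_NT_PRINCIPAL, what ktpass -ptype krb5_nt_principal writes

def _octets(buf, off):  # counted octet string: uint16 big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version-0x0502 keytab and return one dict per key entry (no key bytes)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:  # a negative size marks a deleted entry (hole); zero would never advance
            off += -size or len(data)  # so a zero-length entry ends parsing instead of looping
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        realm, p = _octets(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _octets(data, p)
            comps.append(c.decode())
        name_type, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen  # skip the fixed fields and the key material itself
        vno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8  # 32-bit kvno if present
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "name_type": name_type,
                        "kvno": vno, "enctype": ENCTYPES.get(enctype, str(enctype)), "keylen": klen})
        off = end
    return entries

def keytab_has(entries, principal, enctype_name):
    # exact match: Kerberos principal names are case-sensitive, so DNS/... and dns/... differ
    return any(e["principal"] == principal and e["enctype"] == enctype_name for e in entries)

def build_keytab(principal, enctype, key, kvno, name_type=NT_PRINCIPAL):
    """Construct a one-entry keytab in memory (demo only; the key passed in is not real material)."""
    name, realm = principal.split("@")
    body = struct.pack(">HH", len(name.split("/")), len(realm)) + realm.encode()
    for comp in name.split("/"):
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
# Constructed sample matching the ktpass command in the post (32 zero bytes stand in for the key, kvno 3).
SAMPLE = build_keytab("DNS/ibl.corp.com@ZONE.CORP.COM", 18, b"\x00" * 32, 3)
```

To inspect a real file, read it in binary mode and pass the bytes to parse_keytab; klist -kte on a machine with MIT Kerberos shows the same fields.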
