We use obsolete BIND configuration options for TKEY-GSSAPI configuration. The modern option eases debugging because GSSAPI works without any mystic KRB5* environment variables.
This change is also a requirement for bind-dyndb-ldap ticket #100 - "BIND won't start when KDC is unavailable - reconnect is missing". The old options do some checks during BIND start, and BIND can die if the KDC is unavailable.
In /etc/named.conf replace:
tkey-gssapi-credential "DNS/vm-070.idm.lab.eng.brq.redhat.com";
tkey-domain "R.TEST";
with
tkey-gssapi-keytab "/etc/named.keytab";
It is a good idea to do this replacement for new installs and also for upgrades. I tested this change on IPA 3.0 under RHEL 6.4 and it worked like a charm.
Reference: http://www.isc.org/community/blog/201012/bind-9-easier-gss-tsig-configuration
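The replacement above is easy to do by hand on one server, but upgrades have to do it on existing named.conf files, and a practitioner wants to confirm afterwards that no copy of the old options survived. The script below is an added example, not FreeIPA's own upgrade code or any part of the patch attached to this ticket. It rewrites the obsolete tkey-gssapi-credential/tkey-domain pair into tkey-gssapi-keytab (handling the case where both options sit on one line), reports whether any obsolete option is still present, and offers a post-edit check built on named-checkconf and klist -k. The keytab path /etc/named.keytab and the sample named.conf fragment (principal DNS/ns1.example.test, realm EXAMPLE.TEST) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not FreeIPA or bind-dyndb-ldap code): migrate named.conf from the
# obsolete tkey-gssapi-credential/tkey-domain options to tkey-gssapi-keytab.

# Constructed sample of the pre-change configuration (assumed names, not from a real host).
SAMPLE_NAMED_CONF='options {
	directory "/var/named";
	tkey-gssapi-credential "DNS/ns1.example.test";
	tkey-domain "EXAMPLE.TEST";
};'

# Read a named.conf on stdin, write the migrated text to stdout.
# $1 is the keytab path to put into tkey-gssapi-keytab (FreeIPA uses /etc/named.keytab).
migrate_tkey_options() {
  awk -v keytab="$1" '
  {
    orig = $0
    # The principal no longer needs to be named in the config: BIND takes it from the keytab.
    sub(/tkey-gssapi-credential[ \t]+"[^"]*";/, "tkey-gssapi-keytab \"" keytab "\";")
    # tkey-domain has no meaning with tkey-gssapi-keytab; drop it wherever it sits,
    # including the case where it shares a line with the credential option.
    gsub(/[ \t]*tkey-domain[ \t]+"[^"]*";/, "")
    # Do not leave an empty line behind if removing tkey-domain emptied the line.
    if (orig !~ /^[ \t]*$/ && $0 ~ /^[ \t]*$/) next
    print
  }'
}

# Exit status 0 if the text on stdin still carries either obsolete option.
has_obsolete_tkey_options() {
  grep -Eq 'tkey-(gssapi-credential|domain)[[:space:]]+"'
}

# Post-edit sanity check on a real system: the file must parse, the keytab must be
# readable by named, and it must contain a DNS/ service principal.
# $1 = named.conf path, $2 = keytab path. Returns 1 on the first failed check.
verify_tkey_setup() {
  conf="$1"; keytab="$2"
  if command -v named-checkconf >/dev/null 2>&1; then
    named-checkconf "$conf" || return 1
  fi
  if [ ! -r "$keytab" ]; then
    echo "keytab $keytab is missing or not readable" >&2
    return 1
  fi
  if command -v klist >/dev/null 2>&1; then
    klist -k "$keytab" | grep -q ' DNS/' || {
      echo "no DNS/ principal in $keytab" >&2
      return 1
    }
  fi
  return 0
}

# Demonstration on the constructed sample; prints the migrated fragment.
printf '%s\n' "$SAMPLE_NAMED_CONF" | migrate_tkey_options /etc/named.keytab
```

On a live server, run it as `migrate_tkey_options /etc/named.keytab < /etc/named.conf > /etc/named.conf.new`, inspect the diff, move the new file into place, run `verify_tkey_setup /etc/named.conf /etc/named.keytab`, and restart named. A dynamic update signed with GSS-TSIG (`nsupdate -g` after `kinit` with a principal allowed to update the zone) is the end-to-end confirmation that the keytab-based configuration works.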
attachment freeipa-mkosek-377-use-tkey-gssapi-keytab-in-named.conf.patch
Patch freeipa-mkosek-377-use-tkey-gssapi-keytab-in-named.conf.patch sent for review
master:
c4ab8da
7a2d380
ca6f7f2
Metadata Update from @pspacek: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 3.2 - 2013/03