07-09-2011 10:33 AM
I have a request to make HP UX machines get registered in a Windows 2000 Active Directory integrated DNS configured to allow only Secure Connections. By my understanding this means that only machines registered in the Active Directory Domain can register/update their IP addresses in the DNS. At this point I already installed Kerberos V5 and Samba in the HP UX V11.3 server and finally have the HP UX server machine account displayed in the Windows Active Directory. Finally I tried to update the DNS entry with nsupdate and got a REFUSED error. When I change the security mode in the Windows DNS Zone to Nonsecure the nsupdate works fine. Checking the documentation I found that ADS works in secure mode with a security protocol called GSS-TSIG while the default for nsupdate is TSIG. I have installed BIND 9.3 that is supposed to support GSS-TSIG but I don't know what to do in order to get nsupdate to work with GSS-TSIG.
Has somebody done this configuration before? All I need to do to end this issue is dynamically register and update my HP UX server to a Windows 2000 DNS server integrated with the Active Directory and configured as Secure Only.
Thanks in advance
07-11-2011 08:08 AM
Full ADS integration is probably required.
Do the systems have CIFS/9000 installed?
swlist -l product | grep -i cifs.
The software is available from http://software.hp.com
The client requires a reboot.
Once installed a net join is required to join the system into the domain.
net join prompts you for an administrative users password on the ADS domain, which will have to be provided by your Windows Systems Administrators.
Additional software/integration may be required.
These links are giving me trouble.
Owner of ISN Corporation
07-11-2011 09:10 AM
Thanks for your comments.
The server has CIFS installed and is already joined to Windows Domain as a member server in the ADS. At this point we need to move forward with the secure dns update using nsupdate, but this has to be done with the option nsupdate -g -o and is not available in this version of BIND (9.3.2). The fact is that DNS Secure updates support the security protocol GSS-TSIG and nsupdate works with TSIG. We are trying to compile an Open version of BIND (GSS is supported from 9.5 version) but no results at this time. The server is HP UX 11.31 and Itanium.
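
Added example, not part of the thread and not any poster's code: a sketch of the secure-update step discussed above, for an nsupdate built with GSS-API support (BIND 9.5 or later). The function names and all host, zone, server, address and principal values are constructed placeholders.

```shell
#!/bin/sh
# Added example. Every name passed to these functions is a constructed
# placeholder; substitute the real DNS server, zone, host and principal.

# Accept only hostname characters, so input cannot smuggle extra
# nsupdate commands (spaces, newlines) into the batch.
valid_name() { case $1 in ''|*[!A-Za-z0-9.-]*) return 1;; esac; }

# Emit the nsupdate batch that replaces the A record of one host.
# Arguments: server zone fqdn ipv4-address [ttl]
build_update() {
    server=$1 zone=$2 fqdn=$3 addr=$4 ttl=${5:-3600}
    for n in "$server" "$zone" "$fqdn"; do
        valid_name "$n" || { echo "bad name: $n" >&2; return 1; }
    done
    case $addr in ''|*[!0-9.]*) echo "bad address" >&2; return 1;; esac
    case $ttl in ''|*[!0-9]*) echo "bad ttl" >&2; return 1;; esac
    printf 'server %s\nzone %s\n' "$server" "$zone"
    printf 'update delete %s A\n' "$fqdn"
    printf 'update add %s %s A %s\nsend\n' "$fqdn" "$ttl" "$addr"
}

# Get a Kerberos ticket if none is cached, then send the batch with
# GSS-TSIG. Arguments: principal, then the build_update arguments.
secure_update() {
    principal=$1; shift
    batch=$(build_update "$@") || return 1
    # klist -s only reports whether a valid ticket is already cached.
    klist -s 2>/dev/null || kinit "$principal" || return 1
    # -g selects GSS-TSIG. The post also mentions -o for Windows 2000;
    # set NSUPDATE_FLAGS="-g -o" if your nsupdate build provides it.
    printf '%s\n' "$batch" | nsupdate ${NSUPDATE_FLAGS:--g}
}

# Example call (placeholders):
# secure_update admin@EXAMPLE.TEST dc1.example.test example.test \
#     hpux1.example.test 192.0.2.10
```

A REFUSED answer from this step against a Secure Only zone means the update arrived without a valid GSS-TSIG signature or the authenticated principal is not permitted to change that record.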