Use tkey-gssapi-keytab in named.conf

Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential and tkey-domain and replace them with tkey-gssapi-keytab which avoids unnecessary Kerberos checks on BIND startup and can cause issues when KDC is not available. Both new and current IPA installations are updated. https://fedorahosted.org/freeipa/ticket/3429
author: Martin Kosek <mkosek@redhat.com> 2013-03-14 10:30:32 +0100
committer: Rob Crittenden <rcritten@redhat.com> 2013-03-14 10:50:24 -0400
commit: 7a2d3804af8e477cf8bfcc36eed78b72c8d8c980 (patch)
tree: 988b9d15c16861d52f361123f5fa499b99ff54d5 /install/share
parent: ca6f7f24509de8aa6346f847a3647c582cb913b4 (diff)
download: freeipa-7a2d3804af8e477cf8bfcc36eed78b72c8d8c980.tar.gz
freeipa-7a2d3804af8e477cf8bfcc36eed78b72c8d8c980.tar.xz
freeipa-7a2d3804af8e477cf8bfcc36eed78b72c8d8c980.zip
1 files changed, 1 insertions, 2 deletions
diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index 9fdd91319..b12df593a 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -14,8 +14,7 @@ options {
 	// Any host is permitted to issue recursive queries
 	allow-recursion { any; };
 
-	tkey-gssapi-credential "DNS/$FQDN";
-	tkey-domain "$REALM";
+	tkey-gssapi-keytab "/etc/named.keytab";
 };
 
 /* If you want to enable debugging, eg. using the 'rndc trace' command,
author	Martin Kosek <mkosek@redhat.com>	2013-03-14 10:30:32 +0100
committer	Rob Crittenden <rcritten@redhat.com>	2013-03-14 10:50:24 -0400
commit	7a2d3804af8e477cf8bfcc36eed78b72c8d8c980 (patch)
tree	988b9d15c16861d52f361123f5fa499b99ff54d5 /install/share
parent	ca6f7f24509de8aa6346f847a3647c582cb913b4 (diff)
download	freeipa-7a2d3804af8e477cf8bfcc36eed78b72c8d8c980.tar.gz freeipa-7a2d3804af8e477cf8bfcc36eed78b72c8d8c980.tar.xz freeipa-7a2d3804af8e477cf8bfcc36eed78b72c8d8c980.zip