r24909: Patch from Andrew Kroeger <andrew@sprocks.gotdns.com> on the slow road

to working GSS-TSIG DDNS.

Andrew Bartlett
(This used to be commit 99f832e7ed)

source4/setup/named.conf

@@ -4,7 +4,7 @@
 #
 
 #insert this into options {}
-tkey-gssapi-credential "DNS/${DNSDOMAIN}"
+tkey-gssapi-credential "DNS/${DNSDOMAIN}";
 tkey-domain "${REALM}";
 
 #the zone file
@@ -19,9 +19,18 @@ zone "${DNSDOMAIN}." IN {
 };
 
 # Also, you need to change your init scripts to set this environment variable
-# for named: KRB_KTNAME so that it points to the keytab generated.
+# for named: KRB5_KTNAME so that it points to the keytab generated.
 # In RedHat derived systems such RHEL/CentOS/Fedora you can add the following
-# line to the /etc/sysconfig/named file
-# export KRB_KTNAME=/etc/named.keytab
-
-# *TODO*: generate and install a keytab file in /etc/named.keytab
+# line to the /etc/sysconfig/named file:
+# export KRB5_KTNAME=${DNS_KEYTAB}
+#
+# Please note that most distributions have BIND configured to run under
+# a non-root user account.  For example, Fedora Core 6 (FC6) runs BIND as
+# the user "named" once the daemon relinquishes its rights.  Therefore,
+# the file "dns.keytab" must be readable by the user that BIND run as.
+# If BIND is running as a non-root user, the "dns.keytab" file must have its
+# permissions altered to allow thge daemon to read it.  In the FC6
+# example, execute the commands:
+# 
+# chgrp named /usr/local/samba/private/dns.keytab
+# chmod g+r /usr/local/samba/private/dns.keytab