Can't get BIND to use GSSAPI from /usr/local on FreeBSD

Mark Andrews marka at isc.org
Tue Jun 15 00:31:17 UTC 2010


In message <4C15371C.7070307 at dougbarton.us>, Doug Barton writes:
> On 06/11/10 02:51, John Marshall wrote:
> >    BIND 9.7.1rc1
> >    FreeBSD 8.1-PRERELEASE
> >
> > I've just stepped into the world of nsupdate (instead of doing the
> > freeze/edit/thaw dance).  I have had success using TSIG (nsupdate -k)
> > but I would like to use TKEY-GSS (nsupdate -g).  When I try to do that,
> > nsupdate dumps core.
> >
> >    $ /usr/bin/nsupdate -g -d
> >    >  prereq nxdomain rwpc12.mby.riverwillow.net.au.
> >    >
> >    Reply from SOA query:
> >    --------<  snip>--------
> >    Found zone name: mby.riverwillow.net.au
> >    The master is: ns1.mby.riverwillow.net.au
> >    start_gssrequest
> >    nsupdate: Failed to generate random block
> >    Abort trap (core dumped)
> >
> > I suspect the operating system at this point but want to build BIND
> > against separate gssapi_krb5 and OpenSSL libraries in order to isolate
> > the problem.
> >
> > Telling configure --with-openssl=/usr/local does the trick for OpenSSL.
> > Telling configure --with-gssapi=/usr/local makes all the right kind of
> > impressions on config.log, but the linker still ends up using the
> > operating system's gssapi libraries under /usr/lib.  Is there something
> > else I need to do to nudge BIND in the direction of libgssapi_krb5 in
> > /usr/local ?
> >
> > Until now I've never built BIND with gssapi, so I'm prepared to be told
> > I've missed something basic.
> 
> John,
> 
> Don't worry, you haven't. There is a thread on 
> freebsd-security at FreeBSD.org atm about the wacky state of our base 
> system kerberos, and unfortunately my understanding is that simply 
> installing kerberos from ports doesn't help much.
> 
> I don't want to get too deep in the weeds on FreeBSD-specific stuff 
> here, so you may want to follow up on -security for that stuff. I do 
> want to leave the door open however for anyone to comment on 
> BIND-specific issues with the configure script.
> 
> FYI, there is also 
> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/139426 which suggests 
> that installing cyrus-sasl2 rather than kerberos from ports may be the 
> right way to go. I haven't even started evaluating that patch yet, but 
> perhaps someone on this list who has implemented GSS-TSIG could comment?
> 
> Personally I loathe kerberos almost as much as windows, so I haven't 
> exactly been eager to dive into this, but because there is user demand 
> for it I would like to get up to speed so this seems as good a time as any.
> 
> 
> Doug

Anything in the base system that is also in ports should be in its
own separate tree(s).

	/usr/local/<foo>/{bin,lib,include}
or

	/usr/local/{bin,lib,include}/<foo>

This allows one to select the ports or system components on a per
component basis.  I prefer the former.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
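The symptom John describes (configure accepts --with-gssapi=/usr/local but the binary still pulls the base-system libgssapi from /usr/lib) is only visible at run time, so the check worth doing after any rebuild is to look at what the dynamic linker actually resolves. The script below is an added example for this thread, not code from BIND or from anyone in the discussion. It parses ldd output and fails if any GSSAPI/Kerberos library resolves outside the prefix you intended; SAMPLE_LDD is constructed stand-in output, and the sonames in it are assumed, not taken from a real FreeBSD 8.1 box.

```shell
#!/bin/sh
# Added example: verify which GSSAPI/Kerberos libraries a binary really links.
# A clean configure/link does not prove /usr/local/lib beat /usr/lib; ldd does.
#
# Real use:  ldd /usr/local/bin/nsupdate | resolved_under /usr/local/lib
#
# SAMPLE_LDD is constructed ldd output (sonames assumed) standing in for a
# build where the base-system Heimdal won the library search.
SAMPLE_LDD='/usr/local/bin/nsupdate:
	libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800700000)
	libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800900000)
	libssl.so.7 => /usr/local/lib/libssl.so.7 (0x800b00000)
	libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x800d00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)'

# gss_libs: read ldd output on stdin and print "soname resolved-path" for
# every GSSAPI/Kerberos-related library (gssapi, krb5, heimdal prefixes).
gss_libs() {
    awk '$2 == "=>" && $1 ~ /^lib(gssapi|krb5|heimdal)/ { print $1, $3 }'
}

# resolved_under PREFIX: exit 0 only if every GSSAPI/Kerberos library on
# stdin resolves to a path under PREFIX; otherwise list the offenders on
# stderr and exit 1.  The trailing "/" keeps /usr/lib from matching /usr/local.
resolved_under() {
    prefix=$1
    bad=$(gss_libs | awk -v p="$prefix" 'index($2, p "/") != 1 { print }')
    if [ -n "$bad" ]; then
        printf 'GSSAPI libraries not under %s:\n%s\n' "$prefix" "$bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample: this reports the two
# /usr/lib libraries and exits non-zero, which is the failure John hit.
if [ -z "$GSS_CHECK_NO_MAIN" ]; then
    printf '%s\n' "$SAMPLE_LDD" | resolved_under /usr/local/lib
fi
```

Run it against the real binary rather than the sample to confirm a rebuild took effect. If the check fails after configure reported the /usr/local headers, the usual lever (general linker practice, not something this thread confirms for BIND's configure) is to pass the library directory and a matching run-time search path explicitly via LDFLAGS, for example -L/usr/local/lib -Wl,-rpath,/usr/local/lib, and then re-run the check.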
