Can't get BIND to use GSSAPI from /usr/local on FreeBSD
Mark Andrews
marka at isc.org
Tue Jun 15 00:31:17 UTC 2010
In message <4C15371C.7070307 at dougbarton.us>, Doug Barton writes:
> On 06/11/10 02:51, John Marshall wrote:
> > BIND 9.7.1rc1
> > FreeBSD 8.1-PRERELEASE
> >
> > I've just stepped into the world of nsupdate (instead of doing the
> > freeze/edit/thaw dance). I have had success using TSIG (nsupdate -k)
> > but I would like to use TKEY-GSS (nsupdate -g). When I try to do that,
> > nsupdate dumps core.
> >
> > $ /usr/bin/nsupdate -g -d
> > > prereq nxdomain rwpc12.mby.riverwillow.net.au.
> > >
> > Reply from SOA query:
> > --------< snip>--------
> > Found zone name: mby.riverwillow.net.au
> > The master is: ns1.mby.riverwillow.net.au
> > start_gssrequest
> > nsupdate: Failed to generate random block
> > Abort trap (core dumped)
> >
> > I suspect the operating system at this point but want to build BIND
> > against separate gssapi_krb5 and OpenSSL libraries in order to isolate
> > the problem.
> >
> > Telling configure --with-openssl=/usr/local does the trick for OpenSSL.
> > Telling configure --with-gssapi=/usr/local makes all the right kind of
> > impressions on config.log, but the linker still ends up using the
> > operating system's gssapi libraries under /usr/lib. Is there something
> > else I need to do to nudge BIND in the direction of libgssapi_krb5 in
> > /usr/local ?
> >
> > Until now I've never built BIND with gssapi, so I'm prepared to be told
> > I've missed something basic.
>
> John,
>
> Don't worry, you haven't. There is a thread on
> freebsd-security at FreeBSD.org atm about the wacky state of our base
> system kerberos, and unfortunately my understanding is that simply
> installing kerberos from ports doesn't help much.
>
> I don't want to get too deep in the weeds on FreeBSD-specific stuff
> here, so you may want to follow up on -security for that stuff. I do
> want to leave the door open however for anyone to comment on
> BIND-specific issues with the configure script.
>
> FYI, there is also
> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/139426 which suggests
> that installing cyrus-sasl2 rather than kerberos from ports may be the
> right way to go. I haven't even started evaluating that patch yet, but
> perhaps someone on this list who has implemented GSS-TSIG could comment?
>
> Personally I loathe kerberos almost as much as windows, so I haven't
> exactly been eager to dive into this, but because there is user demand
> for it I would like to get up to speed so this seems as good a time as any.
>
>
> Doug
Anything in the base system that is also in ports should be in its
own seperate tree(s).
/usr/local/<foo>/{bin,lib,include}
or
/usr/local/{bin,lib,include}/<foo>
This allows one to select the ports or system components on a per
component basis. I prefer the former.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list