Can't get BIND to use GSSAPI from /usr/local on FreeBSD
Doug Barton
dougb at dougbarton.us
Sun Jun 13 19:53:00 UTC 2010
On 06/11/10 02:51, John Marshall wrote:
> BIND 9.7.1rc1
> FreeBSD 8.1-PRERELEASE
>
> I've just stepped into the world of nsupdate (instead of doing the
> freeze/edit/thaw dance). I have had success using TSIG (nsupdate -k)
> but I would like to use TKEY-GSS (nsupdate -g). When I try to do that,
> nsupdate dumps core.
>
> $ /usr/bin/nsupdate -g -d
> > prereq nxdomain rwpc12.mby.riverwillow.net.au.
> >
> Reply from SOA query:
> --------< snip>--------
> Found zone name: mby.riverwillow.net.au
> The master is: ns1.mby.riverwillow.net.au
> start_gssrequest
> nsupdate: Failed to generate random block
> Abort trap (core dumped)
>
> I suspect the operating system at this point but want to build BIND
> against separate gssapi_krb5 and OpenSSL libraries in order to isolate
> the problem.
>
> Telling configure --with-openssl=/usr/local does the trick for OpenSSL.
> Telling configure --with-gssapi=/usr/local makes all the right kind of
> impressions on config.log, but the linker still ends up using the
> operating system's gssapi libraries under /usr/lib. Is there something
> else I need to do to nudge BIND in the direction of libgssapi_krb5 in
> /usr/local ?
>
> Until now I've never built BIND with gssapi, so I'm prepared to be told
> I've missed something basic.
John,
Don't worry, you haven't. There is a thread on
freebsd-security at FreeBSD.org atm about the wacky state of our base
system kerberos, and unfortunately my understanding is that simply
installing kerberos from ports doesn't help much.
I don't want to get too deep in the weeds on FreeBSD-specific stuff
here, so you may want to follow up on -security for that stuff. I do
want to leave the door open however for anyone to comment on
BIND-specific issues with the configure script.
FYI, there is also
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/139426 which suggests
that installing cyrus-sasl2 rather than kerberos from ports may be the
right way to go. I haven't even started evaluating that patch yet, but
perhaps someone on this list who has implemented GSS-TSIG could comment?
Personally I loathe kerberos almost as much as windows, so I haven't
exactly been eager to dive into this, but because there is user demand
for it I would like to get up to speed so this seems as good a time as any.
Doug
--
... and that's just a little bit of history repeating.
-- Propellerheads
Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/
More information about the bind-users
mailing list