Can't get BIND to use GSSAPI from /usr/local on FreeBSD

Doug Barton dougb at dougbarton.us
Sun Jun 13 19:53:00 UTC 2010


On 06/11/10 02:51, John Marshall wrote:
>    BIND 9.7.1rc1
>    FreeBSD 8.1-PRERELEASE
>
> I've just stepped into the world of nsupdate (instead of doing the
> freeze/edit/thaw dance).  I have had success using TSIG (nsupdate -k)
> but I would like to use TKEY-GSS (nsupdate -g).  When I try to do that,
> nsupdate dumps core.
>
>    $ /usr/bin/nsupdate -g -d
>    >  prereq nxdomain rwpc12.mby.riverwillow.net.au.
>    >
>    Reply from SOA query:
>    --------<  snip>--------
>    Found zone name: mby.riverwillow.net.au
>    The master is: ns1.mby.riverwillow.net.au
>    start_gssrequest
>    nsupdate: Failed to generate random block
>    Abort trap (core dumped)
>
> I suspect the operating system at this point but want to build BIND
> against separate gssapi_krb5 and OpenSSL libraries in order to isolate
> the problem.
>
> Telling configure --with-openssl=/usr/local does the trick for OpenSSL.
> Telling configure --with-gssapi=/usr/local makes all the right kind of
> impressions on config.log, but the linker still ends up using the
> operating system's gssapi libraries under /usr/lib.  Is there something
> else I need to do to nudge BIND in the direction of libgssapi_krb5 in
> /usr/local ?
>
> Until now I've never built BIND with gssapi, so I'm prepared to be told
> I've missed something basic.

John,

Don't worry, you haven't. There is a thread on 
freebsd-security at FreeBSD.org at the moment about the wacky state of our base 
system kerberos, and unfortunately my understanding is that simply 
installing kerberos from ports doesn't help much.

I don't want to get too deep in the weeds on FreeBSD-specific stuff 
here, so you may want to follow up on -security for that stuff. I do 
want to leave the door open however for anyone to comment on 
BIND-specific issues with the configure script.

FYI, there is also 
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/139426 which suggests 
that installing cyrus-sasl2 rather than kerberos from ports may be the 
right way to go. I haven't even started evaluating that patch yet, but 
perhaps someone on this list who has implemented GSS-TSIG could comment?

Personally I loathe kerberos almost as much as Windows, so I haven't 
exactly been eager to dive into this, but because there is user demand 
for it I would like to get up to speed, so this seems as good a time as any.


Doug

-- 

	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/

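As an added example (not from the thread, and not BIND's or FreeBSD's own tooling), here is a quick way to confirm John's observation that the build was linked against the base-system GSSAPI under /usr/lib rather than the ports libraries under /usr/local: pipe the `ldd` output of the built binary through a small check. The two blocks of `ldd` output embedded below are constructed for the example; sonames, version numbers and load addresses are illustrative, not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the thread: verify which GSSAPI/Kerberos
# libraries a BIND binary will really load, so a --with-gssapi=/usr/local
# build that was silently linked against /usr/lib is caught before
# nsupdate -g is even tried.
#
# Real usage:   ldd /usr/local/sbin/named   | check_gss_prefix /usr/local/lib
#               ldd /usr/local/bin/nsupdate | gss_libs

# Print every GSSAPI/Kerberos library from ldd output on stdin as "soname => path".
gss_libs() {
    awk '/gssapi|krb5/ && /=>/ { print $1 " => " $3 }'
}

# Exit 0 only if every GSSAPI/Kerberos library in the ldd output on stdin
# resolves under the directory given as $1; otherwise print the offenders
# and exit 1.
check_gss_prefix() {
    awk -v p="$1" '
        BEGIN { bad = 0 }
        /gssapi|krb5/ && /=>/ {
            if (index($3, p "/") != 1) {
                printf "resolves outside %s: %s => %s\n", p, $1, $3
                bad = 1
            }
        }
        END { exit bad }'
}

# Constructed sample ldd output (not captured from a real system; sonames and
# addresses are illustrative). SAMPLE_BAD mimics the symptom in the thread:
# OpenSSL came from /usr/local, but gssapi/krb5 still came from /usr/lib.
SAMPLE_BAD='/usr/local/sbin/named:
        libgssapi.so.9 => /usr/lib/libgssapi.so.9 (0x800a00000)
        libkrb5.so.9 => /usr/lib/libkrb5.so.9 (0x800b00000)
        libcrypto.so.6 => /usr/local/lib/libcrypto.so.6 (0x800c00000)
        libc.so.7 => /lib/libc.so.7 (0x800d00000)'

# SAMPLE_GOOD is what a build that really used the ports libraries would show.
SAMPLE_GOOD='/usr/local/sbin/named:
        libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x800a00000)
        libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x800b00000)
        libcrypto.so.6 => /usr/local/lib/libcrypto.so.6 (0x800c00000)
        libc.so.7 => /lib/libc.so.7 (0x800d00000)'

# Number of GSSAPI/Kerberos libraries found in a block of ldd output.
count_gss_libs() {
    printf '%s\n' "$1" | gss_libs | wc -l | tr -d ' '
}

# Demo when run as: sh this_script.sh demo
if [ "${1-}" = "demo" ]; then
    echo "--- bad build ---"
    printf '%s\n' "$SAMPLE_BAD"  | check_gss_prefix /usr/local/lib || echo "FAIL: base-system gssapi/krb5 linked in"
    echo "--- good build ---"
    printf '%s\n' "$SAMPLE_GOOD" | check_gss_prefix /usr/local/lib && echo "OK: all gssapi/krb5 libs under /usr/local/lib"
fi
```

If the check fails on a freshly built binary, the usual autoconf lever is to pass `LDFLAGS='-L/usr/local/lib -Wl,-rpath,/usr/local/lib'` to `configure` alongside `--with-gssapi=/usr/local`; that is general autoconf practice, and the thread does not establish whether it is sufficient for BIND on this FreeBSD release.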