Can't get BIND to use GSSAPI from /usr/local on FreeBSD

John Marshall john.marshall at riverwillow.com.au
Tue Jun 15 06:40:04 UTC 2010


On Sun, 13 Jun 2010, 12:53 -0700, Doug Barton wrote:
> On 06/11/10 02:51, John Marshall wrote:
> >Is there something
> >else I need to do to nudge BIND in the direction of libgssapi_krb5 in
> >/usr/local ?
> >
> >Until now I've never built BIND with gssapi, so I'm prepared to be told
> >I've missed something basic.
> 
> Don't worry, you haven't. There is a thread on 
> freebsd-security at FreeBSD.org atm about the wacky state of our base 
> system kerberos, and unfortunately my understanding is that simply 
> installing kerberos from ports doesn't help much.

Thanks Doug, I might even buy into that thread.

> FYI, there is also 
> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/139426 which suggests 
> that installing cyrus-sasl2 rather than kerberos from ports may be the 
> right way to go. I haven't even started evaluating that patch yet, but 
> perhaps someone on this list who has implemented GSS-TSIG could comment?

BIND uses GSSAPI directly; SASL is not relevant here at all.  (I've
looked at the PR: adding the knob for gssapi makes sense to me but
requiring SASL doesn't.)

 - I can build BIND with --with-openssl=/usr/local
   and it will link against the OpenSSL port.
   With this configuration nsupdate -g is not available (no gssapi).

 - I can build BIND with --with-openssl=/usr
                         --with-gssapi=/usr
   and it links against the base system gssapi and base system OpenSSL.
   With this configuration nsupdate -g dies.

 - I can build BIND with --with-openssl=/usr/local
                         --with-gssapi=/usr/local
   and it links against the OpenSSL port, the BASE gssapi AND the BASE
   OpenSSL (via the base gssapi).
   With this configuration nsupdate -g dies.

I want to build BIND against a Kerberos port so that I can see whether
or not the nsupdate -g crash is a problem in the base system's gssapi or
in BIND.

This is the backtrace and it makes the base system gssapi look
suspicious to me:

  FreeBSD 8.1-RC1
  BIND 9.7.1rc1

rwsrv05> gdb /usr/bin/nsupdate nsupdate.core
 -------< snip >--------
(gdb) bt
#0  0x28677c3f in kill () from /lib/libc.so.7
#1  0x28677b9e in raise () from /lib/libc.so.7
#2  0x286769dc in abort () from /lib/libc.so.7
#3  0x286df8ab in krb5_abortx () from /usr/lib/libkrb5.so.10
#4  0x286f3909 in krb5_generate_random_block () from /usr/lib/libkrb5.so.10
#5  0x286d957b in krb5_get_creds_opt_set_ticket () from /usr/lib/libkrb5.so.10
#6  0x286da3ab in krb5_get_creds_opt_set_ticket () from /usr/lib/libkrb5.so.10
#7  0x286da5cf in krb5_get_creds_opt_set_ticket () from /usr/lib/libkrb5.so.10
#8  0x286da950 in krb5_get_creds_opt_set_ticket () from /usr/lib/libkrb5.so.10
#9  0x286db26a in krb5_get_credentials_with_flags () from /usr/lib/libkrb5.so.10
#10 0x286db350 in krb5_get_credentials () from /usr/lib/libkrb5.so.10
#11 0x281fa9cb in _gsskrb5_init_sec_context () from /usr/lib/libgssapi_krb5.so.10
#12 0x286a8d8b in gss_init_sec_context () from /usr/lib/libgssapi.so.10
#13 0x080d79a5 in dst_gssapi_initctx ()
#14 0x080a4683 in dns_tkey_buildgssquery ()
#15 0x080509dd in start_gssrequest ()
#16 0x08051236 in recvsoa ()
#17 0x0816f17b in isc__taskmgr_dispatch ()
#18 0x0817207a in evloop ()
#19 0x08172238 in isc__app_ctxrun ()
#20 0x08172252 in isc__app_run ()
#21 0x0804d7df in main ()
(gdb) 

krb5_generate_random_block() fails and, from what I can tell, arguments
from dst_gssapi_initctx() don't make it that far down.

The above was built with...

  ./configure	--prefix=/usr \
		--localstatedir=/var \
		--sysconfdir=/data/named \
		--disable-ipv6 \
		--disable-linux-caps \
		--with-randomdev=/dev/random \
		--with-openssl=/usr/local \
		--with-gssapi=/usr/local \
		--disable-isc-spnego \
		CFLAGS='-O -pipe -march=prescott'

Note how we end up linking against the base system gssapi, the libcrypto
(OpenSSL) from ports AND the base libcrypto (via the base gssapi):

  /usr/bin/nsupdate:
	libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x281ef000)
	libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x28206000)
	libxml2.so.5 => /usr/local/lib/libxml2.so.5 (0x28358000)
	libz.so.5 => /lib/libz.so.5 (0x28477000)
	libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x28489000)
	libm.so.5 => /lib/libm.so.5 (0x2857e000)
	libc.so.7 => /lib/libc.so.7 (0x28597000)
	libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x286a6000)
	libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x286af000)
	libhx509.so.10 => /usr/lib/libhx509.so.10 (0x2870a000)
	libcrypto.so.6 => /lib/libcrypto.so.6 (0x2873e000)
	libroken.so.10 => /usr/lib/libroken.so.10 (0x28890000)
	libasn1.so.10 => /usr/lib/libasn1.so.10 (0x2889f000)
	libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x28910000)
	libcrypt.so.5 => /lib/libcrypt.so.5 (0x28912000)

Configure seems convinced about using gssapi from /usr/local.  Entire
config.log available at:
  <http://www.riverwillow.net.au/~john/bind971rc1/config.log>

-- 
John Marshall
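The linkage shown above (the OpenSSL port's libcrypto.so.7 and the base libcrypto.so.6 loaded into the same nsupdate process, the second pulled in by the base libgssapi) is the kind of thing worth checking mechanically before chasing a crash into the Kerberos library, since two copies of the same library in one address space can have one library's callers resolve to the other's symbols. The following is an added check, not code from the original post or from BIND/FreeBSD: a POSIX sh script that reads ldd(1) output, groups entries by library base name, and reports any library that resolves to more than one file. The sample ldd lines embedded in it are constructed in the shape of the output quoted above; `ldd_dup_libs` and `check_binary` are names chosen here.

```shell
#!/bin/sh
# Detect two copies of the same shared library (e.g. libcrypto from
# /usr/local and from /lib) linked into one binary via different
# dependency chains. Added example; not from the original post.

# ldd_dup_libs: read ldd(1) output on stdin and print, one per line,
# "<libname>: <path1> <path2> ..." for every library whose base name
# resolves to more than one distinct file.
ldd_dup_libs() {
    # ldd lines look like: "    libfoo.so.N => /path/libfoo.so.N (0x...)".
    # Strip the ".so[.version]" suffix to group by library name, then
    # count the distinct resolved paths per name.
    awk '
        $2 == "=>" && $3 ~ /^\// {
            name = $1
            sub(/\.so(\.[0-9.]+)?$/, "", name)
            key = name SUBSEP $3
            if (!(key in seen)) {
                seen[key] = 1
                n[name]++
                paths[name] = paths[name] " " $3
            }
        }
        END { for (k in n) if (n[k] > 1) print k ":" paths[k] }
    ' | sort
}

# check_binary: run ldd on a real binary and return non-zero if any
# library is loaded twice, printing the offending entries.
check_binary() {
    dups=$(ldd "$1" 2>/dev/null | ldd_dup_libs)
    if [ -n "$dups" ]; then
        printf 'duplicate libraries in %s:\n%s\n' "$1" "$dups"
        return 1
    fi
    return 0
}

# Constructed sample (same shape as the ldd output quoted above, not a
# verbatim copy) showing the port libcrypto and the base libcrypto
# both mapped into one process.
SAMPLE_LDD='	libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x281ef000)
	libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x28206000)
	libc.so.7 => /lib/libc.so.7 (0x28597000)
	libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x286af000)
	libcrypto.so.6 => /lib/libcrypto.so.6 (0x2873e000)'

# Prints "libcrypto: /usr/local/lib/libcrypto.so.7 /lib/libcrypto.so.6"
printf '%s\n' "$SAMPLE_LDD" | ldd_dup_libs
```

On a real system run `check_binary /usr/bin/nsupdate` (or any binary built with `--with-openssl=/usr/local`); a clean build against a single OpenSSL prints nothing and returns 0, while the mixed base/port linkage above is reported as a duplicate libcrypto.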