Can't get BIND to use GSSAPI from /usr/local on FreeBSD
John Marshall
john.marshall at riverwillow.com.au
Tue Jun 15 06:40:04 UTC 2010
On Sun, 13 Jun 2010, 12:53 -0700, Doug Barton wrote:
> On 06/11/10 02:51, John Marshall wrote:
> >Is there something
> >else I need to do to nudge BIND in the direction of libgssapi_krb5 in
> >/usr/local ?
> >
> >Until now I've never built BIND with gssapi, so I'm prepared to be told
> >I've missed something basic.
>
> Don't worry, you haven't. There is a thread on
> freebsd-security at FreeBSD.org atm about the wacky state of our base
> system kerberos, and unfortunately my understanding is that simply
> installing kerberos from ports doesn't help much.
Thanks Doug, I might even buy into that thread.
> FYI, there is also
> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/139426 which suggests
> that installing cyrus-sasl2 rather than kerberos from ports may be the
> right way to go. I haven't even started evaluating that patch yet, but
> perhaps someone on this list who has implemented GSS-TSIG could comment?
BIND uses GSSAPI directly; SASL is not relevant here at all. (I've
looked at the PR: adding the knob for gssapi makes sense to me, but
requiring SASL doesn't.)
- I can build BIND with --with-openssl=/usr/local
and it will link against the OpenSSL port.
With this configuration nsupdate -g is not available (no gssapi).
- I can build BIND with --with-openssl=/usr
--with-gssapi=/usr
and it links against the base system gssapi and base system OpenSSL.
With this configuration nsupdate -g dies.
- I can build BIND with --with-openssl=/usr/local
--with-gssapi=/usr/local
and it links against the OpenSSL port, the BASE gssapi AND the BASE
OpenSSL (via the base gssapi).
With this configuration nsupdate -g dies.
I want to build BIND against a Kerberos port so that I can see whether
or not the nsupdate -g crash is a problem in the base system's gssapi or
in BIND.
This is the backtrace and it makes the base system gssapi look
suspicious to me:
FreeBSD 8.1-RC1
BIND 9.7.1rc1
rwsrv05> gdb /usr/bin/nsupdate nsupdate.core
-------< snip >--------
(gdb) bt
#0 0x28677c3f in kill () from /lib/libc.so.7
#1 0x28677b9e in raise () from /lib/libc.so.7
#2 0x286769dc in abort () from /lib/libc.so.7
#3 0x286df8ab in krb5_abortx () from /usr/lib/libkrb5.so.10
#4 0x286f3909 in krb5_generate_random_block () from /usr/lib/libkrb5.so.10
#5 0x286d957b in krb5_get_creds_opt_set_ticket () from /usr/lib/libkrb5.so.10
#6 0x286da3ab in krb5_get_creds_opt_set_ticket () from /usr/lib/libkrb5.so.10
#7 0x286da5cf in krb5_get_creds_opt_set_ticket () from /usr/lib/libkrb5.so.10
#8 0x286da950 in krb5_get_creds_opt_set_ticket () from /usr/lib/libkrb5.so.10
#9 0x286db26a in krb5_get_credentials_with_flags () from /usr/lib/libkrb5.so.10
#10 0x286db350 in krb5_get_credentials () from /usr/lib/libkrb5.so.10
#11 0x281fa9cb in _gsskrb5_init_sec_context () from /usr/lib/libgssapi_krb5.so.10
#12 0x286a8d8b in gss_init_sec_context () from /usr/lib/libgssapi.so.10
#13 0x080d79a5 in dst_gssapi_initctx ()
#14 0x080a4683 in dns_tkey_buildgssquery ()
#15 0x080509dd in start_gssrequest ()
#16 0x08051236 in recvsoa ()
#17 0x0816f17b in isc__taskmgr_dispatch ()
#18 0x0817207a in evloop ()
#19 0x08172238 in isc__app_ctxrun ()
#20 0x08172252 in isc__app_run ()
#21 0x0804d7df in main ()
(gdb)
krb5_generate_random_block() fails and, from what I can tell, arguments
from dst_gssapi_initctx() don't make it that far down.
The above was built with...
./configure --prefix=/usr \
--localstatedir=/var \
--sysconfdir=/data/named \
--disable-ipv6 \
--disable-linux-caps \
--with-randomdev=/dev/random \
--with-openssl=/usr/local \
--with-gssapi=/usr/local \
--disable-isc-spnego \
CFLAGS='-O -pipe -march=prescott'
Note how we end up linking against the base system gssapi, the libcrypto
(OpenSSL) from ports AND the base libcrypto (via the base gssapi):
/usr/bin/nsupdate:
libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x281ef000)
libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x28206000)
libxml2.so.5 => /usr/local/lib/libxml2.so.5 (0x28358000)
libz.so.5 => /lib/libz.so.5 (0x28477000)
libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x28489000)
libm.so.5 => /lib/libm.so.5 (0x2857e000)
libc.so.7 => /lib/libc.so.7 (0x28597000)
libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x286a6000)
libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x286af000)
libhx509.so.10 => /usr/lib/libhx509.so.10 (0x2870a000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x2873e000)
libroken.so.10 => /usr/lib/libroken.so.10 (0x28890000)
libasn1.so.10 => /usr/lib/libasn1.so.10 (0x2889f000)
libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x28910000)
libcrypt.so.5 => /lib/libcrypt.so.5 (0x28912000)
Configure seems convinced about using gssapi from /usr/local. Entire
config.log available at:
<http://www.riverwillow.net.au/~john/bind971rc1/config.log>
--
John Marshall
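An added diagnostic, not from the original post or from BIND, for the mixed linkage described above: a POSIX shell function that scans ldd(1)-style output and reports any library base name (libcrypto, libgssapi, ...) that resolves more than once, e.g. libcrypto.so.7 from /usr/local/lib next to libcrypto.so.6 from /lib. The sample listing is constructed from the post's nsupdate output; check_binary is an assumed wrapper for running it against a real binary.

```shell
#!/bin/sh
# Detect a library linked twice under different sonames or prefixes,
# the situation in the nsupdate listing (ports libcrypto + base libcrypto
# pulled in via the base gssapi). Input lines have the ldd(1) shape:
#   libfoo.so.N => /path/libfoo.so.N (0xADDR)

# Constructed sample, abbreviated from the post's ldd output.
SAMPLE_LDD='/usr/bin/nsupdate:
    libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x281ef000)
    libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x28206000)
    libc.so.7 => /lib/libc.so.7 (0x28597000)
    libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x286a6000)
    libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x286af000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x2873e000)'

# find_dup_libs: read ldd output on stdin. For every base name (the part
# before ".so") that resolves more than once, print one line:
#   <base> <soname>@<path> <soname>@<path> ...
# Exit status is 1 when at least one duplicate was found, 0 otherwise.
find_dup_libs() {
    awk '
        $2 == "=>" && $3 ~ /^\// {
            base = $1; sub(/\.so.*$/, "", base)
            count[base]++
            detail[base] = detail[base] " " $1 "@" $3
        }
        END {
            dups = 0
            for (b in count) if (count[b] > 1) { print b detail[b]; dups = 1 }
            exit dups
        }'
}

# check_binary: assumed wrapper; FreeBSD ldd prints the same "=>" format.
check_binary() {
    ldd "$1" | find_dup_libs
}

# Demonstration on the constructed sample: a non-zero status means the
# binary carries two copies of the same library, as nsupdate did above.
if dups=$(printf '%s\n' "$SAMPLE_LDD" | find_dup_libs); then
    echo "no duplicate libraries"
else
    echo "mixed linkage detected:"
    echo "$dups"
fi
```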