On Sun, 13 Jun 2010, 12:53 -0700, Doug Barton wrote:
> On 06/11/10 02:51, John Marshall wrote:
> > Is there something else I need to do to nudge BIND in the direction of
> > libgssapi_krb5 in /usr/local ?
> >
> > Until now I've never built BIND with gssapi, so I'm prepared to be told
> > I've missed something basic.
>
> Don't worry, you haven't. There is a thread on freebsd-secur...@freebsd.org
> atm about the wacky state of our base system kerberos, and unfortunately my
> understanding is that simply installing kerberos from ports doesn't help
> much.

Thanks Doug, I might even buy into that thread.

> FYI, there is also http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/139426
> which suggests that installing cyrus-sasl2 rather than kerberos from ports
> may be the right way to go. I haven't even started evaluating that patch
> yet, but perhaps someone on this list who has implemented GSS-TSIG could
> comment?

BIND uses GSSAPI directly; SASL is not relevant here at all. (I've looked
at the PR: adding the knob for gssapi makes sense to me, but requiring SASL
doesn't.)

- I can build BIND with --with-openssl=/usr/local and it will link against
  the OpenSSL port. With this configuration nsupdate -g is not available
  (no gssapi).

- I can build BIND with --with-openssl=/usr --with-gssapi=/usr and it links
  against the base system gssapi and base system OpenSSL. With this
  configuration nsupdate -g dies.

- I can build BIND with --with-openssl=/usr/local --with-gssapi=/usr/local
  and it links against the OpenSSL port, the BASE gssapi AND the BASE
  OpenSSL (via the base gssapi). With this configuration nsupdate -g dies.

I want to build BIND against a Kerberos port so that I can see whether or
not the nsupdate -g crash is a problem in the base system's gssapi or in
BIND.

This is the backtrace, and it makes the base system gssapi look suspicious
to me:

FreeBSD 8.1-RC1
BIND 9.7.1rc1

rwsrv05> gdb /usr/bin/nsupdate nsupdate.core
-------< snip >--------
(gdb) bt
#0  0x28677c3f in kill () from /lib/libc.so.7
#1  0x28677b9e in raise () from /lib/libc.so.7
#2  0x286769dc in abort () from /lib/libc.so.7
#3  0x286df8ab in krb5_abortx () from /usr/lib/libkrb5.so.10
#4  0x286f3909 in krb5_generate_random_block () from /usr/lib/libkrb5.so.10
#5  0x286d957b in krb5_get_creds_opt_set_ticket () from /usr/lib/libkrb5.so.10
#6  0x286da3ab in krb5_get_creds_opt_set_ticket () from /usr/lib/libkrb5.so.10
#7  0x286da5cf in krb5_get_creds_opt_set_ticket () from /usr/lib/libkrb5.so.10
#8  0x286da950 in krb5_get_creds_opt_set_ticket () from /usr/lib/libkrb5.so.10
#9  0x286db26a in krb5_get_credentials_with_flags () from /usr/lib/libkrb5.so.10
#10 0x286db350 in krb5_get_credentials () from /usr/lib/libkrb5.so.10
#11 0x281fa9cb in _gsskrb5_init_sec_context () from /usr/lib/libgssapi_krb5.so.10
#12 0x286a8d8b in gss_init_sec_context () from /usr/lib/libgssapi.so.10
#13 0x080d79a5 in dst_gssapi_initctx ()
#14 0x080a4683 in dns_tkey_buildgssquery ()
#15 0x080509dd in start_gssrequest ()
#16 0x08051236 in recvsoa ()
#17 0x0816f17b in isc__taskmgr_dispatch ()
#18 0x0817207a in evloop ()
#19 0x08172238 in isc__app_ctxrun ()
#20 0x08172252 in isc__app_run ()
#21 0x0804d7df in main ()
(gdb)

krb5_generate_random_block() fails and, from what I can tell, arguments
from dst_gssapi_initctx() don't make it that far down.

The above was built with...

./configure --prefix=/usr \
    --localstatedir=/var \
    --sysconfdir=/data/named \
    --disable-ipv6 \
    --disable-linux-caps \
    --with-randomdev=/dev/random \
    --with-openssl=/usr/local \
    --with-gssapi=/usr/local \
    --disable-isc-spnego \
    CFLAGS='-O -pipe -march=prescott'

Note how we end up linking against the base system gssapi, the libcrypto
(OpenSSL) from ports AND the base libcrypto (via the base gssapi):

/usr/bin/nsupdate:
        libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x281ef000)
        libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x28206000)
        libxml2.so.5 => /usr/local/lib/libxml2.so.5 (0x28358000)
        libz.so.5 => /lib/libz.so.5 (0x28477000)
        libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x28489000)
        libm.so.5 => /lib/libm.so.5 (0x2857e000)
        libc.so.7 => /lib/libc.so.7 (0x28597000)
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x286a6000)
        libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x286af000)
        libhx509.so.10 => /usr/lib/libhx509.so.10 (0x2870a000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x2873e000)
        libroken.so.10 => /usr/lib/libroken.so.10 (0x28890000)
        libasn1.so.10 => /usr/lib/libasn1.so.10 (0x2889f000)
        libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x28910000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x28912000)

Configure seems convinced about using gssapi from /usr/local. Entire
config.log available at:
<http://www.riverwillow.net.au/~john/bind971rc1/config.log>

--
John Marshall

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
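The mail's ldd output shows the root of the mixed-linkage problem: two different libcrypto sonames (the ports libcrypto.so.7 and the base libcrypto.so.6) are loaded into the same process, so whichever symbol the dynamic linker resolves first wins and the Heimdal random-number path can end up calling into the wrong OpenSSL. The following shell script is an added example, not code from the mail or from BIND or FreeBSD; it parses ldd-style output and reports any library that is pulled in under more than one soname or path, so a build can be checked for this condition before the binary is run. The sample ldd text embedded in it is constructed from the listing quoted in the mail; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: detect the same shared library linked twice under different
# sonames or paths in ldd(1)-style output. Lines have the form
#   libfoo.so.N => /path/to/libfoo.so.N (0xADDR)
# A leading "/path/to/binary:" header line (FreeBSD ldd) is ignored.

# Constructed sample, copied from the nsupdate listing in the mail above.
SAMPLE_LDD='/usr/bin/nsupdate:
        libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x281ef000)
        libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x28206000)
        libxml2.so.5 => /usr/local/lib/libxml2.so.5 (0x28358000)
        libz.so.5 => /lib/libz.so.5 (0x28477000)
        libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x28489000)
        libm.so.5 => /lib/libm.so.5 (0x2857e000)
        libc.so.7 => /lib/libc.so.7 (0x28597000)
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x286a6000)
        libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x286af000)
        libhx509.so.10 => /usr/lib/libhx509.so.10 (0x2870a000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x2873e000)
        libroken.so.10 => /usr/lib/libroken.so.10 (0x28890000)
        libasn1.so.10 => /usr/lib/libasn1.so.10 (0x2889f000)
        libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x28910000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x28912000)'

# find_duplicate_libs TEXT
# Prints one line per library whose base name (the part before ".so")
# resolves to more than one file, in the form
#   libname: /first/path/seen /second/path/seen ...
# Prints nothing when every library is linked exactly once.
find_duplicate_libs() {
    printf '%s\n' "$1" | awk '
        $2 == "=>" {
            name = $1
            sub(/\.so.*$/, "", name)          # libcrypto.so.7 -> libcrypto
            paths[name] = paths[name] " " $3  # keep resolution order
            count[name]++
        }
        END {
            for (n in count)
                if (count[n] > 1) print n ":" paths[n]
        }
    ' | sort
}

# check_binary PATH
# Convenience wrapper for a real binary: runs ldd and reports duplicates.
check_binary() {
    find_duplicate_libs "$(ldd "$1")"
}

# Stand-alone run over the constructed sample.
find_duplicate_libs "$SAMPLE_LDD"
```

Run against the sample it prints `libcrypto: /usr/local/lib/libcrypto.so.7 /lib/libcrypto.so.6`, which is exactly the pairing the mail points at; an empty result means each library was resolved to a single file. The wrapper is meant for a post-build step such as `check_binary /usr/bin/nsupdate`, where a non-empty report is a reason to revisit the --with-openssl and --with-gssapi choices before trusting the binary.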