FreeBSD-14.3 nsupdate krb5 failure (beyond issue 4436)
Peter 'PMc' Much
pmc at citylink.dinoex.sub.org
Mon Aug 25 20:41:17 UTC 2025
Hi folks,
I am upgrading FreeBSD from 13.5 to 14.3. I am running named
9.18.38; things did work previously with OS-builtin Heimdal krb5.
I noticed issue 4436, and after seeing nsupdate indeed coredump
and the server indeed report "unknown mech-code 0 for mech unknown",
I recompiled both for MIT krb5, and installed and configured these
libs.
I have another node where both libs are installed and working,
running pgadmin4 server (but that one is still on FBSD 13.5).
nsupdate is NOT working now with MIT krb5 and FBSD 14.3.
This is the error:
---------------------------------------------
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4885
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;3478577972.sig-conr-e.intra.daemon.contact. ANY TKEY
;; ANSWER SECTION:
3478577972.sig-conr-e.intra.daemon.contact. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
dns_tkey_gssnegotiate: TKEY is unacceptable
---------------------------------------------
With debugging the server reports this:
client @0x1fd41731b090 fd00::4202#19192
(3656045201.sig-conr-e.intra.daemon.contact): view intra: query:
3656045201.sig-conr-e.intra.daemon.contact ANY TKEY -T (fd00::4202)
failed gss_inquire_cred: GSSAPI error: Major = No credentials were
supplied, or the credentials were unavailable or inaccessible,
Minor = No Kerberos credentials available (default cache:
FILE:/tmp/krb5cc_53).
failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS
failure. Minor code may provide more information, Minor =
Cryptosystem internal error.
process_gsstkey(): dns_tsigerror_badkey
I have removed the "tkey-gssapi-credential" option due to another
recommendation, so the only relevant configuration is now
tkey-gssapi-keytab "/etc/krb5-named.keytab";
And that one contains the correct cred, both in root and chroot:
ktutil: rkt /var/named/etc/krb5-named.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 DNS/conr-e.intra.daemon.contact@OUTRA.PHASE23
When nsupdate is invoked, it obtains that same cred.
Inside the server I did follow the proceedings via
process_gsstkey() -> dst_gssapi_acceptctx() ->
gss_accept_sec_context()
which returns GSS_S_FAILURE
For some strange reason, krb5 tries to create an rcache (but it does
not try to connect to the Kerberos server):
root at conr:/var/named/etc # ls -l /var/named/var/tmp/
total 1
-rw------- 1 bind wheel 0 Aug 25 20:51 krb5_53.rcache2
Somehow this looks like krb5 believes itself to be a (forwarding?)
client, not a server.
When I reinsert the deprecated "tkey-gssapi-credential" option, the
behaviour is significantly different: the empty krb5_53.rcache2 file
is not created, the "No Kerberos credentials available" error does not
appear. Instead I see this during startup:
acquiring credentials for DNS/conr-e.intra.daemon.contact@OUTRA.PHASE23
acquired accept credentials for DNS/conr-e.intra.daemon.contact@OUTRA.PHASE23
gss cred: "DNS/conr-e.intra.daemon.contact@OUTRA.PHASE23",
GSS_C_ACCEPT, 4294967295
However, the "Cryptosystem internal error." does appear all the same.
Here is my MIT krb5 config. This is proven to work with pgadmin4
in spnego browser signon and ticket delegation mode:
[libdefaults]
default_realm = OUTRA.PHASE23
allow_weak_crypto = false
dns_canonicalize_hostname = fallback
dns_lookup_kdc = false
dns_uri_lookup = false
enforce_ok_as_delegate = false
forwardable = false
ignore_acceptor_hostname = false
k5login_authoritative = true
noaddresses = false
proxiable = false
realm_try_domains = -1
ticket_lifetime = 8h
renew_lifetime = 14h
And the server config:
starting BIND 9.18.38 (Extended Support Version) <id:0c70859>
running on FreeBSD amd64 14.3-RELEASE-p2 FreeBSD
14.3-RELEASE-p2[41b6a80e6085=5982521fe3dd+42] C6R14V1
built with '--disable-linux-caps' '--enable-dnsrps'
'--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb'
'--with-dlopen=yes' '--with-openssl=/usr' '--with-readline=libedit'
'--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip'
'--without-maxminddb' 'CFLAGS=-I/usr/local/include -O2 -pipe -O0 -g
-march=haswell -DLIBICONV_PLUG -fstack-protector-strong -isystem
/usr/local/include -fno-strict-aliasing ' 'LDFLAGS=-L/usr/local/lib
-O0 -g -L/usr/local/lib -ljson-c -Wl,-rpath,/usr/local/lib:/usr/lib
-fstack-protector-strong ' 'LIBS=-lkrb5 -lgssapi_krb5
-L/usr/local/lib' 'KRB5CONFIG=/usr/local/bin/krb5-config'
'--with-gssapi=/usr/local/bin/krb5-config' '--with-libidn2=/usr/local'
'--disable-largefile' '--without-lmdb' '--disable-querytrace'
'--with-json-c' '--with-libxml2' '--enable-tcp-fastopen'
'--prefix=/usr/local' '--mandir=/usr/local/share/man'
'--disable-silent-rules' '--infodir=/usr/local/share/info/'
'--build=amd64-portbld-freebsd14.3'
'build_alias=amd64-portbld-freebsd14.3' 'CC=cc'
'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp'
'PKG_CONFIG=pkgconf'
'PKG_CONFIG_LIBDIR=/usr/ports/dns/bind918/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/local/share/pkgconfig:/usr/libdata/pkgconfig'
'READLINE_CFLAGS=-L/usr/local/lib'
running as: named -n 1 -S 10000 -d 99 -g -t /var/named -u bind -c
/usr/local/etc/namedb/named.conf
compiled by CLANG FreeBSD Clang 19.1.7
(https://github.com/llvm/llvm-project.git
llvmorg-19.1.7-0-gcd708029e0b2)
compiled with OpenSSL version: OpenSSL 3.0.16 11 Feb 2025
linked to OpenSSL version: OpenSSL 3.0.16 11 Feb 2025
compiled with libuv version: 1.51.0
linked to libuv version: 1.51.0
compiled with libxml2 version: 2.14.5
linked to libxml2 version: 21405
compiled with json-c version: 0.18
linked to json-c version: 0.18
compiled with zlib version: 1.3.1
linked to zlib version: 1.3.1
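Added example, not code from the post or from BIND: a small parser for the TKEY resource record in presentation format, as nsupdate -d prints it in the reply above, decoding the mode and error fields per RFC 2930 so the "3 BADKEY 0 0" tail can be read without looking up the numbers. The sample line is copied from the post; the key/other blobs are assumed to be base64 tokens that are simply omitted when their size is 0.

```python
import base64
from dataclasses import dataclass

# RFC 2930: TKEY mode values (section 2.5) and error codes (section 2.6,
# the same code space as the TSIG RCODEs of RFC 2845).
TKEY_MODES = {1: "server assignment", 2: "Diffie-Hellman exchange",
              3: "GSS-API negotiation", 4: "resolver assignment",
              5: "key deletion"}
TKEY_ERRORS = {0: "NOERROR", 16: "BADSIG", 17: "BADKEY", 18: "BADTIME",
               19: "BADMODE", 20: "BADNAME", 21: "BADALG"}
ERROR_BY_NAME = {name: code for code, name in TKEY_ERRORS.items()}

@dataclass
class TKey:
    owner: str
    algorithm: str
    inception: int
    expiration: int
    mode: int
    error: int
    key: bytes
    other: bytes

def _sized_blob(fields, pos):
    # "<size> [<base64>]": the base64 token is absent when the size is 0
    size = int(fields[pos])
    pos += 1
    if size == 0:
        return b"", pos
    return base64.b64decode(fields[pos]), pos + 1

def parse_tkey(rr_text: str) -> TKey:
    # owner ttl class TKEY algorithm inception expiration mode error
    #   keysize [key] othersize [other]
    f = rr_text.split()
    if len(f) < 11 or f[3] != "TKEY":
        raise ValueError("not a TKEY RR in presentation format")
    err = int(f[8]) if f[8].isdigit() else ERROR_BY_NAME.get(f[8])
    if err is None:
        raise ValueError(f"unknown TKEY error mnemonic {f[8]}")
    key, pos = _sized_blob(f, 9)
    other, _ = _sized_blob(f, pos)
    return TKey(f[0], f[4], int(f[5]), int(f[6]), int(f[7]), err, key, other)

def explain(t: TKey) -> str:
    mode = TKEY_MODES.get(t.mode, f"unknown mode {t.mode}")
    err = TKEY_ERRORS.get(t.error, f"unknown error {t.error}")
    if t.error != 0 and not t.key:
        # No GSS token came back, so the server rejected the negotiation
        # before a context existed: look at its gss_accept_sec_context log.
        return f"{mode} rejected with {err}, no GSS token returned"
    return f"{mode}, {err}, {len(t.key)}-byte token"

# Constructed from the nsupdate -d reply quoted in the post.
SAMPLE = ("3478577972.sig-conr-e.intra.daemon.contact. 0 ANY TKEY gss-tsig. "
          "0 0 3 BADKEY 0 0")
```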