FreeBSD-14.3 nsupdate krb5 failure (beyond issue 4436)
Ondřej Surý
ondrej at isc.org
Tue Aug 26 12:34:34 UTC 2025
Hmm, given the recent f^Hhiccup in mit krb5, I would suggest trying a less recent version and/or reporting this to upstream.
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> On 25. 8. 2025, at 22:45, Peter 'PMc' Much <pmc at citylink.dinoex.sub.org> wrote:
>
> Hi folks,
>
> I am upgrading FreeBSD from 13.5 to 14.3. I am running named
> 9.18.38; things did work previously with OS-builtin Heimdal krb5.
> I noticed issue 4436, and after seeing nsupdate indeed coredump
> and the server indeed report "unknown mech-code 0 for mech unknown",
> I recompiled both for MIT krb5, and installed and configured these
> libs.
>
> I have another node where both libs are installed and working,
> running pgadmin4 server (but that one is still on FBSD 13.5).
>
> nsupdate is NOT working now with MIT krb5 and FBSD 14.3.
> This is the error:
> ---------------------------------------------
> recvmsg reply from GSS-TSIG query
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4885
> ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;3478577972.sig-conr-e.intra.daemon.contact. ANY TKEY
>
> ;; ANSWER SECTION:
> 3478577972.sig-conr-e.intra.daemon.contact. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
>
> dns_tkey_gssnegotiate: TKEY is unacceptable
> ---------------------------------------------
> With debugging the server reports this:
>
> client @0x1fd41731b090 fd00::4202#19192
> (3656045201.sig-conr-e.intra.daemon.contact): view intra: query:
> 3656045201.sig-conr-e.intra.daemon.contact ANY TKEY -T (fd00::4202)
> failed gss_inquire_cred: GSSAPI error: Major = No credentials were
> supplied, or the credentials were unavailable or inaccessible,
> Minor = No Kerberos credentials available (default cache:
> FILE:/tmp/krb5cc_53).
> failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS
> failure. Minor code may provide more information, Minor =
> Cryptosystem internal error.
> process_gsstkey(): dns_tsigerror_badkey
>
> I have removed the "tkey-gssapi-credential" option due to another
> recommendation, so the only relevant configuration is now
> tkey-gssapi-keytab "/etc/krb5-named.keytab";
>
> And that one contains the correct cred, both in root and chroot:
> ktutil: rkt /var/named/etc/krb5-named.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 1 DNS/conr-e.intra.daemon.contact@OUTRA.PHASE23
>
> When nsupdate is invoked, it obtains that same cred.
>
> Inside the server I did follow the proceedings via
> process_gsstkey() -> dst_gssapi_acceptctx() ->
> gss_accept_sec_context()
> which returns GSS_S_FAILURE
>
> For strange reasons the krb5 tries to create an rcache (but it does
> not try to connect to the kerberos server):
> root@conr:/var/named/etc # ls -l /var/named/var/tmp/
> total 1
> -rw------- 1 bind wheel 0 Aug 25 20:51 krb5_53.rcache2
>
> Somehow this looks like the krb5 believes itself to be a (forwarding?)
> client, not a server.
>
> When I reinsert the deprecated "tkey-gssapi-credential" option, the
> behaviour is significantly different: the empty krb5_53.rcache2 file
> is not created, the "No Kerberos credentials available" error does not
> appear. Instead I see this during startup:
>
> acquiring credentials for DNS/conr-e.intra.daemon.contact@OUTRA.PHASE23
> acquired accept credentials for DNS/conr-e.intra.daemon.contact@OUTRA.PHASE23
> gss cred: "DNS/conr-e.intra.daemon.contact@OUTRA.PHASE23",
> GSS_C_ACCEPT, 4294967295
>
> However, the "Cryptosystem internal error." does appear all the same.
>
>
> Here is my MIT krb5 config. This is proven to work with pgadmin4
> in spnego browser signon and ticket delegation mode:
> [libdefaults]
> default_realm = OUTRA.PHASE23
> allow_weak_crypto = false
> dns_canonicalize_hostname = fallback
> dns_lookup_kdc = false
> dns_uri_lookup = false
> enforce_ok_as_delegate = false
> forwardable = false
> ignore_acceptor_hostname = false
> k5login_authoritative = true
> noaddresses = false
> proxiable = false
> realm_try_domains = -1
> ticket_lifetime = 8h
> renew_lifetime = 14h
>
> And the server config:
>
> starting BIND 9.18.38 (Extended Support Version) <id:0c70859>
> running on FreeBSD amd64 14.3-RELEASE-p2 FreeBSD
> 14.3-RELEASE-p2[41b6a80e6085=5982521fe3dd+42] C6R14V1
> built with '--disable-linux-caps' '--enable-dnsrps'
> '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb'
> '--with-dlopen=yes' '--with-openssl=/usr' '--with-readline=libedit'
> '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip'
> '--without-maxminddb' 'CFLAGS=-I/usr/local/include -O2 -pipe -O0 -g
> -march=haswell -DLIBICONV_PLUG -fstack-protector-strong -isystem
> /usr/local/include -fno-strict-aliasing ' 'LDFLAGS=-L/usr/local/lib
> -O0 -g -L/usr/local/lib -ljson-c -Wl,-rpath,/usr/local/lib:/usr/lib
> -fstack-protector-strong ' 'LIBS=-lkrb5 -lgssapi_krb5
> -L/usr/local/lib' 'KRB5CONFIG=/usr/local/bin/krb5-config'
> '--with-gssapi=/usr/local/bin/krb5-config' '--with-libidn2=/usr/local'
> '--disable-largefile' '--without-lmdb' '--disable-querytrace'
> '--with-json-c' '--with-libxml2' '--enable-tcp-fastopen'
> '--prefix=/usr/local' '--mandir=/usr/local/share/man'
> '--disable-silent-rules' '--infodir=/usr/local/share/info/'
> '--build=amd64-portbld-freebsd14.3'
> 'build_alias=amd64-portbld-freebsd14.3' 'CC=cc'
> 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp'
> 'PKG_CONFIG=pkgconf'
> 'PKG_CONFIG_LIBDIR=/usr/ports/dns/bind918/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/local/share/pkgconfig:/usr/libdata/pkgconfig'
> 'READLINE_CFLAGS=-L/usr/local/lib'
> running as: named -n 1 -S 10000 -d 99 -g -t /var/named -u bind -c
> /usr/local/etc/namedb/named.conf
> compiled by CLANG FreeBSD Clang 19.1.7
> (https://github.com/llvm/llvm-project.git
> llvmorg-19.1.7-0-gcd708029e0b2)
> compiled with OpenSSL version: OpenSSL 3.0.16 11 Feb 2025
> linked to OpenSSL version: OpenSSL 3.0.16 11 Feb 2025
> compiled with libuv version: 1.51.0
> linked to libuv version: 1.51.0
> compiled with libxml2 version: 2.14.5
> linked to libxml2 version: 21405
> compiled with json-c version: 0.18
> linked to json-c version: 0.18
> compiled with zlib version: 1.3.1
> linked to zlib version: 1.3.1
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
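As an added example (not code from the thread or from BIND), a small Python triage script that groups named's GSS-TSIG debug records, like those quoted above, into one entry per TKEY query, so the first failing GSSAPI call and its minor-code text can be read off per client. The log sample is constructed from the quoted output; the second client and its names are invented.

```python
import re
from typing import Dict, List

# Constructed sample of `named -d 99` output, modelled on the records quoted
# in the thread (one record per line; the second client is an invented success).
SAMPLE_LOG = """\
client @0x1fd41731b090 fd00::4202#19192 (3656045201.sig-conr-e.intra.daemon.contact): view intra: query: 3656045201.sig-conr-e.intra.daemon.contact ANY TKEY -T (fd00::4202)
failed gss_inquire_cred: GSSAPI error: Major = No credentials were supplied, or the credentials were unavailable or inaccessible, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_53).
failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Cryptosystem internal error.
process_gsstkey(): dns_tsigerror_badkey
client @0x1fd41731b0a0 fd00::4203#40001 (1757000000.sig-host2.example): view intra: query: 1757000000.sig-host2.example ANY TKEY -T (fd00::4203)
"""

# A TKEY query record: client address#port and the TKEY owner name.
CLIENT_RE = re.compile(r"^client \S+ (?P<addr>\S+#\d+) \((?P<tkey>\S+)\): .*\bANY TKEY\b")
# A GSSAPI failure record; Major text may contain commas, so stop at the first ", Minor = ".
GSS_RE = re.compile(r"^failed (?P<call>gss_\w+): GSSAPI error: Major = (?P<major>.+?), Minor = (?P<minor>.+?)\.?$")
TSIG_RE = re.compile(r"^process_gsstkey\(\): (?P<err>dns_tsigerror_\w+)$")

def parse_tkey_log(text: str) -> List[Dict]:
    """Group GSS-TSIG debug records into one dict per TKEY query, in log order."""
    exchanges: List[Dict] = []
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            exchanges.append({"client": m["addr"], "tkey": m["tkey"],
                              "gss_failures": [], "tsig_error": None})
            continue
        if not exchanges:
            continue  # failure record with no preceding TKEY query; skip it
        m = GSS_RE.match(line)
        if m:
            exchanges[-1]["gss_failures"].append((m["call"], m["major"], m["minor"]))
            continue
        m = TSIG_RE.match(line)
        if m:
            exchanges[-1]["tsig_error"] = m["err"]
    return exchanges

def failed_exchanges(text: str) -> List[Dict]:
    """Only the TKEY negotiations that ended in a TSIG error or hit a GSS failure."""
    return [x for x in parse_tkey_log(text) if x["tsig_error"] or x["gss_failures"]]

if __name__ == "__main__":
    for x in failed_exchanges(SAMPLE_LOG):
        print(f"{x['client']} {x['tkey']}: {x['tsig_error']}")
        for call, _major, minor in x["gss_failures"]:
            print(f"    {call}: {minor}")  # the first failing call is where to start looking
```

Feed it `named -d 99 -g` output to see, per client, whether the acceptor already fails at gss_inquire_cred (no credentials found) or only later in gss_accept_sec_context.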