patches to make bind9 with TKEY/GSS updates easier to configure

tridge at tridge at
Sat Dec 4 10:44:40 UTC 2010

Hi Michael,

I've added 3 more patches to my patch set here:

The patches are:

commit 9d4bcad12a1642a5dd05e848c1b945db9ed1deb9
    nsupdate: propogate gssapi error messages to user
    The "Check your Kerberos ticket, it may have expired" error message is
    not very useful. Give the gssapi error message instead. It's not great
    either, but its more likely to give a useful clue than the existing

commit 8308ed44c5bab6e56915db07f4860685e8016830
    tkey: prevent a const warning when freeing the gssapi_keytab

commit 3c028a3f1e8c4a9f99cf7fafbcdddedff184d665
    nsupdate: allow nsupdate for zones not matching the krb5 default_realm
    GSSAPI has a horrible restriction that it offers no way to override
    the krb5 defaults from /etc/krb5.conf. This means that GSSAPI can't be
    used for anything other than the default realm.
    To overcome that restriction, we can create a temporary krb5.conf and
    use that via the KRB5_CONFIG environment variable. It is a horrible
    approach, but unfortunately necessary with gssapi.

The last patch is certainly strange I know, but GSSAPI doesn't give us
many options if we want to be able to do updates against something
other than the default realm.

Cheers, Tridge

More information about the bind-workers mailing list