patches to make bind9 with TKEY/GSS updates easier to configure
tridge at samba.org
Sat Dec 4 10:44:40 UTC 2010
Hi Michael,
I've added 3 more patches to my patch set here:
http://samba.org/tridge/bind9-patches/
git://git.samba.org/tridge/bind9.git
The patches are:
commit 9d4bcad12a1642a5dd05e848c1b945db9ed1deb9
nsupdate: propagate gssapi error messages to user
The "Check your Kerberos ticket, it may have expired" error message is
not very useful. Give the gssapi error message instead. It's not great
either, but it's more likely to give a useful clue than the existing
message.
commit 8308ed44c5bab6e56915db07f4860685e8016830
tkey: prevent a const warning when freeing the gssapi_keytab
commit 3c028a3f1e8c4a9f99cf7fafbcdddedff184d665
nsupdate: allow nsupdate for zones not matching the krb5 default_realm
GSSAPI has a horrible restriction that it offers no way to override
the krb5 defaults from /etc/krb5.conf. This means that GSSAPI can't be
used for anything other than the default realm.
To overcome that restriction, we can create a temporary krb5.conf and
use that via the KRB5_CONFIG environment variable. It is a horrible
approach, but unfortunately necessary with gssapi.
The last patch is certainly strange I know, but GSSAPI doesn't give us
many options if we want to be able to do updates against something
other than the default realm.
Cheers, Tridge
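
The temporary krb5.conf workaround described in the third commit message, sketched from the command line as an added example (not the patch's code, which does this inside nsupdate). The function names, and the choice to copy the system file and rewrite only default_realm, are assumptions.

```shell
#!/bin/sh
# Added example: per-invocation krb5.conf with a different default_realm.

# make_realm_krb5_conf REALM [BASE_CONF]   (hypothetical helper name)
# Copies BASE_CONF (default /etc/krb5.conf) to a private temp file with
# default_realm in [libdefaults] replaced by REALM; prints the new path.
make_realm_krb5_conf() {
    realm=$1
    base=${2:-/etc/krb5.conf}
    # The realm is written into a config file, so allow only a strict charset.
    case $realm in
        ''|*[!A-Za-z0-9.-]*) echo "invalid realm: $realm" >&2; return 1 ;;
    esac
    [ -r "$base" ] || base=/dev/null      # no system file: emit a minimal one
    # mktemp creates the file mode 0600 with an unpredictable name, which
    # avoids symlink and pre-creation races on a fixed path in /tmp.
    tmp=$(mktemp "${TMPDIR:-/tmp}/krb5.conf.XXXXXX") || return 1
    awk -v realm="$realm" '
        /^[ \t]*\[/ {
            in_lib = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/)
            print
            if (in_lib && !done) { print "    default_realm = " realm; done = 1 }
            next
        }
        in_lib && /^[ \t]*default_realm[ \t]*=/ { next }  # drop system default
        { print }
        END { if (!done) { print "[libdefaults]"; print "    default_realm = " realm } }
    ' "$base" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$tmp"
}

# nsupdate_in_realm REALM [nsupdate args...]   (hypothetical helper name)
# Runs "nsupdate -g" with KRB5_CONFIG set for that one process only, then
# removes the temporary file whatever the exit status.
nsupdate_in_realm() {
    realm_arg=$1; shift
    conf=$(make_realm_krb5_conf "$realm_arg") || return 1
    KRB5_CONFIG=$conf nsupdate -g "$@"
    rc=$?
    rm -f "$conf"
    return $rc
}
```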