patches to make bind9 with TKEY/GSS updates easier to configure

tridge at tridge at
Sun Dec 5 00:13:50 UTC 2010

Hi Love,

 > >    To overcome that restriction, we can create a temporary krb5.conf and
 > >    use that via the KRB5_CONFIG environment variable. It is a horrible
 > >    approach, but unfortunately necessary with gssapi.
 > I don't understand this patch, can you describe the failure what you are seeing ?

Without this patch the nsupdate command can only do TSIG/GSS updates
for the default_realm from /etc/krb5.conf. That is an annoyance for
administrators, who may wish to do updates for multiple realms.

The problem is that GSSAPI doesn't expose the krb5 context, so we
can't call krb5_set_default_realm() on anything that GSSAPI will
use. Heimdal has gsskrb5_set_default_realm(), but MIT doesn't.

Without this change, I get this back from nsupdate if my
/etc/krb5.conf doesn't have the right default realm:

  tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.

That comes from gss_init_sec_context().

If you can suggest a way to avoid this without the horrible tempfile
stuff, that would be great!

Cheers, Tridge

More information about the bind-workers mailing list