patches to make bind9 with TKEY/GSS updates easier to configure
tridge at samba.org
Sun Dec 5 00:13:50 UTC 2010
Hi Love,

> > To overcome that restriction, we can create a temporary krb5.conf and
> > use that via the KRB5_CONFIG environment variable. It is a horrible
> > approach, but unfortunately necessary with gssapi.
>
> I don't understand this patch, can you describe the failure you are seeing?

Without this patch the nsupdate command can only do TSIG/GSS updates
for the default_realm from /etc/krb5.conf. That is an annoyance for
administrators, who may wish to do updates for multiple realms.

The problem is that GSSAPI doesn't expose the krb5 context, so we
can't call krb5_set_default_realm() on anything that GSSAPI will
use. Heimdal has gsskrb5_set_default_realm(), but MIT doesn't.

Without this change, I get this back from nsupdate if my
/etc/krb5.conf doesn't have the right default realm:

  tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.

That comes from gss_init_sec_context().

If you can suggest a way to avoid this without the horrible tempfile
stuff, that would be great!

Cheers, Tridge
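
The temporary-krb5.conf workaround described in this message, sketched as a shell wrapper with safe temp-file handling. This is an added example, not code from the patch under discussion; the function names and the realm EXAMPLE.ORG are hypothetical. It assumes the Kerberos library accepts a colon-separated KRB5_CONFIG list and uses the first default_realm it finds.

```shell
#!/bin/sh
# make_realm_conf REALM: write a private krb5.conf fragment that sets only
# default_realm, and print its path.
make_realm_conf() {
    realm=$1
    # Accept only plain realm characters so the value cannot inject extra
    # lines or sections into the generated config.
    case $realm in
        ''|*[!A-Za-z0-9.-]*) echo "invalid realm" >&2; return 1 ;;
    esac
    # mktemp gives an unpredictable name and mode 0600, which avoids the
    # symlink and pre-creation races of a fixed path under /tmp.
    conf=$(mktemp "${TMPDIR:-/tmp}/krb5conf.XXXXXX") || return 1
    printf '[libdefaults]\n\tdefault_realm = %s\n' "$realm" > "$conf" || {
        rm -f "$conf"
        return 1
    }
    printf '%s\n' "$conf"
}

# with_realm REALM CMD [ARGS...]: run CMD with the override in effect, then
# delete the temporary file whatever CMD's exit status was.
with_realm() {
    realm=$1
    shift
    conf=$(make_realm_conf "$realm") || return 1
    # Override file first, existing config second, so [realms] and
    # [domain_realm] still come from the system file (assumption: earlier
    # files in the list take precedence for default_realm).
    rc=0
    env KRB5_CONFIG="$conf:${KRB5_CONFIG:-/etc/krb5.conf}" "$@" || rc=$?
    rm -f "$conf"
    return "$rc"
}

# Usage (constructed): with_realm EXAMPLE.ORG nsupdate -g updates.txt
```

The override is scoped to the one child process, so other Kerberos clients on the host keep reading the unmodified /etc/krb5.conf.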
More information about the bind-workers
mailing list