patches to make bind9 with TKEY/GSS updates easier to configure
tridge at samba.org
Sun Dec 5 01:53:02 UTC 2010
Hi Love,
> Please try using GSS_C_NT_HOSTBASED_SERVICE with
> DNS@hostname-you-have (either fqdn or short name, it's matched with
> servicePrincipalName in the KDC). This will trigger referrals in
> modern heimdal, the Heimdal built into netbsd isn't modern last
> time I checked.
That works on my Ubuntu 10.04 box, but I don't think it's really a
viable solution. We could only tell that this worked by trying it, and
then if it fails I think we'd be stuck, as GSSAPI will have already
loaded its default realm, so the KRB5_CONFIG tmpfile trick won't work.
I think we also want this to work even for older krb5 libraries.
There is also a note in the bind sources like this:
* XXXSRA In theory we could use GSS_C_NT_HOSTBASED_SERVICE
* here when we're in the acceptor role, which would let us
* default the hostname and use a compiled in default service
* name of "DNS", giving one less thing to configure in
* named.conf. Unfortunately, this creates a circular
* dependency due to DNS-based realm lookup in at least one
* GSSAPI implementation (Heimdal). Oh well.
I suspect that comment only relates to using
GSS_C_NT_HOSTBASED_SERVICE in the named server, not in the client. The
patch I've done is for the nsupdate client.
Cheers, Tridge
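The "KRB5_CONFIG tmpfile trick" mentioned above is not spelled out in the thread. The following added example (not part of the original messages, nor of the bind or nsupdate sources) shows the usual form of it as I understand it: write a throwaway krb5.conf that pins the realm and KDC so the client never depends on DNS-based realm lookup, point KRB5_CONFIG at it, then run the update client. The realm, KDC and domain names are placeholders.

```shell
#!/bin/sh
# Added example: generate a temporary krb5.conf that pins the Kerberos
# realm for the DNS server, so that "nsupdate -g" does not rely on
# DNS-based realm lookup. All realm/host values are placeholders.
set -eu

# make_krb5_tmpconf REALM KDC DNSDOMAIN -> prints the path of the tmp config
make_krb5_tmpconf() {
    realm="$1" kdc="$2" dnsdomain="$3"
    conf=$(mktemp "${TMPDIR:-/tmp}/krb5.conf.XXXXXX")
    chmod 600 "$conf"   # only the invoking user should read it
    cat >"$conf" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    $realm = {
        kdc = $kdc
    }

[domain_realm]
    .$dnsdomain = $realm
    $dnsdomain = $realm
EOF
    printf '%s\n' "$conf"
}

# krb5conf_has KEY VALUE FILE -> exit 0 if FILE contains "KEY = VALUE"
# (KEY and VALUE are used as extended regular expressions)
krb5conf_has() {
    grep -Eq "^[[:space:]]*$1[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$3"
}

# Typical use (placeholders): run the client with the pinned realm,
# then discard the throwaway config.
#   conf=$(make_krb5_tmpconf EXAMPLE.COM kdc.example.com example.com)
#   KRB5_CONFIG=$conf nsupdate -g update.txt
#   rm -f "$conf"
```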