patches to make bind9 with TKEY/GSS updates easier to configure
tridge at samba.org
Sun Dec 5 20:51:31 UTC 2010
> Sorry, I misunderstood that this was for nsupdate not named.
no worries - this code is actually used by both named and nsupdate,
it's just that I'm working on the code path within it that comes from
> Still, why an environment variable? Could you get the same effect
> with a "-r realm" option on the nsupdate command line, or a
> "realm <name>" command at the nsupdate command prompt? Or if
> there's more to it than just the realm, perhaps a "-K <krb5conf>"
nsupdate already knows what realm you want. It even prints it out if
you up the debug level (see the "Found zone name:" message in
The problem is communicating it to the GSSAPI library.
> I'd prefer to reduce the number of things in BIND 9 that are controlled by
> environment variables when it's avoidable; they make the system harder to
> support and debug. It isn't always avoidable of course, but I'd like to
> be sure.
ahh, I think I may have explained it badly.
This is not an environment variable that the user sets. It is an
environment variable that is set automatically within the nsupdate
process if the detected realm doesn't match the realm from
/etc/krb5.conf. The logic is this (rough pseudo code):
    realm = find_what_realm_is_being_updated()
    if getenv("KRB5_CONFIG") is NULL:
        krb5_default_realm = get_krb5_default_realm()
        if krb5_default_realm != realm:
            write a temporary krb5.conf with default_realm = realm
            setenv("KRB5_CONFIG", path_of_temporary_krb5.conf)
            cleanup_needed = True
If you prefer C to pseudo-code, here is the actual patch:
The reason this is needed is that the GSSAPI interface does not offer
any way to override the realm for it to use except by doing the
above. It is one of the big problems with GSSAPI - it doesn't expose
the underlying krb5 context at all, so you can't set any kerberos
defaults except by either editing /etc/krb5.conf, or creating a new
krb5.conf and setting the KRB5_CONFIG environment variable.
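The override described in this mail, as an added illustration that is not tridge's patch or BIND's code: a check mirroring the pseudo-code, plus a helper that writes the private krb5.conf and exports KRB5_CONFIG. The function names and the /tmp template are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Mirrors the pseudo-code in the mail: override only when the operator
 * has not already pointed KRB5_CONFIG somewhere and the realm detected
 * for the zone differs from the library's default realm.
 * Returns 1 when a private krb5.conf should be written, else 0. */
int realm_override_needed(const char *krb5_config_env,
                          const char *default_realm, const char *realm)
{
    if (krb5_config_env != NULL)            /* respect the user's choice */
        return 0;
    if (default_realm == NULL || realm == NULL)
        return 0;
    return strcmp(default_realm, realm) != 0;
}

/* Hypothetical helper (not BIND's): write a minimal krb5.conf pinning
 * default_realm to `realm` into a mkstemp() file (mode 0600, private
 * name), export KRB5_CONFIG pointing at it and return the path.  The
 * caller owns the cleanup: unlink() the file and unsetenv("KRB5_CONFIG").
 * Caveat: nothing else from the system krb5.conf is carried over, so KDC
 * lookup relies on DNS or library defaults.  Returns NULL on failure. */
char *write_realm_override(const char *realm, char *path, size_t pathlen)
{
    const char *tmpl = "/tmp/krb5.conf.XXXXXX";   /* assumed location */
    if (realm == NULL || pathlen < strlen(tmpl) + 1)
        return NULL;
    strcpy(path, tmpl);
    int fd = mkstemp(path);
    if (fd < 0)
        return NULL;
    FILE *f = fdopen(fd, "w");
    if (f == NULL) {
        close(fd);
        unlink(path);
        return NULL;
    }
    fprintf(f, "[libdefaults]\n\tdefault_realm = %s\n", realm);
    if (fclose(f) != 0 || setenv("KRB5_CONFIG", path, 1) != 0) {
        unlink(path);
        return NULL;
    }
    return path;
}
```

Because the GSSAPI library reads KRB5_CONFIG when it initialises its krb5 context, the override must be exported before the first GSS call, and the temporary file must be removed afterwards.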