patches to make bind9 with TKEY/GSS updates easier to configure

tridge at samba.org tridge at samba.org
Sun Dec 5 20:51:31 UTC 2010


Hi Evan,

 > Sorry, I misunderstood that this was for nsupdate not named.

no worries - this code is actually used by both named and nsupdate,
it's just that I'm working on the code path within it that comes from
nsupdate.

 >  Still, why an environment variable?  Could you get the same effect
 > with a a "-r realm" option on the nsupdate command line, or a
 > "realm <name>" command at the nsupdate command prompt?  Or if
 > there's more to it than just the realm, perhaps a "-K <krb5conf>"
 > option?

nsupdate already knows what realm you want. It even prints it out if
you up the debug level (see the "Found zone name:" message in
nsupdate.c).

The problem is communicating it to the GSSAPI library.

 > I'd prefer to reduce the number of things in BIND 9 that are controlled by
 > environment variables when it's avoidable; they make the system harder to
 > support and debug.  It isn't always avoidable of course, but I'd like to
 > be sure.

ahh, I think I may have explained it badly.

This is not an environment variable that the user sets. It is an
environment variable that is set automatically within the nsupdate
process if the detected realm doesn't match the realm from
/etc/krb5.conf. The logic is this (rough pseudo code):

 nsupdate
   realm = find_what_realm_is_being_updated()
   if getenv("KRB5_CONFIG") is NULL:
      krb5_default_realm = get_krb5_default_realm()
      if krb5_default_realm != realm:
         create_temporary_krb5_conf()
         setenv("KRB5_CONFIG", temporary_krb5_conf)
         cleanup_needed = True
   continue_with_nsupdate_gssapi_calls()
   if cleanup_needed:
      unset("KRB5_CONFIG")
      unlink(temporary_krb5_conf)

If you prefer C to pseudo-code, here is the actual patch:

  http://git.samba.org/?p=tridge/bind9.git;a=commitdiff;h=f146778c87e6cb4ed513e0549a9a8fea3aae84c8

The reason this is needed is that the GSSAPI interface does not offer
any way to override the realm for it to use except by doing the
above. It is one of the big problems with GSSAPI - it doesn't expose
the underlying krb5 context at all, so you can't set any kerberos
defaults except by either editing /etc/krb5.conf, or creating a new
krb5.conf and setting the KRB5_CONFIG environment variable.

Cheers, Tridge
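The temporary-krb5.conf approach from the pseudo code above, written out as an added, stand-alone C example. This is not Tridge's patch and not BIND code: the realm lookups (`find_what_realm_is_being_updated`, `get_krb5_default_realm`) are replaced by plain string parameters, the system config path `/etc/krb5.conf` and the `/tmp` location are assumed, and the colon-separated `KRB5_CONFIG` list (supported by MIT Kerberos, with the earlier file assumed to win for `default_realm`) is used so that the rest of the system configuration is not lost. The two points a practitioner would want beyond the pseudo code are that the file is created with `mkstemp` (mode 0600, unguessable name, so no other local user can pre-create or read it) and that the realm is sanity-checked before being written, since a realm string containing a newline would otherwise let an attacker-controlled zone name inject arbitrary krb5.conf directives.

```c
/* Added example, not the bind9 patch: install and remove a temporary
 * krb5.conf that overrides default_realm via KRB5_CONFIG. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define KRB5_CONF_SYSTEM "/etc/krb5.conf"   /* assumed system config path */

struct realm_override {
    char path[64];   /* temporary krb5.conf path, empty if none was created */
    int  active;     /* 1 while KRB5_CONFIG is set by us and needs cleanup */
};

/* Conservative check: only letters, digits, '.' and '-' are accepted, so
 * nothing in the realm can break out of the "default_realm = ..." line. */
static int realm_is_sane(const char *realm)
{
    if (realm == NULL || *realm == '\0') return 0;
    for (const char *p = realm; *p; p++) {
        if (!((*p >= 'A' && *p <= 'Z') || (*p >= 'a' && *p <= 'z') ||
              (*p >= '0' && *p <= '9') || *p == '.' || *p == '-'))
            return 0;
    }
    return 1;
}

/* Returns 1 if an override was installed, 0 if none was needed, -1 on error.
 * wanted_realm is the realm of the zone being updated; krb5_default_realm
 * is what the library would otherwise use (may be NULL if unknown). */
static int install_realm_override(const char *wanted_realm,
                                  const char *krb5_default_realm,
                                  struct realm_override *ov)
{
    memset(ov, 0, sizeof(*ov));
    /* Respect a KRB5_CONFIG the user already set, as the pseudo code does. */
    if (getenv("KRB5_CONFIG") != NULL) return 0;
    if (!realm_is_sane(wanted_realm)) return -1;
    if (krb5_default_realm != NULL && strcmp(krb5_default_realm, wanted_realm) == 0)
        return 0;

    /* mkstemp creates the file 0600 with an unpredictable name. */
    snprintf(ov->path, sizeof(ov->path), "/tmp/krb5.conf.XXXXXX");
    int fd = mkstemp(ov->path);
    if (fd < 0) return -1;
    FILE *f = fdopen(fd, "w");
    if (f == NULL) { close(fd); unlink(ov->path); return -1; }
    fprintf(f, "[libdefaults]\n\tdefault_realm = %s\n", wanted_realm);
    if (fclose(f) != 0) { unlink(ov->path); return -1; }

    /* Temporary file first, then the system file, so other settings
     * (kdc mappings, encryption types, ...) are still read. */
    char value[256];
    snprintf(value, sizeof(value), "%s:%s", ov->path, KRB5_CONF_SYSTEM);
    if (setenv("KRB5_CONFIG", value, 1) != 0) { unlink(ov->path); return -1; }
    ov->active = 1;
    return 1;
}

/* The cleanup branch of the pseudo code: unset the variable, delete the file. */
static void remove_realm_override(struct realm_override *ov)
{
    if (!ov->active) return;
    unsetenv("KRB5_CONFIG");
    unlink(ov->path);
    ov->active = 0;
}

/* Reads the temporary file back and reports whether it names the realm. */
static int temp_conf_has_realm(const struct realm_override *ov, const char *realm)
{
    FILE *f = fopen(ov->path, "r");
    if (f == NULL) return 0;
    char line[256];
    int found = 0;
    while (fgets(line, sizeof(line), f)) {
        const char *p = strstr(line, "default_realm =");
        if (p != NULL && strstr(p, realm) != NULL) found = 1;
    }
    fclose(f);
    return found;
}

int main(void)
{
    struct realm_override ov;
    int rc = install_realm_override("AD.EXAMPLE.COM", "EXAMPLE.COM", &ov);
    printf("override installed: %d, KRB5_CONFIG=%s\n", rc,
           getenv("KRB5_CONFIG") ? getenv("KRB5_CONFIG") : "(unset)");
    /* ... GSSAPI / nsupdate work would happen here ... */
    remove_realm_override(&ov);
    printf("after cleanup: KRB5_CONFIG=%s\n",
           getenv("KRB5_CONFIG") ? getenv("KRB5_CONFIG") : "(unset)");
    return 0;
}
```

The realm check is deliberately stricter than what Kerberos allows in realm names; loosen it to your environment, but never let a newline or a `[` through, because the realm is copied verbatim into a configuration file the Kerberos library will trust.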
