On 19.06.2015 20:25, BIND9 Bugs via RT wrote:
> Greetings,
>
> This message was automatically generated to acknowledge receipt of
> your recent email
> "nsupdate GSSAPI cross-realm detection does not work",
> and to let you know that we have opened a ticket for your request
> (a summary of which appears below.)
>
> We do not need a further response from you, but if you do respond,
> please include in the Subject of your reply the ID
> '[ISC-Bugs #39840]'
> so that we can match up your reply with our trouble ticket.
>
> What Happens Next
> =================
>
> Bug reports submitted to us in this manner are handled based on
> perceived severity in relation to other bugs. We handle reports as
> time permits so there is no guaranteed response time for these
> reports.
>
> If you feel the issue you are reporting is a security issue, please
> see http://www.isc.org/security/reporting-issues for details on how
> to report it, including the PGP key you may use.
>
> If it is of a non-security yet still urgent matter, you may reply
> to this message to add further information.
>
>
> Other Support Options
> =====================
>
> If your organization requires more immediate attention, ISC offers
> paid support options. Please see http://www.isc.org/services/support
> for more information.
>
> If paid support is not an option, please consider making a donation
> to ISC. We don't require a donation -- we will work on your report
> just as quickly whether or not you can donate -- but we always need
> and welcome community support. See http://www.isc.org/supportisc
>
>
> Run a Supported Version
> =======================
>
> If you are not running a supported version of BIND, please upgrade.
> Bug reports against unsupported versions of BIND are discouraged,
> as your issue may have already been addressed.
>
> You can find the latest version of BIND here:
>
> https://www.isc.org/software/bind
>
>
> For configuration help...
> =========================
>
> Questions regarding configuration or setup of BIND are addressed on
> the bind-users list - to subscribe, visit:
>
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
> Thank you,
> bind9-bugs@isc.org
>
> ---------------------------------------------------------------------
>
> Hello.
>
> We discovered that when using nsupdate with GSSAPI, the realm detection
> does not produce meaningful results in cross-realm setup. nsupdate uses
> get_ticket_realm() to figure out the realm, but the function fails to
> detect the correct realm in cross-realm setups. One has to specify the
> realm explicitly, which is not desired.
>
> We have a bug [1] in RH Bugzilla with more information and with some
> investigation.
>
> Based on RFC4752 section 3.1 [2], the client side should use
> GSS_C_NT_HOSTBASED_SERVICE when calling gss_import_name() and use
> "service@host" as service name.
>
> This means that the realm detection should be left to the GSSAPI, which
> can detect the realm correctly based on the krb5.conf configuration.
> This also makes the "realm" option useless.
>
> I'm attaching a proposed patch that changes the way the service name is
> constructed and the way gss_import_name() is called, to conform with
> RFC4752. The patch also removes the "realm" option, since it would not
> be used anywhere.
>
> I tested the fix in cross realm setup and the detection worked correctly.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1214827
> [2] https://www.ietf.org/rfc/rfc4752.txt
>
>
> Thank you!
>
> Regards,

Hi.

I reworked the patch for better backward compatibility. I left the
'realm' option. If realm is not specified explicitly, then the realm
detection is left up to the GSSAPI. If the 'realm' is specified, the
"old" code is used and the explicit realm is used.

I also changed the nsupdate documentation to reflect the changes.

Looking forward to your comments.

Thank you!

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D

Red Hat Inc.
http://cz.redhat.com
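As an added example (not ISC's code and not the patch from this thread), the following Python model contrasts the two ways of naming the DNS service that the report describes: nsupdate embedding a realm it guessed from the client's own ticket, versus a host-based service name with the realm left to the GSSAPI library and its krb5.conf mapping. The realms, hostnames, the [domain_realm] table and the name-type constant used for the old path are constructed assumptions.

```python
# Model of the two GSS target-name strategies discussed in the thread.
# Added example; not code from ISC BIND or from the patch under review.
# All realms, hostnames and the [domain_realm] table are constructed.

# Realm of the client's own TGT: what a ticket-based guess such as
# nsupdate's get_ticket_realm() yields, right or wrong for the server.
CLIENT_TGT_REALM = "CLIENT.EXAMPLE"
DEFAULT_REALM = "CLIENT.EXAMPLE"

# Stand-in for a krb5.conf [domain_realm] section.  As in MIT krb5, a key
# with a leading dot matches every host below that domain.
DOMAIN_REALM = {
    "ns1.server.example": "SERVER.EXAMPLE",
    ".server.example": "SERVER.EXAMPLE",
}

def nsupdate_target_name(server_host, realm=None):
    """(name, name_type) as the reworked patch builds them: an explicit
    realm selects the old, realm-embedding path; otherwise a host-based
    service name with no realm at all (RFC 4752 section 3.1)."""
    if realm is not None:
        # Name type used by the old path is an assumption; the thread does not say.
        return "DNS/%s@%s" % (server_host, realm), "GSS_KRB5_NT_PRINCIPAL_NAME"
    return "DNS@%s" % server_host, "GSS_C_NT_HOSTBASED_SERVICE"

def pre_patch_target_name(server_host):
    """Old behaviour without the realm option: embed the realm guessed from the TGT."""
    return nsupdate_target_name(server_host, CLIENT_TGT_REALM)

def realm_for_host(host):
    """Simplified model of the library's host-to-realm mapping: exact
    [domain_realm] entry, then each parent domain with a leading dot,
    else the default realm (real libraries may also try DNS or referrals)."""
    host = host.lower().rstrip(".")
    if host in DOMAIN_REALM:
        return DOMAIN_REALM[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in DOMAIN_REALM:
            return DOMAIN_REALM[parent]
    return DEFAULT_REALM

def principal_requested(name, name_type):
    """Principal the library ends up asking the KDC for, given the imported name."""
    if name_type == "GSS_C_NT_HOSTBASED_SERVICE":
        service, host = name.split("@", 1)
        return "%s/%s@%s" % (service, host, realm_for_host(host))
    return name
```

With the old path the ticket ends up requested for DNS/ns1.server.example@CLIENT.EXAMPLE, a principal the server's realm does not hold; with the host-based name the library maps the host to SERVER.EXAMPLE and the cross-realm case resolves without any realm being typed in.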