From: Tomas Hozza <thozza@redhat.com>
To: bind9-bugs@isc.org
Date: Wed, 1 Jun 2016 09:19:11 +0200
Subject: Re: [ISC-Bugs #39840] AutoReply: nsupdate GSSAPI cross-realm detection does not work

On 06/26/2015 01:44 PM, Tomas Hozza via RT wrote:
> On 19.06.2015 20:25, BIND9 Bugs via RT wrote:
> > Greetings,
> >
> > This message was automatically generated to acknowledge receipt of
> > your recent email
> > "nsupdate GSSAPI cross-realm detection does not work",
> > and to let you know that we have opened a ticket for your request
> > (a summary of which appears below.)
> >
> > We do not need a further response from you, but if you do respond,
> > please include in the Subject of your reply the ID
> > '[ISC-Bugs #39840]'
> > so that we can match up your reply with our trouble ticket.
> >
> > What Happens Next
> > =================
> >
> > Bug reports submitted to us in this manner are handled based on
> > perceived severity in relation to other bugs. We handle reports as
> > time permits so there is no guaranteed response time for these
> > reports.
> >
> > If you feel the issue you are reporting is a security issue, please
> > see http://www.isc.org/security/reporting-issues for details on how
> > to report it, including the PGP key you may use.
> >
> > If it is of a non-security yet still urgent matter, you may reply
> > to this message to add further information.
> >
> > Other Support Options
> > =====================
> >
> > If your organization requires more immediate attention, ISC offers
> > paid support options. Please see http://www.isc.org/services/support
> > for more information.
> >
> > If paid support is not an option, please consider making a donation
> > to ISC. We don't require a donation -- we will work on your report
> > just as quickly whether or not you can donate -- but we always need
> > and welcome community support. See http://www.isc.org/supportisc
> >
> > Run a Supported Version
> > =======================
> >
> > If you are not running a supported version of BIND, please upgrade.
> > Bug reports against unsupported versions of BIND are discouraged,
> > as your issue may have already been addressed.
> >
> > You can find the latest version of BIND here:
> >
> > https://www.isc.org/software/bind
> >
> > For configuration help...
> > =========================
> >
> > Questions regarding configuration or setup of BIND are addressed on
> > the bind-users list - to subscribe, visit:
> >
> > https://lists.isc.org/mailman/listinfo/bind-users
> >
> > Thank you,
> > bind9-bugs@isc.org
> >
> > ---------------------------------------------------------------------
> >
> > Hello.
> >
> > We discovered that when using nsupdate with GSSAPI, the realm detection
> > does not produce meaningful results in cross-realm setup. nsupdate uses
> > get_ticket_realm() to figure out the realm, but the function fails to
> > detect the correct realm in cross-realm setups. One has to specify the
> > realm explicitly, which is not desired.
> >
> > We have a bug [1] in RH Bugzilla with more information and with some
> > investigation.
> >
> > Based on RFC4752 section 3.1 [2], the client side should use
> > GSS_C_NT_HOSTBASED_SERVICE when calling gss_import_name() and use
> > "service@host" as service name.
> >
> > This means that the realm detection should be left to the GSSAPI, which
> > can detect the realm correctly based on the krb5.conf configuration.
> > This also makes the "realm" option useless.
> >
> > I'm attaching a proposed patch that changes the way the service name is
> > constructed and the way gss_import_name() is called, to conform with
> > RFC4752. The patch also removes the "realm" option, since it would not
> > be used anywhere.
> >
> > I tested the fix in cross-realm setup and the detection worked correctly.
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1214827
> > [2] https://www.ietf.org/rfc/rfc4752.txt
> >
> > Thank you!
> >
> > Regards,
>
> Hi.
>
> I reworked the patch for better backward compatibility.
> I left the 'realm' option. If realm is not specified explicitly, then the realm
> detection is left up to the GSSAPI. If the 'realm' is specified, the
> "old" code is used and the explicit realm is used. I also changed the
> nsupdate documentation to reflect the changes.
>
> Looking forward to your comments.
>
> Thank you!
>
> Regards,

Hi.

Any news on this ticket?

Thank you.

Regards,
--
Tomas Hozza
Senior Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
UTC+1 (CET)
Red Hat Inc.                           http://cz.redhat.com
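The behaviour the reworked patch describes, as an added example that is not the BIND patch itself: with no explicit realm the client builds "DNS@host" and imports it as GSS_C_NT_HOSTBASED_SERVICE so the Kerberos mechanism resolves the realm from krb5.conf (RFC 4752 section 3.1); with an explicit realm it keeps the old "DNS/host@REALM" principal form. The function names, the buffer size and the HAVE_GSSAPI guard are this example's own assumptions; build with -DHAVE_GSSAPI -lgssapi_krb5 to run the real gss_import_name() call, otherwise only the name string and name-type choice are computed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#ifdef HAVE_GSSAPI
#include <gssapi/gssapi.h>
#endif

/* Which GSS name type the built string must be imported with. */
enum name_form { NAME_HOSTBASED = 0, NAME_PRINCIPAL = 1 };

/* Build the update target's service name into 'out'. 'realm' may be NULL
 * or "" (not given on the command line). Returns the enum name_form chosen,
 * or -1 on an empty server name or an output buffer that is too small. */
int build_dns_service_name(char *out, size_t outlen,
                           const char *server, const char *realm)
{
    int n;
    if (server == NULL || *server == '\0')
        return -1;
    if (realm == NULL || *realm == '\0') {
        /* RFC 4752: "service@host"; the mechanism maps host -> realm
         * itself ([domain_realm] in krb5.conf), which is what makes
         * cross-realm work without the client guessing the realm. */
        n = snprintf(out, outlen, "DNS@%s", server);
        return (n < 0 || (size_t)n >= outlen) ? -1 : NAME_HOSTBASED;
    }
    /* Explicit realm: the old behaviour, a fully qualified principal. */
    n = snprintf(out, outlen, "DNS/%s@%s", server, realm);
    return (n < 0 || (size_t)n >= outlen) ? -1 : NAME_PRINCIPAL;
}

#ifdef HAVE_GSSAPI
/* Import the built name with the matching name type. Returns true on
 * GSS_S_COMPLETE; the caller owns *name and must gss_release_name() it. */
bool import_dns_service_name(const char *server, const char *realm,
                             gss_name_t *name)
{
    char buf[512];                 /* assumed to fit any sane host@realm */
    OM_uint32 major, minor;
    gss_buffer_desc gbuf;
    int form = build_dns_service_name(buf, sizeof(buf), server, realm);
    if (form < 0)
        return false;
    gbuf.value = buf;
    gbuf.length = strlen(buf);
    /* GSS_C_NO_OID lets the Kerberos mechanism parse the old form as a
     * principal name; the host-based OID is the RFC 4752 form. */
    major = gss_import_name(&minor, &gbuf,
                            form == NAME_HOSTBASED ? GSS_C_NT_HOSTBASED_SERVICE
                                                   : GSS_C_NO_OID, name);
    return major == GSS_S_COMPLETE;
}
#endif
```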