On 06/26/2015 01:44 PM, Tomas Hozza via RT wrote:
> On 19.06.2015 20:25, BIND9 Bugs via RT wrote:
> > Greetings,
> >
> > This message was automatically generated to acknowledge receipt of
> > your recent email
> > "nsupdate GSSAPI cross-realm detection does not work",
> > and to let you know that we have opened a ticket for your request
> > (a summary of which appears below.)
> >
> > We do not need a further response from you, but if you do respond,
> > please include in the Subject of your reply the ID
> > '[ISC-Bugs #39840]'
> > so that we can match up your reply with our trouble ticket.
> >
> > What Happens Next
> > =================
> >
> > Bug reports submitted to us in this manner are handled based on
> > perceived severity in relation to other bugs. We handle reports as
> > time permits so there is no guaranteed response time for these
> > reports.
> >
> > If you feel the issue you are reporting is a security issue, please
> > see http://www.isc.org/security/reporting-issues for details on how
> > to report it, including the PGP key you may use.
> >
> > If it is of a non-security yet still urgent matter, you may reply
> > to this message to add further information.
> >
> >
> > Other Support Options
> > =====================
> >
> > If your organization requires more immediate attention, ISC offers
> > paid support options. Please see http://www.isc.org/services/support
> > for more information.
> >
> > If paid support is not an option, please consider making a donation
> > to ISC. We don't require a donation -- we will work on your report
> > just as quickly whether or not you can donate -- but we always need
> > and welcome community support. See http://www.isc.org/supportisc
> >
> >
> > Run a Supported Version
> > =======================
> >
> > If you are not running a supported version of BIND, please upgrade.
> > Bug reports against unsupported versions of BIND are discouraged,
> > as your issue may have already been addressed.
> >
> > You can find the latest version of BIND here:
> >
> > https://www.isc.org/software/bind
> >
> >
> > For configuration help...
> > =========================
> >
> > Questions regarding configuration or setup of BIND are addressed on
> > the bind-users list - to subscribe, visit:
> >
> > https://lists.isc.org/mailman/listinfo/bind-users
> >
> >
> > Thank you,
> > bind9-bugs@isc.org
> >
> > ---------------------------------------------------------------------
> >
> > Hello.
> >
> > We discovered that when using nsupdate with GSSAPI, the realm detection
> > does not produce meaningful results in cross-realm setup. nsupdate uses
> > get_ticket_realm() to figure out the realm, but the function fails to
> > detect the correct realm in cross-realm setups. One has to specify the
> > realm explicitly, which is not desired.
> >
> > We have a bug [1] in RH Bugzilla with more information and with some
> > investigation.
> >
> > Based on RFC4752 section 3.1 [2], the client side should use
> > GSS_C_NT_HOSTBASED_SERVICE when calling gss_import_name() and use
> > "service@host" as service name.
> >
> > This means that the realm detection should be left to the GSSAPI, which
> > can detect the realm correctly based on the krb5.conf configuration.
> > This also makes the "realm" option useless.
> >
> > I'm attaching a proposed patch that changes the way the service name is
> > constructed and the way gss_import_name() is called, to conform with
> > RFC4752. The patch also removes the "realm" option, since it would not
> > be used anywhere.
> >
> > I tested the fix in a cross-realm setup and the detection worked correctly.
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1214827
> > [2] https://www.ietf.org/rfc/rfc4752.txt
> >
> >
> > Thank you!
> >
> > Regards,
> >
>
> Hi.
>
> I reworked the patch for better backward compatibility. I left the
> 'realm' option. If realm is not specified explicitly, then the realm
> detection is left up to the GSSAPI. If the 'realm' is specified, the
> "old" code is used and the explicit realm is used. I also changed the
> nsupdate documentation to reflect the changes.
>
> Looking forward to your comments.
>
> Thank you!
>
> Regards,
>
Hi.
Any news on this ticket?
Thank you.
Regards,
--
Tomas Hozza
Senior Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
UTC+1 (CET)
Red Hat Inc.
http://cz.redhat.com
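The reworked behaviour described in the thread (no explicit realm: hand a "service@host" name to the GSSAPI with GSS_C_NT_HOSTBASED_SERVICE so the library resolves the realm from krb5.conf; explicit realm: keep the old "DNS/host@REALM" principal form) can be illustrated with a small name-builder. The block below is an added example, not the patch or BIND's nsupdate code; the function name build_dns_service_name, the gss_name_kind enum and the trailing-dot handling are assumptions for this illustration, and the caller is assumed to pass the resulting string together with the indicated name type to gss_import_name().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Which GSS name type the caller should use when importing the string.
 * (Hypothetical enum for this example; the real code passes the gss OID.) */
typedef enum {
    NAME_TYPE_HOSTBASED_SERVICE, /* GSS_C_NT_HOSTBASED_SERVICE, RFC 4752 s.3.1 */
    NAME_TYPE_KRB5_PRINCIPAL     /* explicit "DNS/host@REALM" principal form */
} gss_name_kind;

/*
 * Build the GSS target name for the DNS service on `host`.
 *
 * realm == NULL or "" : produce "DNS@host" and ask for the host-based
 *                       service name type, leaving realm detection to the
 *                       GSSAPI library (this is what fixes cross-realm setups).
 * realm given         : produce "DNS/host@REALM" as before, so an explicitly
 *                       configured realm still wins.
 *
 * A trailing dot on `host` (DNS presentation format) is dropped; that is an
 * assumption for this example. Returns 0 on success, -1 on invalid input or
 * if `out` is too small.
 */
int build_dns_service_name(const char *host, const char *realm,
                           char *out, size_t outlen, gss_name_kind *kind)
{
    if (host == NULL || out == NULL || kind == NULL || outlen == 0)
        return -1;

    size_t hlen = strlen(host);
    if (hlen > 0 && host[hlen - 1] == '.')
        hlen--;                       /* strip DNS trailing dot */
    if (hlen == 0)
        return -1;

    /* '@' or '/' inside the host would change the meaning of the name. */
    if (memchr(host, '@', hlen) != NULL || memchr(host, '/', hlen) != NULL)
        return -1;

    int n;
    if (realm == NULL || *realm == '\0') {
        *kind = NAME_TYPE_HOSTBASED_SERVICE;
        n = snprintf(out, outlen, "DNS@%.*s", (int)hlen, host);
    } else {
        if (strchr(realm, '@') != NULL || strchr(realm, '/') != NULL)
            return -1;
        *kind = NAME_TYPE_KRB5_PRINCIPAL;
        n = snprintf(out, outlen, "DNS/%.*s@%s", (int)hlen, host, realm);
    }
    if (n < 0 || (size_t)n >= outlen)
        return -1;                    /* truncated: refuse rather than use */
    return 0;
}

int main(void)
{
    char name[256];
    gss_name_kind kind;

    /* Constructed sample inputs. */
    if (build_dns_service_name("ns1.example.com.", NULL, name, sizeof name, &kind) == 0)
        printf("no realm   -> %s (hostbased=%d)\n", name,
               kind == NAME_TYPE_HOSTBASED_SERVICE);
    if (build_dns_service_name("ns1.example.com", "EXAMPLE.COM", name, sizeof name, &kind) == 0)
        printf("with realm -> %s (hostbased=%d)\n", name,
               kind == NAME_TYPE_HOSTBASED_SERVICE);
    return 0;
}
```

The point of the split is that only the explicit-realm path hard-codes a realm into the principal; the default path yields a name the Kerberos mechanism can map to the right realm itself (including cross-realm mappings in krb5.conf), which is why the thread could keep the 'realm' option without it being required.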