Hmm, given the recent f^Hhiccup in mit krb5, I would suggest to try less recent 
version and/or report this to upstream.
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 25. 8. 2025, at 22:45, Peter 'PMc' Much <p...@citylink.dinoex.sub.org> 
> wrote:
> 
> Hi folks,
> 
>  I am upgrading FreeBSD from 13.5 to 14.3. I am running named
> 9.18.38; things did work previously with OS-builtin Heimdal krb5.
> I noticed issue 4436, and after seeing nsupdate indeed coredump
> and the server indeed report "unknown mech-code 0 for mech unknown",
> I recompiled both for MIT krb5, and installed and configured these
> libs.
> 
> I have another node where both libs are installed and working,
> running pgadmin4 server (but that one is still on FBSD 13.5).
> 
> nsupdate is NOT working now with MIT krb5 and FBSD 14.3.
> This is the error:
> ---------------------------------------------
> recvmsg reply from GSS-TSIG query
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   4885
> ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;3478577972.sig-conr-e.intra.daemon.contact. ANY        TKEY
> 
> ;; ANSWER SECTION:
> 3478577972.sig-conr-e.intra.daemon.contact. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
> 
> dns_tkey_gssnegotiate: TKEY is unacceptable
> ---------------------------------------------
> With debugging the server reports this:
> 
> client @0x1fd41731b090 fd00::4202#19192
>       (3656045201.sig-conr-e.intra.daemon.contact): view intra: query:
>       3656045201.sig-conr-e.intra.daemon.contact ANY TKEY -T (fd00::4202)
> failed gss_inquire_cred: GSSAPI error: Major = No credentials were
>       supplied, or the credentials were unavailable or inaccessible,
>       Minor = No Kerberos credentials available (default cache:
>       FILE:/tmp/krb5cc_53).
> failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS
>       failure.  Minor code may provide more information, Minor =
>       Cryptosystem internal error.
> process_gsstkey(): dns_tsigerror_badkey
> 
> I have removed the "tkey-gssapi-credential" option due to another
> recommendation, so the only relevant configuration is now
>        tkey-gssapi-keytab      "/etc/krb5-named.keytab";
> 
> And that one contains the correct cred, both in root and chroot:
> ktutil:  rkt /var/named/etc/krb5-named.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>   1    1 DNS/conr-e.intra.daemon.contact@OUTRA.PHASE23
> 
> When nsupdate is invoked, it obtains that same cred.
> 
> Inside the server I did follow the proceedings via
>    process_gsstkey() -> dst_gssapi_acceptctx() ->
>    gss_accept_sec_context()
>    which returns GSS_S_FAILURE
> 
> For strange reasons the krb5 tries to create an rcache (but it does
> not try to connect to the kerberos server):
>   root@conr:/var/named/etc # ls -l /var/named/var/tmp/
>   total 1
>   -rw-------  1 bind wheel 0 Aug 25 20:51 krb5_53.rcache2
> 
> Somehow this looks like the krb5 believes itself to be a (forwarding?)
> client, not a server.
> 
> When I reinsert the deprecated "tkey-gssapi-credential" option, the
> behaviour is significantly different: the empty krb5_53.rcache2 file
> is not created, the "No Kerberos credentials available" error does not
> appear. Instead I see this during startup:
> 
> acquiring credentials for DNS/conr-e.intra.daemon.contact@OUTRA.PHASE23
> acquired accept credentials for DNS/conr-e.intra.daemon.contact@OUTRA.PHASE23
> gss cred: "DNS/conr-e.intra.daemon.contact@OUTRA.PHASE23",
>    GSS_C_ACCEPT, 4294967295
> 
> However, the "Cryptosystem internal error." does appear all the same.
> 
> 
> Here is my MIT krb5 config. This is proven to work with pgadmin4
> in spnego browser signon and ticket delegation mode:
> [libdefaults]
>        default_realm = OUTRA.PHASE23
>        allow_weak_crypto = false
>        dns_canonicalize_hostname = fallback
>        dns_lookup_kdc = false
>        dns_uri_lookup = false
>        enforce_ok_as_delegate = false
>        forwardable = false
>        ignore_acceptor_hostname = false
>        k5login_authoritative = true
>        noaddresses = false
>        proxiable = false
>        realm_try_domains = -1
>        ticket_lifetime = 8h
>        renew_lifetime = 14h
> 
> And the server config:
> 
> starting BIND 9.18.38 (Extended Support Version) <id:0c70859>
> running on FreeBSD amd64 14.3-RELEASE-p2 FreeBSD
>        14.3-RELEASE-p2[41b6a80e6085=5982521fe3dd+42] C6R14V1
> built with  '--disable-linux-caps' '--enable-dnsrps'
>      '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb'
>      '--with-dlopen=yes' '--with-openssl=/usr' '--with-readline=libedit'
>      '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip'
>      '--without-maxminddb' 'CFLAGS=-I/usr/local/include -O2 -pipe -O0 -g
>      -march=haswell  -DLIBICONV_PLUG -fstack-protector-strong -isystem
>      /usr/local/include -fno-strict-aliasing ' 'LDFLAGS=-L/usr/local/lib
>      -O0 -g -L/usr/local/lib -ljson-c  -Wl,-rpath,/usr/local/lib:/usr/lib
>      -fstack-protector-strong ' 'LIBS=-lkrb5 -lgssapi_krb5
>      -L/usr/local/lib' 'KRB5CONFIG=/usr/local/bin/krb5-config'
>      '--with-gssapi=/usr/local/bin/krb5-config' '--with-libidn2=/usr/local'
>      '--disable-largefile' '--without-lmdb' '--disable-querytrace'
>      '--with-json-c' '--with-libxml2' '--enable-tcp-fastopen'
>      '--prefix=/usr/local' '--mandir=/usr/local/share/man'
>      '--disable-silent-rules' '--infodir=/usr/local/share/info/'
>      '--build=amd64-portbld-freebsd14.3'
>      'build_alias=amd64-portbld-freebsd14.3' 'CC=cc'
>      'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp'
>      'PKG_CONFIG=pkgconf'
>      
> 'PKG_CONFIG_LIBDIR=/usr/ports/dns/bind918/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/local/share/pkgconfig:/usr/libdata/pkgconfig'
>      'READLINE_CFLAGS=-L/usr/local/lib'
> running as: named -n 1 -S 10000 -d 99 -g -t /var/named -u bind -c
>        /usr/local/etc/namedb/named.conf
> compiled by CLANG FreeBSD Clang 19.1.7
>         (https://github.com/llvm/llvm-project.git
>         llvmorg-19.1.7-0-gcd708029e0b2)
> compiled with OpenSSL version: OpenSSL 3.0.16 11 Feb 2025
> linked to OpenSSL version: OpenSSL 3.0.16 11 Feb 2025
> compiled with libuv version: 1.51.0
> linked to libuv version: 1.51.0
> compiled with libxml2 version: 2.14.5
> linked to libxml2 version: 21405
> compiled with json-c version: 0.18
> linked to json-c version: 0.18
> compiled with zlib version: 1.3.1
> linked to zlib version: 1.3.1
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
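One check worth doing in this situation is to inspect the keytab that named actually reads (the chroot copy, /var/named/etc/krb5-named.keytab above) without going through the GSS library at all: confirm the DNS/ acceptor principal is present, which kvno it carries, and whether its enctype is one that MIT filters out under allow_weak_crypto = false. The following is an added example, not code from the thread or from BIND; it parses the MIT keytab format (version 0x0502) directly, and the keytab bytes and the zeroed key material are constructed test data. Read a real keytab with `check_acceptor(parse_keytab(open(path, "rb").read()), principal)`.

```python
import struct

# MIT enctype numbers. Single-DES and export RC4 are what MIT drops when
# allow_weak_crypto = false; DES3 and RC4-HMAC are deprecated but still usable.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
            23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK, DEPRECATED = {1, 2, 3, 24}, {16, 23}

def _cstr(buf, off):
    """Counted octet string: uint16 length followed by bytes."""
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse a version-2 (0x0502) MIT keytab into dicts: principal, kvno, enctype."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size <= 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        ncomp = struct.unpack_from(">H", body, 0)[0]
        realm, off = _cstr(body, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(body, off)
            comps.append(c)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", body, off)
        enctype, klen = struct.unpack_from(">HH", body, off + 9)
        off += 13 + klen                    # skip keyblock; 32-bit kvno may follow
        vno = struct.unpack_from(">I", body, off)[0] if off + 4 <= len(body) else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno, "enctype": enctype})
    return entries

def check_acceptor(entries, principal):
    """List problems a GSS acceptor would hit using this keytab for `principal`."""
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return ["no entry for " + principal]
    problems = []
    for e in mine:
        name = ENCTYPES.get(e["enctype"], "enctype %d" % e["enctype"])
        if e["enctype"] in WEAK:
            problems.append("kvno %d: %s is weak, filtered by allow_weak_crypto = false" % (e["kvno"], name))
        elif e["enctype"] in DEPRECATED:
            problems.append("kvno %d: %s is deprecated" % (e["kvno"], name))
    return problems

def build_keytab(entries):
    """Constructed test data: serialise (principal, kvno, enctype, key) tuples as a v2 keytab."""
    out = b"\x05\x02"
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF) + struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
    return out

SAMPLE = build_keytab([("DNS/conr-e.intra.daemon.contact@OUTRA.PHASE23", 1, 18, b"\x00" * 32)])
```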
