Friends, I now went the boring way of pimping each and every occurrence of this "Cryptosystem error" in the krb5 code with fprintf. That went surprisingly smooth and showed the location of the failure:
krb5 tries to obtain some random from the OS, and it does so by accessing /dev/urandom. urandom is supposed to be a symlink to random. But in a chroot the /dev entries have to be explicitly enabled ("unhidden"). And while the maintainer-provided rc.d script for the server does so for /dev/random, it doesn't enable /dev/urandom.

This is probably nobody's fault, because in recent times FreeBSD customs have developed to only make sure a port can run with its default options, and the named defaults are apparently without any krb5.

BTW, this rcache thing has now also filled:

# ls -l /var/named/var/tmp/
total 5
-rw------- 1 root wheel 13344 Aug 26 15:36 krb5_0.rcache2
-rw------- 1 bind wheel 0 Aug 26 05:17 krb5_53.rcache2

Providing a /var/tmp directory is also not happening in the startup script. But that's probably normal; I also had to take care of some things on my own when enabling the Heimdal krb5 support (see https://gitr.daemon.contact/tools/tree/rc.d/named-krb5 )

Cordial thanks for Your presence and support!

best regards,
Peter
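
A preflight check for the two chroot gaps described in the message above (hidden /dev/urandom, missing var/tmp for the rcache files). This is an added example, not part of the original post or of any port's rc.d script; the function name and the output format are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post): check that a named chroot
# exposes what a krb5-enabled build needs at runtime.
# Hypothetical helper name; the chroot root is passed as $1.

# Prints one line per problem and returns the number of problems found.
check_named_krb5_chroot() {
    chroot_dir=$1
    problems=0

    # krb5 reads entropy from /dev/urandom. In a chroot with a hide-all
    # devfs ruleset, each node must be unhidden or the open fails.
    # "test -c" follows symlinks, so urandom -> random is accepted.
    for node in random urandom; do
        path="$chroot_dir/dev/$node"
        if [ ! -c "$path" ]; then
            echo "MISSING $path"
            problems=$((problems + 1))
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE $path"
            problems=$((problems + 1))
        fi
    done

    # The replay cache files (krb5_<uid>.rcache2) are created in var/tmp
    # inside the chroot. Writability is tested for the invoking user,
    # so run this as the user named runs as.
    tmp="$chroot_dir/var/tmp"
    if [ ! -d "$tmp" ]; then
        echo "MISSING $tmp"
        problems=$((problems + 1))
    elif [ ! -w "$tmp" ]; then
        echo "UNWRITABLE $tmp"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Example call against the chroot path seen in the post:
#   check_named_krb5_chroot /var/named
```

On FreeBSD a reported MISSING device node is normally fixed with a devfs(8) rule such as `devfs -m /var/named/dev rule apply path urandom unhide`, run after the chroot's devfs is mounted.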