BIND just disables GSSAPI support if no GSSAPI/KRB5 headers are found
Summary
BIND just disables GSSAPI support if no GSSAPI/KRB5 headers are found, even if I say to do it ("yes").
BIND version used
named -V
BIND 9.11.6 (Extended Support Version) <id:f4bd4ca>
running on Linux x86_64 4.19.30-std-def-alt1 #1 SMP Tue Mar 19 19:49:19 UTC 2019
built by make with '--build=x86_64-alt-linux' '--host=x86_64-alt-linux' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/lib' '--localstatedir=/var/lib' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-dependency-tracking' '--without-included-gettext' '--localstatedir=/var' '--with-randomdev=/dev/random' '--enable-threads' '--enable-linux-caps' '--enable-fetchlimit' '--enable-fixed-rrset' '--disable-seccomp' '--with-openssl' '--with-libjson' '--without-python' '--enable-ipv6' '--disable-static' '--includedir=/usr/include/bind9' '--disable-openssl-version-check' '--with-libtool' '--disable-isc-spnego' '--with-gssapi=yes' 'build_alias=x86_64-alt-linux' 'host_alias=x86_64-alt-linux' 'CFLAGS=-pipe -frecord-gcc-switches -Wall -g -O2'
compiled by GCC 8.3.1 20190311 (ALT Sisyphus 8.3.1-alt2)
compiled with OpenSSL version: OpenSSL 1.1.1b 26 Feb 2019
linked to OpenSSL version: OpenSSL 1.1.1b 26 Feb 2019
compiled with libjson-c version: 0.12.1
linked to libjson-c version: 0.12.1
threads support is enabled
Steps to reproduce
- don't bring or remove GSSAPI headers
- configure against "with-gssapi=yes":
./configure --with-gssapi=yes
The build log says:
...
checking for GeoIP support... disabled
checking for GSSAPI library... disabled
checking for random device... using "/dev/random"
...
...
Configuration summary:
-------------------------------------------------------------------------------
Optional features enabled:
Multiprocessing support (--enable-threads)
ECDSA algorithm support (--with-ecdsa)
EDDSA algorithm support (--with-eddsa)
Allow 'fixed' rrset-order (--enable-fixed-rrset)
Print backtrace on crash (--enable-backtrace)
Use symbol table for backtrace, named only (--enable-symtable)
Use GNU libtool (--with-libtool)
Dynamically loadable zone (DLZ) drivers:
None
-------------------------------------------------------------------------------
Features disabled or unavailable on this platform:
Large-system tuning (--with-tuning)
Allow 'dnstap' packet logging (--enable-dnstap)
GeoIP access control (--with-geoip)
GSS-API (--with-gssapi)
...
What is the current bug behavior?
The issue fires when building the third-party project (SSSD):
echo realm | nsupdate
syntax error
echo realm | nsupdate -o
/usr/bin/nsupdate: cannot specify -g or -o, program not linked with GSS API Library
What is the expected correct behavior?
The build should fail, because a user expects GSSAPI support to be ON, but it is actually OFF.
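
A packaging-side guard for the behaviour reported above, as an added example that is not part of the original report or of BIND: it compares the flags passed to configure with the "Features disabled or unavailable" section of the summary and returns non-zero when an explicitly requested feature was dropped. The function names and the sample summary are constructed for illustration, and the check generalizes from `--with-gssapi` to any `--with-*`/`--enable-*` flag.

```shell
# Added example, not BIND's own tooling. Constructed sample input, shaped like
# the configuration summary quoted in the report.
sample_summary() {
cat <<'EOF'
Optional features enabled:
    Multiprocessing support (--enable-threads)
    Use GNU libtool (--with-libtool)
Features disabled or unavailable on this platform:
    Large-system tuning (--with-tuning)
    GeoIP access control (--with-geoip)
    GSS-API (--with-gssapi)
EOF
}

# Read a summary on stdin; print the flag of every entry listed as disabled.
disabled_flags() {
    awk '
        /^Features disabled or unavailable/ { in_disabled = 1; next }
        /^Optional features enabled/        { in_disabled = 0; next }
        in_disabled && match($0, /\(--[a-z0-9-]+\)/) {
            print substr($0, RSTART + 1, RLENGTH - 2)
        }'
}

# silently_dropped SUMMARY_FILE ARG...: print each explicitly requested flag
# that the summary reports as disabled; return 1 if there is at least one.
silently_dropped() {
    summary=$1; shift
    rc=0
    for arg in "$@"; do
        case $arg in
            --with-*=no|--without-*|--disable-*|--enable-*=no) continue ;;
            --with-*|--enable-*) flag=${arg%%=*} ;;
            *) continue ;;
        esac
        if disabled_flags <"$summary" | grep -qxF -e "$flag"; then
            printf '%s\n' "$flag"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on the constructed sample: the requested --with-gssapi=yes is reported.
tmp=$(mktemp) && sample_summary >"$tmp"
silently_dropped "$tmp" --with-openssl --with-gssapi=yes || echo "fail the build"
rm -f "$tmp"
```

In a package build, save the configure output to a file and pass the same argument list to `silently_dropped`, so a missing header set stops the build instead of shipping an `nsupdate` without GSS-API.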