
Build FreeBSD with MIT Kerberos5 instead of Heimdal

Michal Nowak requested to merge mnowak/freebsd-use-mit-kerberos5 into main

tsiggss system tests crash or are unstable with the base FreeBSD (Heimdal-based) GSS-API. FreeBSD devs suggest using MIT Kerberos5 instead of Heimdal from Ports or Heimdal in their base OS.

Re the instability of some tsiggss system tests: named is stuck for 18 seconds after a malformed query from the test_cve_2021_25216 test:

22-Mar-2024 01:08:23.995 clientmgr @0x83c988060 attach: 2
22-Mar-2024 01:08:23.995 query client=0x83e136160 thread=0x837fb0500(<unknown-query>): query_reset
22-Mar-2024 01:08:23.995 client @0x83e136160 (no-peer): allocate new client
22-Mar-2024 01:08:23.995 client @0x83e136160 10.53.0.1#49476: TCP request
22-Mar-2024 01:08:23.995 client @0x83e136160 10.53.0.1#49476: using view '_default'
22-Mar-2024 01:08:23.995 client @0x83e136160 10.53.0.1#49476: request is not signed
22-Mar-2024 01:08:23.995 client @0x83e136160 10.53.0.1#49476: recursion not available (recursion not enabled for view)
22-Mar-2024 01:08:23.995 query client=0x83e136160 thread=0x837fb0500(<unknown-query>): ns_query_start
22-Mar-2024 01:08:41.917 gss cred: "host/freebsd.fqdn@FQDN", GSS_C_ACCEPT, 4294967295
22-Mar-2024 01:08:41.917 failed gss_accept_sec_context: GSSAPI error: Major =  An unsupported mechanism was requested, Minor = unknown mech-code 0 for mech unknown.
22-Mar-2024 01:08:41.917 process_gsstkey(): dns_tsigerror_badkey
22-Mar-2024 01:08:41.917 no longer listening on 127.0.0.1#28130
22-Mar-2024 01:08:41.923 gss cred: "host/freebsd.fqdn@FQDN", GSS_C_ACCEPT, 4294967295
22-Mar-2024 01:08:41.923 failed gss_accept_sec_context: GSSAPI error: Major =  A token was invalid, Minor = unknown mech-code 1859794437 for mech unknown.
22-Mar-2024 01:08:41.923 process_gsstkey(): dns_tsigerror_badkey
22-Mar-2024 01:08:41.923 client @0x83e136160 10.53.0.1#49476 (.): send failed: operation canceled
22-Mar-2024 01:08:41.923 client @0x83e136160 10.53.0.1#49476 (.): reset client
22-Mar-2024 01:08:41.923 no longer listening on 10.53.0.1#28130
22-Mar-2024 01:08:41.923 query client=0x83e136160 thread=0x837fb0500(./TKEY): query_reset
22-Mar-2024 01:08:41.923 client @0x83e136160 10.53.0.1#49476: freeing client
22-Mar-2024 01:08:41.923 query client=0x83e136160 thread=0x837fb0500(<unknown-query>): query_reset
22-Mar-2024 01:08:41.923 clientmgr @0x83c988060 detach: 1
22-Mar-2024 01:08:41.923 exclusive task mode: starting
22-Mar-2024 01:08:41.924 exclusive task mode: started
22-Mar-2024 01:08:41.924 shutting down

Also, I saw the "GSSAPI error: Major = An unsupported mechanism was requested, Minor = unknown mech-code 0 for mech unknown." error with Heimdal before.

Prereq: isc-projects/images!308

Edited by Michal Nowak
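
An added example, not part of the merge request or of BIND's own tooling: a Python check that scans a named debug log for gaps between consecutive timestamps, which is how the stall described above shows up between `ns_query_start` and the first `gss cred` line. The function names and the 5-second threshold are assumptions; the sample input is four lines taken from the log in the description.

```python
from datetime import datetime

# Sample input: four lines taken from the named log in the description above.
SAMPLE = """\
22-Mar-2024 01:08:23.995 client @0x83e136160 10.53.0.1#49476: request is not signed
22-Mar-2024 01:08:23.995 query client=0x83e136160 thread=0x837fb0500(<unknown-query>): ns_query_start
22-Mar-2024 01:08:41.917 gss cred: "host/freebsd.fqdn@FQDN", GSS_C_ACCEPT, 4294967295
22-Mar-2024 01:08:41.923 process_gsstkey(): dns_tsigerror_badkey
"""

TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"          # e.g. 22-Mar-2024 01:08:23.995
TS_LEN = len("22-Mar-2024 01:08:23.995")


def parse_line(line):
    """Return (timestamp, message), or None if the line has no leading timestamp."""
    try:
        ts = datetime.strptime(line[:TS_LEN], TS_FORMAT)
    except ValueError:
        return None
    return ts, line[TS_LEN:].strip()


def find_stalls(log_text, threshold_s=5.0):
    """List (gap_seconds, message_before, message_after) for every gap >= threshold_s.

    threshold_s is an assumed default; tune it to the test's normal latency.
    """
    stalls = []
    prev = None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank or continuation line: keep the previous timestamp
        if prev is not None:
            gap = (parsed[0] - prev[0]).total_seconds()
            if gap >= threshold_s:
                stalls.append((round(gap, 3), prev[1], parsed[1]))
        prev = parsed
    return stalls


if __name__ == "__main__":
    for gap, before, after in find_stalls(SAMPLE):
        print(f"{gap:.3f}s stall\n  before: {before}\n  after:  {after}")
```

The message reported as "before" is the last thing named logged prior to the stall, which is the place to start when comparing Heimdal and MIT Kerberos5 runs.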
