# BIND doesn't use proper Kerberos CNAME name



## bystrus (Jan 14, 2014)

Hello,

I am trying to make GSSTSIG working with BIND 9.8 from ports (GSS-API enabled) on 

```
root@freebsd:/ # uname -a
FreeBSD freebsd 9.2-RELEASE FreeBSD 9.2-RELEASE #0 r255898: Fri Sep 27 03:52:52 UTC 2013     root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386
```

I already did Kerberos client settings running on system (DNS and AD controller are configured properly).


```
root@freebsd:/# ktutil  -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type         Principal
  3  des-cbc-md5  DNS/dns.ad.corp@AD.CORP
```


```
root@freebsd:/ # more /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.CORP
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 30d
 forwardable = yes
 default_keytab_name = FILE:/etc/krb5.keytab

[realms]
 AD.CORP = {
  kdc = WIN-IO0KQQ3EBUC.ad.corp:88
  admin_server = WIN-IO0KQQ3EBUC.ad.corp:749
  default_domain = ad.corp
 }

[domain_realm]
 .ad.corp = AD.CORP
 ad.corp = AD.CORP

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
```

kinit looks


```
root@freebsd:/ # kinit -k -t /etc/krb5.keytab DNS/dns.ad.corp
root@freebsd:/ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: DNS/dns.ad.corp@AD.CORP

  Issued           Expires          Principal
Jan 15 01:48:59  Jan 15 11:48:59  krbtgt/AD.CORP@AD.CORP
```

My BIND statement contains a keytab statement, file itself has "bind" permission


```
options {
        directory "/etc/namedb";
        listen-on-v6 {
                "any";
        };
        tkey-gssapi-keytab "/etc/krb5.keytab";
        version "";
        check-names master ignore;
        dnssec-enable yes;
        edns-udp-size 4096;
        lame-ttl 600;
        max-cache-size 104857600;
        max-udp-size 4096;
        check-integrity no;
        check-sibling no;
        dnssec-secure-to-insecure yes;
        max-journal-size 10485760;
};
```

However, when the AD Controller initializes a TKEY query and BIND wants to obtain the first Kerberos ticket, I can see in a network capture an incorrect CNAME set to "bind" instead my "DNS/dns.ad.corp". Anybody experience similar situation? FYI, the same configuration on Ubuntu works fine. Any guideline how to debug exactly BIND is appreciated (not my area yet).


----------



## bystrus (Jan 14, 2014)

Well, I focused to try build BIND with MIT kerberos. I did manual compilation and to my surprise, it works. 

My new named is compiled and linked as follow*s*:


```
root@freebsd:~ # ldd /usr/local/sbin/named
/usr/local/sbin/named:
        libgssapi_krb5.so => /usr/local//lib/libgssapi_krb5.so (0x282b7000)
        libkrb5.so => /usr/local//lib/libkrb5.so (0x282f8000)
        libk5crypto.so => /usr/local//lib/libk5crypto.so (0x283af000)
        libcom_err.so => /usr/local//lib/libcom_err.so (0x283df000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x283e2000)
        libxml2.so.5 => /usr/local//lib/libxml2.so.5 (0x28545000)
        libz.so.6 => /lib/libz.so.6 (0x28676000)
        libiconv.so.3 => /usr/local//lib/libiconv.so.3 (0x2868a000)
        libm.so.5 => /lib/libm.so.5 (0x28782000)
        libc.so.7 => /lib/libc.so.7 (0x2879d000)
        libkrb5support.so => /usr/local/lib/libkrb5support.so (0x288cf000)
        libintl.so.9 => /usr/local/lib/libintl.so.9 (0x288d9000)
        liblzma.so.5 => /usr/lib/liblzma.so.5 (0x288e2000)
```

As I am a newbie, I expected that both Kerberos implementation*s* (MIT and Heimdal) will have _the_ same interfaces, but it looks like it's not the case. Anybody have experience with that?

I am also curious how I can specify in the dns/bind98 port to use MIT Kerberos in /usr/local/ instead of base-included Heimdal.

Thanks in advance,
Peter


----------

