From: Michał Kępień
Date: Mon, 6 Oct 2025 11:19:50 +0000 (+0200)
Subject: Stop using "tkey-gssapi-credential" in tests
X-Git-Tag: v9.21.15~80^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=73197feec7709b164f9154b2a6d1e67747d86f97;p=thirdparty%2Fbind9.git
Stop using "tkey-gssapi-credential" in tests
Since the "tkey-gssapi-credential" statement is now deprecated and is about to be removed, migrate the only system test using it ("nsupdate") to "tkey-gssapi-keytab". Currently, the GSS-TSIG parts of the "nsupdate" system test require properly setting up a combination of: - "tkey-gssapi-credential" statements in named.conf files, - the KRB5_KTNAME environment variable. Specifically, this configuration causes named startup to include acquiring the credential that GSS-API is allowed to match keys against from a keytab file specified by the KRB5_KTNAME environment variable. By contrast, the revised configuration uses the "tkey-gssapi-keytab" statement, which makes GSS-API match keys against any credential present in the specified keytab file. Since both keytabs in question (ns9/dns.keytab, ns10/dns.keytab) only contain a single credential, the two configurations are functionally equivalent, with the revised one being significantly more readable and simpler to prepare.
---
diff --git a/bin/tests/system/isctest/vars/basic.py b/bin/tests/system/isctest/vars/basic.py
index 07709d4ebbf..683bb600b73 100644
--- a/bin/tests/system/isctest/vars/basic.py
+++ b/bin/tests/system/isctest/vars/basic.py
@@ -54,7 +54,6 @@ BASIC_VARS = {
 "PIPEQUERIES": f"{BUILD_VARS['TOP_BUILDDIR']}/pipequeries",
 "TMPDIR": os.getenv("TMPDIR", "/tmp"),
 "KRB5_CONFIG": "/dev/null", # we don't want a KRB5_CONFIG setting breaking the tests
- "KRB5_KTNAME": "dns.keytab", # use local keytab instead of default /etc/krb5.keytab
 "LC_ALL": "C",
 "ANS_LOG_LEVEL": "debug",
 "DYLIB": ("dylib" if os.uname().sysname == "Darwin" else "so"),
diff --git a/bin/tests/system/nsupdate/ns10/named.conf.in b/bin/tests/system/nsupdate/ns10/named.conf.in
index 51a0b4f5873..1ba82fa3d99 100644
--- a/bin/tests/system/nsupdate/ns10/named.conf.in
+++ b/bin/tests/system/nsupdate/ns10/named.conf.in
@@ -26,7 +26,7 @@ options {
 notify yes;
 minimal-responses no;
 dnssec-validation no;
- @TKEY_CONFIGURATION@
+ tkey-gssapi-keytab "dns.keytab";
 };
 key rndc_key {
diff --git a/bin/tests/system/nsupdate/ns9/named.conf.in b/bin/tests/system/nsupdate/ns9/named.conf.in
index 07e38d2d41a..7c3141ed4b6 100644
--- a/bin/tests/system/nsupdate/ns9/named.conf.in
+++ b/bin/tests/system/nsupdate/ns9/named.conf.in
@@ -24,7 +24,7 @@ options {
 notify yes;
 minimal-responses no;
 dnssec-validation no;
- @TKEY_CONFIGURATION@
+ tkey-gssapi-keytab "dns.keytab";
 };
 key rndc_key {
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index 38942ba2970..d42af7f1e3d 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
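Review bot: In ns10/named.conf.in, `tkey-gssapi-keytab "dns.keytab";` no longer names the principal the server accepts: the old setup pinned `DNS/ns10.example.com@EXAMPLE.COM`, while, per the commit message, the keytab form matches any credential stored in the file. The stated equivalence therefore rests on each keytab holding exactly one entry, and nothing in the configuration records that invariant. I would add a comment above the statement, e.g. `/* dns.keytab must hold only DNS/ns10.example.com@EXAMPLE.COM; every principal in it is accepted for GSS-TSIG */`, and the same with the ns9 principal in the ns9/named.conf.in hunk. The options block opens above both hunks, so anything else in it that affects GSS-TSIG is not visible here.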
@@ -27,23 +27,8 @@ copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
 copy_setports ns7/named1.conf.in ns7/named.conf
 copy_setports ns8/named.conf.in ns8/named.conf
-
-# If "tkey-gssapi-credential" is set in the configuration and GSSAPI support is
-# not available, named will refuse to start. As the test system framework does
-# not support starting named instances conditionally, ensure that
-# "tkey-gssapi-credential" is only present in named.conf if GSSAPI support is
-# available.
-copy_setports ns9/named.conf.in ns9/named.conf.in.tkey
-copy_setports ns10/named.conf.in ns10/named.conf.in.tkey
-if $FEATURETEST --gssapi; then
- sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns9.example.com@EXAMPLE.COM";|' ns9/named.conf.in.tkey >ns9/named.conf
- sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns10.example.com@EXAMPLE.COM";|' ns10/named.conf.in.tkey >ns10/named.conf
-else
- sed 's|@TKEY_CONFIGURATION@||' ns9/named.conf.in.tkey >ns9/named.conf
- sed 's|@TKEY_CONFIGURATION@||' ns10/named.conf.in.tkey >ns10/named.conf
-fi
-rm -f ns9/named.conf.in.tkey
-rm -f ns10/named.conf.in.tkey
+copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
 copy_setports verylarge.in verylarge
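Review bot: The two added `copy_setports` lines for ns9 and ns10 drop the `$FEATURETEST --gssapi` gate together with the comment that explained it, so `tkey-gssapi-keytab` now reaches named.conf on every build. The removed comment said named refuses to start when `tkey-gssapi-credential` is configured without GSSAPI support; neither this hunk nor the commit message says whether the keytab statement is accepted on such builds, though presumably it is. A short replacement comment would keep that knowledge in the script, e.g. `# "tkey-gssapi-keytab" does not require GSSAPI support at startup, so ns9/ns10 need no feature gate`, once that has been confirmed on a build without GSSAPI.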