Four named instances in the "nsupdate" system test have GSS-TSIG support
enabled. All of them currently use "tkey-gssapi-keytab". Configure two
of them with "tkey-gssapi-credential" to test that option.
As "tkey-gssapi-keytab" and "tkey-gssapi-credential" both provide the
same functionality, no test modifications are required. The difference
between the two options is that the value of "tkey-gssapi-keytab" is an
explicit path to the keytab file to acquire credentials from, while the
value of "tkey-gssapi-credential" is the name of the principal whose
credentials should be used; those credentials are looked up in the
keytab file expected by the Kerberos library, i.e. /etc/krb5.keytab by
default. The path to the default keytab file can be overridden by
setting the KRB5_KTNAME environment variable. Utilize that variable to
use existing keytab files with the "tkey-gssapi-credential" option.
The KRB5_KTNAME environment variable should not interfere with the
"tkey-gssapi-keytab" option. Nevertheless, rename one of the keytab
files used with "tkey-gssapi-keytab" to something else than the contents
of the KRB5_KTNAME environment variable in order to make sure that both
"tkey-gssapi-keytab" and "tkey-gssapi-credential" are actually tested.
(cherry picked from commit
1746d2e84acee77ec88bf3f61eaa8f11cc1039a5)
export KEYSETTOOL
export KEYSIGNER
export KRB5_CONFIG
+export KRB5_KTNAME
export MAKEJOURNAL
export MDIG
export NAMED
# we don't want a KRB5_CONFIG setting breaking the tests
KRB5_CONFIG=/dev/null
+# use local keytab instead of default /etc/krb5.keytab
+KRB5_KTNAME=dns.keytab
#
# Construct the lists of tests to run
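Review bot: The comment added above `KRB5_KTNAME=dns.keytab` does not say that the value is a relative path, so the keytab a process opens depends on that process's working directory (presumably each nsX directory, as the existing relative `tkey-gssapi-keytab` paths already assume). Because the variable is exported from the shared test configuration, every server and client tool the framework starts inherits it, not only the "nsupdate" instances; whether another system test relies on the Kerberos default keytab cannot be told from this hunk. I would extend the comment to `# relative on purpose: resolved in each server's working directory (nsX/dns.keytab); consumed by "tkey-gssapi-credential"`.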
kinit -V -k -t ms-machine.keytab -l ${lifetime}d -c ms-machine.ccache 'machine$@EXAMPLE.COM'
cp ns7-server.keytab ../ns7/dns.keytab
-cp ns8-server.keytab ../ns8/dns.keytab
+cp ns8-server.keytab ../ns8/dns-other-than-KRB5_KTNAME.keytab
cp ns9-server.keytab ../ns9/dns.keytab
cp ns10-server.keytab ../ns10/dns.keytab
recursion no;
notify yes;
minimal-responses no;
- tkey-gssapi-keytab "dns.keytab";
+ tkey-gssapi-credential "DNS/ns10.example.com@EXAMPLE.COM";
};
key rndc_key {
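Review bot: Nothing in this file now shows where the keytab for `tkey-gssapi-credential` comes from; the lookup depends on `KRB5_KTNAME` being present in named's environment. If the variable is missing, the Kerberos library falls back to its default keytab (/etc/krb5.keytab per the commit message), so the instance would either fail to acquire credentials or read a host keytab instead of the test one. A comment above the option would make the dependency visible, e.g. `/* keytab is located via KRB5_KTNAME (exported by the test framework), not named in this file */`. The same applies to the hunk that switches the ns9 instance to `tkey-gssapi-credential`; the options block starts outside the hunk.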
recursion no;
notify yes;
minimal-responses no;
- tkey-gssapi-keytab "dns.keytab";
+ tkey-gssapi-keytab "dns-other-than-KRB5_KTNAME.keytab";
};
key rndc_key {
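Review bot: The keytab name on the new `tkey-gssapi-keytab` line is deliberately different from the `KRB5_KTNAME` value, but only the commit message says so. A later cleanup that renames it back to `dns.keytab` would silently stop proving that the explicit path is honoured independently of the environment variable. I would add a comment above the option, `/* must differ from $KRB5_KTNAME so that only the explicit path can satisfy this option */`. The same file name is hard-coded in the keytab setup hunk (`../ns8/dns-other-than-KRB5_KTNAME.keytab`), so the two have to change together.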
recursion no;
notify yes;
minimal-responses no;
- tkey-gssapi-keytab "dns.keytab";
+ tkey-gssapi-credential "DNS/ns9.example.com@EXAMPLE.COM";
};
key rndc_key {
./bin/tests/system/nsupdate/ns6/named.args X 2018,2019,2020,2021
./bin/tests/system/nsupdate/ns7/dns.keytab X 2018,2019,2020,2021
./bin/tests/system/nsupdate/ns7/machine.ccache X 2018,2019,2020,2021
-./bin/tests/system/nsupdate/ns8/dns.keytab X 2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns8/dns-other-than-KRB5_KTNAME.keytab X 2018,2019,2020,2021
./bin/tests/system/nsupdate/ns8/machine.ccache X 2018,2019,2020,2021
./bin/tests/system/nsupdate/ns9/dns.keytab X 2018,2019,2020,2021
./bin/tests/system/nsupdate/ns9/machine.ccache X 2018,2019,2020,2021