BIND 9 attempts to look up GSSAPI OIDs for the Kerberos 5 and SPNEGO
mechanisms in the relevant header files provided by the Kerberos/GSSAPI
library used. Due to the differences between various Kerberos/GSSAPI
implementations, if any of the expected preprocessor macros
(GSS_KRB5_MECHANISM, GSS_SPNEGO_MECHANISM) is not defined in the header
files provided by the library used, the code in lib/dns/gssapictx.c
defines its own version of each missing macro, so that BIND 9 can
attempt to use the relevant security mechanisms anyway.
Commit
a875dcc66969ea3995eb6fc1545d39dafcb56b26, which contains a
partial backport of the changes introduced in commit
978c7b2e89aa37a7ddfe2f6b6ba12ce73dd04528, left a block of code in the
lib/dns/dst_internal.h header which defines the GSS_SPNEGO_MECHANISM
preprocessor macro to NULL if it is not defined by any header file
provided by the Kerberos/GSSAPI library used. This causes the
gss_add_oid_set_member() call in the mech_oid_set_create() helper
function to always return an error. This in turn causes the
dst_gssapi_acquirecred() function to also always return an error, which
ultimately prevents any named instance whose configuration includes the
"tkey-gssapi-credential" option from starting.
Remove the offending conditional definition of the GSS_SPNEGO_MECHANISM
preprocessor macro from lib/dns/dst_internal.h, so that a proper GSSAPI
OID is assigned to that macro in lib/dns/gssapictx.c when the
Kerberos/GSSAPI library used does not define it.
projects / thirdparty / bind9.git / commitdiff
