Merge ~ahasenack/ubuntu/+source/bind9:bind9-nsupdate-gssapi-1755439 into ubuntu/+source/bind9:ubuntu/devel

Proposed by Andreas Hasenack
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: 4e030a0f8ffd6821db3421f218452d2be8778119
Proposed branch: ~ahasenack/ubuntu/+source/bind9:bind9-nsupdate-gssapi-1755439
Merge into: ubuntu/+source/bind9:ubuntu/devel
Diff against target: 52 lines (+30/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/nsupdate-gssapi-fails-ad-45854.patch (+21/-0)
debian/patches/series (+1/-0)
Reviewer              Review Type   Date Requested   Status
Christian Ehrhardt    (community)                    Approve
Canonical Server                                     Pending
Review via email: mp+341410@code.launchpad.net

Description of the change

Grabbed the upstream fix for nsupdate when using Kerberos/GSSAPI against a Microsoft DNS server on an AD controller. This was first reported on the sssd mailing list (https://<email address hidden>/thread/OHSTI2VHQKDKKDNVITOIHBOT47RFRP5R/) and then in a bug report in Launchpad (https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1755439).

There is no new upstream bind release with the fix yet; it's just in their git.

Testing this against an actual AD server will be a bit time consuming. I prepared test packages and uploaded them to https://launchpad.net/~ahasenack/+archive/ubuntu/bind9-nsupdate-gssapi-windows-1755439/ and asked the reporter to give them a try in his environment.

I did a simple kerberized nsupdate test with a local bind9 server and that worked:
ubuntu@bionic-bind9-nsupdate:~$ kinit
Password for ubuntu@LXD:

ubuntu@bionic-bind9-nsupdate:~$ nsupdate -g
> server 127.0.0.1
> update add xenial.lxd. 120 TXT "Goodbye from kerberos"
> send

ubuntu@bionic-bind9-nsupdate:~$ dig @127.0.0.1 -t txt xenial.lxd +short
"Goodbye from kerberos"

ubuntu@bionic-bind9-nsupdate:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu@LXD

Valid starting       Expires              Service principal
03/14/18 15:02:21    03/15/18 01:02:21    krbtgt/LXD@LXD
        renew until 03/15/18 15:02:20
03/14/18 15:02:45    03/15/18 01:02:21    DNS/lxd@LXD
        renew until 03/15/18 15:02:20

Revision history for this message
Christian Ehrhardt (paelzer) wrote:

As discussed testing is up to you and the reporter.
Packaging wise this looks good - and I didn't find issues doing some simple tests with it.
Also ran the QA regression suite on it and all were good (16 tests good, except 2 due to IPv6 not being available in my env).
Further ran the integrated unit tests against a rebuild from your source.
    216 R:PASS
      5 R:SKIPPED
      1 R:UNTESTED

I also wanted to mention that this is not entirely new code, as it is "Restore workaround for Microsoft Windows TSIG ...", which makes it slightly better than a random new change.

Presuming the reporter tests it OK from your PPA.

Approve (under the condition that it was tested for the reported issue before upload).

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote:

Rebased on top of 1:9.11.2.P1-1ubuntu4 which was uploaded to the archive yesterday.

Revision history for this message
Christian Ehrhardt (paelzer) wrote:

The reporter has checked the PPA and is OK with it (as we have a hard time testing it).
Did some minor rechecks if versions still are ok and such, but the rebase was good.

As discussed on IRC tagged, pushed and sponsored.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index ddac13c..4e31f03 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium
7+
8+ * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating
9+ DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews
10+ <marka@isc.org>. (LP: #1755439)
11+
12+ -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300
13+
14 bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium
15
16 * Fix apparmor profile filename (LP: #1754981)
17diff --git a/debian/patches/nsupdate-gssapi-fails-ad-45854.patch b/debian/patches/nsupdate-gssapi-fails-ad-45854.patch
18new file mode 100644
19index 0000000..50e1ca6
20--- /dev/null
21+++ b/debian/patches/nsupdate-gssapi-fails-ad-45854.patch
22@@ -0,0 +1,21 @@
23+Description: fix updating DNS records in Microsoft AD using GSSAPI
24+ Restore workaround for Microsoft Windows TSIG hash computation bug.
25+Author: Mark Andrews <marka@isc.org>
26+Origin: upstream, https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=a8a20462b516b0cc39e9b1fb1a8dd514eb1aed29
27+Bug: https://bugs.isc.org/Public/Bug/Display.html?id=45854
28+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1755439
29+Last-Update: 2018-03-14
30+---
31+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
32+--- a/lib/dns/rdataset.c
33++++ b/lib/dns/rdataset.c
34+@@ -467,6 +467,9 @@
35+ dns_name_copy(owner_name, name, NULL);
36+ dns_rdataset_getownercase(rdataset, name);
37+
38++ if ((owner_name->attributes & DNS_NAMEATTR_NOCOMPRESS) != 0)
39++ name->attributes |= DNS_NAMEATTR_NOCOMPRESS;
40++
41+ do {
42+ /*
43+ * Copy out the name, type, class, ttl.
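Review bot: the two added lines in lib/dns/rdataset.c carry no comment saying why DNS_NAMEATTR_NOCOMPRESS has to survive the copy; the rationale lives only in the DEP-3 Description ("Restore workaround for Microsoft Windows TSIG hash computation bug"), so a later rebase that sees an unexplained attribute copy next to dns_name_copy() could drop it again. Suggest a one-line comment above the `if`, along the lines of `/* Preserve NOCOMPRESS: Windows TSIG hash computation needs the owner name uncompressed (ISC #45854). */`. ORing the bit in without ever clearing it is fine here, because `name` is repopulated from `owner_name` by dns_name_copy() on the line just above, so the bit always reflects the current owner name rather than a stale one. The DEP-3 header itself is in order (Origin points at the upstream commit, Bug and Bug-Ubuntu both present); consider adding Applied-Upstream with the release version once ISC ships it.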
44diff --git a/debian/patches/series b/debian/patches/series
45index bddc35c..af40ba4 100644
46--- a/debian/patches/series
47+++ b/debian/patches/series
48@@ -12,3 +12,4 @@ Add_--install-layout=deb_to_setup.py_call.patch
49 0012-Use-stdatomic.h-in-acache-code-46085.patch
50 0013-Check-if-latomic-is-needed-to-handle-64-bit-stdatomi.patch
51 add-ply-dependency-to-python-scripts.patch
52+nsupdate-gssapi-fails-ad-45854.patch
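Review bot: the new series entry is unnumbered while the other upstream cherry-picks in this series use the git-export naming (0012-Use-stdatomic.h-in-acache-code-46085.patch, 0013-Check-if-latomic-is-needed-to-handle-64-bit-stdatomi.patch); either rename it to match (e.g. 0014-Restore-workaround-for-Microsoft-Windows-TSIG-45854.patch) or keep the descriptive name but be aware it will sort apart from the other upstream backports when the next merge looks for patches to drop. Appending it at the end of the series is the right place for an independent upstream cherry-pick.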
