Bind9 with tkey-gssapi-* support

Adam Tauno Williams awilliam at
Wed Nov 3 14:54:54 MDT 2010

Sorry to bother the list; but I am failing bad at building a named that
is happy with the tkey-gssapi-credential / tkey-domain options.  GSSAPI
support is built, etc... Is there something I'm overlooking to get those

yum install libattr-devel libacl-devel gcc python-devel pam-devel
ncurses-devel zlib-devel libxslt-devel

curl -o openssl-1.0.0a.tar.gz
curl -o bind-9.7.2.tar.gz
curl -o samba-4.0.0alpha13.tar.gz

tar xzvf openssl-1.0.0a.tar.gz
cd openssl-1.0.0a
./Configure --prefix=/opt/ad/openssl
make install

tar xzvf bind-9.7.2.tar.gz
cd bind-9.7.2
./configure --prefix=/opt/ad/named --sysconfdir=/etc
--with-openssl=/opt/ad/openssl --with-gssapi
checking whether byte ordering is bigendian... no
checking for OpenSSL library... using OpenSSL from /opt/ad/openssl/lib
and /opt/ad/openssl/include
checking whether linking with OpenSSL works... yes
checking whether linking with OpenSSL requires -ldl... yes
checking OpenSSL library version... ok
checking for OpenSSL DSA support... yes
checking for EVP_sha256... yes
checking for EVP_sha512... yes
checking for PKCS11 support... disabled
checking for PKCS11 tools... disabled
checking for GSSAPI library... looking in /usr/lib
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking gssapi/gssapi.h usability... yes
checking gssapi/gssapi.h presence... yes
checking for gssapi/gssapi.h... yes
checking krb5.h usability... yes
checking krb5.h presence... yes
checking for krb5.h... yes
checking krb5/krb5.h usability... yes
checking krb5/krb5.h presence... yes
checking for krb5/krb5.h... yes
checking kerberosv5/krb5.h usability... no
checking kerberosv5/krb5.h presence... no
checking for kerberosv5/krb5.h... no
checking linking as -lgssapi_krb5... yes
using GSSAPI from /usr/lib and /usr/include
make install

tar xzvf samba-4.0.0alpha13.tar.gz
cd samba-4.0.0alpha13/source4/
./configure --prefix=/opt/ad/samba4
make install
./setup/provision --realm=AD.MORMAIL.COM --domain=MORMAIL-AD
--adminpass=fred123.7 --server-role='domain controller'

cd /etc
cat named.conf
include "/opt/ad/samba4/private/named.conf";
tkey-gssapi-credential "DNS/";
tkey-domain "AD.WMMI.NET";
ln -s /opt/ad/samba4/private/krb5.conf
useradd named
chgrp named /opt/ad/samba4/private/dns.keytab
chmod g+r /opt/ad/samba4/private/dns.keytab

Test (named aborts on start)
$ strings /opt/ad/named/sbin/named | grep tkey-gssapi-credential
tkey-gssapi-credential (%s) should start with 'DNS/'
badly formatted tkey-gssapi-credentials (%s)
default realm from krb5.conf (%s) does not match tkey-gssapi-credential
#\ttkey-gssapi-credential <none>

$ cat /etc/named_start
export KRB5_KTNAME

/opt/ad/named/sbin/named -u named

Nov  3 12:44:40 localhost named[3428]: using up to 4096 sockets
Nov  3 12:44:40 localhost named[3428]: loading configuration from
Nov  3 12:44:40 localhost named[3428]: /etc/named.conf:2: unknown option
Nov  3 12:44:40 localhost named[3428]: /etc/named.conf:3: unknown option
Nov  3 12:44:40 localhost named[3428]: loading configuration: failure
Nov  3 12:44:40 localhost named[3428]: exiting (due to fatal error)

Adam Tauno Williams <awilliam at>

More information about the samba-technical mailing list