Install Bind With Gss-spnego Enabled


CentOS 7.1503 installed. Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be configured).

The samba wiki Readme First page states, “Some distributions like . . . Red Hat Enterprise Linux (and clones), ship BIND9 packages with disabled GSS-SPNEGO option, which is required for signed DNS updates when using BIND as DNS backend on your Samba DC. This circumstance requires to self compile BIND9.”

Is there any way to use a yum command to install Bind9 with gss-spnego enabled?

I’m worried about installing from source and creating future problems when trying to update other CentOS packages that may be affected by the source install of Bind9. Is it safe to obtain a bind9 source tarball for install on an rpm-based CentOS 7 server?

If anyone has installed Bind for use with Samba 4 on CentOS 7, please let me know what worked.

Thanks for your time and patience.

10 thoughts on - Install Bind With Gss-spnego Enabled

  • That is a bind build option, the only way to enable it is to build it.

    Is there some reason you don’t want to use the samba-4.1 that is shipped in CentOS-7?

  • Hi Johnny,

    Thank you for your response. I thought to choose the sernet package because of the following stated in Samba Readme:

    Samba packages shipped in some distributions like e.g. Fedora, RHEL may not be able to be used as Samba AD DC, because the distribution relies on MIT Kerberos which isn’t supported by Samba yet. In this case build Samba yourself or use the packages from SerNet or other reliable sources.

    I do want to use samba as an AD DC. Does the above not apply to CentOS distro?

    Thanks for reading.

  • Nope, you are correct. The samba in CentOS-7 currently does not work as an Active Directory Domain Controller. If you already have a domain controller, you can make the CentOS-7 samba connect to that DC and serve as a File or Print server.

    So, if you want a linux samba DC, then that would mean that you will need to use sernet and maintain bind yourself for that feature.

    Whether that is safe or not is up to you.

    I have no idea specifically about the GSS-SPNEGO .. I can tell you that if you look at current bind spec file, you can see in lines 409-412 how/why "--disable-isc-spnego" gets selected.

    I do not know what the answer is, if gssapi and gss-spnego can coexist, or if one is better than the other in a given situation, etc.

    BUT .. If I was going to solve this problem, I would do so asking the sernet guys and I would rebuild the “bind” sources in CentOS with the proper configure switches so it would likely still meet all the other software requires for CentOS that bind needs to meet. You could also then only track when CentOS releases a new bind (because RH has released new source code) .. and thereby not have to track bind upstream tarball releases for security.

  • 

    This was required for kerberos secured updates prior to el7.1 and el6.6 …

    The problem in the underlying kerberos libraries was resolved so that kerberos based updates worked with gss again and spnego doesn’t need to be compiled in.

  • James, thank you for your reply. This sounds like good news for me; I can stay planted in the accepted CentOS repo biosphere.


    I installed bind-9.9.4 package from the CentOS repo. I’ve been reading the Changes and Readme file but don’t see where this issue is addressed.

    Can you point me to the CentOS announcements or release notes that deal with the bind package and gss-spnego. I’d like to try to understand and possibly aggregate the right info to send to the samba wiki maintainers.


    named -V on the installed package produces:

    BIND 9.9.4-RedHat-9.9.4-18.el7_1.1 (Extended Support Version)
    built with '--build=x86_64-redhat-linux-gnu'
    '--host=x86_64-redhat-linux-gnu' '--program-prefix='
    '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
    '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'

    <<>>

    '--with-gssapi=yes' '--disable-isc-spnego'

    using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
    using libxml2 version: 2.9.1
    END

    Does the above output show that gss-spnego is actually enabled?
    Thanks for your help.
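The question above, whether a configure line like the one `named -V` printed means signed (GSS-TSIG) updates can work, comes up often enough that a small check script is useful. The script below is an added example and is not part of the thread, nor code from the BIND or Samba projects. It reads `named -V` output and classifies the build from two configure flags: `--with-gssapi` (without it, BIND cannot do GSS-TSIG at all) and `--disable-isc-spnego` (BIND's own bundled SPNEGO implementation is left out, and SPNEGO negotiation is done by the system GSSAPI library, i.e. krb5, which is the situation James describes for the stock el7.1 build). The function name `classify_named_build` and the two sample outputs are my own constructions; the first sample mirrors the el7_1.1 configure line quoted above, the second is a made-up build without GSSAPI.

```shell
#!/bin/sh
# Added example, not from the thread or from the BIND/Samba projects.
# Classify a BIND build from the configure line that `named -V` prints.
#
# Rules (from BIND's configure options):
#   no --with-gssapi, --with-gssapi=no or --without-gssapi  -> no GSS-TSIG at all
#   --with-gssapi + --disable-isc-spnego -> SPNEGO comes from the system GSSAPI (krb5) library
#   --with-gssapi without --disable-isc-spnego -> BIND's bundled ISC SPNEGO is compiled in

# classify_named_build: reads `named -V` text on stdin and prints one of
#   no-gssapi | gssapi-syslib | gssapi-isc-spnego
# Exit status is 1 only for no-gssapi, so it can be used in an `if`.
classify_named_build() {
    out=$(cat)
    case "$out" in
        *--with-gssapi=no*|*--without-gssapi*)
            echo no-gssapi
            return 1 ;;
    esac
    case "$out" in
        *--with-gssapi*)
            case "$out" in
                *--disable-isc-spnego*) echo gssapi-syslib ;;
                *)                      echo gssapi-isc-spnego ;;
            esac ;;
        *)
            echo no-gssapi
            return 1 ;;
    esac
}

# check_running_named: the same test against the named actually installed.
# (hypothetical helper; requires the bind package to be present)
check_running_named() {
    named -V 2>/dev/null | classify_named_build
}

# Constructed sample 1: the relevant part of the el7_1.1 output quoted in the thread.
sample_el71() {
cat <<'EOF'
BIND 9.9.4-RedHat-9.9.4-18.el7_1.1 (Extended Support Version)
built with '--build=x86_64-redhat-linux-gnu' '--prefix=/usr'
'--with-gssapi=yes' '--disable-isc-spnego'
EOF
}

# Constructed sample 2: a made-up build with GSSAPI left out entirely.
sample_nogss() {
cat <<'EOF'
BIND 9.9.4 (Extended Support Version)
built with '--prefix=/usr' '--without-gssapi'
EOF
}

# Demo run over the two constructed samples.
for s in sample_el71 sample_nogss; do
    printf '%s: %s\n' "$s" "$($s | classify_named_build)"
done
```

The stock el7_1.1 line classifies as `gssapi-syslib`: GSSAPI is compiled in and SPNEGO is delegated to the krb5 libraries, which is why no rebuild with ISC's SPNEGO is needed once the krb5 fix James mentions is installed. The configure line only tells you the capability is present, not that updates succeed; the end-to-end check is still `samba_dnsupdate --verbose` on the DC, or an `nsupdate -g` run with a valid Kerberos ticket, watched against the `named` log.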

  • Zoinks! I didn’t realize I was corresponding with the fellow who actually maintains this section of the Samba Wiki. :-)
    Thanks for your expertise and synergy between the OS and the Samba software.

  • 

    Just to be clear I don’t do that.

    However I have had a fair bit of my professional life in the realm of samba in an AD context on CentOS this past year.

    I happen to know someone who does maintain that wiki though so will give him the heads up over drinks in a few weeks ;)

  • K, clear. Still very much appreciative of your experience and insight. I’m a wannabe who never has enough time amongst my duties to get my sys-admin skills tight.

    Cheers,

    Mike