Add tests for the "tkey-gssapi-credential" option

Four named instances in the "nsupdate" system test have GSS-TSIG support
enabled.  All of them currently use "tkey-gssapi-keytab".  Configure two
of them with "tkey-gssapi-credential" to test that option.

As "tkey-gssapi-keytab" and "tkey-gssapi-credential" both provide the
same functionality, no test modifications are required.  The difference
between the two options is that the value of "tkey-gssapi-keytab" is an
explicit path to the keytab file to acquire credentials from, while the
value of "tkey-gssapi-credential" is the name of the principal whose
credentials should be used; those credentials are looked up in the
keytab file expected by the Kerberos library, i.e. /etc/krb5.keytab by
default.  The path to the default keytab file can be overridden using by
setting the KRB5_KTNAME environment variable.  Utilize that variable to
use existing keytab files with the "tkey-gssapi-credential" option.

The KRB5_KTNAME environment variable should not interfere with the
"tkey-gssapi-keytab" option.  Nevertheless, rename one of the keytab
files used with "tkey-gssapi-keytab" to something else than the contents
of the KRB5_KTNAME environment variable in order to make sure that both
"tkey-gssapi-keytab" and "tkey-gssapi-credential" are actually tested.

bin/tests/system/conf.sh.common

@@ -713,6 +713,7 @@ export KEYGEN
 export KEYSETTOOL
 export KEYSIGNER
 export KRB5_CONFIG
+export KRB5_KTNAME
 export MAKEJOURNAL
 export MDIG
 export NAMED

bin/tests/system/conf.sh.in

@@ -71,6 +71,8 @@ PIPEQUERIES=$TOP_BUILDDIR/bin/tests/system/pipelined/pipequeries
 
 # we don't want a KRB5_CONFIG setting breaking the tests
 KRB5_CONFIG=/dev/null
+# use local keytab instead of default /etc/krb5.keytab
+KRB5_KTNAME=dns.keytab
 
 #
 # Construct the lists of tests to run

bin/tests/system/nsupdate/krb/setup.sh

@@ -101,7 +101,7 @@ kinit -V -k -t krb5-machine.keytab -l ${lifetime}d -c krb5-machine.ccache host/m
 kinit -V -k -t ms-machine.keytab -l ${lifetime}d -c ms-machine.ccache 'machine$@EXAMPLE.COM'
 
 cp ns7-server.keytab ../ns7/dns.keytab
-cp ns8-server.keytab ../ns8/dns.keytab
+cp ns8-server.keytab ../ns8/dns-other-than-KRB5_KTNAME.keytab
 cp ns9-server.keytab ../ns9/dns.keytab
 cp ns10-server.keytab ../ns10/dns.keytab
 

bin/tests/system/nsupdate/ns10/named.conf.in

@@ -20,7 +20,7 @@ options {
 	recursion no;
 	notify yes;
 	minimal-responses no;
-	tkey-gssapi-keytab "dns.keytab";
+	tkey-gssapi-credential "DNS/ns10.example.com@EXAMPLE.COM";
 };
 
 key rndc_key {

bin/tests/system/nsupdate/ns8/named.conf.in

@@ -20,7 +20,7 @@ options {
 	recursion no;
 	notify yes;
 	minimal-responses no;
-	tkey-gssapi-keytab "dns.keytab";
+	tkey-gssapi-keytab "dns-other-than-KRB5_KTNAME.keytab";
 };
 
 key rndc_key {

bin/tests/system/nsupdate/ns9/named.conf.in

@@ -20,7 +20,7 @@ options {
 	recursion no;
 	notify yes;
 	minimal-responses no;
-	tkey-gssapi-keytab "dns.keytab";
+	tkey-gssapi-credential "DNS/ns9.example.com@EXAMPLE.COM";
 };
 
 key rndc_key {

util/copyrights

@@ -654,7 +654,7 @@
 ./bin/tests/system/nsupdate/ns6/named.args	X	2018,2019,2020,2021
 ./bin/tests/system/nsupdate/ns7/dns.keytab	X	2018,2019,2020,2021
 ./bin/tests/system/nsupdate/ns7/machine.ccache	X	2018,2019,2020,2021
-./bin/tests/system/nsupdate/ns8/dns.keytab	X	2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns8/dns-other-than-KRB5_KTNAME.keytab	X	2018,2019,2020,2021
 ./bin/tests/system/nsupdate/ns8/machine.ccache	X	2018,2019,2020,2021
 ./bin/tests/system/nsupdate/ns9/dns.keytab	X	2018,2019,2020,2021
 ./bin/tests/system/nsupdate/ns9/machine.ccache	X	2018,2019,2020,2021