[Samba] Change DNS method?

Matthieu Patou mat at samba.org
Tue Oct 16 11:56:18 MDT 2012


On 10/16/2012 12:57 AM, Kai Blin wrote:
> On 2012-10-16 05:40, Andrew Bartlett wrote:
>
> Hi,
>
>> I'm having trouble parsing that, but yes, additional patches are
>> required to have the internal DNS server accept static keys.  We would
>> need a key storage mechanism, and then code to implement that TSIG
>> method.
> I've had patches to do this, but ditched them in favour of conflicting
> patches to implement GSS-TSIG.
>
>> I think it would be a very valuable improvement.
> The algorithm is pretty straightforward, but I couldn't get the
> signature right the last time I tried. However, the logic on what parts
> of the packet to use for the signature is a bit tricky, but I'm sure
> I've now got that right for GSS-TSIG. Using a static key with md5
> instead of gensec_sign should be straightforward, the interesting
> question is how and where we store the keys.
Well you could have a dedicated account for it, and the secret just has 
to be md4(real_secret) in dhcpd, in this case you can use the 
unicodePwd, the other option is to use the supplementary credentials to 
store the password in clear text (less straightforward).


Matthieu.


-- 
Matthieu Patou
Samba Team
http://samba.org
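
The fields a static-key HMAC-MD5 TSIG MAC covers for a request, following RFC 2845 section 3.4, as an added example that is not part of the original message or of Samba's code. The key, key name, timestamp and sample query are constructed; in the scheme suggested above, the key bytes would be md4(real_secret).

```python
import hashlib
import hmac
import struct

HMAC_MD5 = "HMAC-MD5.SIG-ALG.REG.INT"  # algorithm name defined in RFC 2845
CLASS_ANY = 255

# Constructed sample values (assumptions, not taken from the thread).
KEY = bytes(range(16))            # stand-in for the 16-byte shared secret
KEY_NAME = "dhcp-key.example.com"
TIME_SIGNED = 1350410178          # seconds since the epoch, 48-bit on the wire


def wire_name(name):
    """Encode a domain name in canonical wire form: lowercase, uncompressed."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


# Constructed query for example.com A IN: header (ID, flags, 4 counts) + question.
SAMPLE_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
                + wire_name("example.com") + struct.pack("!HH", 1, 1))


def tsig_mac(key, message, key_name, time_signed, fudge=300):
    """MAC for a request. `message` is the DNS message in wire format as it was
    before the TSIG RR was appended and before ARCOUNT was incremented."""
    variables = (
        wire_name(key_name)                      # TSIG RR NAME
        + struct.pack("!HI", CLASS_ANY, 0)       # CLASS, TTL
        + wire_name(HMAC_MD5)                    # Algorithm Name
        + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
        + struct.pack("!HH", 0, 0)               # Error, Other Len (no Other Data)
    )
    return hmac.new(key, message + variables, hashlib.md5).digest()


def tsig_verify(key, message, key_name, time_signed, fudge, mac, now):
    """Receiver side: reject stale timestamps, then compare in constant time."""
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(key, message, key_name, time_signed, fudge)
    return hmac.compare_digest(expected, mac)
```

A receiver has to remove the TSIG RR, decrement ARCOUNT and restore the original message ID before calling `tsig_verify`; that parsing step is left out here.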


