[cifs-protocol] question on DNS TSIG dynamic updates
tridge at samba.org
tridge at samba.org
Thu Feb 11 21:29:20 MST 2010
Dear dochelp,
This is with regard to MS-GSSA, and the protocols for kerberized
dynamic DNS updates using TSIG-GSS.
We implemented the client side of this quite a while ago, and now
we're trying to make the server side of it reliable (for when windows
clients register DNS named with a Samba server). We're doing this by
trying to integrate a bit more closely with bind9, which has TSIG
support.
The problem we've hit is a fairly basic one - what are the conditions
under which Windows clients will use a TSIG DNS update?
When we get a Windows w2k8r2 box to join a Samba domain, it does try
and do a dynamic DNS update to add its name, but it doesn't do it
using TSIG. It just sends a plain DNS update. Our current guess is
that perhaps Windows first tries to send a non-TSIG update, and
expects something special about the error return it gets, then based
on that error return it would then do a TSIG based update. Looking at
a Windows DNS server, we notice it sends a more extensive response
when it refuses a non-TSIG update, and we suspect it is something
about this response (perhaps the CNAME pre-requisite?) that triggers
windows to try again with a TSIG update.
Or maybe there is something in the rootDSE or CLDAP responses that
tell a Windows client if the server is capable of TSIG DNS updates?
We're particularly interested in the answer for the following
situations:
1) a normal DNS update when a member of a domain boots
2) updates of the _msdcs zone when a DC joins a domain (and
subsequent updates)
Thanks!
Cheers, Tridge
More information about the cifs-protocol
mailing list