video w2k8r2 joining s4 and dns problems

simo idra at
Tue Jan 12 15:12:56 MST 2010

On Wed, 2010-01-13 at 07:17 +1100, tridge at wrote:
> Hi Matthieu,
>  > I was rethinking at your video concerning your w2k8r2, and I remember 
>  > that you were obliged to edit zone file by hand. Why not using 
>  > ./scripting/bin/ ?
> That works fine against Windows servers, so if I had set up the Windows
> box as the main DNS server then I could have used it.
> Against bind9 it doesn't work as the ms-self access control we set up
> for tsig-gss KRB5 DNS updates only works for creating your own name in
> the domain, it doesn't work for the $GUID._msdcs names which is what
> needs to be added for a new DC.
> I could have cheated by having more open access controls in the bind
> config, or by using something like a HMAC-MD5 key based update policy,
> but that wouldn't reflect what we need to make DNS updates seamless
> with a mix of windows and Samba DCs.
> We need to work on the generated bind9 config file for s4 so that we
> create a config which allows DCs to add all the names (both SRV and A
> names) that a DC needs to add when it joins. I'm not sure if that is
> possible with the current bind9 code, and if we find it isn't then we
> will need to work with the bind9 developers to find a way to make it
> work.
> As a longer term goal I think we should also try to find a way to
> support storing the zone files in the DNS partitions of AD, which is
> how windows DNS servers store them. That then allows DNS changes to
> flow between DCs using DRS (and should also allow full ACL control
> over DNS updates by admins). Maybe we could build a backend storage
> plugin for bind that uses ldb? 

This shouldn't be too difficult, we at Red Hat recently developed and
submitted code so that finally you can load shared modules in bind.
Also we made it so loaded backends can be used also to store back data
after DNS updates, provided you use the right API.

An example of such a module that is at a good stage and we developed for
use with FreeIPA is here:
taking that module as a guide should make it possible to use ldb or
maybe better just samba4-ldap


Simo Sorce
Samba Team GPL Compliance Officer <simo at>
Principal Software Engineer at Red Hat, Inc. <simo at>
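The ms-self limitation tridge describes can be seen directly in the bind9 update-policy. The fragment below is an added illustration for this thread, not configuration from the Samba project or from either poster; it assumes a domain samdom.example.com with Kerberos realm SAMDOM.EXAMPLE.COM, a flat-file zone, and a BIND release that implements the ms-subdomain rule type (newer than the 2010 versions discussed here). The first zone block is the policy as set up in the thread: a GSS-TSIG-authenticated machine may only create or update its own A/AAAA name. The second block is the widened policy a joining DC would need, since it also has to write the $GUID._msdcs CNAME and the SRV records under _msdcs, _tcp, _udp and _sites.

```conf
// Added example: named.conf update-policy, "before" and "after".
// Zone name, realm and file path are assumptions, not values from the thread.

// 1. Policy as described in the thread: ms-self only.
//    A host with principal host/<name>@SAMDOM.EXAMPLE.COM may update
//    <name>.samdom.example.com, nothing else. A new DC's
//    <GUID>._msdcs and SRV names are refused.
zone "samdom.example.com" {
    type master;
    file "/var/named/samdom.example.com.zone";
    update-policy {
        grant SAMDOM.EXAMPLE.COM ms-self SAMDOM.EXAMPLE.COM. A AAAA;
    };
};

// 2. Widened policy so a joining DC can register its service records.
//    ms-subdomain (assumed available in this BIND build) lets any
//    principal in the realm write under the named subdomain, so the
//    grants are kept to the subtrees and record types a DC actually
//    needs rather than "ANY" on the whole zone.
zone "samdom.example.com" {
    type master;
    file "/var/named/samdom.example.com.zone";
    update-policy {
        // each machine may still only create its own host name
        grant SAMDOM.EXAMPLE.COM ms-self SAMDOM.EXAMPLE.COM. A AAAA;
        // <GUID>._msdcs.<domain> CNAME and SRV records under _msdcs
        grant SAMDOM.EXAMPLE.COM ms-subdomain _msdcs.samdom.example.com. CNAME SRV;
        // _ldap._tcp, _kerberos._tcp, _kpasswd._tcp, _gc._tcp ...
        grant SAMDOM.EXAMPLE.COM ms-subdomain _tcp.samdom.example.com. SRV;
        // _kerberos._udp, _kpasswd._udp
        grant SAMDOM.EXAMPLE.COM ms-subdomain _udp.samdom.example.com. SRV;
        // site-specific SRV records
        grant SAMDOM.EXAMPLE.COM ms-subdomain _sites.samdom.example.com. SRV;
    };
};
```

The widened policy shows the trade-off tridge is pointing at: ms-subdomain is keyed on the realm, so every domain-joined machine, not only DCs, can write those SRV and _msdcs names. That is coarser than the per-object ACLs a Windows DNS server enforces on zones stored in the AD DNS partitions, which is why the thread treats an AD-backed (ldb/LDAP) storage module for bind as the longer-term answer rather than a looser update-policy.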
