video w2k8r2 joining s4 and dns problems
Matthieu Patou
mat+Informatique.Samba at matws.net
Thu Jan 14 10:10:15 MST 2010
On 13/01/2010 04:11, tridge at samba.org wrote:
> Hi Simo,
>
> > An example of such a module that is at a good stage and we developed for
> > use with FreeIPA is here: https://fedorahosted.org/bind-dyndb-ldap/
> > taking that module as a guide should make it possible to use ldb or
> > maybe better just samba4-ldap
>
> This is great stuff Simo, thanks so much for pointing it out! I think
> we should definitely try to build a bind module based on this
> interface that stores DNS records in the AD format.
>
> As we discussed on IRC, the ACL part might need a bit of thinking
> about still, but this is definitely very promising.
>
>
So for the ACL, as I told you today on IRC, it *looks* like there is
nothing.
It doesn't mean that we can't provide some patch to bind's developers for
this.
I think a simple test would be to check that the host is a member of the
"CN=Domain Controllers,CN=Users,DC=..." group (rid = 516); group
membership is present in the PAC included in the Kerberos ticket
attached to the DNS update request.
I'm not sure that it's a complete and valid test, and in fact the
biggest part is to teach bind to parse the content of the PAC.
Matthieu.