Review request: DNS server implementation
esiotrot at gmail.com
Wed Oct 13 06:37:59 MDT 2010
On 13 October 2010 14:15, simo <idra at samba.org> wrote:
> On Wed, 2010-10-13 at 23:08 +1100, tridge at samba.org wrote:
>> > Just my 2c.
>> > We automated the installation of bind + our ldap backend in freeipa
>> > pretty easily. Granted it would have to be adjusted to fit other
>> > distributions due to where they place files, but that is simply a matter
>> > of making some paths in the python scripts a variable.
>> simply a matter ... yes, I thought this, till I started trying to
>> actually do it!
>> It's the kerberos part that is the killer. It's just really
>> flakey. I've been working on patches to improve it, but it will still be
>> less than ideal.
> Do you have any detail? So far we haven't seen major problems, but we
> also had a dedicated person that knew the bind code base (and wrote
> bind-dyndb-ldap) and did most of the testing.
> But if there are intrinsic kerberos problems I am more than happy to
> help where I can.
I am sure this is not what tridge is referring to, but I'd much prefer
a command line option or something I can put into named.conf to
specify the keytab file to use instead of relying on an environment
Also, on Ubuntu, when you enable the Kerberos stuff, bind wants to
create a file called /var/tmp/DNS_104, which is denied by AppArmor. I
don't know if that name is constant or what happens if there's already
a file/directory called that when bind starts, so my solution of
telling AppArmor to allow it seems possibly fragile.
I haven't tried letting Windows clients do dynamic DNS updates, so I
haven't used the patched version of bind yet.
Michael Wood <esiotrot at gmail.com>