kerberos dynamic DNS and the internal DNS server

Andrew Bartlett abartlet at
Tue Dec 27 18:57:38 MST 2011

On Wed, 2011-12-28 at 00:31 +0100, Kai Blin wrote:
> On 2011-12-23 02:02, Amitay Isaacs wrote:
> Hi Amitay,
> > Internal DNS server does not yet support dynamic dns updates. So 
> > DNS updates for names (run from samba_dnsupdate script) will not 
> > work. For time being you will have to used BIND with dlz_bind9.
> That's not true anymore. The reason for the failing updates is that
> we're not starting the internal dns server per default. So far you
> need to also add "server services = +dns" to your smb.conf.
> I'll look into submitting a patch to provision that automatically adds
> this line if you provision with the internal backend.

I can't see any support for kerberos authentication of dynamic DNS
updates.  We cannot turn on the DNS server until that is sorted out.

Naturally, I'm happy to help or provide advise in implementing that
against GENSEC.  

(I also think that once we have GSS-TSIG, we should always require it
and the 'allow dns updates' option you added should be removed).

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list