kerberos dynamic DNS and the internal DNS server

Kai Blin kai at samba.org
Wed Dec 28 00:34:23 MST 2011



On 2011-12-28 02:57, Andrew Bartlett wrote:

> I can't see any support for kerberos authentication of dynamic DNS
> updates. We cannot turn on the DNS server until that is sorted
> out.

Why? I mean of course I'm planning to support kerberos authentication
for the internal DNS, but why is this a hard requirement for allowing
people to turn on this thing? BIND DLZ was activatable before it could
do GSS-TSIG. I'm not even talking about making the internal server the
default, just that if people provision the internal backend, we add
the appropriate line to smb.conf.

> Naturally, I'm happy to help or provide advice in implementing that
> against GENSEC.

I haven't actually looked into how the key negotiation works and what
keys are used.

> (I also think that once we have GSS-TSIG, we should always require
> it and the 'allow dns updates' option you added should be
> removed).

That sounds like the Gnome3 way of thinking, and I don't like the "we
know better than our users, let's decide for them" approach. I'm all
for having the default setting be "always require GSS-TSIG", but why
take away people's ability to completely allow or disallow updates?

Anyway, if everybody keeps telling people to not use the internal DNS
until it's tested, and does have all sorts of extra features, it'll
never get tested. I know it's still missing features, but currently
it's only me working on this thing and I do have a day job.

Cheers,
Kai

--
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
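The thread argues about whether the 'allow dns updates' option should exist and what its default should be. As an added example, not part of this message or of Samba's own code, here is a small audit script that reads an smb.conf and reports whether the internal DNS server is configured to accept unsigned (non-GSS-TSIG) dynamic updates. It assumes the option values documented for later Samba releases ('disabled', 'secure only', 'nonsecure and secure') and that 'secure only' is the default when the line is absent; the smb.conf fragments at the bottom are constructed for the example.

```python
"""Audit the 'allow dns updates' setting in a Samba smb.conf.

Added example for this thread; it is not Samba project code. The accepted
values and the default below are assumptions taken from the smb.conf(5)
documentation of later Samba releases.
"""
import configparser

# Assumed option values, with a short description of the risk each carries.
VALID_VALUES = {
    "disabled": "dynamic updates rejected",
    "secure only": "updates accepted only when signed with GSS-TSIG",
    "nonsecure and secure": (
        "unsigned updates accepted: any host that can reach the DNS "
        "server may rewrite records"
    ),
}
DEFAULT_VALUE = "secure only"  # assumed default when the option is absent


def _normalise_key(key):
    # Samba matches parameter names ignoring case and whitespace,
    # so 'Allow DNS Updates' and 'allowdnsupdates' are the same key.
    return "".join(key.lower().split())


def _normalise_value(value):
    # Collapse whitespace and case so 'Nonsecure   And Secure' compares cleanly.
    return " ".join(value.strip().lower().split())


def parse_smb_conf(text):
    """Parse smb.conf text into a ConfigParser with Samba-style key matching."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = _normalise_key
    # smb.conf lines are usually indented; strip that so configparser does not
    # treat them as multi-line continuations of the previous value.
    parser.read_string("\n".join(line.strip() for line in text.splitlines()))
    return parser


def audit_dns_updates(smb_conf_text):
    """Return a dict describing the effective 'allow dns updates' setting.

    Keys: value (normalised), explicit (set in the file or defaulted),
    risk ('low', 'high' or 'unknown') and a human-readable message.
    """
    parser = parse_smb_conf(smb_conf_text)
    # The [global] section name is matched case-insensitively.
    global_section = next(
        (s for s in parser.sections() if s.lower() == "global"), None
    )
    key = _normalise_key("allow dns updates")
    if global_section is not None and parser.has_option(global_section, key):
        raw = parser.get(global_section, key)
        explicit = True
    else:
        raw = DEFAULT_VALUE
        explicit = False

    value = _normalise_value(raw)
    if value not in VALID_VALUES:
        return {
            "value": raw,
            "explicit": explicit,
            "risk": "unknown",
            "message": "unrecognised value; check it against smb.conf(5)",
        }
    risk = "high" if value == "nonsecure and secure" else "low"
    return {
        "value": value,
        "explicit": explicit,
        "risk": risk,
        "message": VALID_VALUES[value],
    }


# Constructed smb.conf fragments for demonstration (not from a real system).
SAMPLE_SECURE = """\
[global]
\tworkgroup = EXAMPLE
\trealm = EXAMPLE.TEST
\tserver role = active directory domain controller
\tallow dns updates = secure only
"""
SAMPLE_OPEN = """\
[Global]
\tworkgroup = EXAMPLE
\t; unsigned updates are accepted with this setting
\tAllow DNS Updates = Nonsecure   And Secure
"""
SAMPLE_DEFAULT = """\
[global]
\tworkgroup = EXAMPLE
"""

if __name__ == "__main__":
    for name, text in (("secure", SAMPLE_SECURE), ("open", SAMPLE_OPEN),
                       ("default", SAMPLE_DEFAULT)):
        result = audit_dns_updates(text)
        print(f"{name}: {result['risk']} ({result['value']}): {result['message']}")
```

Run it over a real smb.conf by reading the file into a string and calling `audit_dns_updates`; a 'high' result means the server will accept dynamic updates that carry no GSS-TSIG signature, which is exactly the state the quoted reply wants to make impossible by default.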