AD DNS and Global sequence number implementation

Amitay Isaacs amitay at gmail.com
Mon Nov 21 18:06:01 MST 2011


Hi Matthieu,

On Tue, Nov 22, 2011 at 11:39 AM, Matthieu Patou <mat at samba.org> wrote:

> On 22/11/2011 01:05, Amitay Isaacs wrote:
>
>> Hi All,
>>
>> In the current implementation of dlz_bind9, the connection to the SAM
>> database is made over the internal LDAP socket. This creates a dependency
>> between samba and named, as named cannot be started without samba first
>> running. And in case samba is restarted, named also has to be restarted.
>>
>> Since DNS data is mainly stored in two separate partitions (DomainDnsZones
>> and ForestDnsZones), Tridge suggested giving named permissions to these
>> two partitions only. In the current samdb scheme, any process requiring
>> write access to specific partitions has to have full access to sam because
>> of the transactions. To overcome this problem, we created a partial copy
>> of the SAM database.
>>
>> In the partial copy:
>>   - RootDSE, Schema, Configuration partitions are copied as is,
>>   - a new empty Domain partition is created (to prevent access to secrets),
>>   - DomainDnsZones, ForestDnsZones partitions are linked to the main SAM
>>     partitions.
>> In addition, the permissions of the DNS partitions are changed to give
>> named write access to these partitions.
>>
>> With this partial copy of SAM and dlz_bind9 connecting to it directly,
>> named can be started without having to start samba first. However, this
>> brings forth another issue when I start replicating DNS partitions with
>> other DCs in the domain. The problem is that when new records are created
>> by dlz_bind9, they are created with the wrong sequence number. This is
>> because the sequence number logic relies on the availability of all the
>> partitions since the inception of the SAM. The sequence number is
>> calculated as the sum of the changes done per partition. If we lose any
>> of the partitions, then the sequence number calculated is obviously
>> smaller than what it should be.
>>
>
> Why not have a simpler solution: make the bind plugin refuse to serve
> any request for the domain up to the moment the unix socket is readable?
> It allows bind to start correctly and pretend it is serving our zone.
> Another idea is: while samba is not started, bind has only read access on
> the partial copy, and when samba is started it has write access through
> the unix socket.
>

Some of the concerns with using the unix socket are:

1. There is no LDB transaction support over the unix socket.

2. Over the privileged unix socket, there is no access control.
    Any process that has access to the socket has full access to SAM.

Amitay.
