Default DNS server for Samba 4.0

Andrew Bartlett abartlet at samba.org
Sat Sep 8 03:58:20 MDT 2012


On Sat, 2012-09-08 at 11:18 +0200, Kai Blin wrote:
> On 2012-09-08 07:12, Andrew Bartlett wrote:
> > On Sat, 2012-09-08 at 02:34 +0200, Kai Blin wrote:
> > 
> >> No, it's perfectly clear. It's just that tests for this need support on
> >> the side of libcli/dns, and that's not there yet. 
> > 
> > Can't you use libaddns to test the tsig handling?
> 
> Only half of it. libaddns has no code whatsoever to verify signatures.
> And libaddns doesn't work against BIND because it can't negotioate the
> TKEY exchange. It works against the internal server, of course, because
> net ads dns register was the test case I used for the implementation.
> 
> There is value in getting full TSIG support into libcli/dns beyond
> testing. We could get rid of the samba_dnsupdate->nsupdate construction
> and just call the library. And retire libaddns while we're at it. :)

I'm looking forward to that. 

To focus on something concrete:

The area of testing that concerns me most is the authentication of the
update, and ensuring that only the right users can add the right names
(rules about updating your own name, DC updating the special names,
administrator updating anything), that the correct owners are applied in
the directory, and that the owner rights that implies (due to
creator-owner aces work correctly). 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org




More information about the samba-technical mailing list