Default DNS server for Samba 4.0
Andrew Bartlett
abartlet at samba.org
Sun Sep 9 17:20:34 MDT 2012
On Sat, 2012-09-08 at 19:58 +1000, Andrew Bartlett wrote:
> On Sat, 2012-09-08 at 11:18 +0200, Kai Blin wrote:
> > On 2012-09-08 07:12, Andrew Bartlett wrote:
> > > On Sat, 2012-09-08 at 02:34 +0200, Kai Blin wrote:
> > >
> > >> No, it's perfectly clear. It's just that tests for this need support on
> > >> the side of libcli/dns, and that's not there yet.
> > >
> > > Can't you use libaddns to test the tsig handling?
> >
> > Only half of it. libaddns has no code whatsoever to verify signatures.
> > And libaddns doesn't work against BIND because it can't negotiate the
> > TKEY exchange. It works against the internal server, of course, because
> > net ads dns register was the test case I used for the implementation.
> >
> > There is value in getting full TSIG support into libcli/dns beyond
> > testing. We could get rid of the samba_dnsupdate->nsupdate construction
> > and just call the library. And retire libaddns while we're at it. :)
>
> I'm looking forward to that.
>
> To focus on something concrete:
>
> The area of testing that concerns me most is the authentication of the
> update, and ensuring that only the right users can add the right names
> (rules about updating your own name, DC updating the special names,
> administrator updating anything), that the correct owners are applied in
> the directory, and that the owner rights that implies (due to
> creator-owner aces work correctly).
Specifically, what I'm saying is that we should, at least in the
interim, walk this code path using libaddns as a client. That should
get us past this impasse without needing to conclude the libcli/dns
layer.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
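The update-authorization rules Andrew lists above (a host may register its own name, only a DC may touch the special locator names, an administrator may update anything, and the creator keeps owner rights over a record), written out as a small policy model so a test matrix can be checked offline. This is an added example, not Samba code; the `Principal` and `Zone` classes, the `DC_SPECIAL_NAMES` set and the constructed account names are all assumptions.

```python
# Added example (not Samba code): a policy model of the dynamic-update
# authorization rules discussed in the thread. The class and name choices
# below are assumptions made for illustration.
from dataclasses import dataclass, field

# Assumed: DC-maintained locator names that only a domain controller may update.
DC_SPECIAL_NAMES = {"_ldap._tcp", "_kerberos._tcp", "_msdcs"}


@dataclass(frozen=True)
class Principal:
    name: str              # account name, e.g. "host1$" (constructed sample)
    is_dc: bool = False
    is_admin: bool = False


@dataclass
class Zone:
    # dns name -> account that created the record (the "creator-owner")
    owners: dict = field(default_factory=dict)

    def can_update(self, who: Principal, dnsname: str) -> bool:
        """Return True if 'who' may add or modify 'dnsname'."""
        if who.is_admin:                   # administrator updates anything
            return True
        if dnsname in DC_SPECIAL_NAMES:    # only a DC touches locator names
            return who.is_dc
        owner = self.owners.get(dnsname)
        if owner is None:
            # Unowned name: a machine account may register its own host name.
            return dnsname == who.name.rstrip("$")
        # Existing record: creator-owner rights apply to whoever created it.
        return owner == who.name

    def update(self, who: Principal, dnsname: str) -> bool:
        """Apply an update; record the creator as owner on first creation."""
        if not self.can_update(who, dnsname):
            return False
        # An admin or DC updating an existing record does not reassign ownership.
        self.owners.setdefault(dnsname, who.name)
        return True
```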