[PATCH][WIP] Create DC DNS entries at domain join

Andrew Bartlett abartlet at samba.org
Mon May 29 08:38:17 UTC 2017


On Mon, 2017-05-29 at 09:51 +0200, Stefan Metzmacher wrote:
> Am 29.05.2017 um 07:05 schrieb Andrew Bartlett:
> > 
> > I plan to add in a couple of tests for the join.py changes and propose
> > it for review tomorrow, so if you do see something you are still really
> > unhappy about, please let me know.
> 
> Can't we do the dns rpc calls with the machine account and avoid
> resetting the security descriptors manually?

The difficulty there is that we then need to race with the KDC, or
write out a private krb5.conf with our join partner as the KDC (as the
source3 code does, I think). 

The challenge is that the KDC we select via the krb5.conf we use for
the join might not have the new machine account yet.  (And I don't want
to fall back to NTLMSSP for new code if I can at all avoid it). 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
