[PATCH] Create a 'binddns dir' for files used by the bind_dlz module and named
Marc Muehlfeld
mmuehlfeld at samba.org
Wed Sep 6 10:27:26 UTC 2017
Hi,
On 06.09.2017 at 11:27, Andreas Schneider via samba-technical wrote:
> Yesterday I asked Marc for help. He tested the feature and we discussed
> several aspects, especially security concerns, like file and directory
> permission.
> We fixed some issues we found during extensive testing and we improved the
> messages samba-tool and samba_upgradedns print so that the user knows what he
> has to do.
>
> The attached patchset addresses the remaining issues. Marc will answer and add
> the test plan we created and he followed.
I tested the following scenarios with both Fedora 26 (built with MIT
support) and CentOS 7.3 (built with Heimdal):
Note: When I say "master" in the following list, I mean samba-master
from yesterday (without the patch Jeremy pushed today):
* Build Samba (master + patch)
  - bind-dns directory root:root 770 (OK)
  - private directory root:root 700 (OK)
* Provisioned new DC with BIND back end
  - bind-dns directory new permissions: root:named, 770 (OK)
  - Dynamic DNS updates (OK)
* Build Samba (master)
  - no bind-dns directory (OK, expected)
  - private directory root:root 755 (OK, expected)
* Provisioned new DC with BIND back end
  - Dynamic DNS updates
    Fedora 26/MIT: (FAILED, "refused"). Bug in master?
    CentOS 7.3/Heimdal: (OK)
* Updated to master + patch
  - bind-dns directory root:root 770 (OK)
  - private directory root:root 755 (OK, expected)
* Ran: samba_upgradedns --dns-backend=BIND9_DLZ (OK)
  - named.conf, named.txt and dns (directory) have been
    removed from private directory (OK)
* Set new path to dns.keytab and DLZ named.conf in /etc/named.conf
  - Dynamic DNS updates (OK)
* Provisioned new DC with SAMBA_INTERNAL back end
  - Dynamic DNS updates (FAILED: "NOTAUTH(BADSIG)",
    This is a bug in master/4.7. See BZ#13019)
* Updated to master + patch
  - bind-dns directory root:root 770 (OK)
  - private directory root:root 755 (OK, expected)
  - Dynamic DNS updates (FAILED. See above)
* Switched from SAMBA_INTERNAL to BIND9_DLZ back end
  - bind-dns directory root:named 770 (OK)
  - private directory root:root 755 (OK, expected)
* Set "-dns" in smb.conf to disable the internal DNS
* Set new path to dns.keytab and DLZ named.conf in /etc/named.conf
  - Dynamic DNS updates (OK)
> We also found some things we need to fix in the documentation
> in the wiki.
I updated the Wiki yesterday for things not related to this patch.
If Andreas' patch goes into 4.7, I will update all docs affected by
this patch before we release the final version.
Regards,
Marc
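
The owner, group and mode values recorded in the test plan above can be re-checked on a DC with a short script. This is an added example, not part of the original message or of the Samba patch; it assumes GNU stat, and the function names and the directory arguments are hypothetical (pass the private and bind-dns paths of your own installation).

```shell
#!/bin/sh
# Added example: audit ownership and mode of Samba's private and bind-dns
# directories against the values listed in the test plan.

# check_dir PATH OWNER GROUP MODE
# Returns 0 only when PATH is a real directory (not a symlink) whose owner,
# group and octal mode match exactly; otherwise reports the mismatch, returns 1.
check_dir() {
    dir=$1 want_owner=$2 want_group=$3 want_mode=$4
    # A symlink here could redirect named or samba to an unexpected location.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL $dir: missing, not a directory, or a symlink"
        return 1
    fi
    # GNU stat format: %U owner name, %G group name, %a octal mode
    actual=$(stat -c '%U:%G %a' "$dir") || return 1
    if [ "$actual" != "$want_owner:$want_group $want_mode" ]; then
        echo "FAIL $dir: is $actual, expected $want_owner:$want_group $want_mode"
        return 1
    fi
    echo "OK   $dir: $actual"
}

# audit_bind_dlz PRIVATE_DIR BINDDNS_DIR [BIND_GROUP] [PRIVATE_MODE]
# Defaults follow the test plan: private dir root:root 700 on a fresh build
# (pass 755 for an installation upgraded from master, where that is expected),
# bind-dns dir root:named 770 after provisioning with the BIND back end.
audit_bind_dlz() {
    rc=0
    check_dir "$1" root root "${4:-700}" || rc=1
    check_dir "$2" root "${3:-named}" 770 || rc=1
    return $rc
}

# Usage (placeholder paths, substitute your own):
#   audit_bind_dlz /path/to/samba/private /path/to/samba/bind-dns named
```
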