bind 9.11.3 BIND9_FLATFILE update-policy

Andrew Bartlett abartlet at samba.org
Fri Sep 21 15:02:24 UTC 2018


On Fri, 2018-09-21 at 16:46 +0200, Andreas Schneider via samba-technical wrote:
> On Friday, 21 September 2018 09:05:24 CEST L.P.H. van Belle via samba-technical wrote:
> > 
> > Hai,
> > 
> > From a systems engineer's point of view:
> > Totally agree here. Just drop the flatfile, it has no use for Samba
> > in the future.
> > 
> > Better to improve the current DLZ and its functions than to keep an old
> > set that raises questions every time. And it saves time chasing an old
> > set of code which is hardly (never) used.
> Even the current DLZ module should be removed as it opens an attack
> surface.
> You need to run bind un-chroot'ed and give it root privileges to
> directly work on the Samba AD database.

BIND9 does not operate as root; it has access to the DNS partition
files only (via a hard link).

Certainly it could do much damage, but please do not overstate it.

> The right thing would be to add Samba support to:
> 
> https://pagure.io/bind-dyndb-ldap

This would be a significant effort, and it would still require the
right to update any record in the database.

It would also need a way to pass on the PAC to the LDAP server to allow
it to do the ACL checks.

Certainly not insurmountable, but I'm wary of adding even more choices
here, when we already have difficulty maintaining Samba's current array
of optional features.

This doesn't fill me with hope either:
https://docs.pagure.org/bind-dyndb-ldap/Maintainability.html

Sorry,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba