bind 9.11.3 BIND9_FLATFILE update-policy
Andrew Bartlett
abartlet at samba.org
Fri Sep 21 15:02:24 UTC 2018
On Fri, 2018-09-21 at 16:46 +0200, Andreas Schneider via samba-
technical wrote:
> On Friday, 21 September 2018 09:05:24 CEST L.P.H. van Belle via
> samba-
> technical wrote:
> >
> > Hai,
> >
> > From a systems engineers point of view.
> > Totaly agree here. Just drop the flatfile, it has no use for samba
> > in the
> > future.
> >
> > Better improve the current DLZ and its functions then having an old
> > set that
> > raises questions everytime. And it save time chaising and old set
> > of code,
> > which is hardly/(never) used.
> Even the current DLZ module should be removed as it opens an attack
> surface.
> You need to run bin un'chroot'ted and give it root privileges to
> directly work
> on the Samba AD database.
BIND9 does not operate as root, it has access to the dns partition
files only (via a hard link).
Certainly it could do much damage, but please do not overstate it.
> The right thing would be to add Samba support to:
>
> https://pagure.io/bind-dyndb-ldap
This would be a significant effort, and it would still require the
right to update any record in the database.
It would also need a way to pass on the PAC to the LDAP server to allow
it to do the ACL checks.
Certainly not insurmountable but I'm wary of adding even more choices
here, when we already have difficulty maintaining Samba's current array
of optional features.
This doesn't fill me with hope either:
https://docs.pagure.org/bind-dyndb-ldap/Maintainability.html
Sorry,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list