[Samba] Change DNS method?

Matthieu Patou mat at samba.org
Tue Oct 16 11:56:18 MDT 2012

On 10/16/2012 12:57 AM, Kai Blin wrote:
> On 2012-10-16 05:40, Andrew Bartlett wrote:
> Hi,
>> I'm having trouble parsing that, but yes, additional patches are
>> required to have the internal DNS server accept static keys.  We would
>> need a key storage mechanism, and then code to implement that TSIG
>> method.
> I've had patches to do this, but ditched them in favour of conflicting
> patches to implement GSS-TSIG.
>> I think it would be a very valuable improvement.
> The algorithm is pretty straightforward, but I couldn't get the
> signature right the last time I tried. However, the logic on what parts
> of the packet to use for the signature is a bit tricky, but I'm sure
> I've now got that right for GSS-TSIG. Using a static key with md5
> instead of gensec_sign should be straightforward, the interesting
> question is how and where we store the keys.
Well, you could have a dedicated account for it, and the secret just has
to be md4(real_secret) in dhcpd; in this case you can use the
unicodePwd. The other option is to use the supplementary credentials to
store the password in clear text (less straightforward).


Matthieu Patou
Samba Team
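
The static-key signature discussed in this thread, as an added example that is not part of the original message and is not Samba's code: it computes and verifies an HMAC-MD5 TSIG MAC over the fields RFC 2845 specifies, which is the "what parts of the packet" question. The key, key name, timestamp and DNS message are constructed sample values.

```python
import hashlib, hmac, struct

HMAC_MD5 = "hmac-md5.sig-alg.reg.int."  # HMAC-MD5 algorithm name (RFC 2845)

def wire_name(name):
    """Canonical wire form: lowercased, uncompressed, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def tsig_variables(key_name, time_signed, fudge=300, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 2845 section 3.4.2)."""
    return (wire_name(key_name)
            + struct.pack("!HI", 255, 0)  # CLASS ANY, TTL 0
            + wire_name(HMAC_MD5)
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", error, len(other)) + other)

def tsig_mac(key, message, key_name, time_signed, request_mac=b"", **tsig_fields):
    """message: the DNS message before the TSIG RR was appended (ARCOUNT excludes it)."""
    data = b""
    if request_mac:  # responses are also bound to the request's MAC
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + tsig_variables(key_name, time_signed, **tsig_fields)
    return hmac.new(key, data, hashlib.md5).digest()

def verify(key, message, key_name, time_signed, mac, now, fudge=300):
    """Reject stale timestamps, then compare MACs in constant time."""
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(key, message, key_name, time_signed, fudge=fudge)
    return hmac.compare_digest(expected, mac)

# Constructed sample: UPDATE header (ID 0x1234, opcode 5, ZOCOUNT 1) + zone section.
KEY = b"constructed-static-key"
KEY_NAME = "dhcp-update.example.test."
MSG = (struct.pack("!HHHHHH", 0x1234, 0x2800, 1, 0, 0, 0)
       + wire_name("example.test.") + struct.pack("!HH", 6, 1))  # SOA, IN
T = 1350410178  # constructed signing time (seconds since the epoch)

if __name__ == "__main__":
    mac = tsig_mac(KEY, MSG, KEY_NAME, T)
    print(mac.hex(), verify(KEY, MSG, KEY_NAME, T, mac, now=T + 10))
```

A verifier has to strip the TSIG RR and decrement ARCOUNT before calling `tsig_mac`, since the MAC covers the message as it was before the record was appended.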
