[Samba] The need for Kerberos dynamic DNS updates
abartlet at samba.org
Tue Jan 14 05:59:53 MST 2014
On Thu, 2014-01-09 at 21:08 -0400, Doug Meredith wrote:
> The "Dns-backend bind" page on the wiki recommends that you set up DNS
> dynamic updates via Kerberos. My understanding is that if you select
> BIND9_DLZ that the DNS zone data is stored in the directory. I would
> assume that in this case the normal directly replication would take care of
> moving DNS changes to all AD DCs. If this is correct, it would seem that
> there would be no need for a DNS-specific update mechanism.
> Is there something that I have misunderstood?
Samba as nn AD DC updates itself via Kerberos GSS-TSIG. Part of why we
do this is that this is how Microsoft's AD does it, and the rest is
because that way we don't have a different code path compared to what
domain members do, which is also Kerberos GSS-TSIG, just of less
Also, while not encouraged for Samba deployments, not every AD DC has to
be a DNS server, so we need to be able to update the DNS server on
another potentially Microsoft AD DC.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba