[Samba] The need for Kerberos dynamic DNS updates

Andrew Bartlett abartlet at samba.org
Tue Jan 14 05:59:53 MST 2014

On Thu, 2014-01-09 at 21:08 -0400, Doug Meredith wrote:
> The "Dns-backend bind" page on the wiki recommends that you set up DNS
> dynamic updates via Kerberos.  My understanding is that if you select
> BIND9_DLZ that the DNS zone data is stored in the directory.  I would
> assume that in this case the normal directory replication would take care of
> moving DNS changes to all AD DCs.  If this is correct, it would seem that
> there would be no need for a DNS-specific update mechanism.
> Is there something that I have misunderstood?

Samba as an AD DC updates itself via Kerberos GSS-TSIG.  Part of why we
do this is that this is how Microsoft's AD does it, and the rest is
because that way we don't have a different code path compared to what
domain members do, which is also Kerberos GSS-TSIG, just of less

Also, while not encouraged for Samba deployments, not every AD DC has to
be a DNS server, so we need to be able to update the DNS server on
another potentially Microsoft AD DC.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
