[Samba] Internal DNS logging

mathias dufresne infractory at gmail.com
Thu Nov 5 09:55:08 UTC 2015


Code is like books, or art (painting...). Some guy produces something, as he
likes, and others use/watch/listen to it, as they like. Most of the time
these two ways are different.

What I mean is that the fact that something was not developed to be used in
some way does not make that way of using it a bad one.

Perhaps for most of us this is not the right way for the OP to do it. Anyway,
it is his way. Who are we to tell him that what he's doing should not be done?
I thought open source was more open than the other world.

Same thing, but about SSSD: I was thinking of providing my client the same
behaviour for Linux systems as on Windows systems regarding local
administrators of computers (clients). On Windows you can define groups and,
using GPO, put some group(s) in the client's local "administrators" group. There
you have people able to manage client systems without any rights on AD.
This can be done using the LDAP tree and user accounts with UID = 0. SSSD also
comes with filters to prevent people with UID=0 who have no right to
connect to some systems from connecting to those refused systems.
So I had all I wanted to give my client the same way of managing all their
systems with nominative accounts, to be able to trace a little bit what
admins do.
This is not possible because SSSD refuses (hardcoded...) to let users with UID=0
connect on SSSD systems. I was told this is for security reasons: SSSD
through LDAP can, under certain configurations, allow a man-in-the-middle
attack (or something like that).
The fact is that when using AD, servers are also authenticated, so this security
reason disappears. Not the refusal, because the devs think what they thought is
the only way to think. I don't.


2015-11-04 23:21 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 04/11/15 22:02, John Gardeniers wrote:
>
>> Thanks Marc,
>>
>> That's a nice unambiguous answer, so I'll stop looking.
>>
>> I really doubt I'll be doing any coding on Samba, so it's kind of
>> unlikely I'll be supplying a patch. If I did create a patch it would be to
>> return to BIND flat files, so that the DNS can be made fully functional
>> again.
>>
>> regards,
>> John
>>
>>
>> On 05/11/15 08:25, Marc Muehlfeld wrote:
>>
>>> Hello John,
>>>
>>> On 04.11.2015 at 22:13, John Gardeniers wrote:
>>>
>>>> Nobody? Surely somebody knows where Samba 4 logs its DNS queries, or was
>>>> this was a huge oversight and the internal DNS doesn't get logged at
>>>> all, as appears to be suggested by my utter failure to locate such logs.
>>>>
>>> Samba doesn't log DNS queries.
>>>
>>> Patches are welcome. :-)
>>>
>>>
>>> Regards,
>>> Marc
>>>
>>
> Just because you want to use samba with bind flat files doesn't make it
> the right thing to do. I have been using bind9 dlz with samba4 for 3
> years now and it does what it is supposed to do. I know there are a few
> things that need sorting, but they are minor and I am sure they will get
> fixed eventually.
>
> I wouldn't bother rushing to create a patch to make flat files work again,
> I don't think it would be accepted.
>
> Rowland