DNS TSIG updates need to check ACLs

Andriy Syrovenko andriys at gmail.com
Thu Sep 6 04:41:53 MDT 2012


Well, resending the 4th time...

The following patch (tested against Samba 3.6.5 - 3.6.7) fixes the very
same issue for me. I.e. without this patch DDNS updates against S4 (tested
with a14, a20 and several betas) always fail, while Windows clients (XP,
Vista, 7 both x32 and x64) do update their DNS records without problem.

diff -urN samba-3.6.5/lib/addns/dnsgss.c
samba-3.6.5.fixed/lib/addns/dnsgss.c
--- samba-3.6.5/lib/addns/dnsgss.c    2012-04-27 21:25:33.000000000 +0300
+++ samba-3.6.5.fixed/lib/addns/dnsgss.c    2012-05-12 23:47:50.000000000
+0300
@@ -175,7 +175,7 @@
              * TODO: Compare id and keyname
              */

-            if ((resp->num_additionals != 1) ||
+            if (/*(resp->num_additionals != 1) ||*/
                 (resp->num_answers == 0) ||
                 (resp->answers[0]->type != QTYPE_TKEY)) {
                 err = ERROR_DNS_INVALID_MESSAGE;
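
Review bot: The `resp->num_additionals != 1` test in this condition is disabled by commenting it out inline, with nothing in the code saying why the additional-section count is no longer validated. Either delete the line outright or replace it with the constraint that is actually intended, and add a short comment naming the server behaviour that made the strict `!= 1` test fail. With this test gone, the only checks left on the response are `resp->num_answers == 0` and the `QTYPE_TKEY` type of the first answer, and the TODO directly above ("Compare id and keyname") is still open, so the response is accepted on less evidence than before. It would be worth addressing that TODO in the same change.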

2012/9/6 Rowland Penny <repenny at f2s.com>

> On 06/09/12 09:59, Kai Blin wrote:
>
>> On 2012-09-06 10:44, Rowland Penny wrote:
>>
>>> On 06/09/12 03:13, Andrew Bartlett wrote:
>>>
>>>> Fortunately DNS updates are still denied by default,
>>>>
>>> Hi, is this why you get the following message whenever you join a client
>>> to a samba4 server? and if so, how do you turn on DNS updates?
>>>
>>> DNS Update for server1.home.lan failed: ERROR_DNS_INVALID_MESSAGE
>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>
>>  From this error message I gather you are joining the client via net ads
>> join. How did you provision on the server side? Did you specify
>> --dns-backend?
>>
>> Cheers,
>> Kai
>
> Hi Kai,
> Yes I am using 'net ads join' and no, I provisioned as per the samba 4
> howto
>
>  /usr/local/samba/sbin/provision \
>    --realm=samdom.example.com --domain=SAMDOM \
>    --adminpass=SOMEPASSWORD --server-role=dc
>
>
>
> Should I be specifying the DNS backend? there is no mention of it in the
> howto, or if there is I missed it.
>
>
> Rowland
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.6.x-addns.patch
Type: application/octet-stream
Size: 502 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120906/e840e99c/attachment.obj>

