[PATCH] fix for bug 10882
Andrew Bartlett
abartlet at samba.org
Thu Sep 8 19:07:35 UTC 2016
On Thu, 2016-09-08 at 18:33 +0100, Rowland Penny wrote:
> I am posting this at Jeremy's request, this Patch along with Garmin's
> Patch, fixes the inability to recreate a deleted Bind user 'dns-*' with
> samba_upgradedns.
>
> It is quite a simple patch, it moves the deletion of the users from the
> bottom of the script (where they are only deleted if you are upgrading
> to the internal dns server and they exist) to midway in the script
> before the script portions for 'BIND9_DLZ' and 'SAMBA_INTERNAL'.
> It doesn't matter if they are deleted here, this is because if they are
> required, they will be created again.
>
> This has always worked for me since I wrote it two months ago, it just
> didn't work if your AD DC was created with an old version, Garmin's
> patch fixes this.
>
> Jeremy asked me to post Garmin's patch, but it is already posted here:
>
> https://lists.samba.org/archive/samba-technical/2016-September/116018.html
Thanks for posting this, and for your patience continuing to chase this
down for the benefit of our users. I certainly accept the attraction
of a clean slate: removing the account and starting again.

However, in the 'still need the account' case I think we should work
hard to keep the account, not only to avoid replication churn and using
a RID, but also so that outstanding Kerberos tickets are not
unnecessarily refused.

A client may hold tickets against the old account and old password for
10 hours.

For that reason, while I quite understand your reasoning, I don't
accept that it 'doesn't matter' about deleting/re-creating the account,
and we should avoid that if at all possible.
Sorry,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba