authorAndrew Tridgell <tridge@samba.org>2010-02-11 15:25:13 +1100
committerAndrew Tridgell <tridge@samba.org>2010-02-11 21:04:12 +1100
commitc986bfb22ec6ee1bda8a7c4053770831f582cbb3 (patch)
tree7635df48c62623496d6c77bf14e9e7b1a640138d /source4/setup
parent5a72eca574f2cb330a0d62936ca901b8ebee4194 (diff)
s4-provision: pre-create a named.conf.update file
The named.conf.update file will be filled in at runtime by Samba to contain the list of bind9 grant rules for granting DNS dynamic update permissions on the domain.
Diffstat (limited to 'source4/setup')
-rw-r--r--source4/setup/named.conf39
-rw-r--r--source4/setup/named.conf.update4
2 files changed, 8 insertions, 35 deletions
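diff --git a/source4/setup/named.conf b/source4/setup/named.conf
index dad1f1f2f9..e7f0684d5f 100644
--- a/source4/setup/named.conf
+++ b/source4/setup/named.conf
@@ -7,42 +7,11 @@ zone "${DNSDOMAIN}." IN {
 type master;
 file "${ZONE_FILE}";
 /*
- * Attention: Not all BIND versions support "ms-self". The instead use
- * of allow-update { any; }; is another, but less secure possibility.
+ * the list of principals and what they can change is created
+ * dynamically by Samba, based on the membership of the domain controllers
+ * group. The provision just creates this file as an empty file.
 */
- update-policy {
- /*
- * A rather long description here, as the "ms-self" option does
- * not appear in any docs yet (it can only be found in the
- * source code).
- *
- * The short of it is that each host is allowed to update its
- * own A and AAAA records, when the update request is properly
- * signed by the host itself.
- *
- * The long description is (look at the
- * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
- * its definition in lib/dns/gssapictx.c for details):
- *
- * A GSS-TSIG update request will be signed by a given signer
- * (e.g. machine-name$@${REALM}). The signer name is split into
- * the machine component (e.g. "machine-name") and the realm
- * component (e.g. "${REALM}"). The update is allowed if the
- * following conditions are met:
- *
- * 1) The machine component of the signer name matches the first
- * (host) component of the FQDN that is being updated.
- *
- * 2) The realm component of the signer name matches the realm
- * in the grant statement below (${REALM}).
- *
- * 3) The domain component of the FQDN that is being updated
- * matches the realm in the grant statement below.
- *
- * If the 3 conditions above are satisfied, the update succeeds.
- */
- grant ${REALM} ms-self * A AAAA;
- };
+ include "${NAMED_CONF_UPDATE}";
 /* we need to use check-names ignore so _msdcs A records can be created */
 check-names ignore;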
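Review bot: The new comment says provision "just creates this file as an empty file", but the named.conf.update placeholder added in this same commit is a four-line comment, and because this hunk drops the `update-policy { ... };` wrapper and leaves only `include`, whatever Samba writes into `${NAMED_CONF_UPDATE}` at runtime has to supply that wrapper itself. Suggest making the comment say so: ` * group. Provision installs a comment-only placeholder; Samba overwrites it at runtime with a complete update-policy { ... }; block.` Since the included file's contents become the zone's update policy, its ownership and mode decide who can hand out dynamic-update rights — it should be writable only by the identity Samba runs as and readable by named; that handling is not visible in this commit, so it is worth confirming where provision creates the file. The removed note that not every BIND version understands `ms-self` is still relevant if the generated rules rely on it, so a one-line version of it could stay next to the include.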
diff --git a/source4/setup/named.conf.update b/source4/setup/named.conf.update
new file mode 100644
index 0000000000..13cb29eafd
--- /dev/null
+++ b/source4/setup/named.conf.update
@@ -0,0 +1,4 @@
+/*
+ this file will be automatically replaced with the correct
+ 'grant' rules by samba at runtime
+*/
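Review bot: The placeholder comment says the file will be replaced but not what the zone does in the meantime; with neither `update-policy` nor `allow-update` present, BIND's default as I recall it is to deny dynamic updates, so the placeholder fails closed, and an operator who finds this text on a running server should be told updates are off rather than left to wonder whether they are open. Suggest adding a line inside the comment: ` until then the zone accepts no dynamic updates`. Keep the `/* ... */` form, since the file is included inside a zone block and has to parse as named.conf.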