author | Andrew Tridgell <tridge@samba.org> | 2010-02-11 15:25:13 +1100 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-02-11 21:04:12 +1100 |
commit | c986bfb22ec6ee1bda8a7c4053770831f582cbb3 (patch) | |
tree | 7635df48c62623496d6c77bf14e9e7b1a640138d /source4 | |
parent | 5a72eca574f2cb330a0d62936ca901b8ebee4194 (diff) | |
download | samba-c986bfb22ec6ee1bda8a7c4053770831f582cbb3.tar.gz samba-c986bfb22ec6ee1bda8a7c4053770831f582cbb3.tar.bz2 samba-c986bfb22ec6ee1bda8a7c4053770831f582cbb3.zip |
s4-provision: pre-create a named.conf.update file
The named.conf.update file will be filled in at runtime by Samba to
contain the list of bind9 grant rules for granting DNS dynamic update
permissions on the domain.
Diffstat (limited to 'source4')
-rw-r--r-- | source4/scripting/python/samba/provision.py | 6 | ||||
-rw-r--r-- | source4/setup/named.conf | 39 | ||||
-rw-r--r-- | source4/setup/named.conf.update | 4 |
3 files changed, 13 insertions, 36 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index fb4e9b71f5..d0bc323403 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -297,6 +297,7 @@ def provision_paths_from_lp(lp, dnsdomain):
 paths.privilege = os.path.join(paths.private_dir, "privilege.ldb")
 paths.dns = os.path.join(paths.private_dir, "dns", dnsdomain + ".zone")
 paths.namedconf = os.path.join(paths.private_dir, "named.conf")
+ paths.namedconf_update = os.path.join(paths.private_dir, "named.conf.update")
 paths.namedtxt = os.path.join(paths.private_dir, "named.txt")
 paths.krb5conf = os.path.join(paths.private_dir, "krb5.conf")
 paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
@@ -1563,9 +1564,12 @@ def create_named_conf(paths, setup_path, realm, dnsdomain,
 "REALM": realm,
 "ZONE_FILE": paths.dns,
 "REALM_WC": "*." + ".".join(realm.split(".")[1:]),
- "NAMED_CONF": paths.namedconf
+ "NAMED_CONF": paths.namedconf,
+ "NAMED_CONF_UPDATE": paths.namedconf_update
 })
 
+ setup_file(setup_path("named.conf.update"), paths.namedconf_update)
+
 def create_named_txt(path, setup_path, realm, dnsdomain, private_dir,
 keytab_name):
 """Write out a file containing zone statements suitable for inclusion in a
diff --git a/source4/setup/named.conf b/source4/setup/named.conf
index dad1f1f2f9..e7f0684d5f 100644
--- a/source4/setup/named.conf
+++ b/source4/setup/named.conf
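Review bot: The new `setup_file(setup_path("named.conf.update"), paths.namedconf_update)` call at the end of create_named_conf is undocumented, and the file it writes is the one named.conf now `include`s, so whatever lands in it becomes BIND's dynamic-update policy for the zone. A one-line comment would make the contract visible: `# placeholder only: Samba rewrites this at runtime with the bind9 'grant' rules that named.conf includes`. Whether setup_file leaves the result readable by the BIND user yet writable only by Samba cannot be seen from this hunk; if it inherits private_dir's restrictive mode the include will fail to load, and conversely the file must never be writable by anyone else, so the expected mode is worth stating at this call. The body of create_named_conf begins outside the hunk.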
@@ -7,42 +7,11 @@ zone "${DNSDOMAIN}." IN {
 type master;
 file "${ZONE_FILE}";
 /*
- * Attention: Not all BIND versions support "ms-self". The instead use
- * of allow-update { any; }; is another, but less secure possibility.
+ * the list of principals and what they can change is created
+ * dynamically by Samba, based on the membership of the domain controllers
+ * group. The provision just creates this file as an empty file.
 */
- update-policy {
- /*
- * A rather long description here, as the "ms-self" option does
- * not appear in any docs yet (it can only be found in the
- * source code).
- *
- * The short of it is that each host is allowed to update its
- * own A and AAAA records, when the update request is properly
- * signed by the host itself.
- *
- * The long description is (look at the
- * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
- * its definition in lib/dns/gssapictx.c for details):
- *
- * A GSS-TSIG update request will be signed by a given signer
- * (e.g. machine-name$@${REALM}). The signer name is split into
- * the machine component (e.g. "machine-name") and the realm
- * component (e.g. "${REALM}"). The update is allowed if the
- * following conditions are met:
- *
- * 1) The machine component of the signer name matches the first
- * (host) component of the FQDN that is being updated.
- *
- * 2) The realm component of the signer name matches the realm
- * in the grant statement below (${REALM}).
- *
- * 3) The domain component of the FQDN that is being updated
- * matches the realm in the grant statement below.
- *
- * If the 3 conditions above are satisfied, the update succeeds.
- */
- grant ${REALM} ms-self * A AAAA;
- };
+ include "${NAMED_CONF_UPDATE}";
 
 /* we need to use check-names ignore so _msdcs A records can be created */
 check-names ignore;
diff --git a/source4/setup/named.conf.update b/source4/setup/named.conf.update
new file mode 100644
index 0000000000..13cb29eafd
--- /dev/null
+++ b/source4/setup/named.conf.update
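Review bot: The replacement comment says provision creates named.conf.update "as an empty file", but the template added by this commit is a four-line comment, and more importantly the `include "${NAMED_CONF_UPDATE}";` now stands where the entire `update-policy { ... };` block used to be, so the runtime generator must emit the `update-policy { }` wrapper as well as the `grant` lines or the zone ends up with no policy statement at all. Suggest replacing the last sentence of the comment with `* Samba writes the complete update-policy { grant ...; }; block into the included file at runtime; until it does, BIND's default of refusing dynamic updates applies.` The dropped caveat that not every BIND release supports `ms-self` is still relevant if the generated grants use it, so it is worth carrying into the generated file's header rather than losing it here.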
@@ -0,0 +1,4 @@
+/*
+ this file will be automatically replaced with the correct
+ 'grant' rules by samba at runtime
+*/ |