Bug 15063 - add OpenAclOnProxyUpdates flag support for DnsUpdateProxy permissions
Summary: add OpenAclOnProxyUpdates flag support for DnsUpdateProxy permissions
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS server (internal)
Version: 4.16.0
Hardware: All All
Importance: P5 enhancement
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-10 11:37 UTC by Björn Jacke
Modified: 2022-08-25 11:48 UTC

See Also:


Description Björn Jacke 2022-05-10 11:37:51 UTC
This Windows command:

dnscmd dcname /config /OpenAclOnProxyUpdates 1

triggers setting the OpenACLOnProxyUpdates flag. This is not implemented in Samba though; the value is currently fixed to "0":

[2022/05/10 09:33:25.513818,  0, pid=2752430, effective(0, 0), real(0, 0)] ../../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1230(dnsserver_operate_server)
  dnsserver: server operation 'ResetDwordProperty' not implemented     DnssrvOperation2: struct DnssrvOperation2
          in: struct DnssrvOperation2
              dwClientVersion          : DNS_CLIENT_VERSION_LONGHORN (458752)
              dwSettingFlags           : 0x00000000 (0)
              pwszServerName           : *
                  pwszServerName           : 'dc3'
              pszZone                  : NULL
              dwContext                : 0x00000000 (0)
              pszOperation             : *
                  pszOperation             : 'ResetDwordProperty'
              dwTypeId                 : DNSSRV_TYPEID_NAME_AND_PARAM (15)
              pData                    : union DNSSRV_RPC_UNION(case 15)
              NameAndParam             : *
                  NameAndParam: struct DNS_RPC_NAME_AND_PARAM
                      dwParam                  : 0x00000001 (1)
                      pszNodeName              : *
                          pszNodeName              : 'OpenACLOnProxyUpdates'
[2022/05/10 09:33:25.514925,  1, pid=2752430, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
       DnssrvOperation2: struct DnssrvOperation2
          out: struct DnssrvOperation2
              result                   : WERR_CALL_NOT_IMPLEMENTED

The flag is documented here:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/8903e50a-9183-4a7d-9640-53f6f5a91481#Appendix_A_Target_188

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd334715(v=ws.10)
Comment 1 Björn Jacke 2022-08-25 11:48:03 UTC
After giving this some more thought, all this looks like a bad idea. If the DnsUpdateProxy group is allowed to modify all DNS entries, then a client can request any name from the DHCP server and this way modify the DNS indirectly. On the other hand it would be possible to add an inheritable ACE to the DNS zone for the DnsUpdateProxy group to achieve the same behavior.

That being said, I'm closing this as WONTFIX.
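The alternative mentioned in the comment above, an inheritable ACE on the zone object for the DnsUpdateProxy group instead of a server-wide OpenAclOnProxyUpdates flag, can be expressed as a single SDDL ACE applied with samba-tool. The script below is an added example written for this page; it is not part of the bug report or of Samba's own code. It assumes a placeholder zone DN and group SID (the real SID must be looked up, for instance with `wbinfo --name-to-sid DnsUpdateProxy`), and the chosen right set (create/delete child, read/write property, list, read control) is an illustrative choice, not a value from the page or from MS-DNSP.

```shell
#!/bin/sh
# Added example (not Samba's own code): build an inheritable ACE that grants the
# DnsUpdateProxy group write rights on one DNS zone object, scoped to that zone
# rather than to the whole server as the OpenAclOnProxyUpdates flag would be.

# Build one SDDL ACE:
#   A  = access allowed
#   CI = container inherit, so every dnsNode created under the zone inherits it
#   CCDCRPWPLCLORC = create/delete child, read/write property, list children,
#                    list object, read control (illustrative right set)
proxy_zone_ace() {
    sid="$1"
    printf '(A;CI;CCDCRPWPLCLORC;;;%s)' "$sid"
}

# Compose the samba-tool invocation. "samba-tool dsacl set" with --objectdn and
# --sddl are existing upstream options; the command is only printed here.
proxy_zone_cmd() {
    zone_dn="$1"
    sid="$2"
    printf "samba-tool dsacl set --objectdn='%s' --sddl='%s'" \
        "$zone_dn" "$(proxy_zone_ace "$sid")"
}

# Placeholder values: constructed for this example, not taken from a real domain.
ZONE_DN='DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com'
GROUP_SID='S-1-5-21-1111111111-2222222222-3333333333-1103'

# Dry run by default: show the command; execute it only when APPLY=1 is set.
cmd=$(proxy_zone_cmd "$ZONE_DN" "$GROUP_SID")
echo "$cmd"
if [ "${APPLY:-0}" = "1" ]; then
    eval "$cmd"
fi
```

Because the ACE is placed on the zone container with container inheritance, it reaches only records under that zone; the rest of the DNS tree and the server configuration are untouched, which is the scoping the comment argues for. Review the effective ACL afterwards (for example with `samba-tool dsacl get --objectdn=...`) before trusting the DHCP server's proxy account with it.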