Bug 9331 - dns server should use the settings of the dnszone to decide whether or not to allow secure updates
Status: NEW
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: DNS server
Version: 4.0.0rc3
Hardware: All All
Importance: P5 enhancement
Target Milestone: ---
Assignee: Kai Blin
QA Contact: Samba QA Contact
Reported: 2012-10-28 06:55 UTC by Matthieu Patou
Modified: 2013-06-01 08:15 UTC

Description Matthieu Patou 2012-10-28 06:55:07 UTC
When dealing with an AD-integrated zone, there is a property on each zone that defines which kinds of update are allowed, i.e.:

dn: DC=w2k3.home.matws.net,CN=MicrosoftDNS,CN=System,DC=w2k3,DC=home,DC=matws,DC=net
dNSProperty:     NDR: struct dnsp_DnsProperty
        wDataLength              : 0x00000000 (0)
        namelength               : 0x00005038 (20536)
        flag                     : 0x00000000 (0)
        version                  : 0x00000001 (1)
        id                       : DSPROPERTY_ZONE_NS_SERVERS_DA (146)
        data                     : union dnsPropertyData(case 0)
        name                     : 0x00000040 (64)

dNSProperty:     NDR: struct dnsp_DnsProperty
        wDataLength              : 0x00000000 (0)
        namelength               : 0x00005048 (20552)
        flag                     : 0x00000000 (0)
        version                  : 0x00000001 (1)
        id                       : DSPROPERTY_ZONE_SCAVENGING_SERVERS (17)
        data                     : union dnsPropertyData(case 0)
        name                     : 0x00000000 (0)

dNSProperty:     NDR: struct dnsp_DnsProperty
        wDataLength              : 0x00000004 (4)
        namelength               : 0x00000000 (0)
        flag                     : 0x00000000 (0)
        version                  : 0x00000001 (1)
        id                       : DSPROPERTY_ZONE_AGING_ENABLED_TIME (18)
        data                     : union dnsPropertyData(case 18)
        next_scavenging_cycle_hours: 0x00000000 (0)
        name                     : 0x00000000 (0)

dNSProperty:     NDR: struct dnsp_DnsProperty
        wDataLength              : 0x00000004 (4)
        namelength               : 0x00000000 (0)
        flag                     : 0x00000000 (0)
        version                  : 0x00000001 (1)
        id                       : DSPROPERTY_ZONE_AGING_STATE (64)
        data                     : union dnsPropertyData(case 64)
        aging_enabled            : 0x00000000 (0)
        name                     : 0x00bde158 (12443992)

dNSProperty:     NDR: struct dnsp_DnsProperty
        wDataLength              : 0x00000000 (0)
        namelength               : 0x773ecdd3 (2000604627)
        flag                     : 0x00000000 (0)
        version                  : 0x00000001 (1)
        id                       : DSPROPERTY_ZONE_AUTO_NS_SERVERS (130)
        data                     : union dnsPropertyData(case 0)
        name                     : 0x00bde578 (12445048)

dNSProperty:     NDR: struct dnsp_DnsProperty
        wDataLength              : 0x00000001 (1)
        namelength               : 0x00000000 (0)
        flag                     : 0x00000000 (0)
        version                  : 0x00000001 (1)
        id                       : DSPROPERTY_ZONE_ALLOW_UPDATE (2)
        data                     : union dnsPropertyData(case 2)
        allow_update_flag        : DNS_ZONE_UPDATE_SECURE (2)
        name                     : 0x0000bde0 (48608)
Comment 1 Kai Blin 2013-05-25 10:25:24 UTC
Damn, I was told this wasn't the case when I set up the initial smb.conf options for this. I wonder if we can fix this for 4.1, and how to migrate this.
Comment 2 Andrew Bartlett 2013-05-27 06:07:01 UTC
I think we should just remove the smb.conf option, and use this in-directory data.

Given the default is for secure updates only, this shouldn't expose anyone, and we just mention it in WHATSNEW.

If we must keep the smb.conf option while deprecating it over a release, we change the default to 'directory', so folks who have not changed the option just work.
Comment 3 Kai Blin 2013-05-27 06:15:20 UTC
Sounds good to me. :)
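
The following is an added example, not Samba code and not written by anyone in this thread. It sketches the behaviour discussed in comments 1 to 3: read DSPROPERTY_ZONE_ALLOW_UPDATE from a zone's dNSProperty values and let it decide the update policy when the configuration says 'directory'. Assumptions: each blob is the little-endian sequence of fields in the order the dump prints them, the policy names are those of smb.conf's `allow dns updates` option, 'directory' is the value proposed in comment 2, and the fail-closed handling of damaged or unknown values is this example's choice.

```python
import struct

# Little-endian header in the order the dump prints it:
# wDataLength, namelength, flag, version, id (assumed layout for this example).
HEADER = struct.Struct("<5I")
DSPROPERTY_ZONE_ALLOW_UPDATE = 2
# allow_update_flag -> policy name; 2 is DNS_ZONE_UPDATE_SECURE as in the dump.
POLICY = {0: "disabled", 1: "nonsecure", 2: "secure only"}


def prop(prop_id, data=b"", trailer=0):
    """Build a constructed dNSProperty blob for the sample input below."""
    return HEADER.pack(len(data), 0, 0, 1, prop_id) + data + struct.pack("<I", trailer)


def zone_allow_update(blobs):
    """Return the zone's allow_update_flag, or None if the property is absent."""
    for blob in blobs:
        if len(blob) < HEADER.size:
            continue  # too short to carry a property header
        data_len, _namelen, _flag, version, prop_id = HEADER.unpack_from(blob)
        if version != 1 or prop_id != DSPROPERTY_ZONE_ALLOW_UPDATE:
            continue
        data = blob[HEADER.size:HEADER.size + data_len]
        if data_len != 1 or len(data) != 1:
            raise ValueError("malformed DSPROPERTY_ZONE_ALLOW_UPDATE")
        return data[0]
    return None


def effective_policy(conf_value, blobs):
    """Resolve the update policy; 'directory' defers to the zone's own property."""
    if conf_value != "directory":
        # Explicit administrator setting; anything unrecognised fails closed.
        return conf_value if conf_value in POLICY.values() else "disabled"
    try:
        flag = zone_allow_update(blobs)
    except ValueError:
        return "disabled"          # damaged property: refuse updates
    if flag is None:
        return "secure only"       # no property: the default named in comment 2
    return POLICY.get(flag, "disabled")  # unknown flag value: refuse updates


# Constructed sample mirroring two records of the dump above.
SAMPLE_ZONE = [prop(64, b"\x00" * 4), prop(2, b"\x02", 0xBDE0)]

if __name__ == "__main__":
    print(effective_policy("directory", SAMPLE_ZONE))
```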