[patch] bind9 dns update and windows clients
Larissa Shapiro
larissas at isc.org
Tue Feb 16 22:13:11 UTC 2010
Tridge,
We would very much like to discuss including your patches in an upcoming
release of BIND 9. We would also like to further discuss the other
issues you present here, including the best way to move forward with
support for mixed environments, etc. I'd be happy to discuss further
here or in person, via email or phone, and could arrange a call between
ourselves and other engineering staff as appropriate.
Best,
Larissa
Larissa Shapiro
BIND Product Manager
larissas at isc.org
On 11:59 AM, tridge at samba.org wrote:
> We've been working on improving the integration between Samba4 as an
> AD domain controller and bind9 as a DNS server. The aim is to get the
> TSIG-GSS dynamic DNS updates to work out of the box with a Samba4 DC.
>
> We hit a problem with Windows7 and Windows2008R2 clients. When they
> want to do a dynamic update they first send an unsigned update, then
> when that is refused they get the appropriate krb5 ticket and then
> send a TSIG-GSS signed update.
>
> The problem is that they only try the signed update if the response
> from the DNS server for the unsigned request includes fields from the
> request. Bind9 currently uses msgresetnames() in dns_message_reply()
> when building the response to remove all the sections from the
> request. When Windows gets empty sections in the response it does not
> try the signed update request.
>
> A simple fix is this:
>
> --- lib/dns/message.c.orig 2010-02-15 18:53:13.879770317 +1100
> +++ lib/dns/message.c 2010-02-15 19:46:48.419801802 +1100
> @@ -2474,7 +2474,8 @@ dns_message_reply(dns_message_t *msg, is
> if (!msg->header_ok)
> return (DNS_R_FORMERR);
> if (msg->opcode != dns_opcode_query &&
> - msg->opcode != dns_opcode_notify)
> + msg->opcode != dns_opcode_notify &&
> + msg->opcode != dns_opcode_update)
> want_question_section = ISC_FALSE;
> if (want_question_section) {
> if (!msg->question_ok)
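Review bot: adding `msg->opcode != dns_opcode_update` to the condition keeps `want_question_section` true for UPDATE requests, so the `if (!msg->question_ok) return (DNS_R_FORMERR);` check directly below now also guards updates; that is the right place for it, but nothing in the code records why updates are treated like queries here (Windows 7 / 2008 R2 clients only retry with a TSIG-GSS signed update when the refused reply echoes the request's zone section), so a one-line comment above the condition citing that interop requirement would keep a later cleanup from reverting it. As the mail itself notes, this variant only preserves the zone (question) section; `msgresetnames()` still strips the prerequisite and update sections.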
>
> with this patch in place Windows7 and Win2k8r2 do try the TSIG-GSS
> signed request, and dynamic updates work as expected.
>
> The above patch doesn't make bind exactly match windows, because it
> means that bind only returns the 'zone' section from the update
> request, whereas a windows DNS server would return all sections from
> the request (windows sends 3 sections, a zone, a pre-requisite and an
> update).
>
> So the above patch does work, but there is a risk that windows clients
> may fail again in future windows versions. A fix to make it match
> windows behaviour more exactly is:
>
> --- lib/dns/message.c.orig 2010-02-15 18:53:13.879770317 +1100
> +++ lib/dns/message.c 2010-02-15 19:55:27.259830348 +1100
> @@ -2482,6 +2482,8 @@ dns_message_reply(dns_message_t *msg, is
> first_section = DNS_SECTION_ANSWER;
> } else
> first_section = DNS_SECTION_QUESTION;
> + if (msg->opcode == dns_opcode_update)
> + first_section = DNS_SECTION_ADDITIONAL;
> msg->from_to_wire = DNS_MESSAGE_INTENTRENDER;
> msgresetnames(msg, first_section);
> msgresetopt(msg);
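Review bot: the added `if (msg->opcode == dns_opcode_update) first_section = DNS_SECTION_ADDITIONAL;` sits after the if/else chain and silently overrides whatever it chose, and because the chain still sets `want_question_section = ISC_FALSE` for updates (the first hunk's condition is not changed in this variant), the update request takes the else branch and never hits the `if (!msg->question_ok) return (DNS_R_FORMERR);` check before its zone section is echoed back; either fold the update case into that chain so a malformed zone section still yields FORMERR, or add a comment stating that skipping the check is intended. A comment noting that echoing the zone, prerequisite and update sections mirrors the Windows DNS server's reply format would also document the intent, since the preceding lines give no hint of it.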
>
> Would you consider one of the above two patches for future versions of
> bind?
>
> The second part of the problem with integrating bind9 with Samba4 as a
> DC is that Samba needs some way to provide ACL control over what
> krb5 principals are allowed to do updates to what names. This needs to
> dynamically change when a DC joins or leaves the domain, and when a
> user gets appropriate admin privileges.
>
> We're currently doing this by generating a bind9 config snippet at
> runtime, and running "rndc reload" from inside Samba when it
> changes. Here is a typical snippet we create:
>
> /* this file is auto-generated - do not edit */
> update-policy {
> grant BLUDOM.TRIDGELL.NET ms-self * A AAAA;
> grant administrator@BLUDOM.TRIDGELL.NET wildcard * A AAAA SRV CNAME TXT;
> grant BLU$@BLUDOM.TRIDGELL.NET wildcard * A AAAA SRV CNAME;
> grant W2K8R2B$@BLUDOM.TRIDGELL.NET wildcard * A AAAA SRV CNAME;
> };
>
> we then include that file in the (generated) named.conf from the Samba
> install. You can see the named.conf template here:
>
> http://samba.org/ftp/unpacked/samba_4_0_test/source4/setup/named.conf
>
> The 'include ${NAMED_CONF_UPDATE};' part is what includes the above
> runtime generated config snippet.
>
> This says (I hope!) that the two domain controllers (BLU and W2K8R2B)
> can do what they like, as can the domain administrator. Other users
> can update only their own records.
>
> Is this the best approach? Ideally we'd have some way to hook into
> bind so that bind asks Samba when someone wants to do an update on one
> of the zones Samba controls, and have Samba check the group
> memberships. Re-generating this config snippet all the time is hackish
> and racy, although it does work.
>
> Finally, we eventually want to allow Samba4 as a DC to be used in
> mixed environments, where organisations have a mixture of Windows DNS
> servers and bind9, and include a mixture of Samba4 DCs and Windows DCs
> for the same domain. We want updates to any of the DCs to propagate
> seamlessly between the DNS servers.
>
> We're currently thinking of using the ldap sdb backend for bind9 to
> achieve this, by pointing it at the Samba4 LDAP server. That LDAP
> server would then map between the Windows DRS/LDAP format for DNS
> zones and the format that the bind9 ldap sdb wants. If anyone has a
> better suggestion please let me know.
>
> Cheers, Tridge
> _______________________________________________
> bind-workers mailing list
> bind-workers at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-workers
>
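As an added illustration (not code from this thread, from BIND or from Samba), the following toy RFC 2136 encoder/decoder builds an unsigned UPDATE request of the kind the Windows clients send first, then constructs the REFUSED reply that each of the three variants discussed above would produce: unpatched BIND (every section stripped), the first patch (zone section echoed) and the second patch (zone, prerequisite and update sections echoed). The `FIRST_SECTION` table, the section index order and the sample names and address are assumptions made for the example; the wire layout follows RFC 2136.

```python
"""Toy DNS UPDATE (RFC 2136) encoder/decoder that mimics what BIND's
dns_message_reply() keeps or strips from a request when building a reply.
Constructed for illustration; this is not BIND or Samba code."""
import struct

OPCODE_UPDATE = 5
RCODE_REFUSED = 5
QR_BIT = 0x8000
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_NONE = 1, 254

# Section indexes in the order BIND's DNS_SECTION_* enumeration uses (assumed here).
# In an UPDATE message RFC 2136 calls them zone / prerequisite / update / additional.
SECTION_QUESTION, SECTION_ANSWER, SECTION_AUTHORITY, SECTION_ADDITIONAL = range(4)

# first_section value each variant hands to msgresetnames(): sections at or after
# first_section are emptied in the reply, sections before it are echoed.
FIRST_SECTION = {
    "unpatched": SECTION_QUESTION,    # everything stripped: header-only reply
    "patch1": SECTION_ANSWER,         # zone section echoed
    "patch2": SECTION_ADDITIONAL,     # zone, prerequisite and update echoed
}


def encode_name(name):
    """Uncompressed wire encoding of a dotted name."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def _encode_rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(msg_id, zone, prereqs, updates):
    """Client-side UPDATE request; prereqs/updates are (name, type, class, ttl, rdata)."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11,
                         1, len(prereqs), len(updates), 0)
    body = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    for rr in prereqs + updates:
        body += _encode_rr(*rr)
    return header + body


def parse_message(buf):
    msg_id, flags, *counts = struct.unpack("!HHHHHH", buf[:12])
    off, sections = 12, [[] for _ in range(4)]
    for _ in range(counts[SECTION_QUESTION]):
        name, off = decode_name(buf, off)
        sections[SECTION_QUESTION].append((name,) + struct.unpack("!HH", buf[off:off + 4]))
        off += 4
    for sec in (SECTION_ANSWER, SECTION_AUTHORITY, SECTION_ADDITIONAL):
        for _ in range(counts[sec]):
            name, off = decode_name(buf, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            off += 10
            sections[sec].append((name, rtype, rclass, ttl, buf[off:off + rdlen]))
            off += rdlen
    return {"id": msg_id, "flags": flags, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "sections": sections}


def build_reply(request, rcode, first_section):
    """Server-side reply: keep ID and opcode, set QR and rcode, echo the request's
    sections that lie before first_section and empty the rest (msgresetnames())."""
    req = parse_message(request)
    kept = [sec if i < first_section else [] for i, sec in enumerate(req["sections"])]
    flags = QR_BIT | (req["opcode"] << 11) | rcode
    header = struct.pack("!HHHHHH", req["id"], flags, *(len(s) for s in kept))
    body = b"".join(encode_name(n) + struct.pack("!HH", t, c) for n, t, c in kept[0])
    for sec in kept[SECTION_ANSWER:]:
        body += b"".join(_encode_rr(*rr) for rr in sec)
    return header + body


def section_counts(buf):
    return tuple(len(s) for s in parse_message(buf)["sections"])


# Constructed sample: an unsigned update adding an A record for host1.example.com
# (documentation domain, TEST-NET address) with one "name not in use" prerequisite.
SAMPLE_REQUEST = build_update(
    0x1234, "example.com.",
    [("host1.example.com.", TYPE_ANY, CLASS_NONE, 0, b"")],
    [("host1.example.com.", TYPE_A, CLASS_IN, 3600, bytes([192, 0, 2, 10]))])


def refused_replies():
    """Per-section counts of the REFUSED reply each variant sends for SAMPLE_REQUEST."""
    return {variant: section_counts(build_reply(SAMPLE_REQUEST, RCODE_REFUSED, fs))
            for variant, fs in FIRST_SECTION.items()}


if __name__ == "__main__":
    for variant, counts in refused_replies().items():
        print(f"{variant:10s} zone/prereq/update/additional counts: {counts}")
```

The header-only 12-byte reply from the "unpatched" row is the one the Windows clients give up on instead of retrying with a signed request. In all three rows the additional section is reset, so a TSIG record carried on the request is never echoed, and a refused reply is never larger than the request it answers.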