patches to make bind9 with TKEY/GSS updates easier to configure

tridge at samba.org
Tue Nov 30 05:05:02 UTC 2010


Hi Michael,

 > This doesn't mean we can't include some of the changes you propose, but
 > it does mean we would want to get them in place very, very quickly, with
 > good tests.

I'm working on the patches now, and as you suggest, I'll send you the
patches for each of the changes separately. I think getting them done
for mid December should be doable.

I've been having a bit of trouble with the per-zone config. I've added
a per-zone keytab option "tkey-gssapi-keytab", but the problem is I
can't see how to get the right dns_zone_t* pointer in
process_gsstkey().

The problem is that the tkey request doesn't actually have a zone name
within easy reach in the packet. I can see a few ways around this:

 1) we could use the name field from the QUERY section (or from the
    ADDITIONAL section). That would give me something like
    NNNNNN.sig-xxx.$ZONENAME and I could look for a configured zone
    that is a parent of that name. A bit messy, but might work.

 2) we could break open the ticket in the GSSAPI part of the request,
    and get the "realm" field from that. I'm not sure how easy it is
    to dig that out via gssapi. (maybe you could give me some hints
    Love?)

 3) I could forget about doing per-zone config

Apart from thinking that some sites really might want different
keytabs for different zones, another reason I started looking at
per-zone config is that it makes it easier for us to give Samba users
a foolproof way of configuring bind9.

The Samba 'provision' script creates a named.conf include file that is
all set up with the right information for using bind9 with dynamic DNS
for Samba as an AD DC. The idea is that the administrator then just
adds one include line in /etc/bind/named.conf.local and they are all
set up.

The problem with this is that we also have to set up some things in the
named.conf options{}, but on most systems there is already an
options{} section in /etc/bind/named.conf.options (plus the
environment variables in /etc/default/bind). We've found that admins
setting up Samba often get that step wrong. Unfortunately bind9
doesn't allow multiple options{} sections.

So by allowing these options to be put in the zone, we can include
them in the named.conf include file and remove another source of
administrator error. 

Maybe you have a different suggestion for achieving the same goal?

Cheers, Tridge
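Option 1) above amounts to a closest-enclosing-zone lookup: take the name from the TKEY query's QUESTION section (NNNNNN.sig-xxx.$ZONENAME in the pattern described in the mail) and pick the configured zone that is the longest suffix of it on a label boundary. The block below is an added example written for this page, not BIND's zone-table code and not Samba's; the zone list and the query names are constructed for the illustration, and the NNNNNN.sig-xxx prefix is just the shape the mail describes. It shows the edge cases such a lookup has to get right: DNS names compare case-insensitively, a trailing dot must not matter, "notexample.com" must not fall inside "example.com", and the root zone "." encloses everything.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of name without a single trailing dot, so "example.com." and
   "example.com" compare equal. */
static size_t trimmed_len(const char *name)
{
    size_t n = strlen(name);
    if (n > 0 && name[n - 1] == '.')
        n--;
    return n;
}

/* Case-insensitive byte comparison of two equal-length runs of labels
   (DNS names are case-insensitive). */
static int labels_equal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* 1 if name is equal to zone or ends in "." + zone on a label boundary.
   The root zone "." (or "") contains every name. */
int zone_contains(const char *zone, const char *name)
{
    size_t zl = trimmed_len(zone), nl = trimmed_len(name);
    if (zl == 0)            /* root zone */
        return 1;
    if (nl < zl)
        return 0;
    if (!labels_equal(name + (nl - zl), zone, zl))
        return 0;
    /* Exact match, or the byte before the suffix must be a label
       separator, otherwise "notexample.com" would match "example.com". */
    return nl == zl || name[nl - zl - 1] == '.';
}

/* Index of the closest enclosing configured zone (longest matching
   suffix), or -1 if no configured zone contains name. */
int find_enclosing_zone(const char *name, const char *const zones[], size_t nzones)
{
    int best = -1;
    size_t best_len = 0;
    for (size_t i = 0; i < nzones; i++) {
        size_t zl = trimmed_len(zones[i]);
        if (zone_contains(zones[i], name) && (best < 0 || zl > best_len)) {
            best = (int)i;
            best_len = zl;
        }
    }
    return best;
}

/* Constructed zone list standing in for what named.conf would configure
   for a Samba AD DC; these names are assumptions for the example. */
const char *const SAMBA_ZONES[] = {
    "example.com",
    "ad.example.com",
    "_msdcs.ad.example.com",
};
const size_t SAMBA_NZONES = sizeof(SAMBA_ZONES) / sizeof(SAMBA_ZONES[0]);

int main(void)
{
    /* Constructed TKEY query name in the NNNNNN.sig-xxx.$ZONENAME shape. */
    const char *qname = "4735463.sig-dc1.ad.example.com.";
    int idx = find_enclosing_zone(qname, SAMBA_ZONES, SAMBA_NZONES);
    if (idx < 0)
        printf("%s: no configured zone\n", qname);
    else
        printf("%s -> zone %s\n", qname, SAMBA_ZONES[idx]);
    return 0;
}
```

With a per-zone keytab option the index returned here is what would select the dns_zone_t* whose keytab process_gsstkey() should open; a -1 result is the case a real implementation still has to decide on (reject the TKEY, or fall back to the global credential).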


