paths.privilege = os.path.join(paths.private_dir, "privilege.ldb")
paths.dns = os.path.join(paths.private_dir, "dns", dnsdomain + ".zone")
paths.namedconf = os.path.join(paths.private_dir, "named.conf")
+ paths.namedconf_update = os.path.join(paths.private_dir, "named.conf.update")
paths.namedtxt = os.path.join(paths.private_dir, "named.txt")
paths.krb5conf = os.path.join(paths.private_dir, "krb5.conf")
paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
"REALM": realm,
"ZONE_FILE": paths.dns,
"REALM_WC": "*." + ".".join(realm.split(".")[1:]),
- "NAMED_CONF": paths.namedconf
+ "NAMED_CONF": paths.namedconf,
+ "NAMED_CONF_UPDATE": paths.namedconf_update
})
+ setup_file(setup_path("named.conf.update"), paths.namedconf_update)
+
def create_named_txt(path, setup_path, realm, dnsdomain,
private_dir, keytab_name):
"""Write out a file containing zone statements suitable for inclusion in a
type master;
file "${ZONE_FILE}";
/*
- * Attention: Not all BIND versions support "ms-self". The instead use
- * of allow-update { any; }; is another, but less secure possibility.
+ * the list of principals and what they can change is created
+ * dynamically by Samba, based on the membership of the domain controllers
+ * group. The provision just creates this file as an empty file.
*/
- update-policy {
- /*
- * A rather long description here, as the "ms-self" option does
- * not appear in any docs yet (it can only be found in the
- * source code).
- *
- * The short of it is that each host is allowed to update its
- * own A and AAAA records, when the update request is properly
- * signed by the host itself.
- *
- * The long description is (look at the
- * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
- * its definition in lib/dns/gssapictx.c for details):
- *
- * A GSS-TSIG update request will be signed by a given signer
- * (e.g. machine-name$@${REALM}). The signer name is split into
- * the machine component (e.g. "machine-name") and the realm
- * component (e.g. "${REALM}"). The update is allowed if the
- * following conditions are met:
- *
- * 1) The machine component of the signer name matches the first
- * (host) component of the FQDN that is being updated.
- *
- * 2) The realm component of the signer name matches the realm
- * in the grant statement below (${REALM}).
- *
- * 3) The domain component of the FQDN that is being updated
- * matches the realm in the grant statement below.
- *
- * If the 3 conditions above are satisfied, the update succeeds.
- */
- grant ${REALM} ms-self * A AAAA;
- };
+ include "${NAMED_CONF_UPDATE}";
/* we need to use check-names ignore so _msdcs A records can be created */
check-names ignore;
git.samba.org / abartlet / samba.git / .git / commitdiff