Ignore:
Timestamp:
Nov 27, 2012, 4:43:17 PM (13 years ago)
Author:
Silvan Scherrer
Message:

Samba Server: updated trunk to 3.6.0

Location:
trunk/server
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/server

  • trunk/server/source4/setup/named.conf

    r414 r745  
    22#
    33# For example with
    4 # include "${PRIVATE_DIR}/named.conf";
     4# include "${NAMED_CONF}";
    55
    66zone "${DNSDOMAIN}." IN {
    77        type master;
    8         file "${PRIVATE_DIR}/${DNSDOMAIN}.zone";
     8        file "${ZONE_FILE}";
    99        /*
    10          * Attention: Not all BIND versions support "ms-self". The instead use
    11          * of allow-update { any; }; is another, but less secure possibility.
     10         * the list of principals and what they can change is created
     11         * dynamically by Samba, based on the membership of the domain controllers
     12         * group. The provision just creates this file as an empty file.
    1213         */
    13         update-policy {
    14                 /*
    15                  * A rather long description here, as the "ms-self" option does
    16                  * not appear in any docs yet (it can only be found in the
    17                  * source code).
    18                  *
    19                  * The short of it is that each host is allowed to update its
    20                  * own A and AAAA records, when the update request is properly
    21                  * signed by the host itself.
    22                  *
    23                  * The long description is (look at the
    24                  * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
    25                  * its definition in lib/dns/gssapictx.c for details):
    26                  *
    27                  * A GSS-TSIG update request will be signed by a given signer
    28                  * (e.g. machine-name$@${REALM}).  The signer name is split into
    29                  * the machine component (e.g. "machine-name") and the realm
    30                  * component (e.g. "${REALM}").  The update is allowed if the
    31                  * following conditions are met:
    32                  *
    33                  * 1) The machine component of the signer name matches the first
    34                  * (host) component of the FQDN that is being updated.
    35                  *
    36                  * 2) The realm component of the signer name matches the realm
    37                  * in the grant statement below (${REALM}).
    38                  *
    39                  * 3) The domain component of the FQDN that is being updated
    40                  * matches the realm in the grant statement below.
    41                  *
    42                  * If the 3 conditions above are satisfied, the update succeeds.
    43                  */
    44                 grant ${REALM} ms-self * A AAAA;
    45         };
     14        include "${NAMED_CONF_UPDATE}";
     15
     16        /* we need to use check-names ignore so _msdcs A records can be created */
     17        check-names ignore;
    4618};
    4719
     
    6133# Note that the reverse zone file is not created during the provision process.
    6234
    63 # The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG
     35# The most recent BIND versions (9.7.2 or later) support secure GSS-TSIG
    6436# updates.  If you are running an earlier version of BIND, or if you do not wish
    6537# to use secure GSS-TSIG updates, you may remove the update-policy sections in
Note: See TracChangeset for help on using the changeset viewer.