On Sun, 08 Mar 2020, Dario Lesca wrote:
Hi, I have posted this request on the samba mailing list: https://lists.samba.org/archive/samba/2020-March/228791.html

Does someone here have a suggestion to resolve this issue?

I'm looking for the best way to register the Windows clients joined to the domain into the bind DNS zone.

In a test environment, when the client is joined to the domain, the associated A record is not added into the DNS zone, and after a few minutes, or if I run "ipconfig/updatedns" on Windows, I get this error:

    mar 05 14:45:43 addc1.fedora.loc dhcpd[773]: DHCPREQUEST for 192.168.122.102 from 52:54:00:7e:c7:bb (win10b) via ens3
    mar 05 14:45:43 addc1.fedora.loc dhcpd[773]: DHCPACK on 192.168.122.102 to 52:54:00:7e:c7:bb (win10b) via ens3
    mar 05 14:45:43 addc1.fedora.loc named[718]: samba_dlz: starting transaction on zone fedora.loc
    mar 05 14:45:43 addc1.fedora.loc named[718]: client @0x7f5ef03e5ed0 192.168.122.102#56448: update 'fedora.loc/IN' denied

Another method is to use the script proposed by the samba team, run from dhcp. But I think this operation should be executed by samba, since the DNS zone (bind_dlz) in which these records are to be recorded is managed directly by samba.

Can someone help me?
I think it is a missing feature in samba_dlz -- it has to provide an SSU table for the zone before the SSU match callback could even be considered for calling. However, samba_dlz does not provide one. Since it doesn't provide one, you have to use native Bind ACL features.

Technical details: In bin/named/update.c, the update_action() code starts with:

    CHECK(dns_zone_getdb(zone, &db));
    zonename = dns_db_origin(db);
    zoneclass = dns_db_class(db);
    dns_zone_getssutable(zone, &ssutable);

    /*
     * Update message processing can leak record existance information
     * so check that we are allowed to query this zone. Additionally
     * if we would refuse all updates for this zone we bail out here.
     */
    CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
                        dns_zone_getupdateacl(zone), ssutable));

The message you see, 'client ...: update ... denied', comes from checkqueryacl()'s call:

    ...
    } else if (updateacl == NULL && ssutable == NULL) {
        dns_name_format(zonename, namebuf, sizeof(namebuf));
        dns_rdataclass_format(client->view->rdclass, classbuf, sizeof(classbuf));
        result = DNS_R_REFUSED;
        ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
                      NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
                      "update '%s/%s' denied", namebuf, classbuf);
    }
    ...

So, both updateacl (the result of the call to dns_zone_getupdateacl(zone) above) and ssutable are not there. Since Samba's samba_dlz does not provide any dynamic handling of the ACL, you need to add it manually in named.conf for your zone. See https://www.zytrax.com/books/dns/ch7/xfer.html for examples.

--
/ Alexander Bokovoy
Sr.
Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
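Since the refusal Alexander traces above only shows up as an "update '...' denied" line from named, with no hint of which machine sent it, an administrator debugging this usually wants the named denial tied back to the dhcpd lease for the same address. The script below is an added example, not code from either message or from Samba/BIND; the log text is constructed to match the journal format quoted in the question, and the second denial line (192.168.122.77) is invented to show a client with no preceding lease.

```python
import re
from collections import defaultdict

# Constructed sample in the same journald format as the excerpt in the thread.
SAMPLE_LOG = """\
mar 05 14:45:43 addc1.fedora.loc dhcpd[773]: DHCPREQUEST for 192.168.122.102 from 52:54:00:7e:c7:bb (win10b) via ens3
mar 05 14:45:43 addc1.fedora.loc dhcpd[773]: DHCPACK on 192.168.122.102 to 52:54:00:7e:c7:bb (win10b) via ens3
mar 05 14:45:43 addc1.fedora.loc named[718]: samba_dlz: starting transaction on zone fedora.loc
mar 05 14:45:43 addc1.fedora.loc named[718]: client @0x7f5ef03e5ed0 192.168.122.102#56448: update 'fedora.loc/IN' denied
mar 05 14:46:10 addc1.fedora.loc named[718]: client @0x7f5ef03e5ed0 192.168.122.77#50211: update 'fedora.loc/IN' denied
"""

# DHCPACK gives us ip -> (mac, hostname); the "@0x..." client handle is optional
# because older named builds omit it.
DHCPACK_RE = re.compile(r"dhcpd\[\d+\]: DHCPACK on (\S+) to (\S+) \((\S+)\)")
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(\S+)#(\d+): update '([^']+)' denied")


def correlate(log_text):
    """Return one dict per refused dynamic update, enriched with the DHCP lease.

    Each dict carries ip, port and zone from the named line, plus mac and host
    from the most recent DHCPACK for that ip (None if no lease was seen).
    """
    leases = {}          # ip -> (mac, hostname); latest DHCPACK wins
    denials = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            ip, mac, host = m.groups()
            leases[ip] = (mac, host)
            continue
        m = DENIED_RE.search(line)
        if m:
            ip, port, zone = m.groups()
            mac, host = leases.get(ip, (None, None))
            denials.append({"ip": ip, "port": int(port), "zone": zone,
                            "mac": mac, "host": host})
    return denials


def denials_by_zone(denials):
    """Count refused updates per zone, to spot which zone lacks an update ACL."""
    counts = defaultdict(int)
    for d in denials:
        counts[d["zone"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for d in correlate(SAMPLE_LOG):
        who = f"{d['host']} ({d['mac']})" if d["host"] else "no DHCPACK seen"
        print(f"{d['zone']}: update from {d['ip']}:{d['port']} refused; client: {who}")
```

Feed it `journalctl -u named -u dhcpd` output instead of SAMPLE_LOG to get the same correlation on a live controller.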