Bug 562516

Summary: update-policy with nametype of subdomainms does not allow exact match to specified identity
Product: [Fedora] Fedora
Reporter: Andrew Kroeger <mb6zcpv02>
Component: bind
Assignee: Adam Tkac <atkac>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: atkac, ovasik, pwouters
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-06-28 15:39:36 UTC
Attachments:
Patch to enable exact match of identity in update-policy rule for subdomainms nametype (flags: none)

Description Andrew Kroeger 2010-02-07 06:09:02 UTC
Created attachment 389344
Patch to enable exact match of identity in update-policy rule for subdomainms nametype

Description of problem:
The comparison used for nametype subdomainms in version 9.6.1-9.P3 does not allow an exact match to the specified identity in the update-policy statement.

Version-Release number of selected component (if applicable):
bind-9.6.1-9.P3.fc11.x86_64.rpm

How reproducible:
Always.

Steps to Reproduce:
1. Download current Samba 4 code (either the alpha 11 tarball from http://ftp.samba.org/ftp/samba/samba4/samba-4.0.0alpha11.tar.gz or current git code as detailed in http://wiki.samba.org/index.php/Samba4/HOWTO)
2. Build, install and provision an instance of Samba 4, ensuring the bind configuration is updated to include the new Samba 4 zone (as detailed in /usr/local/samba/private/named.txt)
3. Join a Windows 2008 DC to the new Samba 4 domain using Windows dcpromo
4. Add an entry to the Samba 4 zone in /etc/named.conf to allow the Windows DC (and only the Windows DC) to make dynamic updates to ALL records in the Samba 4 zone.  As an example: "grant <W2K8DC>$@<REALM-UC> ms-subdomain <REALM-LC> ANY;", substituting the machine name of the Windows 2008 DC for <W2K8DC>, the Windows domain name in uppercase for <REALM-UC> and the Windows domain name in lowercase for <REALM-LC>.
5. Note that when the Windows DC is restarted and attempts to update its dynamic DNS records, the updates fail
6. Apply the attached patch, rebuild and update BIND
7. Notice that the exact match specified above now works as expected

Actual results:
The updates attempted by the Windows 2008 DC fail.

Expected results:
Specifying an exact signer in the identity field of the update-policy statement should match and allow the update to succeed.

Additional info:
The current code calls dst_gssapi_identitymatchesrealmms(signer, NULL, rule->identity) from the DNS_SSUMATCHTYPE_SUBDOMAINMS case of the switch statement.  The dst_gssapi_identitymatchesrealmms() function parses the supplied parameters into their component parts to perform the comparisons; however, as there is no name parameter passed to the function in this case, there is no way to have a complete, exact match to the supplied identity of the update-policy statement.

The attached patch attempts an exact match of the signer of the update request to the identity specified in the update-policy rule, and then falls back to the original dst_gssapi_identitymatchesrealmms() call.  This should not create any unexpected side effects as the exact match will either succeed or fail, and if it fails it will fall back to use the existing code.
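
The matching order described in the report, as an added example that is neither the attached patch nor BIND's code: a simplified C model that uses plain strings in place of dns_name_t. The helper names, the sample principals and the realm-only behaviour of the fallback are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Model of the existing check (assumption): with no name argument, the
 * signer "MACHINE$@REALM" is split at "$@" and only the realm part is
 * compared with the rule identity. */
static bool realm_only_match(const char *signer, const char *identity) {
    const char *dollar = strchr(signer, '$');
    const char *at = strchr(signer, '@');

    /* Require a non-empty machine name followed directly by "$@". */
    if (dollar == NULL || at == NULL || dollar == signer || at - dollar != 1)
        return false;
    return strcasecmp(at + 1, identity) == 0;
}

/* Order described in the report: try an exact signer match first, then
 * fall back to the existing check. Case-insensitive comparison is an
 * assumption of this model. */
static bool patched_match(const char *signer, const char *identity) {
    if (strcasecmp(signer, identity) == 0)
        return true;
    return realm_only_match(signer, identity);
}

int main(void) {
    /* Constructed sample principals, not taken from the report. */
    const char *dc = "W2K8DC$@EXAMPLE.COM";
    const char *other = "OTHERPC$@EXAMPLE.COM";
    const char *realm = "EXAMPLE.COM";

    /* A rule naming one machine: only the patched order accepts that machine. */
    printf("existing, rule=dc,    signer=dc:    %d\n", realm_only_match(dc, dc));
    printf("patched,  rule=dc,    signer=dc:    %d\n", patched_match(dc, dc));
    printf("patched,  rule=dc,    signer=other: %d\n", patched_match(other, dc));

    /* A rule naming the realm accepts every machine principal in it. */
    printf("existing, rule=realm, signer=other: %d\n", realm_only_match(other, realm));
    return 0;
}
```

In this model a rule identity that names only the realm accepts any machine principal in that realm, which is why a grant limited to one DC needs the exact-match step.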

Comment 1 Bug Zapper 2010-04-28 11:48:22 UTC
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 2 Bug Zapper 2010-06-28 15:39:36 UTC
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.