Red Hat Bugzilla – Bug 562516
update-policy with nametype of subdomainms does not allow exact match to specified identity
Last modified: 2013-04-30 19:45:31 EDT
Created attachment 389344
Patch to enable exact match of identity in update-policy rule for subdomainms nametype
Description of problem:
The comparison used for nametype subdomainms in version 9.6.1-9.P3 does not allow an exact match to the specified identity in the update-policy statement.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Download current Samba 4 code (either the alpha 11 tarball from http://ftp.samba.org/ftp/samba/samba4/samba-4.0.0alpha11.tar.gz or current git code as detailed in http://wiki.samba.org/index.php/Samba4/HOWTO)
2. Build, install and provision an instance of Samba 4, ensuring the bind configuration is updated to include the new Samba 4 zone - as detailed in /usr/local/samba/private/named.txt
3. Join a Windows 2008 DC to the new Samba 4 domain using Windows dcpromo
4. Add an entry to the Samba 4 zone in /etc/named.conf to allow the Windows DC (and only the Windows DC) to make dynamic updates to ALL records in the Samba 4 zone. As an example: "grant <W2K8DC>$@<REALM-UC> ms-subdomain <REALM-LC> ANY;", substituting the machine name of the Windows 2008 DC for <W2K8DC>, the Windows domain name in uppercase for <REALM-UC> and the Windows domain name in lowercase for <REALM-LC>.
5. Note that when the Windows DC is restarted and attempts to update its dynamic DNS records, the updates fail
6. Apply the attached patch, rebuild and update BIND
7. Notice that the exact match specified above now works as expected
The updates attempted by the Windows 2008 DC fail.
Specifying an exact signer in the identity field of the update-policy statement should match and allow the update to succeed.
The current code calls dst_gssapi_identitymatchesrealmms(signer, NULL, rule->identity) from the DNS_SSUMATCHTYPE_SUBDOMAINMS case of the switch statement. The dst_gssapi_identitymatchesrealmms() function parses the supplied parameters into their component parts to perform the comparisons; however, as there is no name parameter passed to the function in this case, there is no way to have a complete, exact match to the supplied identity of the update-policy statement.
The attached patch attempts an exact match of the signer of the update request to the identity specified in the update-policy rule, and then falls back to the original dst_gssapi_identitymatchesrealmms() call. This should not create any unexpected side effects as the exact match will either succeed or fail, and if it fails it will fall back to use the existing code.
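The matching order described in the report, as an added illustration in C; this is a model written for this page, not BIND's code or the attached patch. It assumes a signer principal of the form "host$@REALM", that the exact compare uses case-insensitive DNS-name semantics, and that the realm-only fallback compares the realm case-sensitively as the page's description implies; the realm EXAMPLE.COM and the host W2K8DC are constructed sample values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Realm-only check modelled on dst_gssapi_identitymatchesrealmms(signer,
 * NULL, realm) as the report describes it: the signer must look like
 * "host$@REALM" and REALM must equal the rule identity verbatim. With an
 * identity of "host$@REALM" this can never match, which is the bug. */
static bool realm_ms_match(const char *signer, const char *realm)
{
    const char *dollar = strchr(signer, '$');
    const char *at = strchr(signer, '@');
    if (dollar == NULL || at == NULL || at - dollar != 1)
        return false;               /* not a machine-account principal */
    return strcmp(at + 1, realm) == 0;
}

/* Pre-patch behaviour of the DNS_SSUMATCHTYPE_SUBDOMAINMS case. */
bool ms_subdomain_rule_matches_prepatch(const char *signer, const char *identity)
{
    return realm_ms_match(signer, identity);
}

/* Behaviour the patch introduces: try an exact match of the signer against
 * the rule identity first (assumed case-insensitive, like DNS names), then
 * fall back to the original realm-only check. */
bool ms_subdomain_rule_matches(const char *signer, const char *identity)
{
    if (strcasecmp(signer, identity) == 0)
        return true;
    return realm_ms_match(signer, identity);
}

int main(void)
{
    /* Constructed sample: the DC's own principal as the rule identity. */
    const char *signer = "W2K8DC$@EXAMPLE.COM";
    const char *identity = "W2K8DC$@EXAMPLE.COM";
    printf("pre-patch: %s\n", ms_subdomain_rule_matches_prepatch(signer, identity) ? "grant" : "deny");
    printf("patched:   %s\n", ms_subdomain_rule_matches(signer, identity) ? "grant" : "deny");
    return 0;
}
```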
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '11'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 11's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 11 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here:
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version.
Thank you for reporting this bug and we are sorry it could not be fixed.