On Thu, 16 Aug 2018, Dominik George via FreeIPA-users wrote:
> Hi,
> > idnsUpdatePolicy is the attribute in LDAP to store update-policy.
> Ah, thanks! Seems to be missing in the documentation.
> I see that the setting has an effect because I can use it to grant all
> updates on the zone - however, I cannot get it to do the following:
> I have a host authenticating as host/foo.example.com@EXAMPLE.COM. I want
> this host to be able to update *.foo.example.com. Now there exist quite a
> few different versions about the grant statement, and I tried the following;
>   grant EXAMPLE.COM krb5-subdomain . ANY
>   grant EXAMPLE.COM krb5-subdomain * ANY
>   grant EXAMPLE.COM krb5-subdomain *.example.com. ANY
> However, I cannot seem to get it to grant a subdomain update.
> I can get this to work, though:
>   grant EXAMPLE.COM krb5-self * ANY
> I am a bit confused, because I found some sources saying krb5-self and
> krb5-subdomain both append the realm to the host name, which would result in
> foo.example.com.example.com in the above example. However, this would mean
> the krb5-self example above would also not have worked for me…
> Any hints on how I really get BIND to accept updates on all subdomains of
> the FQDN that authenticated?
Looking at BIND's code, krb5-self and krb5-subdomain only differ with:

    case DNS_SSUMATCHTYPE_SELFKRB5:
            if (!dst_gssapi_identitymatchesrealmkrb5(signer, name,
                                                     rule->identity))
                    continue;
            break;
    case DNS_SSUMATCHTYPE_SUBDOMAINKRB5:
            if (!dns_name_issubdomain(name, rule->name))
                    continue;
            if (!dst_gssapi_identitymatchesrealmkrb5(signer, NULL,
                                                     rule->identity))
                    continue;
            break;

i.e. the name of the resource is checked to be a subdomain of the name in
the rule, and then the requestor's Kerberos identity is checked against
the rule's realm.
Do you see any error in the named's log?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland