On 10/16/2012 12:57 AM, Kai Blin wrote:
On 2012-10-16 05:40, Andrew Bartlett wrote:

Hi,

I'm having trouble parsing that, but yes, additional patches are
required to have the internal DNS server accept static keys.  We would
need a key storage mechanism, and then code to implement that TSIG
method.
I've had patches to do this, but ditched them in favour of conflicting
patches to implement GSS-TSIG.

I think it would be a very valuable improvement.
The algorithm is pretty straightforward, but I couldn't get the
signature right the last time I tried. However, the logic on what parts
of the packet to use for the signature is a bit tricky, but I'm sure
I've now got that right for GSS-TSIG. Using a static key with md5
instead of gensec_sign should be straightforward, the interesting
question is how and where we store the keys.
Well, you could have a dedicated account for it, and the secret just has to be md4(real_secret) in dhcpd; in this case you can use the unicodePwd. The other option is to use the supplementary credentials to store the password in clear text (less straightforward).


Matthieu.


--
Matthieu Patou
Samba Team
http://samba.org
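
The request-side MAC for static-key TSIG with HMAC-MD5, showing which parts of the packet are digested, as an added example that is not part of the original thread and is not Samba's code. It follows RFC 2845; the key name, secret and query are constructed, and the caller is assumed to have already parsed the TSIG record's offset and fields.

```python
import hashlib
import hmac
import struct

HMAC_MD5 = "HMAC-MD5.SIG-ALG.REG.INT"  # algorithm name defined in RFC 2845

def wire_name(name):
    """Domain name in canonical wire form: lowercase labels, no compression."""
    labels = [p.encode("ascii") for p in name.lower().rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG fields that are digested after the message itself (RFC 2845)."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0)   # CLASS ANY, TTL 0
            + wire_name(HMAC_MD5)
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", error, len(other)) + other)

def request_mac(unsigned_msg, key, key_name, time_signed, fudge=300):
    """MAC for a request: the message before the TSIG RR was added, then the variables."""
    data = unsigned_msg + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(key, data, hashlib.md5).digest()

def unsigned_form(wire, tsig_offset, original_id):
    """Undo what adding TSIG did: cut the RR, decrement ARCOUNT, restore the ID."""
    arcount = struct.unpack("!H", wire[10:12])[0]
    if arcount == 0 or not 12 <= tsig_offset <= len(wire):
        raise ValueError("no TSIG record at that offset")
    return (struct.pack("!H", original_id) + wire[2:10]
            + struct.pack("!H", arcount - 1) + wire[12:tsig_offset])

def verify_request(wire, tsig_offset, original_id, mac, key, key_name,
                   time_signed, fudge, now):
    """True only if the MAC matches and the signing time is within the fudge window."""
    expected = request_mac(unsigned_form(wire, tsig_offset, original_id),
                           key, key_name, time_signed, fudge)
    return hmac.compare_digest(expected, mac) and abs(now - time_signed) <= fudge

# Constructed sample: query for example.com A, hypothetical key name and secret.
QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
         + wire_name("example.com") + struct.pack("!HH", 1, 1))
KEY, KEY_NAME, T = b"constructed-shared-secret", "dhcp-update.example.com", 1350345600

def demo():
    mac = request_mac(QUERY, KEY, KEY_NAME, T)
    # On the wire ARCOUNT is 1 and the TSIG RR follows; its bytes are not digested,
    # so a placeholder stands in for it. A forwarder has rewritten the ID to 0xBEEF.
    wire = b"\xbe\xef" + QUERY[2:10] + struct.pack("!H", 1) + QUERY[12:] + b"<TSIG RR>"
    return verify_request(wire, len(QUERY), 0x1234, mac, KEY, KEY_NAME, T, 300, T + 10)
```

Calling `demo()` returns `True`; skipping the ARCOUNT or ID restoration, or changing any digested byte, makes verification fail.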
