On 04/11/15 22:02, John Gardeniers wrote:> Thanks Marc, > > That's a nice unambiguous answer, so I'll stop looking. > > I really doubt I'll be doing any coding on Samba, so it's kind of > unlikely I'll be supplying a patch. If I did create a patch it would > be to return to BIND flat files, so that the DNS can be made fully > functional again. > > regards, > John > > > On 05/11/15 08:25, Marc Muehlfeld wrote: >> Hello John, >> >> Am 04.11.2015 um 22:13 schrieb John Gardeniers: >>> Nobody? Surely somebody knows where Samba 4 logs its DNS queries, or >>> was >>> this was a huge oversight and the internal DNS doesn't get logged at >>> all, as appears to be suggested by my utter failure to locate such >>> logs. >> Samba doesn't log DNS queries. >> >> Patches are welcome. :-) >> >> >> Regards, >> Marc >> > >Just because you want to use samba with bind flat files doesn't make it the right thing to do. I have have been using bind9 dlz with samba4 for 3 years now and it does what it is supposed to do, I know there are a few things that need sorting, but they are minor and I am sure they will get fixed eventually. I wouldn't bother rushing to create a patch to make flat files work again, I don't think it would be accepted. Rowland
Code is like books, or art (painting...). Some guy produce something, as he likes, some others use/watch/listen it, as they like. Most of the time these two ways are different. What I mean is it is not because something was not developed to be used in some way that way of usage is not a good way of usage. Perhaps for most of us this is not the right way the OP want to do. Anyway it is his way. Who are we to tell what he's doing should not be? I thought opensource was more open than the other world. Same thing but about SSSD: I was thinking providing to my client same behaviour for Linux systems as on Windows systems about local administrators of computers (clients). On Windows you can define groups and using GPO put some group(s) in client's local "administrators" group. There you have people able to manage clients systems without any rights on AD. This can be done using LDAP tree and user accounts with UID = 0. SSSD comes also with filters to avoid peoples with UID=0 which have no right to connect on some systems can connect on these refused systems. So I had all I wanted to give my client same way of managing all their systems with nominative accounts, to be able to trace a little bit what admins do. This is not possible because SSSD refuses (hardcoded...) users with UID=0 to connect on SSSD systems. I was told this is for security reason: SSSD through LDAP can, under certain configuration, grant man in the middle attack (or something like that). The fact is using AD servers are also authenticated, this security reason disappear. Not the refusal because devs think what they thought is the only to think. I don't. 2015-11-04 23:21 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:> On 04/11/15 22:02, John Gardeniers wrote: > >> Thanks Marc, >> >> That's a nice unambiguous answer, so I'll stop looking. >> >> I really doubt I'll be doing any coding on Samba, so it's kind of >> unlikely I'll be supplying a patch. If I did create a patch it would be to >> return to BIND flat files, so that the DNS can be made fully functional >> again. >> >> regards, >> John >> >> >> On 05/11/15 08:25, Marc Muehlfeld wrote: >> >>> Hello John, >>> >>> Am 04.11.2015 um 22:13 schrieb John Gardeniers: >>> >>>> Nobody? Surely somebody knows where Samba 4 logs its DNS queries, or was >>>> this was a huge oversight and the internal DNS doesn't get logged at >>>> all, as appears to be suggested by my utter failure to locate such logs. >>>> >>> Samba doesn't log DNS queries. >>> >>> Patches are welcome. :-) >>> >>> >>> Regards, >>> Marc >>> >>> >> >> > Just because you want to use samba with bind flat files doesn't make it > the right thing to do. I have have been using bind9 dlz with samba4 for 3 > years now and it does what it is supposed to do, I know there are a few > things that need sorting, but they are minor and I am sure they will get > fixed eventually. > > I wouldn't bother rushing to create a patch to make flat files work again, > I don't think it would be accepted. > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
On 05/11/15 09:55, mathias dufresne wrote:> Code is like books, or art (painting...). Some guy produce something, as he > likes, some others use/watch/listen it, as they like. Most of the time > these two ways are different. > > What I mean is it is not because something was not developed to be used in > some way that way of usage is not a good way of usage. > > Perhaps for most of us this is not the right way the OP want to do. Anyway > it is his way. Who are we to tell what he's doing should not be? I thought > opensource was more open than the other world.Samba4 initially used the bind9 flat files way of running, but it didn't and couldn't be made to work as an AD DC expects. This is why Samba4 moved to dlz, a lot needed to be done to get this to work, but it does work as expected, ok there are a few minor problems, but I am sure these will be fixed in time. I am not saying that the OP cannot use flat-files, just that he is on his own there.> > Same thing but about SSSD: I was thinking providing to my client same > behaviour for Linux systems as on Windows systems about local > administrators of computers (clients). On Windows you can define groups and > using GPO put some group(s) in client's local "administrators" group. There > you have people able to manage clients systems without any rights on AD. > This can be done using LDAP tree and user accounts with UID = 0. SSSD comes > also with filters to avoid peoples with UID=0 which have no right to > connect on some systems can connect on these refused systems. > So I had all I wanted to give my client same way of managing all their > systems with nominative accounts, to be able to trace a little bit what > admins do. > This is not possible because SSSD refuses (hardcoded...) users with UID=0 > to connect on SSSD systems. I was told this is for security reason: SSSD > through LDAP can, under certain configuration, grant man in the middle > attack (or something like that). > The fact is using AD servers are also authenticated, this security reason > disappear. Not the refusal because devs think what they thought is the only > to think. I don't.That is (in my opinion) a stupid way of doing things, every user with the UID of 0 raises the potential for an attack, if you want to do this, use sudo instead and yes sssd, AD and sudo will play nicely together. Just because you think something is a good idea doesn't mean it is, but nobody is stopping *you* doing things your way, just don't expect sympathy if things go wrong. Rowland> >