On Thu, 2012-10-11 at 21:23 +0200, Stefan (metze) Metzmacher wrote:
> Hi Jelmer,
>
> > - Log -----------------------------------------------------------------
> > commit c2d14747d608d406de6410556807d467cd0b85ef
> > Author: Jelmer Vernooij <jel...@samba.org>
> > Date: Thu Oct 11 14:45:10 2012 +0200
> >
> > provision: Always create DNS user.
> >
> > The DNS user is currently only used by the bind9 plugin. This makes it
> > easier to later on switch between the builtin DNS server and bind
> > backend.
> >
> > In addition, ideally the internal DNS server would use that (separate)
> > user too.
>
> Why? Isn't that the job of samba_upgradedns?
> I removed this behavior because I want us to match windows as much as
> possible.
Jelmer,

We discussed this, but I think you misunderstood me. Certainly we can't do this unless we first change the internal DNS server to know about the possibility of a dns-SERVER user. Otherwise it won't use the right key on the kerberos acceptor.

I was more thinking that we would keep the previous behaviour (which is more like windows), but allow the internal DNS server to work if a dns-SERVER user exists (rather than strictly requiring it to be removed).

Thanks,

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org