Merge ~ahasenack/ubuntu/+source/bind9:bind9-nsupdate-gssapi-1755439 into ubuntu/+source/bind9:ubuntu/devel
Status: | Merged |
---|---|
Merge reported by: | Christian Ehrhardt |
Merged at revision: | 4e030a0f8ffd6821db3421f218452d2be8778119 |
Proposed branch: | ~ahasenack/ubuntu/+source/bind9:bind9-nsupdate-gssapi-1755439 |
Merge into: | ubuntu/+source/bind9:ubuntu/devel |
Diff against target: | 52 lines (+30/-0), 3 files modified: debian/changelog (+8/-0), debian/patches/nsupdate-gssapi-fails-ad-45854.patch (+21/-0), debian/patches/series (+1/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Christian Ehrhardt (community) | Approve | ||
Canonical Server | Pending | ||
Review via email: mp+341410@code.launchpad.net |
Description of the change
Grabbed upstream fix for nsupdate when using Kerberos/GSSAPI against a Microsoft DNS server in an AD controller. This was first reported in the sssd mailing list (https://<email address hidden>
There is no new upstream bind release with the fix yet; it's just in their git.
Testing this against an actual AD server will be a bit time-consuming. I prepared test packages and uploaded them to https:/
I did a simple kerberized nsupdate test with a local bind9 server and that worked:
ubuntu@
Password for ubuntu@LXD:
ubuntu@
> server 127.0.0.1
> update add xenial.lxd. 120 TXT "Goodbye from kerberos"
> send
ubuntu@
"Goodbye from kerberos"
ubuntu@
Ticket cache: FILE:/tmp/
Default principal: ubuntu@LXD
Valid starting Expires Service principal
03/14/18 15:02:21 03/15/18 01:02:21 krbtgt/LXD@LXD
renew until 03/15/18 15:02:20
03/14/18 15:02:45 03/15/18 01:02:21 DNS/lxd@LXD
renew until 03/15/18 15:02:20
As discussed, testing is up to you and the reporter.
Packaging-wise this looks good, and I didn't find issues doing some simple tests with it.
Also ran the QA regression suite on it and all were good (16 tests good, except 2 due to IPv6 not avail in my env).
Further ran the integrated unit tests against a rebuild from your source.
216 R:PASS
5 R:SKIPPED
1 R:UNTESTED
I also wanted to mention that this is not entirely new code, as it is "Restore workaround for Microsoft Windows TSIG ...", which makes it slightly better than a random new change.
Presuming the reporter tests it OK from your PPA.
Approve (under the condition that it was tested for the reported issue before upload).