s4-provision: pre-create a named.conf.update file

The named.conf.update file will be filled in at runtime by Samba to 
contain the list of bind9 grant rules for granting DNS dynamic update
permissions on the domain.

source4/scripting/python/samba/provision.py

@@ -297,6 +297,7 @@ def provision_paths_from_lp(lp, dnsdomain):
     paths.privilege = os.path.join(paths.private_dir, "privilege.ldb")
     paths.dns = os.path.join(paths.private_dir, "dns", dnsdomain + ".zone")
     paths.namedconf = os.path.join(paths.private_dir, "named.conf")
+    paths.namedconf_update = os.path.join(paths.private_dir, "named.conf.update")
     paths.namedtxt = os.path.join(paths.private_dir, "named.txt")
     paths.krb5conf = os.path.join(paths.private_dir, "krb5.conf")
     paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
@@ -1563,9 +1564,12 @@ def create_named_conf(paths, setup_path, realm, dnsdomain,
             "REALM": realm,
             "ZONE_FILE": paths.dns,
             "REALM_WC": "*." + ".".join(realm.split(".")[1:]),
-            "NAMED_CONF": paths.namedconf
+            "NAMED_CONF": paths.namedconf,
+            "NAMED_CONF_UPDATE": paths.namedconf_update
             })
 
+    setup_file(setup_path("named.conf.update"), paths.namedconf_update)
+
 def create_named_txt(path, setup_path, realm, dnsdomain,
                       private_dir, keytab_name):
     """Write out a file containing zone statements suitable for inclusion in a

source4/setup/named.conf

@@ -7,42 +7,11 @@ zone "${DNSDOMAIN}." IN {
 	type master;
 	file "${ZONE_FILE}";
 	/*
-	 * Attention: Not all BIND versions support "ms-self". The instead use
-	 * of allow-update { any; }; is another, but less secure possibility.
+	 * the list of principals and what they can change is created
+	 * dynamically by Samba, based on the membership of the domain controllers
+	 * group. The provision just creates this file as an empty file.
 	 */
-	update-policy {
-		/*
-		 * A rather long description here, as the "ms-self" option does
-		 * not appear in any docs yet (it can only be found in the
-		 * source code).
-		 *
-		 * The short of it is that each host is allowed to update its
-		 * own A and AAAA records, when the update request is properly
-		 * signed by the host itself.
-		 *
-		 * The long description is (look at the
-		 * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
-		 * its definition in lib/dns/gssapictx.c for details):
-		 *
-		 * A GSS-TSIG update request will be signed by a given signer
-		 * (e.g. machine-name$@${REALM}).  The signer name is split into
-		 * the machine component (e.g. "machine-name") and the realm
-		 * component (e.g. "${REALM}").  The update is allowed if the
-		 * following conditions are met:
-		 *
-		 * 1) The machine component of the signer name matches the first
-		 * (host) component of the FQDN that is being updated.
-		 *
-		 * 2) The realm component of the signer name matches the realm
-		 * in the grant statement below (${REALM}).
-		 *
-		 * 3) The domain component of the FQDN that is being updated
-		 * matches the realm in the grant statement below.
-		 *
-		 * If the 3 conditions above are satisfied, the update succeeds.
-		 */
-		grant ${REALM} ms-self * A AAAA;
-	};
+	include "${NAMED_CONF_UPDATE}";
 
 	/* we need to use check-names ignore so _msdcs A records can be created */
 	check-names ignore;

source4/setup/named.conf.update

@@ -0,0 +1,4 @@
+/*
+	this file will be automatically replaced with the correct
+	'grant' rules by samba at runtime
+*/