-rw-r--r-- | python/samba/provision/sambadns.py | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index 9dbea4ef2a..29224c8cf6 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -801,6 +801,14 @@ def create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid):
 logger.error(
 "Failed to setup database for BIND, AD based DNS cannot be used")
 raise
+
+ # This line is critical to the security of the whole scheme.
+ # We assume there is no secret data in the (to be left out of
+ # date and essentially read-only) config, schema and metadata partitions.
+ #
+ # Only the stub of the domain partition is created above.
+ #
+ # That way, things like the krbtgt key do not leak.
 del partfile[domaindn]
 
 # Link dns partitions and metadata |
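Review bot: The new comment above `del partfile[domaindn]` states the invariant the BIND copy depends on — no secret data in the config, schema and metadata partitions — but nothing in the hunk checks it, so the guarantee rests on the comment alone; I would say that explicitly, e.g. `# NOTE: this is an assumption, not enforced here; revisit if secret attributes are ever stored in those partitions.` The parenthetical `(to be left out of date and essentially read-only)` is hard to parse on first read; `(which will be left out of date and is essentially read-only)` is clearer. "Only the stub of the domain partition is created above" is presumably what makes the `del` safe, but create_samdb_copy begins outside the hunk, so I cannot confirm from the visible lines what `partfile` holds at this point. A one-sentence mention of this property in create_samdb_copy's docstring would reach readers who never scroll to line 801.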