>From bfbe32e0efb0a4df1a46569d0dd33413ff08eeb9 Mon Sep 17 00:00:00 2001
From: Rowland Penny
Date: Fri, 17 Jun 2016 12:57:34 +0100
Subject: [PATCH] samba_upgradedns: fix for bug 10882
Signed-off-by: Rowland Penny
---
 source4/scripting/bin/samba_upgradedns | 122 +++++++++++++++------------------
 1 file changed, 55 insertions(+), 67 deletions(-)
diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
index 5963712..94f94a6 100755
--- a/source4/scripting/bin/samba_upgradedns
+++ b/source4/scripting/bin/samba_upgradedns
@@ -286,11 +286,11 @@ if __name__ == '__main__':
                                   attrs=['objectSid'])
         dnsadmins_sid = ndr_unpack(security.dom_sid, msg[0]['objectSid'][0])
     except IndexError:
-        logger.info("Adding DNS accounts")
+        logger.info("Adding DNS group 'DnsAdmins' account")
         add_dns_accounts(ldbs.sam, domaindn)
         dnsadmins_sid = get_dnsadmins_sid(ldbs.sam, domaindn)
     else:
-        logger.info("DNS accounts already exist")
+        logger.info("DNS group account 'DnsAdmins' already exists")
     # Import dns records from zone file
     if os.path.exists(paths.dns):
@@ -409,46 +409,62 @@ if __name__ == '__main__':
         except Exception:
             raise
+    # Check if dns-HOSTNAME account exists in sam.ldb and secrets.ldb
+    # Delete it if found
+    try:
+        dn_str = 'samAccountName=dns-%s,CN=Principals' % hostname
+        secrets_msg = ldbs.secrets.search(expression='(dn=%s)' % dn_str,
+                                          attrs=[])
+        dn = secrets_msg[0].dn
+    except IndexError:
+        dn = None
+
+    if dn is not None:
+        try:
+            ldbs.secrets.delete(dn)
+        except Exception:
+            logger.info("Failed to delete %s from secrets.ldb" % dn)
+
+    try:
+        msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
+                              expression='(sAMAccountName=dns-%s)' % (hostname),
+                              attrs=[])
+        dn = msg[0].dn
+    except IndexError:
+        dn = None
+
+    if dn is not None:
+        try:
+            ldbs.sam.delete(dn)
+        except Exception:
+            logger.info("Failed to delete %s from sam.ldb" % dn)
+
     # Special stuff for DLZ backend
     if opts.dns_backend == "BIND9_DLZ":
-        # Check if dns-HOSTNAME account exists and create it if required
-        secrets_msgs = ldbs.secrets.search(expression='(samAccountName=dns-%s)' % hostname, attrs=['secret'])
-        if len(secrets_msgs) == 0:
-
-            logger.info("Adding dns-%s account" % hostname)
-
-            msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
-                                  expression='(sAMAccountName=dns-%s)' % (hostname),
-                                  attrs=[])
-            if len(msg) == 1:
-                dn = msg[0].dn
-                ldbs.sam.delete(dn)
-
-            dnspass = samba.generate_random_password(128, 255)
-            setup_add_ldif(ldbs.sam, setup_path("provision_dns_add_samba.ldif"), {
-                "DNSDOMAIN": dnsdomain,
-                "DOMAINDN": domaindn,
-                "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')),
-                "HOSTNAME" : hostname,
-                "DNSNAME" : dnsname }
-            )
-
-            res = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
-                                  expression='(sAMAccountName=dns-%s)' % (hostname),
-                                  attrs=["msDS-KeyVersionNumber"])
-            if "msDS-KeyVersionNumber" in res[0]:
-                dns_key_version_number = int(res[0]["msDS-KeyVersionNumber"][0])
-            else:
-                dns_key_version_number = None
-
-            secretsdb_setup_dns(ldbs.secrets, names,
-                                paths.private_dir,
 realm=names.realm,
-                                dnsdomain=names.dnsdomain,
-                                dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
-                                key_version_number=dns_key_version_number)
-
+        logger.info("Adding dns-%s account" % hostname)
+
+        dnspass = samba.generate_random_password(128, 255)
+        setup_add_ldif(ldbs.sam, setup_path("provision_dns_add_samba.ldif"), {
+            "DNSDOMAIN": dnsdomain,
+            "DOMAINDN": domaindn,
+            "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')),
+            "HOSTNAME" : hostname,
+            "DNSNAME" : dnsname }
+        )
+
+        res = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
+                              expression='(sAMAccountName=dns-%s)' % (hostname),
+                              attrs=["msDS-KeyVersionNumber"])
+        if "msDS-KeyVersionNumber" in res[0]:
+            dns_key_version_number = int(res[0]["msDS-KeyVersionNumber"][0])
         else:
-            logger.info("dns-%s account already exists" % hostname)
+            dns_key_version_number = None
+
+        secretsdb_setup_dns(ldbs.secrets, names,
+                            paths.private_dir, realm=names.realm,
+                            dnsdomain=names.dnsdomain,
+                            dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
+                            key_version_number=dns_key_version_number)
         dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
         if os.path.isfile(dns_keytab_path) and paths.bind_gid is not None:
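Review bot: In the new unconditional clean-up, a failed `ldbs.sam.delete(dn)` (and likewise `ldbs.secrets.delete(dn)` just above it) is caught by a bare `except Exception` and only logged at info level, after which the script carries on; for the BIND9_DLZ backend the very next step is `setup_add_ldif` for the same sAMAccountName, which would presumably then fail with an entry-already-exists error far from the real cause, and for the other backends the stale dns-HOSTNAME account silently survives the upgrade. Suggest logging at error level with the exception and aborting, e.g. `except Exception as e:` / `logger.error("Failed to delete %s from sam.ldb: %s", dn, e)` / `raise`, mirrored for the secrets.ldb branch. The `if opts.dns_backend == "BIND9_DLZ":` branch also deserves a comment now that the "already exists" path is gone, since every run rotates the dns-HOSTNAME password and rewrites the keytab through `secretsdb_setup_dns`: `# the dns-HOSTNAME account was deleted above, so it is always re-created here with a fresh password and keytab`. The enclosing `if __name__ == '__main__':` block starts and ends outside the hunk.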
@@ -476,34 +492,6 @@ if __name__ == '__main__':
         logger.info("See %s for an example configuration include file for BIND", paths.namedconf)
         logger.info("and %s for further documentation required for secure DNS " "updates", paths.namedtxt)
-    elif opts.dns_backend == "SAMBA_INTERNAL":
-        # Check if dns-HOSTNAME account exists and delete it if required
-        try:
-            dn_str = 'samAccountName=dns-%s,CN=Principals' % hostname
-            msg = ldbs.secrets.search(expression='(dn=%s)' % dn_str, attrs=[])
-            dn = msg[0].dn
-        except IndexError:
-            dn = None
-
-        if dn is not None:
-            try:
-                ldbs.secrets.delete(dn)
-            except Exception:
-                logger.info("Failed to delete %s from secrets.ldb" % dn)
-
-        try:
-            msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
-                                  expression='(sAMAccountName=dns-%s)' % (hostname),
-                                  attrs=[])
-            dn = msg[0].dn
-        except IndexError:
-            dn = None
-
-        if dn is not None:
-            try:
-                ldbs.sam.delete(dn)
-            except Exception:
-                logger.info("Failed to delete %s from sam.ldb" % dn)
     logger.info("Finished upgrading DNS")
-- 
2.1.4