From 675d3d18c94de6523c69bba2c21f3dd998596682 Mon Sep 17 00:00:00 2001
From: Sergey Urushkin
Date: Wed, 10 Oct 2018 11:24:51 +0000
Subject: [PATCH] provision: create valid named.conf.update for BIND9_FLATFILE backend

Provision and samba_upgradedns: create valid named.conf.update for BIND9_FLATFILE backend, honoring installed BIND version and hostname.

Signed-off-by: Sergey Urushkin
---
 python/samba/provision/sambadns.py     | 25 ++++++++++++++++++++++---
 source4/scripting/bin/samba_upgradedns |  3 ++-
 source4/setup/named.conf.update        | 21 +++++++++++++++++----
 3 files changed, 41 insertions(+), 8 deletions(-)

diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index 7fb42f65d4e..371637e94e5 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -918,7 +918,7 @@ def create_dns_update_list(lp, logger, paths):
     setup_file(setup_path("spn_update_list"), paths.spn_update_list, None)
 
 
-def create_named_conf(paths, realm, dnsdomain, dns_backend, logger):
+def create_named_conf(paths, realm, dnsdomain, dns_backend, hostname, logger):
     """Write out a file containing zone statements suitable for inclusion in a
     named.conf file (including GSS-TSIG configuration).
 
@@ -938,6 +938,11 @@ def create_named_conf(paths, realm, dnsdomain, dns_backend, logger):
     from samba.provision import ProvisioningError
 
     if dns_backend == "BIND9_FLATFILE":
+        bind_info = subprocess.Popen(['named -V'], shell=True,
+                                     stdout=subprocess.PIPE,
+                                     stderr=subprocess.STDOUT,
+                                     cwd='.').communicate()[0]
+
         setup_file(setup_path("named.conf"), paths.namedconf, {
                        "DNSDOMAIN": dnsdomain,
                        "REALM": realm,
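Review bot: The new `subprocess.Popen(['named -V'], shell=True, ...)` hands a list to a shell, so only its first element reaches `sh -c`; it happens to work because the list has one element, but no shell is needed and the call should be `subprocess.check_output(['named', '-V'], stderr=subprocess.STDOUT, universal_newlines=True)` (the same pattern appears in the existing BIND9_DLZ branch below, which could be fixed alongside). Two silent failure modes deserve an explicit decision: when `named` is not on PATH the shell's error text becomes `bind_info` and every later version check simply misses, and on Python 3 `communicate()[0]` is bytes unless `universal_newlines=True` is set, so `bind_info.upper().find('BIND 9.7')` with a str argument would raise TypeError — confirm which interpreter this file targets. If provisioning on a host without BIND installed must keep working, catch `OSError` from the call, fall back to an empty string and emit a `logger.warning` saying the version could not be determined. `create_named_conf` continues past the end of this hunk.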
@@ -947,7 +952,21 @@ def create_named_conf(paths, realm, dnsdomain, dns_backend, logger):
                        "NAMED_CONF_UPDATE": paths.namedconf_update
                        })
 
-        setup_file(setup_path("named.conf.update"), paths.namedconf_update)
+        bind9_msself_name = '.'
+        if bind_info.upper().find('BIND 9.7') != -1 or \
+           bind_info.upper().find('BIND 9.8') != -1 or \
+           bind_info.upper().find('BIND 9.9') != -1 or \
+           bind_info.upper().find('BIND 9.10') != -1 or \
+           bind_info.upper().find('BIND 9.11.0') != -1 or \
+           bind_info.upper().find('BIND 9.11.1') != -1 or \
+           bind_info.upper().find('BIND 9.11.2') != -1:
+            bind9_msself_name = '*'
+        setup_file(setup_path("named.conf.update"), paths.namedconf_update, {
+            "REALM": realm,
+            "HOSTNAME": hostname,
+            "BIND9_MSSELF_NAME": bind9_msself_name,
+            "NAMED_CONF_UPDATE": paths.namedconf_update
+        })
 
     elif dns_backend == "BIND9_DLZ":
         bind_info = subprocess.Popen(['named -V'], shell=True,
@@ -1250,7 +1269,7 @@ def setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger,
     create_named_conf(paths, realm=names.realm,
                       dnsdomain=names.dnsdomain,
                       dns_backend=dns_backend,
-                      logger=logger)
+                      hostname=names.hostname, logger=logger)
 
     create_named_txt(paths.namedtxt, realm=names.realm,
                      dnsdomain=names.dnsdomain,
diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
index e29ba7092b5..bfa95de42c0 100755
--- a/source4/scripting/bin/samba_upgradedns
+++ b/source4/scripting/bin/samba_upgradedns
@@ -536,7 +536,8 @@ if __name__ == '__main__':
         create_samdb_copy(ldbs.sam, logger, paths, names, domainsid, domainguid)
 
-        create_named_conf(paths, names.realm, dnsdomain, opts.dns_backend, logger)
+        create_named_conf(paths, names.realm, dnsdomain, opts.dns_backend,
+                          names.hostname, logger)
         create_named_txt(paths.namedtxt, names.realm, dnsdomain, dnsname,
                          paths.binddns_dir, paths.dns_keytab)
 
diff --git a/source4/setup/named.conf.update b/source4/setup/named.conf.update
index 13cb29eafd0..6af9a4f8bd3 100644
--- a/source4/setup/named.conf.update
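Review bot: The new `if` chain selects `ms-self *` by substring, so `'BIND 9.11.1'` also matches 9.11.10 through 9.11.19 and `'BIND 9.11.2'` matches 9.11.20 and later — releases that sit past the 9.11.3 boundary the template's own comment describes and that would therefore get the wrong grant form — while an unrecognised or missing version string falls through to `'.'` without a log line. Parse the version out of `bind_info` once and range-compare it as a tuple, warning through the `logger` parameter when nothing parses; this needs `re` in scope at module level (not visible in this hunk) and, if `bind_info` is bytes on Python 3, either a bytes pattern or decoding the output first. `create_named_conf` begins before and ends after this hunk.
```python
        # BIND 9.7.0 .. 9.11.2 expect 'ms-self *'; 9.11.3 and later expect 'ms-self .'
        bind9_msself_name = '.'
        version = re.search(r'BIND (\d+)\.(\d+)\.(\d+)', bind_info)
        if version is None:
            logger.warning("could not determine BIND version from 'named -V' output, "
                           "defaulting to 'ms-self .' in named.conf.update")
        elif (9, 7, 0) <= tuple(int(x) for x in version.groups()) < (9, 11, 3):
            bind9_msself_name = '*'
        # … unchanged: setup_file(setup_path("named.conf.update"), ...) …
```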
+++ b/source4/setup/named.conf.update
@@ -1,4 +1,17 @@
-/*
-   this file will be automatically replaced with the correct
-   'grant' rules by samba at runtime
-*/
+# This DNS configuration is for BIND 9.7.0 or later with tkey-gssapi support.
+#
+# This file should be included in your domain zone clause.
+#
+# For example with
+# include "${NAMED_CONF_UPDATE}";
+
+#
+# This configures update policy for zone using GSSAPI authentication.
+# Use 'ms-self .' for BIND 9.11.3 or later.
+# Use 'ms-self *' for BIND 9.7 - 9.11.2.
+#
+update-policy {
+  grant ${REALM} ms-self ${BIND9_MSSELF_NAME} A AAAA;
+  grant Administrator@${REALM} wildcard * A AAAA SRV CNAME;
+  grant ${HOSTNAME}$@${REALM} wildcard * A AAAA SRV CNAME;
+};
-- 
2.17.1
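Review bot: The two `# Use 'ms-self ...'` lines document a choice that provision already makes from `named -V` output and bakes into `${BIND9_MSSELF_NAME}` when the file is generated, but the generated file neither records that the choice was automatic nor warns that it goes stale, so an operator who later upgrades BIND across the 9.11.3 boundary keeps the old grant form until the file is regenerated. I would replace those two lines with `# 'ms-self' name selected by provision from the BIND version installed at that time; regenerate this file (samba_upgradedns calls create_named_conf) or edit the line below after upgrading BIND across 9.11.3.`, keeping the existing note that the file targets BIND 9.7.0 or later. `Administrator@${REALM}` is a hard-coded principal name; if the built-in administrator has been renamed in a domain this grant presumably never matches, which is worth one comment line so operators know to adjust it.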