[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Wed Sep 12 10:31:02 MDT 2012
The branch, master has been updated
via a11e45f selftest: let provision_plugin_s4_dc use SMB3
via 72720d6 wintest: Fix --use-ntvfs handling
via ee4d1c4 wintest: Rework support for the internal DNS server
via fee7575 s4 provision: Ask for the dns forwarder IP address during interactive provision
via 1627fcd dns_server: Remove parameter 'dns recursive queries' and base this on 'dns forwarder'
via 5cac79a wintest: try to fix settings for the internal dns server
via 1b848ec lib/param: change the default for 'allow dns updates' to 'secure only'
via ea1841e lib/param: add some more aliases for 'allow dns updates' options.
via 2df6142 WHATSNEW.txt: Update DNS server description
via 9583366 s4:dns_server: remove wrong and unused dsdb_check_access_on_dn() check
via 61a07df dns_server: Attempt to SET and UNSET the sessionInfo to match the incoming user
via c4aef88 s4:samba_upgradedns: delete dns-HOSTNAME account if using the internal dns server
via 1e00c0d selftest:Samba4: don't provision with BIND9_DLZ
via 0c55510 s4:upgradehelpers.py: don't require a dns-$HOSTNAME account
via 50084e5 s4:provision: don't add the dns-HOSTNAME account if we use the internal dns server
via 6ff5884 loadparm: dns is now a default server service
via 56058ea s4 dns: use the internal DNS server per default
via 2af8129 s4 dns: Add libaddns-based simple tests
via 76801b5 s4 dns: Run python tests in fl2003dc env
via cf3aab6 s4 dns: Improve logging of delegated dns updates
via aa1e84a s4:selftest: run the dlz_bind9. tests in the chgdcpass env
from 51a4094 s3: remove unneeded noquota.c file
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a11e45f1c5268e798124fe9e0716b7b9d0557014
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 12 14:10:55 2012 +0200
selftest: let provision_plugin_s4_dc use SMB3
metze
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Sep 12 18:30:48 CEST 2012 on sn-devel-104
commit 72720d6ea0ec9b340e217986a3e136ef0635bd1f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 12 19:40:16 2012 +1000
wintest: Fix --use-ntvfs handling
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit ee4d1c406208d67aaa949934da78cd350e69ccf0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 12 18:34:41 2012 +1000
wintest: Rework support for the internal DNS server
We still have to run BIND; the change is whether BIND is run to support our own
zone, or whether we forward to it as well as to Windows.
This also adapts to the new defaults.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit fee75752fb9f0926bc9d7ea5731ef72d2197b9e3
Author: Kai Blin <kai at samba.org>
Date: Wed Sep 12 12:31:38 2012 +0200
s4 provision: Ask for the dns forwarder IP address during interactive provision
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 1627fcda3eff6e636438c90d07ffcfd497ea68e2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 12 18:07:58 2012 +1000
dns_server: Remove parameter 'dns recursive queries' and base this on 'dns forwarder'
This simplifies a very common configuration.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 5cac79abce9f7d30e28cbf15a94c7e92818a91ca
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 12 09:49:59 2012 +0200
wintest: try to fix settings for the internal dns server
metze
commit 1b848ecbffe5761ba8c6368a3eae24c3ee10cfce
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 12 09:31:17 2012 +0200
lib/param: change the default for 'allow dns updates' to 'secure only'
metze
commit ea1841ee10a25e654ff1f7dde6518707c9d1581a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 12 09:39:06 2012 +0200
lib/param: add some more aliases for 'allow dns updates' options.
metze
commit 2df614243928bcd47983e0b0368cd6de49567209
Author: Kai Blin <kai at samba.org>
Date: Wed Sep 12 01:59:03 2012 +0200
WHATSNEW.txt: Update DNS server description
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 9583366d1eba609e902b885244735b9c981cec9c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 12 14:42:18 2012 +0200
s4:dns_server: remove wrong and unused dsdb_check_access_on_dn() check
metze
commit 61a07df824f2231609b2b3bd157e995f623425a3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 11 20:59:51 2012 +1000
dns_server: Attempt to SET and UNSET the sessionInfo to match the incoming user
This avoids re-opening the DB as the correct user, but applies all the right ACLs
and resulting owner.
This needs a bit more testing...
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Kai Blin <kai at samba.org>
commit c4aef88b32de105527c895c5d5e1b9ed68a06601
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 12 08:53:18 2012 +0200
s4:samba_upgradedns: delete dns-HOSTNAME account if using the internal dns server
metze
commit 1e00c0dcec702c1759879d0243507ed92b2cd758
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 12 08:52:15 2012 +0200
selftest:Samba4: don't provision with BIND9_DLZ
metze
commit 0c55510a0d9aedcadacc76a8593cb378aa751da3
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 12 16:31:38 2012 +0200
s4:upgradehelpers.py: don't require a dns-$HOSTNAME account
metze
commit 50084e573218ffc06d6be59adda62083404405aa
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 12 08:46:35 2012 +0200
s4:provision: don't add the dns-HOSTNAME account if we use the internal dns server
metze
commit 6ff58847133f9a70746e6b6d64237e2816e8572c
Author: Kai Blin <kai at samba.org>
Date: Wed Sep 12 01:44:30 2012 +0200
loadparm: dns is now a default server service
commit 56058ea597836ed61a8abcd3c26732f2829ee641
Author: Kai Blin <kai at samba.org>
Date: Tue Sep 11 09:07:47 2012 +0200
s4 dns: use the internal DNS server per default
commit 2af8129085042b51ac052653942116ad5998f701
Author: Kai Blin <kai at samba.org>
Date: Mon Sep 10 22:22:43 2012 +0200
s4 dns: Add libaddns-based simple tests
commit 76801b502dd06d13e384ff495c82d0924aa0b6f8
Author: Kai Blin <kai at samba.org>
Date: Tue Sep 11 00:14:39 2012 +0200
s4 dns: Run python tests in fl2003dc env
commit cf3aab61fa5f0f95b8a34ef6d6d1131d154a39a3
Author: Kai Blin <kai at samba.org>
Date: Mon Sep 10 22:16:54 2012 +0200
s4 dns: Improve logging of delegated dns updates
commit aa1e84ae60badf032ac8d3980c9e45d0188ed4b7
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 12 14:15:21 2012 +0200
s4:selftest: run the dlz_bind9. tests in the chgdcpass env
metze
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 25 ++-
lib/param/loadparm.c | 5 +-
lib/param/param_functions.c | 1 -
lib/param/param_table.c | 20 ++-
selftest/target/Samba4.pm | 60 ++++---
source4/dns_server/dns_server.c | 5 +-
source4/dns_server/dns_update.c | 44 +++--
source4/scripting/bin/samba_upgradedns | 34 ++++-
source4/scripting/python/samba/netcmd/domain.py | 81 ++++++---
.../scripting/python/samba/provision/__init__.py | 25 ++-
source4/scripting/python/samba/tests/dns.py | 38 ++--
source4/scripting/python/samba/upgradehelpers.py | 3 -
source4/selftest/tests.py | 7 +-
source4/torture/dns/dlz_bind9.c | 2 +-
source4/torture/dns/internal_dns.c | 190 ++++++++++++++++++++
source4/torture/dns/wscript_build | 12 +-
wintest/conf/abartlet.conf | 12 +-
wintest/test-s4-howto.py | 28 ++--
wintest/wintest.py | 62 ++++---
19 files changed, 487 insertions(+), 167 deletions(-)
create mode 100644 source4/torture/dns/internal_dns.c
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 07ece29..e8e2613 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -49,6 +49,10 @@ with those matching the GPOs in LDAP and the defaults from an initial
provision. This will set an underlying POSIX ACL if required (eg not
using the NTVFS file server).
+If you used the BIND9_FLATFILE or BIND9_DLZ features,
+you'll have to add '-dns' to the 'server services' option,
+as the internal dns server (SAMBA_INTERNAL) is the default now.
+
NEW FEATURES
============
@@ -80,13 +84,14 @@ running an AD DC, you only need to run 'samba' (not
nmbd/smbd/winbind), as the required services are co-coordinated by this
master binary.
-As DNS is an integral part of Active Directory, we also provide a DNS
-solution, using the BIND DLZ mechanism in versions 9.8 and 9.9.
-During the provision, a configuration file will be generated for bind
-to make it use this plugin. We also have a project to provide a
-minimal internal DNS server from within the Samba process, for easier
-'out of the box' configuration. Note however that this is not yet
-complete (pending addition of secure DNS update support).
+As DNS is an integral part of Active Directory, we also provide two DNS
+solutions, a simple internal DNS server for 'out of the box' configurations
+and a more elaborate BIND plugin using the BIND DLZ mechanism in versions
+9.8 and 9.9. During the provision, you can select which backend to use.
+With the internal backend, your DNS server is good to go.
+If you chose the BIND_DLZ backend, a configuration file will be generated
+for bind to make it use this plugin, as well as a file explaining how to
+set up bind.
To provide accurate timestamps to Windows clients, we integrate with
the NTP project to provide secured NTP replies. To use you need to
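Review bot: the new paragraph calls the backend "BIND_DLZ" while the rest of this changeset (the earlier hunk in this file, the --dns-backend choices in samba_upgradedns and the --dns-backend=BIND9_DLZ option in Samba4.pm) calls it BIND9_DLZ; suggest `If you chose the BIND9_DLZ backend, a configuration file will be generated` so a reader can match the name against the provision option. While this paragraph is being rewritten, the unchanged context line "co-coordinated" two lines above it could become "coordinated".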
@@ -131,6 +136,12 @@ the same.
The 'updateprovision' script was renamed to 'samba_upgradeprovision'.
+We changed the default dns implementation to the internal dns server
+(SAMBA_INTERNAL). BIND9_FLATFILE and BIND9_DLZ are still available,
+but you'll have to add '-dns' to the 'server services' option
+to disable the internal dns server.
+The default for 'allow dns updates' has changed to 'secure only'.
+
CHANGES SINCE beta7
=====================
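Review bot: the removal of the 'dns recursive queries' parameter (lib/param/param_table.c and loadparm.c in this same changeset) is not mentioned here, although an existing smb.conf that still carries it will now be rejected as an unknown parameter; add a line such as "The 'dns recursive queries' parameter has been removed; recursion is offered whenever 'dns forwarder' is set." Note also that the '-dns' advice in this hunk repeats the first hunk of this file almost verbatim; one of the two could point at the other.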
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index d4318a4..990dd29 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2103,7 +2103,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "max connections", "-1");
lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
- lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate");
+ lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns");
/* the winbind method for domain controllers is for both RODC
auth forwarding and for trusted domains */
lpcfg_do_global_parameter(lp_ctx, "private dir", dyn_PRIVATE_DIR);
@@ -2214,8 +2214,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "rndc command", "/usr/sbin/rndc");
lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g");
- lpcfg_do_global_parameter(lp_ctx, "allow dns updates", "False");
- lpcfg_do_global_parameter(lp_ctx, "dns recursive queries", "False");
+ lpcfg_do_global_parameter(lp_ctx, "allow dns updates", "secure only");
lpcfg_do_global_parameter(lp_ctx, "dns forwarder", "");
for (i = 0; parm_table[i].label; i++) {
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index bf6863e..ce2f671 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -179,7 +179,6 @@ FN_GLOBAL_BOOL(defer_sharing_violations, bDeferSharingViolations)
FN_GLOBAL_BOOL(disable_netbios, bDisableNetbios)
FN_GLOBAL_BOOL(_disable_spoolss, bDisableSpoolss)
FN_GLOBAL_BOOL(_domain_logons, bDomainLogons)
-FN_GLOBAL_BOOL(dns_recursive_queries, dns_recursive_queries)
FN_GLOBAL_BOOL(enable_asu_support, bASUSupport)
FN_GLOBAL_BOOL(enable_core_files, bEnableCoreFiles)
FN_GLOBAL_BOOL(enable_privileges, bEnablePrivileges)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 060608a..325f295 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -113,8 +113,20 @@ static const struct enum_list enum_smb_signing_vals[] = {
/* DNS update options. */
static const struct enum_list enum_dns_update_settings[] = {
+ {DNS_UPDATE_OFF, "disabled"},
+ {DNS_UPDATE_OFF, "No"},
{DNS_UPDATE_OFF, "False"},
+ {DNS_UPDATE_OFF, "0"},
+ {DNS_UPDATE_OFF, "Off"},
+ {DNS_UPDATE_ON, "nonsecure and secure"},
+ {DNS_UPDATE_ON, "nonsecure"},
+ {DNS_UPDATE_ON, "Yes"},
{DNS_UPDATE_ON, "True"},
+ {DNS_UPDATE_ON, "1"},
+ {DNS_UPDATE_ON, "On"},
+ {DNS_UPDATE_ON, "enabled"},
+ {DNS_UPDATE_SIGNED, "secure only"},
+ {DNS_UPDATE_SIGNED, "secure"},
{DNS_UPDATE_SIGNED, "signed"},
{-1, NULL}
};
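Review bot: the lone alias "nonsecure" maps to DNS_UPDATE_ON, the same value as "nonsecure and secure", so an administrator who writes `allow dns updates = nonsecure` expecting only unsigned updates to be accepted actually gets both; either drop the single-word alias or document that it is a synonym for "nonsecure and secure" in the parameter description. The mixed-case spellings ("No"/"Yes"/"Off"/"On") also only work if the enum lookup is case-insensitive, which is worth confirming before relying on them.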
@@ -4249,14 +4261,6 @@ static struct parm_struct parm_table[] = {
.flags = FLAG_ADVANCED,
},
{
- .label = "dns recursive queries",
- .type = P_BOOL,
- .p_class = P_GLOBAL,
- .offset = GLOBAL_VAR(dns_recursive_queries),
- .special = NULL,
- .enum_list = NULL
- },
- {
.label = "dns update command",
.type = P_CMDLIST,
.p_class = P_GLOBAL,
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index f1f2e17..003f03d 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -424,7 +424,7 @@ sub provision_raw_prepare($$$$$$$$$$)
{
my ($self, $prefix, $server_role, $hostname,
$domain, $realm, $functional_level,
- $password, $kdc_ipv4, $use_ntvfs) = @_;
+ $password, $kdc_ipv4) = @_;
my $ctx;
my $netbiosname = uc($hostname);
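Review bot: the prototype `sub provision_raw_prepare($$$$$$$$$$)` still declares ten scalar arguments while the parameter list now unpacks nine; Perl ignores prototypes on method calls so nothing breaks, but the prototype should be updated (or dropped) to match, and the same applies to `sub provision($$$$$$$$$)` below, which unpacks twelve values.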
@@ -540,11 +540,6 @@ sub provision_raw_prepare($$$$$$$$$$)
push (@provision_options, "--root=$ctx->{unix_name}");
push (@provision_options, "--server-role=\"$ctx->{server_role}\"");
push (@provision_options, "--function-level=\"$ctx->{functional_level}\"");
- push (@provision_options, "--dns-backend=BIND9_DLZ");
-
- if ($use_ntvfs) {
- push (@provision_options, "--use-ntvfs");
- }
@{$ctx->{provision_options}} = @provision_options;
@@ -589,7 +584,7 @@ sub provision_raw_step1($$)
panic action = $RealBin/gdb_backtrace \%d
wins support = yes
server role = $ctx->{server_role}
- server services = +echo +dns +smb -s3fs
+ server services = +echo +smb -s3fs
dcerpc endpoint servers = +winreg +srvsvc
notify:inotify = false
ldb:nosync = true
@@ -714,12 +709,19 @@ sub provision($$$$$$$$$)
{
my ($self, $prefix, $server_role, $hostname,
$domain, $realm, $functional_level,
- $password, $kdc_ipv4, $extra_smbconf_options, $extra_smbconf_shares, $use_ntvfs) = @_;
+ $password, $kdc_ipv4, $extra_smbconf_options, $extra_smbconf_shares,
+ $extra_provision_options) = @_;
my $ctx = $self->provision_raw_prepare($prefix, $server_role,
$hostname,
$domain, $realm, $functional_level,
- $password, $kdc_ipv4, $use_ntvfs);
+ $password, $kdc_ipv4);
+
+ if (defined($extra_provision_options)) {
+ push (@{$ctx->{provision_options}}, @{$extra_provision_options});
+ } else {
+ push (@{$ctx->{provision_options}}, "--use-ntvfs");
+ }
$ctx->{share} = "$ctx->{prefix_abs}/share";
push(@{$ctx->{directories}}, "$ctx->{share}");
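Review bot: the fallback "push --use-ntvfs unless $extra_provision_options is defined" ties the file-server backend to an unrelated argument: a caller that wants ntvfs plus extra provision options must now add "--use-ntvfs" itself, and a caller that wants the s3fs backend (previously `0` in the last argument position) can only get it by passing a defined but empty array reference, which is not obvious at the call sites. Suggest keeping an explicit $use_ntvfs flag next to $extra_provision_options, or making every caller pass the complete option list.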
@@ -859,7 +861,7 @@ sub provision_member($$$)
"2008",
"locMEMpass3",
$dcvars->{SERVER_IP},
- "", "", 1);
+ "", "", undef);
unless ($ret) {
return undef;
}
@@ -924,7 +926,7 @@ sub provision_rpc_proxy($$$)
"2008",
"locRPCproxypass4",
$dcvars->{SERVER_IP},
- $extra_smbconf_options, "", 1);
+ $extra_smbconf_options, "", undef);
unless ($ret) {
return undef;
@@ -996,7 +998,9 @@ sub provision_promoted_vampire_dc($$$)
"samba.example.com",
"2008",
$dcvars->{PASSWORD},
- $dcvars->{SERVER_IP}, 1);
+ $dcvars->{SERVER_IP});
+
+ push (@{$ctx->{provision_options}}, "--use-ntvfs");
$ctx->{smb_conf_extra_options} = "
max xmit = 32K
@@ -1068,7 +1072,9 @@ sub provision_vampire_dc($$$)
"samba.example.com",
"2008",
$dcvars->{PASSWORD},
- $dcvars->{SERVER_IP}, 1);
+ $dcvars->{SERVER_IP});
+
+ push (@{$ctx->{provision_options}}, "--use-ntvfs");
$ctx->{smb_conf_extra_options} = "
max xmit = 32K
@@ -1127,7 +1133,9 @@ sub provision_subdom_dc($$$)
"sub.samba.example.com",
"2008",
$dcvars->{PASSWORD},
- undef, 1);
+ undef);
+
+ push (@{$ctx->{provision_options}}, "--use-ntvfs");
$ctx->{smb_conf_extra_options} = "
max xmit = 32K
@@ -1183,8 +1191,7 @@ sub provision_dc($$)
my ($self, $prefix) = @_;
print "PROVISIONING DC...";
- my $extra_conf_options = "netbios aliases = localDC1-a
-allow dns updates = True";
+ my $extra_conf_options = "netbios aliases = localDC1-a";
my $ret = $self->provision($prefix,
"domain controller",
"localdc",
@@ -1192,7 +1199,7 @@ allow dns updates = True";
"samba.example.com",
"2008",
"locDCpass1",
- undef, $extra_conf_options, "", 1);
+ undef, $extra_conf_options, "", undef);
return undef unless(defined $ret);
unless($self->add_wins_config("$prefix/private")) {
@@ -1221,7 +1228,7 @@ sub provision_fl2000dc($$)
"samba2000.example.com",
"2000",
"locDCpass5",
- undef, "", "", 1);
+ undef, "", "", undef);
unless($self->add_wins_config("$prefix/private")) {
warn("Unable to add wins configuration");
@@ -1243,7 +1250,7 @@ sub provision_fl2003dc($$)
"samba2003.example.com",
"2003",
"locDCpass6",
- undef, "", "", 1);
+ undef, "allow dns updates = nonsecure and secure", "", undef);
unless($self->add_wins_config("$prefix/private")) {
warn("Unable to add wins configuration");
@@ -1265,7 +1272,7 @@ sub provision_fl2008r2dc($$)
"samba2008R2.example.com",
"2008_R2",
"locDCpass7",
- undef, "", "", 1);
+ undef, "", "", undef);
unless ($self->add_wins_config("$prefix/private")) {
warn("Unable to add wins configuration");
@@ -1288,11 +1295,13 @@ sub provision_rodc($$$)
"samba.example.com",
"2008",
$dcvars->{PASSWORD},
- $dcvars->{SERVER_IP}, 1);
+ $dcvars->{SERVER_IP});
unless ($ctx) {
return undef;
}
+ push (@{$ctx->{provision_options}}, "--use-ntvfs");
+
$ctx->{share} = "$ctx->{prefix_abs}/share";
push(@{$ctx->{directories}}, "$ctx->{share}");
@@ -1375,7 +1384,7 @@ sub provision_plugin_s4_dc($$)
printing = bsd
printcap name = /dev/null
- max protocol = SMB2
+ max protocol = SMB3
read only = no
server signing = auto
@@ -1451,7 +1460,7 @@ sub provision_plugin_s4_dc($$)
"2008",
"locDCpass1",
undef, $extra_smbconf_options,
- $extra_smbconf_shares, 0);
+ $extra_smbconf_shares, undef);
return undef unless(defined $ret);
unless($self->add_wins_config("$prefix/private")) {
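Review bot: this call previously passed `0` for $use_ntvfs, i.e. no --use-ntvfs, which is what makes provision_plugin_s4_dc the s3fs-backed DC; passing `undef` now falls into the else-branch of provision() that pushes "--use-ntvfs", so this environment silently switches file-server backend. Pass `[]` (a defined, empty list) here, or restore an explicit flag in provision().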
@@ -1473,6 +1482,8 @@ sub provision_chgdcpass($$)
my ($self, $prefix) = @_;
print "PROVISIONING CHGDCPASS...";
+ my $extra_provision_options = undef;
+ push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
my $ret = $self->provision($prefix,
"domain controller",
"chgdcpass",
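Review bot: `my $extra_provision_options = undef;` followed by `push (@{$extra_provision_options}, ...)` relies on autovivification; `my $extra_provision_options = ["--dns-backend=BIND9_DLZ"];` says the same in one line and makes it clear a defined array reference is being passed.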
@@ -1480,7 +1491,8 @@ sub provision_chgdcpass($$)
"chgdcpassword.samba.example.com",
"2008",
"chgDCpass1",
- undef, "", "", 1);
+ undef, "server services = -dns", "",
+ $extra_provision_options);
return undef unless(defined $ret);
unless($self->add_wins_config("$prefix/private")) {
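Review bot: this call previously passed `1` for $use_ntvfs, but with the new provision() logic a defined $extra_provision_options suppresses the "--use-ntvfs" push, so the chgdcpass DC changes file-server backend as a side effect of selecting the BIND9_DLZ DNS backend. If ntvfs is still intended here, add "--use-ntvfs" to $extra_provision_options alongside "--dns-backend=BIND9_DLZ".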
diff --git a/source4/dns_server/dns_server.c b/source4/dns_server/dns_server.c
index be1fecc..c88ea83 100644
--- a/source4/dns_server/dns_server.c
+++ b/source4/dns_server/dns_server.c
@@ -117,7 +117,7 @@ static struct tevent_req *dns_process_send(TALLOC_CTX *mem_ctx,
struct dns_process_state *state;
enum ndr_err_code ndr_err;
WERROR ret;
-
+ const char *forwarder = lpcfg_dns_forwarder(dns->task->lp_ctx);
req = tevent_req_create(mem_ctx, &state, struct dns_process_state);
if (req == NULL) {
return NULL;
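Review bot: the new `const char *forwarder = ...` line replaces the blank line that separated the declarations from the first statement; keep a blank line after it so the declaration block stays visually distinct from `req = tevent_req_create(...)`, matching the style of the rest of the function.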
@@ -156,7 +156,8 @@ static struct tevent_req *dns_process_send(TALLOC_CTX *mem_ctx,
state->state.flags = state->in_packet.operation;
state->state.flags |= DNS_FLAG_REPLY;
- if (lpcfg_dns_recursive_queries(dns->task->lp_ctx)) {
+
+ if (forwarder && *forwarder) {
state->state.flags |= DNS_FLAG_RECURSION_AVAIL;
}
diff --git a/source4/dns_server/dns_update.c b/source4/dns_server/dns_update.c
index 2df0b58..8be3564 100644
--- a/source4/dns_server/dns_update.c
+++ b/source4/dns_server/dns_update.c
@@ -391,7 +391,6 @@ static WERROR handle_one_update(struct dns_server *dns,
uint16_t i;
WERROR werror;
bool needs_add = false;
- uint32_t access_mask = 0;
DEBUG(2, ("Looking at record: \n"));
if (DEBUGLVL(2)) {
@@ -424,24 +423,9 @@ static WERROR handle_one_update(struct dns_server *dns,
rcount = 0;
needs_add = true;
werror = WERR_OK;
- access_mask = SEC_ADS_CREATE_CHILD;
}
W_ERROR_NOT_OK_RETURN(werror);
- access_mask = SEC_STD_REQUIRED | SEC_ADS_SELF_WRITE;
-
- if (tkey != NULL) {
- int ldb_ret;
- ldb_ret = dsdb_check_access_on_dn(dns->samdb, mem_ctx, dn,
- tkey->session_info->security_token,
- access_mask, NULL);
- if (ldb_ret != LDB_SUCCESS) {
- DEBUG(5, ("Disallowing update: %s\n", ldb_strerror(ldb_ret)));
- return DNS_ERR(REFUSED);
- }
- DEBUG(5, ("Allowing signed update\n"));
- }
-
if (update->rr_class == zone->question_class) {
if (update->rr_type == DNS_QTYPE_CNAME) {
/*
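Review bot: with the dsdb_check_access_on_dn() block removed, `tkey` is no longer referenced anywhere in the visible body of handle_one_update(); if nothing else in the function uses it, drop the parameter and adjust the caller in handle_updates() to avoid an unused-parameter warning. Authorization of signed updates now rests entirely on the "sessionInfo" opaque that handle_updates() installs before calling this function, so that ordering is now load-bearing and deserves a comment at the top of handle_one_update().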
@@ -664,12 +648,22 @@ static WERROR handle_updates(struct dns_server *dns,
uint16_t ri;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ if (tkey != NULL) {
+ ret = ldb_set_opaque(dns->samdb, "sessionInfo", tkey->session_info);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(1, ("unable to set session info\n"));
+ werror = DNS_ERR(SERVER_FAILURE);
+ goto failed;
+ }
+ }
+
werror = dns_name2dn(dns, tmp_ctx, zone->name, &zone_dn);
- W_ERROR_NOT_OK_RETURN(werror);
+ W_ERROR_NOT_OK_GOTO(werror, failed);
ret = ldb_transaction_start(dns->samdb);
if (ret != LDB_SUCCESS) {
- return DNS_ERR(SERVER_FAILURE);
+ werror = DNS_ERR(SERVER_FAILURE);
+ goto failed;
}
werror = check_prerequisites(dns, tmp_ctx, zone, prereqs, pcount);
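Review bot: `failed:` calls ldb_transaction_cancel(), but three of the paths that now jump there (the ldb_set_opaque() failure, the dns_name2dn() failure via W_ERROR_NOT_OK_GOTO, and the ldb_transaction_start() failure itself) run before any transaction exists; previously these paths returned directly. Cancelling a transaction that was never started is an error from ldb's point of view, so add a second label (for example `failed_no_txn:`) that only restores the sessionInfo opaque and frees tmp_ctx, and use it for the goto sites above ldb_transaction_start().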
@@ -685,10 +679,22 @@ static WERROR handle_updates(struct dns_server *dns,
ldb_transaction_commit(dns->samdb);
TALLOC_FREE(tmp_ctx);
+
+ if (tkey != NULL) {
+ ldb_set_opaque(dns->samdb, "sessionInfo",
+ system_session(dns->task->lp_ctx));
+ }
+
return WERR_OK;
failed:
ldb_transaction_cancel(dns->samdb);
+
+ if (tkey != NULL) {
+ ldb_set_opaque(dns->samdb, "sessionInfo",
+ system_session(dns->task->lp_ctx));
+ }
+
TALLOC_FREE(tmp_ctx);
return werror;
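Review bot: both exit paths reset "sessionInfo" to system_session() rather than to whatever opaque was in place before handle_updates() overrode it; save the previous value with ldb_get_opaque(dns->samdb, "sessionInfo") before the override and restore that, which also lets the two identical restore blocks collapse into one helper. The return value of the restoring ldb_set_opaque() is ignored as well; at least DEBUG() a failure, because if the restore does not take effect the next unsigned update on this samdb handle would run with the previous client's security token.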
@@ -770,7 +776,7 @@ WERROR dns_server_process_update(struct dns_server *dns,
if (host_part_len != 0) {
/* TODO: We need to delegate this one */
- DEBUG(1, ("Would have to delegate zones.\n"));
+ DEBUG(1, ("Would have to delegate zone '%s'.\n", zone->name));
return DNS_ERR(NOT_IMPLEMENTED);
}
diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
index c1220bc..8304134 100755
--- a/source4/scripting/bin/samba_upgradedns
+++ b/source4/scripting/bin/samba_upgradedns
@@ -238,8 +238,8 @@ if __name__ == '__main__':
parser.add_option_group(credopts)
parser.add_option("--dns-backend", type="choice", metavar="<BIND9_DLZ|SAMBA_INTERNAL>",
- choices=["SAMBA_INTERNAL", "BIND9_DLZ"], default="BIND9_DLZ",
- help="The DNS server backend, default BIND9_DLZ")
+ choices=["SAMBA_INTERNAL", "BIND9_DLZ"], default="SAMBA_INTERNAL",
+ help="The DNS server backend, default SAMBA_INTERNAL")
parser.add_option("--migrate", type="choice", metavar="<yes|no>",
choices=["yes","no"], default="yes",
help="Migrate existing zone data, default yes")
@@ -248,7 +248,7 @@ if __name__ == '__main__':
opts = parser.parse_args()[0]
if opts.dns_backend is None:
- opts.dns_backend = 'DLZ_BIND9'
+ opts.dns_backend = 'SAMBA_INTERNAL'
if opts.migrate:
autofill = False
@@ -472,5 +472,33 @@ if __name__ == '__main__':
logger.info("See %s for an example configuration include file for BIND", paths.namedconf)
logger.info("and %s for further documentation required for secure DNS "
"updates", paths.namedtxt)
+ elif opts.dns_backend == "SAMBA_INTERNAL":
+ # Check if dns-HOSTNAME account exists and delete it if required
+ try:
+ dn_str = 'samAccountName=dns-%s,CN=Principals' % hostname
+ msg = ldbs.secrets.search(expression='(dn=%s)' % dn_str, attrs=['secret'])
+ dn = msg[0].dn
+ except Exception:
+ dn = None
+
+ if dn is not None:
+ try:
+ ldbs.secrets.delete(dn)
+ except Exception:
+ logger.info("Failed to delete %s from secrets.ldb" % dn)
+
+ try:
+ msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
+ expression='(sAMAccountName=dns-%s)' % (hostname),
+ attrs=['clearTextPassword'])
+ dn = msg[0].dn
+ except Exception:
+ dn = None
+
+ if dn is not None:
+ try:
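Review bot: the bare `except Exception` around `search(...)` plus `msg[0].dn` treats an empty result (IndexError) and a genuine LDB error the same way, so a broken secrets.ldb is reported as "account not present"; check `len(msg)` explicitly and let real errors propagate or be logged. The failed delete is logged at info level although a leftover dns-HOSTNAME credential is exactly what this branch exists to remove; use logger.warning. For looking up a known DN, `search(base=dn_str, scope=ldb.SCOPE_BASE)` is also more direct than a `(dn=...)` filter expression.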
--
Samba Shared Repository