[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Sun Jun 11 00:05:05 UTC 2017


The branch, master has been updated
       via  75eb2e3 join.py Add DNS records at domain join time
       via  dfe739a selftest: Add test confirming join-created DNS entries can be modified as the DC
       via  e36d908 selftest: Test join.py and confirm that the DNS record is created
       via  d0c2116 provision: Allow removing an existing account when force=True is set
       via  db475ed provision: Move default handler for site=None down into dc_join object creation
       via  b36d4e9 selftest: Use TestCaseInTempDir as base class in dns tests
       via  9229809 selftest: Create new common base class for dns.py and dns_tkey.py
       via  11ba6f8 selftest: merge DNSTest boilerplate
       via  589a662 selftest: move make_txt_record() onto self in samba.tests.dns
       via  3d313f7 samba_dnsupdate: fix "samba-tool" fallback error handling
       via  2f42f55 samba_dnsupdate: Extend possible server list to all NS servers for the zone
       via  c1bf6d2 dns_server: clobber MNAME in the SOA
       via  21e76e2 selftest: run dns tests in multiple envs
       via  46380ad selftest: confirm we clobber the MNAME in the SOA query in the DNS server
       via  96ce51a samba_dnsupdate: Try to get ticket to the SOA, not the NS servers
       via  5f7b7c2 samba_dnsupdate: Make nsupdate use the server given by the SOA record
       via  00de59a join.py: Do not expose the old machine password over NTLM if -k yes was set
       via  970fdfa pydsdb_dns: Allow the partition DN to be specified into py_dsdb_dns_lookup
       via  f5e945c pydsdb_dns: Use TypeError not LdbError for mismatched types
       via  fa3c026 python: Allow sd_utils to take a Dn object, not just a string DN
       via  e7bc974 pydns: Also return the DN of the LDB object when finding a DNS record
       via  9186cc7 pydns: Fix leak of talloc_stackframe() in python bindings
       via  4a437eb samba_dnsupdate: Ensure we only force "server" under resolv_wrapper
       via  ef59a7c dsdb: Improve error messages when dsdb_set_schema_from_ldif() fails
      from  21b2710 ctdbd_conn: Fix ctdbd_connection_destructor

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 75eb2e3a09ed7ab5beac4593d93e6ea0e506f857
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Feb 17 18:23:23 2017 +1300

    join.py Add DNS records at domain join time
    
    This avoids issues getting replication going after the DC first starts
    as the rest of the domain does not have to wait for samba_dnsupdate to
    run successfully
    
    We do not just run samba_dnsupdate as we want to strictly
    operate against the DC we just joined:
     - We do not want to query another DNS server
     - We do not want to obtain a Kerberos ticket for the new DC
       (as the KDC we select may not be the DC we just joined,
       and so may not be in sync with the password we just set)
     - We do not wish to set the _ldap records until we have started
     - We do not wish to use NTLM (the --use-samba-tool mode forces
       NTLM)
    
    The downside to using DCE/RPC rather than DNS is that these will
    be regarded as static entries, and (against Windows) have the ACL
    assigned for static entries.  However this is still better than no
    DNS at all.
    
    Because some tests want a DNS record matching their own name
    this fixes some tests and removes entries from knownfail
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Sun Jun 11 02:04:52 CEST 2017 on sn-devel-144

commit dfe739a252e994c6091aea0c6220134ed6fa2f72
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jun 8 15:25:23 2017 +1200

    selftest: Add test confirming join-created DNS entries can be modified as the DC
    
    This ensures that samba_dnsupdate can run in the long term against the new DNS entries
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit e36d90810654b69094662ab9e49f417bc8951496
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jun 1 17:11:57 2017 +1200

    selftest: Test join.py and confirm that the DNS record is created
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit d0c211691e64af1b569529c5b8523676eaf454ef
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 6 15:22:35 2017 +1200

    provision: Allow removing an existing account when force=True is set
    
    This allows a practical override for use in test scripts
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit db475ed6b4cdf59252a072d4af6fefeb32a50b87
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 6 15:21:50 2017 +1200

    provision: Move default handler for site=None down into dc_join object creation
    
    This makes this code easier to call from a test script
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit b36d4e9ca4f506f70f2c7461f51271e888c65a7e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jun 1 15:15:25 2017 +1200

    selftest: Use TestCaseInTempDir as base class in dns tests
    
    This will help when we add a new join test based on this code
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 9229809f75fbc5750679ebb238876a9825552619
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jun 1 13:26:37 2017 +1200

    selftest: Create new common base class for dns.py and dns_tkey.py
    
    This will allow more DNS tests to be written in the future with less
    code duplication.

commit 11ba6f8cde2928a20969acb20e779db3ad4a9cce
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jun 9 10:00:09 2017 +1200

    selftest: merge DNSTest boilerplate
    
    This will help unifying dns.py and dns_tkey.py to use common subclasses
    
    The code was originally copied, but has since diverged.  This handles
    that divergence.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 589a6621ee4bc4ba69c436b1c304f7de3efda627
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed May 31 13:57:25 2017 +1200

    selftest: move make_txt_record() onto self in samba.tests.dns
    
    This will help unifying dns.py and dns_tkey.py to use common subclasses
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 3d313f7da5e576f6947672368971484e20c4134c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Apr 11 14:23:49 2017 +1200

    samba_dnsupdate: fix "samba-tool" fallback error handling
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 2f42f55ad4a6f27489240de2c67b57b59a5e6c5c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Apr 11 14:14:15 2017 +1200

    samba_dnsupdate: Extend possible server list to all NS servers for the zone
    
    This should eventually be removed, but for now this unblocks samba_dnsupdate operation
    in existing domains that have lost the original Samba DC
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit c1bf6d24936b5255b9a714f8f252e281b7f82c9f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Apr 11 12:43:22 2017 +1200

    dns_server: clobber MNAME in the SOA
    
    Otherwise, we always report the first server we created/provisioned the AD domain on
    which does not match AD behaviour.  AD is multi-master so all RW servers are a master.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 21e76e2379934e55a4e9fc3b9cbea890a8fb535f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jun 8 16:20:42 2017 +1200

    selftest: run dns tests in multiple envs
    
    This will let us check the negative behaviour: that updates against RODCs fail
    and un-authenticated updates fail.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 46380ad97dee00cc481166a0d3b68365d8c146ce
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jun 8 15:54:22 2017 +1200

    selftest: confirm we clobber the MNAME in the SOA query in the DNS server
    
    All RW DCs should be their own master DNS server.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 96ce51a1895b97632ccfbacc40ce0fbb639e0432
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Apr 10 17:13:46 2017 +1200

    samba_dnsupdate: Try to get ticket to the SOA, not the NS servers
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 5f7b7c226329849e0151e0e67f446e63779d9391
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Apr 10 17:10:27 2017 +1200

    samba_dnsupdate: Make nsupdate use the server given by the SOA record
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 00de59a478301a00a33b420524cd52caf481854f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Apr 10 16:10:00 2017 +1200

    join.py: Do not expose the old machine password over NTLM if -k yes was set
    
    This makes the test for a valid machine account stricter (as a kerberos error could
    cause this to fail and so skip the validation), but we never wish to use NTLM
    if the administrator disabled it on the command line
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 970fdfae6a18bf11d423a72973c0f7b589e6f92a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jun 9 16:05:31 2017 +1200

    pydsdb_dns: Allow the partition DN to be specified into py_dsdb_dns_lookup
    
    This allows lookups to be confined to one partition, which in turn avoids issues
    when running this against MS Windows, which does not match Samba behaviour
    for dns_common_zones()
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit f5e945c810b5e453b699d4e796cfb6790c442a17
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Apr 10 16:06:13 2017 +1200

    pydsdb_dns: Use TypeError not LdbError for mismatched types
    
    This avoids the samba-tool command handling code blowing up when trying to parse an LdbError
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit fa3c026983d597769f600e50b7e2b0e8772f3fd6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Feb 28 14:15:12 2017 +1300

    python: Allow sd_utils to take a Dn object, not just a string DN
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit e7bc97433377daaf9cb8fde7fdea79f5848ec535
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Feb 27 17:09:56 2017 +1300

    pydns: Also return the DN of the LDB object when finding a DNS record
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 9186cc7143cdeec2233df1b3322297a6974d9d2a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Feb 27 16:51:45 2017 +1300

    pydns: Fix leak of talloc_stackframe() in python bindings
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 4a437eb4beca6e52ab1e3dfda6427b40af1b06fd
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Feb 17 18:24:27 2017 +1300

    samba_dnsupdate: Ensure we only force "server" under resolv_wrapper
    
    This ensures that nsupdate can use a nameserver in /etc/resolv.conf that is a
    cache or forwarder, rather than the AD DC directly.
    
    This avoids a regression from forcing the nameservers to the
    /etc/resolv.conf nameservers in
    e85ef1dbfef4b16c35cac80c0efc563d8cd1ba3e
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit ef59a7cc1d9d2a8be120369478394981f127d378
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue May 23 15:56:55 2017 +1200

    dsdb: Improve error messages when dsdb_set_schema_from_ldif() fails
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/join.py                            | 247 +++++++++++--
 python/samba/netcmd/domain.py                   |   3 -
 python/samba/remove_dc.py                       |   4 +-
 python/samba/samdb.py                           |  10 +-
 python/samba/sd_utils.py                        |   6 +-
 python/samba/tests/dns.py                       | 455 +++++++++++-------------
 python/samba/tests/{dns_tkey.py => dns_base.py} | 274 ++++----------
 python/samba/tests/dns_tkey.py                  | 355 +-----------------
 python/samba/tests/join.py                      | 175 +++++++++
 selftest/knownfail.d/dns                        |  47 +++
 source4/dns_server/dlz_bind9.c                  |   2 +-
 source4/dns_server/dns_server.c                 |   2 +-
 source4/dns_server/dnsserver_common.c           |  70 +++-
 source4/dns_server/dnsserver_common.h           |  10 +-
 source4/dns_server/pydns.c                      |  75 ++--
 source4/dsdb/schema/schema_set.c                |   2 +
 source4/scripting/bin/samba_dnsupdate           | 126 +++++--
 source4/selftest/tests.py                       |   5 +
 18 files changed, 964 insertions(+), 904 deletions(-)
 copy python/samba/tests/{dns_tkey.py => dns_base.py} (67%)
 create mode 100644 python/samba/tests/join.py
 create mode 100644 selftest/knownfail.d/dns


Changeset truncated at 500 lines:

diff --git a/python/samba/join.py b/python/samba/join.py
index 6a92435..fa87f0b 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -22,8 +22,8 @@ from samba.auth import system_session
 from samba.samdb import SamDB
 from samba import gensec, Ldb, drs_utils, arcfour_encrypt, string_to_byte_array
 import ldb, samba, sys, uuid
-from samba.ndr import ndr_pack
-from samba.dcerpc import security, drsuapi, misc, nbt, lsa, drsblobs
+from samba.ndr import ndr_pack, ndr_unpack
+from samba.dcerpc import security, drsuapi, misc, nbt, lsa, drsblobs, dnsserver, dnsp
 from samba.dsdb import DS_DOMAIN_FUNCTION_2003
 from samba.credentials import Credentials, DONT_USE_KERBEROS
 from samba.provision import secretsdb_self_join, provision, provision_fill, FILL_DRS, FILL_SUBDOMAIN
@@ -35,6 +35,9 @@ from samba.provision.sambadns import setup_bind9_dns
 from samba import read_and_sub_file
 from samba import werror
 from base64 import b64encode
+from samba import WERRORError
+from samba.dnsserver import ARecord, AAAARecord, PTRRecord, CNameRecord, NSRecord, MXRecord, SOARecord, SRVRecord, TXTRecord
+from samba import sd_utils
 import logging
 import talloc
 import random
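Review bot: style, in the `from samba.dnsserver import ARecord, AAAARecord, PTRRecord, ...` line only ARecord, AAAARecord and CNameRecord are used by the new join_add_dns_records code in this patch; drop the other six names. Likewise `from samba import sd_utils` is added, but the code below calls `samba.sd_utils.SDUtils(ctx.samdb)`; use one form (`sd_utils.SDUtils(...)`) so the import is visibly used.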
@@ -53,6 +56,9 @@ class dc_join(object):
                  netbios_name=None, targetdir=None, domain=None,
                  machinepass=None, use_ntvfs=False, dns_backend=None,
                  promote_existing=False, clone_only=False):
+        if site is None:
+            site = "Default-First-Site-Name"
+
         ctx.clone_only=clone_only
 
         ctx.logger = logger
@@ -184,6 +190,12 @@ class dc_join(object):
         ctx.adminpass = None
         ctx.partition_dn = None
 
+        ctx.dns_a_dn = None
+        ctx.dns_cname_dn = None
+
+        # Do not normally register 127. addresses but allow override for selftest
+        ctx.force_all_ips = False
+
     def del_noerror(ctx, dn, recursive=False):
         if recursive:
             try:
@@ -198,31 +210,33 @@ class dc_join(object):
         except Exception:
             pass
 
-    def cleanup_old_accounts(ctx):
+    def cleanup_old_accounts(ctx, force=False):
         res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
                                expression='sAMAccountName=%s' % ldb.binary_encode(ctx.samname),
                                attrs=["msDS-krbTgtLink", "objectSID"])
         if len(res) == 0:
             return
 
-        creds = Credentials()
-        creds.guess(ctx.lp)
-        try:
-            creds.set_machine_account(ctx.lp)
-            machine_samdb = SamDB(url="ldap://%s" % ctx.server,
-                                  session_info=system_session(),
-                                credentials=creds, lp=ctx.lp)
-        except:
-            pass
-        else:
-            token_res = machine_samdb.search(scope=ldb.SCOPE_BASE, base="", attrs=["tokenGroups"])
-            if token_res[0]["tokenGroups"][0] \
-               == res[0]["objectSID"][0]:
-                raise DCJoinException("Not removing account %s which "
-                                   "looks like a Samba DC account "
-                                   "maching the password we already have.  "
-                                   "To override, remove secrets.ldb and secrets.tdb"
-                                % ctx.samname)
+        if not force:
+            creds = Credentials()
+            creds.guess(ctx.lp)
+            try:
+                creds.set_machine_account(ctx.lp)
+                creds.set_kerberos_state(ctx.creds.get_kerberos_state())
+                machine_samdb = SamDB(url="ldap://%s" % ctx.server,
+                                      session_info=system_session(),
+                                    credentials=creds, lp=ctx.lp)
+            except:
+                pass
+            else:
+                token_res = machine_samdb.search(scope=ldb.SCOPE_BASE, base="", attrs=["tokenGroups"])
+                if token_res[0]["tokenGroups"][0] \
+                   == res[0]["objectSID"][0]:
+                    raise DCJoinException("Not removing account %s which "
+                                       "looks like a Samba DC account "
+                                       "maching the password we already have.  "
+                                       "To override, remove secrets.ldb and secrets.tdb"
+                                    % ctx.samname)
 
         ctx.del_noerror(res[0].dn, recursive=True)
 
@@ -249,11 +263,11 @@ class dc_join(object):
                                 ldb.binary_encode("dns/%s" % ctx.dnshostname)))
 
 
-    def cleanup_old_join(ctx):
+    def cleanup_old_join(ctx, force=False):
         """Remove any DNs from a previous join."""
         # find the krbtgt link
         if not ctx.subdomain:
-            ctx.cleanup_old_accounts()
+            ctx.cleanup_old_accounts(force=force)
 
         if ctx.connection_dn is not None:
             ctx.del_noerror(ctx.connection_dn)
@@ -289,6 +303,13 @@ class dc_join(object):
 
             lsaconn.DeleteTrustedDomain(pol_handle, info.info_ex.sid)
 
+        if ctx.dns_a_dn:
+            ctx.del_noerror(ctx.dns_a_dn)
+
+        if ctx.dns_cname_dn:
+            ctx.del_noerror(ctx.dns_cname_dn)
+
+
 
     def promote_possible(ctx):
         """confirm that the account is just a bare NT4 BDC or a member server, so can be safely promoted"""
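Review bot: style, three consecutive blank lines are added after `ctx.del_noerror(ctx.dns_cname_dn)` before `def promote_possible`; two is the usual maximum. Note also that dns_a_dn/dns_cname_dn are only populated by join_add_dns_records during the current run, so this cleanup covers records created earlier in the same join and not those left behind by a previous join; that case relies on the enumerate-and-delete loop in join_add_dns_records, which is worth saying in a comment here.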
@@ -687,12 +708,16 @@ class dc_join(object):
                                      newpassword=ctx.acct_pass.encode('utf-8'))
 
             res = ctx.samdb.search(base=ctx.acct_dn, scope=ldb.SCOPE_BASE,
-                                   attrs=["msDS-KeyVersionNumber"])
+                                   attrs=["msDS-KeyVersionNumber",
+                                          "objectSID"])
             if "msDS-KeyVersionNumber" in res[0]:
                 ctx.key_version_number = int(res[0]["msDS-KeyVersionNumber"][0])
             else:
                 ctx.key_version_number = None
 
+            ctx.new_dc_account_sid = ndr_unpack(security.dom_sid,
+                                                res[0]["objectSid"][0])
+
             print("Enabling account")
             m = ldb.Message()
             m.dn = ldb.Dn(ctx.samdb, ctx.acct_dn)
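Review bot: the search requests `"objectSID"` but the result is read back as `res[0]["objectSid"][0]`; ldb element lookup is case-insensitive so this works, but use the schema spelling `objectSid` in both places. Also ctx.new_dc_account_sid is first assigned here, yet join_add_dns_records reads it unconditionally; initialise it to None next to ctx.dns_a_dn in __init__ so a code path that skips this block fails with a clear message rather than an AttributeError.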
@@ -969,6 +994,175 @@ class dc_join(object):
 
         ctx.drsuapi.DsReplicaUpdateRefs(ctx.drsuapi_handle, 1, r)
 
+    def join_add_dns_records(ctx):
+        """Remotely Add a DNS record to the target DC.  We assume that if we
+           replicate DNS that the server holds the DNS roles and can accept
+           updates.
+
+           This avoids issues getting replication going after the DC
+           first starts as the rest of the domain does not have to
+           wait for samba_dnsupdate to run successfully.
+
+           Specifically, we add the records implied by the DsReplicaUpdateRefs
+           call above.
+
+           We do not just run samba_dnsupdate as we want to strictly
+           operate against the DC we just joined:
+            - We do not want to query another DNS server
+            - We do not want to obtain a Kerberos ticket
+              (as the KDC we select may not be the DC we just joined,
+              and so may not be in sync with the password we just set)
+            - We do not wish to set the _ldap records until we have started
+            - We do not wish to use NTLM (the --use-samba-tool mode forces
+              NTLM)
+
+        """
+
+        client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN
+        record_type = dnsp.DNS_TYPE_A
+        select_flags = dnsserver.DNS_RPC_VIEW_AUTHORITY_DATA |\
+                       dnsserver.DNS_RPC_VIEW_NO_CHILDREN
+
+        zone = ctx.dnsdomain
+        msdcs_zone = "_msdcs.%s" % ctx.dnsforest
+        name = ctx.myname
+        msdcs_cname = str(ctx.ntds_guid)
+        cname_target = "%s.%s" % (name, zone)
+        IPs = samba.interface_ips(ctx.lp, ctx.force_all_ips)
+
+        ctx.logger.info("Adding %d remote DNS records for %s.%s" % \
+                        (len(IPs), name, zone))
+
+        binding_options = "sign"
+        dns_conn = dnsserver.dnsserver("ncacn_ip_tcp:%s[%s]" % (ctx.server, binding_options),
+                                      ctx.lp, ctx.creds)
+
+
+        name_found = True
+
+        sd_helper = samba.sd_utils.SDUtils(ctx.samdb)
+
+        change_owner_sd = security.descriptor()
+        change_owner_sd.owner_sid = ctx.new_dc_account_sid
+        change_owner_sd.group_sid = security.dom_sid("%s-%d" %
+                                                     (str(ctx.domsid),
+                                                      security.DOMAIN_RID_DCS))
+
+        # TODO: Remove any old records from the primary DNS name
+        try:
+            (buflen, res) \
+                = dns_conn.DnssrvEnumRecords2(client_version,
+                                              0,
+                                              ctx.server,
+                                              zone,
+                                              name,
+                                              None,
+                                              dnsp.DNS_TYPE_ALL,
+                                              select_flags,
+                                              None,
+                                              None)
+        except WERRORError as e:
+            if e.args[0] == werror.WERR_DNS_ERROR_NAME_DOES_NOT_EXIST:
+                name_found = False
+                pass
+
+        if name_found:
+            for rec in res.rec:
+                for record in rec.records:
+                    if record.wType == dnsp.DNS_TYPE_A or \
+                       record.wType == dnsp.DNS_TYPE_AAAA:
+                        # delete record
+                        del_rec_buf = dnsserver.DNS_RPC_RECORD_BUF()
+                        del_rec_buf.rec = record
+                        try:
+                            dns_conn.DnssrvUpdateRecord2(client_version,
+                                                         0,
+                                                         ctx.server,
+                                                         zone,
+                                                         name,
+                                                         None,
+                                                         del_rec_buf)
+                        except WERRORError as e:
+                            if e.args[0] == werror.WERR_DNS_ERROR_NAME_DOES_NOT_EXIST:
+                                pass
+                            else:
+                                raise
+
+        for IP in IPs:
+            if IP.find(':') != -1:
+                ctx.logger.info("Adding DNS AAAA record %s.%s for IPv6 IP: %s"
+                                % (name, zone, IP))
+                rec = AAAARecord(IP)
+            else:
+                ctx.logger.info("Adding DNS A record %s.%s for IPv4 IP: %s"
+                                % (name, zone, IP))
+                rec = ARecord(IP)
+
+            # Add record
+            add_rec_buf = dnsserver.DNS_RPC_RECORD_BUF()
+            add_rec_buf.rec = rec
+            dns_conn.DnssrvUpdateRecord2(client_version,
+                                         0,
+                                         ctx.server,
+                                         zone,
+                                         name,
+                                         add_rec_buf,
+                                         None)
+
+        if (len(IPs) > 0):
+            domaindns_zone_dn = ldb.Dn(ctx.samdb, ctx.domaindns_zone)
+            (ctx.dns_a_dn, ldap_record) \
+                = ctx.samdb.dns_lookup("%s.%s" % (name, zone),
+                                       dns_partition=domaindns_zone_dn)
+
+            # Make the DC own the DNS record, not the administrator
+            sd_helper.modify_sd_on_dn(ctx.dns_a_dn, change_owner_sd,
+                                      controls=["sd_flags:1:%d"
+                                                % (security.SECINFO_OWNER
+                                                   | security.SECINFO_GROUP)])
+
+
+            # Add record
+            ctx.logger.info("Adding DNS CNAME record %s.%s for %s"
+                            % (msdcs_cname, msdcs_zone, cname_target))
+
+            add_rec_buf = dnsserver.DNS_RPC_RECORD_BUF()
+            rec = CNameRecord(cname_target)
+            add_rec_buf.rec = rec
+            dns_conn.DnssrvUpdateRecord2(client_version,
+                                         0,
+                                         ctx.server,
+                                         msdcs_zone,
+                                         msdcs_cname,
+                                         add_rec_buf,
+                                         None)
+
+            forestdns_zone_dn = ldb.Dn(ctx.samdb, ctx.forestdns_zone)
+            (ctx.dns_cname_dn, ldap_record) \
+                = ctx.samdb.dns_lookup("%s.%s" % (msdcs_cname, msdcs_zone),
+                                       dns_partition=forestdns_zone_dn)
+
+            # Make the DC own the DNS record, not the administrator
+            sd_helper.modify_sd_on_dn(ctx.dns_cname_dn, change_owner_sd,
+                                      controls=["sd_flags:1:%d"
+                                                % (security.SECINFO_OWNER
+                                                   | security.SECINFO_GROUP)])
+
+        ctx.logger.info("All other DNS records (like _ldap SRV records) " +
+                        "will be created samba_dnsupdate on first startup")
+
+
+    def join_replicate_new_dns_records(ctx):
+        for nc in (ctx.domaindns_zone, ctx.forestdns_zone):
+            if nc in ctx.nc_list:
+                ctx.logger.info("Replicating new DNS records in %s" % (str(nc)))
+                ctx.repl.replicate(nc, ctx.source_dsa_invocation_id,
+                                   ctx.ntds_guid, rodc=ctx.RODC,
+                                   replica_flags=ctx.replica_flags,
+                                   full_sync=False)
+
+
+
     def join_finalise(ctx):
         """Finalise the join, mark us synchronised and setup secrets db."""
 
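Review bot: logic, the `except WERRORError` around DnssrvEnumRecords2 only handles WERR_DNS_ERROR_NAME_DOES_NOT_EXIST and silently drops every other error; `name_found` then stays True and `res` is unbound, so the following `for rec in res.rec:` raises NameError instead of surfacing the real RPC failure. Add `else: raise` to that except, as the DnssrvUpdateRecord2 delete loop below already does. Smaller points: the `pass` after `name_found = False` is redundant; the closing log message is missing a word ("will be created by samba_dnsupdate on first startup"); and the docstring says "Remotely Add a DNS record" while the function also deletes stale A/AAAA records and rewrites the owner and group of the new objects, which is worth stating given the commit message's point that these records carry the static-entry ACL.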
@@ -1185,6 +1379,11 @@ class dc_join(object):
                 ctx.join_add_objects2()
                 ctx.join_provision_own_domain()
                 ctx.join_setup_trusts()
+
+            if not ctx.clone_only and ctx.dns_backend != "NONE":
+                ctx.join_add_dns_records()
+                ctx.join_replicate_new_dns_records()
+
             ctx.join_finalise()
         except:
             try:
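Review bot: the `ctx.dns_backend != "NONE"` guard decides whether the DNS RPC calls run, but join_add_dns_records assumes the joined DC holds the DNS roles; if it does not, a DnssrvUpdateRecord2 failure here propagates to the `except:` below and unwinds the whole join. Decide whether a DNS RPC error at this stage should be fatal or logged with a pointer to samba_dnsupdate, and document the choice next to this guard.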
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 4bd99ba..e3a0e49 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -551,9 +551,6 @@ class cmd_domain_dcpromo(Command):
         creds = credopts.get_credentials(lp)
         net = Net(creds, lp, server=credopts.ipaddress)
 
-        if site is None:
-            site = "Default-First-Site-Name"
-
         logger = self.get_logger()
         if verbose:
             logger.setLevel(logging.DEBUG)
diff --git a/python/samba/remove_dc.py b/python/samba/remove_dc.py
index 61b5937..4c8ee89 100644
--- a/python/samba/remove_dc.py
+++ b/python/samba/remove_dc.py
@@ -97,7 +97,7 @@ def remove_dns_references(samdb, logger, dnsHostName):
     dnsHostNameUpper = dnsHostName.upper()
 
     try:
-        primary_recs = samdb.dns_lookup(dnsHostName)
+        (dn, primary_recs) = samdb.dns_lookup(dnsHostName)
     except RuntimeError as (enum, estr):
         if enum == werror.WERR_DNS_ERROR_NAME_DOES_NOT_EXIST:
               return
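Review bot: style, `dn` from the new `(dn, primary_recs) = samdb.dns_lookup(dnsHostName)` unpacking is never used (the same goes for `a_rec_dn` in the next hunk); name it `_` so readers do not look for a use. The surrounding `except RuntimeError as (enum, estr):` is Python 2-only tuple syntax; it predates this patch but is worth flagging while this function is being touched.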
@@ -140,7 +140,7 @@ def remove_dns_references(samdb, logger, dnsHostName):
     for a_name in a_names_to_remove_from:
         try:
             logger.debug("checking for DNS records to remove on %s" % a_name)
-            a_recs = samdb.dns_lookup(a_name)
+            (a_rec_dn, a_recs) = samdb.dns_lookup(a_name)
         except RuntimeError as (enum, estr):
             if enum == werror.WERR_DNS_ERROR_NAME_DOES_NOT_EXIST:
                 return
diff --git a/python/samba/samdb.py b/python/samba/samdb.py
index 719bb8b..6fe680d 100644
--- a/python/samba/samdb.py
+++ b/python/samba/samdb.py
@@ -930,13 +930,17 @@ accountExpires: %u
         res = self.search(base="", scope=ldb.SCOPE_BASE, attrs=["serverName"])
         return res[0]["serverName"][0]
 
-    def dns_lookup(self, dns_name):
+    def dns_lookup(self, dns_name, dns_partition=None):
         '''Do a DNS lookup in the database, returns the NDR database structures'''
-        return dsdb_dns.lookup(self, dns_name)
+        if dns_partition is None:
+            return dsdb_dns.lookup(self, dns_name)
+        else:
+            return dsdb_dns.lookup(self, dns_name,
+                                   dns_partition=dns_partition)
 
     def dns_extract(self, el):
         '''Return the NDR database structures from a dnsRecord element'''
-        return dsdb_dns.extract(el)
+        return dsdb_dns.extract(self, el)
 
     def dns_replace(self, dns_name, new_records):
         '''Do a DNS modification on the database, sets the NDR database
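Review bot: documentation, dns_lookup's docstring still says it "returns the NDR database structures", but per the pydns change in this series (and the callers updated in remove_dc.py and join.py) it now returns a (dn, records) tuple; update the docstring and describe the new dns_partition argument (an ldb.Dn of the partition the lookup is confined to). If dsdb_dns.lookup accepts dns_partition=None, the if/else collapses to a single call.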
diff --git a/python/samba/sd_utils.py b/python/samba/sd_utils.py
index 7592a29..568829f 100644
--- a/python/samba/sd_utils.py
+++ b/python/samba/sd_utils.py
@@ -37,7 +37,11 @@ class SDUtils(object):
             or security.descriptor object
         """
         m = Message()
-        m.dn = Dn(self.ldb, object_dn)
+        if isinstance(object_dn, Dn):
+            m.dn = object_dn
+        else:
+            m.dn = Dn(self.ldb, object_dn)
+
         assert(isinstance(sd, str) or isinstance(sd, security.descriptor))
         if isinstance(sd, str):
             tmp_desc = security.descriptor.from_sddl(sd, self.domain_sid)
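Review bot: documentation, the docstring above (the line ending "or security.descriptor object" describes `sd`) should also state that object_dn may now be either a string DN or an ldb Dn object, since that is the behaviour this isinstance branch adds.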
diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
index b8a2481..1b5b64d 100644
--- a/python/samba/tests/dns.py
+++ b/python/samba/tests/dns.py
@@ -22,11 +22,11 @@ import random
 import socket
 import samba.ndr as ndr
 from samba import credentials, param
-from samba.tests import TestCase
 from samba.dcerpc import dns, dnsp, dnsserver
 from samba.netcmd.dns import TXTRecord, dns_record_match, data_to_dns_record
 from samba.tests.subunitrun import SubunitOptions, TestProgram
-from samba import werror
+from samba import werror, WERRORError
+from samba.tests.dns_base import DNSTest
 import samba.getopt as options
 import optparse
 
@@ -60,180 +60,51 @@ server_name = args[0]
 server_ip = args[1]
 creds.set_krb_forwardable(credentials.NO_KRB_FORWARDABLE)
 
-def make_txt_record(records):
-    rdata_txt = dns.txt_record()
-    s_list = dnsp.string_list()
-    s_list.count = len(records)
-    s_list.str = records
-    rdata_txt.txt = s_list
-    return rdata_txt
-
-class DNSTest(TestCase):
-
+class TestSimpleQueries(DNSTest):
     def setUp(self):
-        global server, server_ip, lp, creds
-        super(DNSTest, self).setUp()
+        super(TestSimpleQueries, self).setUp()
+        global server, server_ip, lp, creds, timeout
         self.server = server_name
         self.server_ip = server_ip
         self.lp = lp
         self.creds = creds
+        self.timeout = timeout
 
-    def errstr(self, errcode):
-        "Return a readable error code"
-        string_codes = [
-            "OK",
-            "FORMERR",
-            "SERVFAIL",
-            "NXDOMAIN",
-            "NOTIMP",
-            "REFUSED",
-            "YXDOMAIN",
-            "YXRRSET",
-            "NXRRSET",
-            "NOTAUTH",
-            "NOTZONE",
-        ]
-
-        return string_codes[errcode]
-
-
-    def assert_dns_rcode_equals(self, packet, rcode):
-        "Helper function to check return code"
-        p_errcode = packet.operation & 0x000F
-        self.assertEquals(p_errcode, rcode, "Expected RCODE %s, got %s" %
-                            (self.errstr(rcode), self.errstr(p_errcode)))
-
-    def assert_dns_opcode_equals(self, packet, opcode):
-        "Helper function to check opcode"
-        p_opcode = packet.operation & 0x7800
-        self.assertEquals(p_opcode, opcode, "Expected OPCODE %s, got %s" %
-                            (opcode, p_opcode))
-
-    def make_name_packet(self, opcode, qid=None):
-        "Helper creating a dns.name_packet"
-        p = dns.name_packet()
-        if qid is None:
-            p.id = random.randint(0x0, 0xffff)
-        p.operation = opcode
-        p.questions = []
-        return p
-
-    def finish_name_packet(self, packet, questions):
-        "Helper to finalize a dns.name_packet"
-        packet.qdcount = len(questions)

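Review bot: `timeout` is added to the `global` list in TestSimpleQueries.setUp and copied to self.timeout, but no module-level `timeout` is visible in this hunk's context; make sure it is defined at module scope alongside server_name/server_ip, otherwise setUp raises NameError. The remainder of this hunk is cut off by the 500-line truncation and is not reviewed here.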

-- 
Samba Shared Repository
