[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Wed Sep 6 01:55:03 UTC 2017


The branch, master has been updated
       via  2d0e138 python:samba: Add code to remove obsolete files in the private dir
       via  8f2dee2 python:samba: Use 'binddns dir' in samba-tool and samba_upgradedns
       via  3fa7c43 s4:bind_dlz: Use the 'binddns dir' if possible
       via  4c9608f param: Add 'binddns dir' parameter
       via  3b1aa2c python:samba: Remove code to change group
       via  47c0397 dynconfig: Change permission of the private dir to 0700
      from  f8b491f cli_credentials: Fix a return value

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2d0e13837d8c6fab3fb296aafcabdf2a2973b96d
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Aug 23 15:36:23 2017 +0200

    python:samba: Add code to remove obsolete files in the private dir
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlet <abartlet at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Wed Sep  6 03:54:19 CEST 2017 on sn-devel-144

commit 8f2dee256e281c438105689b073f09685f161b16
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 10 15:37:54 2017 +0200

    python:samba: Use 'binddns dir' in samba-tool and samba_upgradedns
    
    This provisions the bind_dlz files in the 'binddns dir'. If you want to
    migrate to the new files structure you can run samba_upgradedns!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlet <abartlet at samba.org>

commit 3fa7c43ef73b6582e8985bf6d82465ffded9e5db
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Aug 22 17:10:01 2017 +0200

    s4:bind_dlz: Use the 'binddns dir' if possible
    
    The code makes sure we are backwards compatible. It will first check if
    we still have files in the private directory, if yes it will use those.
    
    If the file is not in the private directory it will try the binddns
    dir.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlet <abartlet at samba.org>

commit 4c9608fb27b0f1bef846b72291ecb515045d3507
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 10 15:04:08 2017 +0200

    param: Add 'binddns dir' parameter
    
    This allows us to have restricted access to the directory by the group
    'named' which bind is a member of.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlet <abartlet at samba.org>

commit 3b1aa2ca5f9ae151cd64579ed05c8fb766b1ec5d
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Aug 11 12:45:14 2017 +0200

    python:samba: Remove code to change group
    
    This is the wrong place, it will just prepare the ldif. The file is not
    created here.
    
    The code is corrently changing the group in:
        python/samba/provision/__init__.py
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlet <abartlet at samba.org>

commit 47c039792a8a00c0f2798ced162c393d4712f946
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 10 11:43:11 2017 +0200

    dynconfig: Change permission of the private dir to 0700
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlet <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 buildtools/wafsamba/samba_patterns.py              |  1 +
 docs-xml/smbdotconf/generate-file-list.sh          |  1 +
 docs-xml/smbdotconf/security/binddnsdir.xml        | 18 ++++++
 dynconfig/dynconfig.c                              |  1 +
 dynconfig/dynconfig.h                              |  1 +
 dynconfig/wscript                                  |  9 ++-
 lib/param/loadparm.c                               |  1 +
 lib/param/param.h                                  |  1 +
 python/samba/provision/__init__.py                 | 72 +++++++++++++++------
 python/samba/provision/sambadns.py                 | 29 ++++-----
 python/samba/tests/provision.py                    |  2 +
 selftest/selftest.pl                               |  7 +++
 selftest/target/Samba3.pm                          |  4 ++
 selftest/target/Samba4.pm                          |  4 ++
 source3/param/loadparm.c                           |  2 +
 source4/dns_server/dlz_bind9.c                     | 44 ++++++++++++-
 source4/dsdb/dns/dns_update.c                      | 46 +++++++++++++-
 source4/scripting/bin/samba_upgradedns             | 73 +++++++++++++++++++---
 source4/scripting/bin/samba_upgradeprovision       | 16 ++---
 .../provisions/alpha13/etc/smb.conf.template       |  1 +
 .../selftest/provisions/alpha13/private/named.txt  | 10 +--
 .../provisions/release-4-0-0/etc/smb.conf.template |  1 +
 .../release-4-1-0rc3/etc/smb.conf.template         |  1 +
 .../provisions/release-4-1-0rc3/private/named.txt  |  8 +--
 .../etc/smb.conf.template                          |  1 +
 source4/torture/dns/dlz_bind9.c                    | 26 +++++---
 wintest/wintest.py                                 |  6 +-
 27 files changed, 306 insertions(+), 80 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/binddnsdir.xml


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/samba_patterns.py b/buildtools/wafsamba/samba_patterns.py
index e809f26..2b93937 100644
--- a/buildtools/wafsamba/samba_patterns.py
+++ b/buildtools/wafsamba/samba_patterns.py
@@ -108,6 +108,7 @@ def write_build_options_header(fp):
     fp.write("       output(screen,\"   PIDDIR: %s\\n\", get_dyn_PIDDIR());\n")
     fp.write("       output(screen,\"   SMB_PASSWD_FILE: %s\\n\",get_dyn_SMB_PASSWD_FILE());\n")
     fp.write("       output(screen,\"   PRIVATE_DIR: %s\\n\",get_dyn_PRIVATE_DIR());\n")
+    fp.write("       output(screen,\"   BINDDNS_DIR: %s\\n\",get_dyn_BINDDNS_DIR());\n")
     fp.write("\n")
 
 def write_build_options_footer(fp):
diff --git a/docs-xml/smbdotconf/generate-file-list.sh b/docs-xml/smbdotconf/generate-file-list.sh
index 4a25f1e..7ab1b7c 100755
--- a/docs-xml/smbdotconf/generate-file-list.sh
+++ b/docs-xml/smbdotconf/generate-file-list.sh
@@ -11,6 +11,7 @@ echo "<!DOCTYPE section [
 <!ENTITY pathconfig.PIDDIR               '\${prefix}/var/run'>
 <!ENTITY pathconfig.STATEDIR             '\${prefix}/var/locks'>
 <!ENTITY pathconfig.PRIVATE_DIR          '\${prefix}/private'>
+<!ENTITY pathconfig.BINDDNS_DIR          '\${prefix}/bind-dns'>
 <!ENTITY pathconfig.SMB_PASSWD_FILE      '\${prefix}/private/smbpasswd'>
 <!ENTITY pathconfig.WINBINDD_SOCKET_DIR  '\${prefix}/var/run/winbindd'>
 <!ENTITY pathconfig.CACHEDIR             '\${prefix}/var/cache'>
diff --git a/docs-xml/smbdotconf/security/binddnsdir.xml b/docs-xml/smbdotconf/security/binddnsdir.xml
new file mode 100644
index 0000000..c296a0e
--- /dev/null
+++ b/docs-xml/smbdotconf/security/binddnsdir.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="binddns dir"
+                 context="G"
+                 type="string"
+                 constant="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>bind dns directory</synonym>
+<description>
+    <para>
+        This parameters defines the directory samba will use to store the configuration
+        files for bind, such as named.conf.
+
+        NOTE: The bind dns directory needs to be on the same mount point as the private
+        directory!
+    </para>
+</description>
+
+<value type="default">&pathconfig.BINDDNS_DIR;</value>
+</samba:parameter>
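Review bot: the NOTE in the <para> says the bind dns directory must be on the same mount point as the private directory but gives no reason. The provision change in this series hard-links dns.keytab from the private dir into this directory with os.link(), which is why a separate filesystem fails; say so in the description. The description should also state the expected mode and group of the directory (the build installs it with 0o770 and the commit message refers to the group 'named'), since that is the part an administrator has to get right. 'This parameters defines' should read 'This parameter defines'.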
diff --git a/dynconfig/dynconfig.c b/dynconfig/dynconfig.c
index e75d7db..e70a10f 100644
--- a/dynconfig/dynconfig.c
+++ b/dynconfig/dynconfig.c
@@ -95,6 +95,7 @@ DEFINE_DYN_CONFIG_PARAM(PIDDIR)
 DEFINE_DYN_CONFIG_PARAM(NCALRPCDIR)
 DEFINE_DYN_CONFIG_PARAM(SMB_PASSWD_FILE)
 DEFINE_DYN_CONFIG_PARAM(PRIVATE_DIR)
+DEFINE_DYN_CONFIG_PARAM(BINDDNS_DIR)
 DEFINE_DYN_CONFIG_PARAM(LOCALEDIR)
 DEFINE_DYN_CONFIG_PARAM(NMBDSOCKETDIR)
 DEFINE_DYN_CONFIG_PARAM(DATADIR)
diff --git a/dynconfig/dynconfig.h b/dynconfig/dynconfig.h
index 4d07c10..bdab2e8 100644
--- a/dynconfig/dynconfig.h
+++ b/dynconfig/dynconfig.h
@@ -46,6 +46,7 @@ DEFINE_DYN_CONFIG_PROTO(PIDDIR)
 DEFINE_DYN_CONFIG_PROTO(NCALRPCDIR)
 DEFINE_DYN_CONFIG_PROTO(SMB_PASSWD_FILE)
 DEFINE_DYN_CONFIG_PROTO(PRIVATE_DIR)
+DEFINE_DYN_CONFIG_PROTO(BINDDNS_DIR)
 DEFINE_DYN_CONFIG_PROTO(LOCALEDIR)
 DEFINE_DYN_CONFIG_PROTO(NMBDSOCKETDIR)
 DEFINE_DYN_CONFIG_PROTO(DATADIR)
diff --git a/dynconfig/wscript b/dynconfig/wscript
index 7e9bde9..fee37ea 100644
--- a/dynconfig/wscript
+++ b/dynconfig/wscript
@@ -192,6 +192,12 @@ dynconfig = {
          'OPTION':    '--with-statedir',
          'HELPTEXT':  'Where to put persistent state files',
     },
+    'BINDDNS_DIR' : {
+         'STD-PATH':  '${LOCALSTATEDIR}/lib',
+         'FHS-PATH':  '${LOCALSTATEDIR}/lib/samba/bind-dns',
+         'OPTION':    '--with-bind-dns-dir',
+         'HELPTEXT':  'bind-dns config directory',
+    },
     'CACHEDIR' : {
          'STD-PATH':  '${LOCALSTATEDIR}/cache',
          'FHS-PATH':  '${LOCALSTATEDIR}/cache/samba',
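Review bot: in the new 'BINDDNS_DIR' entry the STD-PATH is '${LOCALSTATEDIR}/lib' with no bind-dns component, while the FHS-PATH ends in /lib/samba/bind-dns and docs-xml/smbdotconf/generate-file-list.sh documents the default as '${prefix}/bind-dns'. When the STD-PATH is selected, the parameter points at the lib directory itself, which build() then installs with mode 0o770 and which provisioning fills with named.conf and dns.keytab. Suggest a dedicated subdirectory for the STD-PATH and making the documented default agree with it.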
@@ -418,7 +424,8 @@ def build(bld):
     bld.INSTALL_DIR("${CONFIGDIR}")
     bld.INSTALL_DIR("${LOGFILEBASE}")
     bld.INSTALL_DIR("${PRIVILEGED_SOCKET_DIR}")
-    bld.INSTALL_DIR("${PRIVATE_DIR}")
+    bld.INSTALL_DIR("${PRIVATE_DIR}", 0o700)
+    bld.INSTALL_DIR("${BINDDNS_DIR}", 0o770)
     bld.INSTALL_DIR("${STATEDIR}")
     bld.INSTALL_DIR("${CACHEDIR}")
 
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index a221e87..b91f965 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2655,6 +2655,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	/* the winbind method for domain controllers is for both RODC
 	   auth forwarding and for trusted domains */
 	lpcfg_do_global_parameter(lp_ctx, "private dir", dyn_PRIVATE_DIR);
+	lpcfg_do_global_parameter(lp_ctx, "binddns dir", dyn_BINDDNS_DIR);
 	lpcfg_do_global_parameter(lp_ctx, "registry:HKEY_LOCAL_MACHINE", "hklm.ldb");
 
 	/* This hive should be dynamically generated by Samba using
diff --git a/lib/param/param.h b/lib/param/param.h
index 589b890..680c053 100644
--- a/lib/param/param.h
+++ b/lib/param/param.h
@@ -56,6 +56,7 @@ const char **lpcfg_interfaces(struct loadparm_context *);
 const char *lpcfg_realm(struct loadparm_context *);
 const char *lpcfg_netbios_name(struct loadparm_context *);
 const char *lpcfg_private_dir(struct loadparm_context *);
+const char *lpcfg_binddns_dir(struct loadparm_context *);
 int lpcfg_server_role(struct loadparm_context *);
 int lpcfg_allow_dns_updates(struct loadparm_context *);
 
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 2387931..f820f6a 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -27,6 +27,7 @@
 __docformat__ = "restructuredText"
 
 from base64 import b64encode
+import errno
 import os
 import re
 import pwd
@@ -145,6 +146,7 @@ class ProvisionPaths(object):
         self.dns = None
         self.winsdb = None
         self.private_dir = None
+        self.binddns_dir = None
         self.state_dir = None
 
 
@@ -531,6 +533,7 @@ def provision_paths_from_lp(lp, dnsdomain):
     """
     paths = ProvisionPaths()
     paths.private_dir = lp.get("private dir")
+    paths.binddns_dir = lp.get("binddns dir")
     paths.state_dir = lp.get("state directory")
 
     # This is stored without path prefix for the "privateKeytab" attribute in
@@ -543,16 +546,18 @@ def provision_paths_from_lp(lp, dnsdomain):
     paths.idmapdb = os.path.join(paths.private_dir, "idmap.ldb")
     paths.secrets = os.path.join(paths.private_dir, "secrets.ldb")
     paths.privilege = os.path.join(paths.private_dir, "privilege.ldb")
-    paths.dns = os.path.join(paths.private_dir, "dns", dnsdomain + ".zone")
     paths.dns_update_list = os.path.join(paths.private_dir, "dns_update_list")
     paths.spn_update_list = os.path.join(paths.private_dir, "spn_update_list")
-    paths.namedconf = os.path.join(paths.private_dir, "named.conf")
-    paths.namedconf_update = os.path.join(paths.private_dir, "named.conf.update")
-    paths.namedtxt = os.path.join(paths.private_dir, "named.txt")
     paths.krb5conf = os.path.join(paths.private_dir, "krb5.conf")
     paths.kdcconf = os.path.join(paths.private_dir, "kdc.conf")
     paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
     paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi")
+
+    paths.dns = os.path.join(paths.binddns_dir, "dns", dnsdomain + ".zone")
+    paths.namedconf = os.path.join(paths.binddns_dir, "named.conf")
+    paths.namedconf_update = os.path.join(paths.binddns_dir, "named.conf.update")
+    paths.namedtxt = os.path.join(paths.binddns_dir, "named.txt")
+
     paths.hklm = "hklm.ldb"
     paths.hkcr = "hkcr.ldb"
     paths.hkcu = "hkcu.ldb"
@@ -945,6 +950,10 @@ def setup_secretsdb(paths, session_info, backend_credentials, lp):
     if os.path.exists(keytab_path):
         os.unlink(keytab_path)
 
+    bind_dns_keytab_path = os.path.join(paths.binddns_dir, paths.dns_keytab)
+    if os.path.exists(bind_dns_keytab_path):
+        os.unlink(bind_dns_keytab_path)
+
     dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
     if os.path.exists(dns_keytab_path):
         os.unlink(dns_keytab_path)
@@ -1928,6 +1937,15 @@ def provision_fake_ypserver(logger, samdb, domaindn, netbiosname, nisdomain,
     else:
         samdb.transaction_commit()
 
+def directory_create_or_exists(path, mode=0o755):
+    if not os.path.exists(path):
+        try:
+            os.mkdir(path, mode)
+        except OSError as e:
+            if e.errno in [errno.EEXIST]:
+                pass
+            else:
+                raise ProvisioningError("Failed to create directory %s: %s" % (path, e.strerror))
 
 def provision(logger, session_info, smbconf=None,
         targetdir=None, samdb_fill=FILL_FULL, realm=None, rootdn=None,
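Review bot: directory_create_or_exists() applies mode only when it creates the directory; if path already exists, or os.mkdir() fails with EEXIST, it returns without checking anything, so a private dir left at a wider mode by an earlier provision is not tightened to 0o700 by the call added later in this patch. Consider an os.chmod() on the existing path (or at least a warning after os.stat()), and confirm that the existing path is a directory. The mode passed to os.mkdir() is also masked by the process umask, so the 0o770 requested for the bind-dns dir is not guaranteed. Minor: the function has no docstring, the os.path.exists() pre-check is redundant given the EEXIST handling, and 'if e.errno in [errno.EEXIST]: pass' followed by 'else: raise' reads better as a single 'if e.errno != errno.EEXIST: raise ...'.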
@@ -2064,12 +2082,10 @@ def provision(logger, session_info, smbconf=None,
     if serverrole is None:
         serverrole = lp.get("server role")
 
-    if not os.path.exists(paths.private_dir):
-        os.mkdir(paths.private_dir)
-    if not os.path.exists(os.path.join(paths.private_dir, "tls")):
-        os.makedirs(os.path.join(paths.private_dir, "tls"), 0700)
-    if not os.path.exists(paths.state_dir):
-        os.mkdir(paths.state_dir)
+    directory_create_or_exists(paths.private_dir, 0o700)
+    directory_create_or_exists(paths.binddns_dir, 0o770)
+    directory_create_or_exists(os.path.join(paths.private_dir, "tls"))
+    directory_create_or_exists(paths.state_dir)
 
     if paths.sysvol and not os.path.exists(paths.sysvol):
         os.makedirs(paths.sysvol, 0775)
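Review bot: the tls directory was previously created with os.makedirs(..., 0700) and is now created by directory_create_or_exists(os.path.join(paths.private_dir, "tls")) with the helper's default of 0o755. The 0o700 parent limits the exposure, but nothing in the commit message says the relaxation is intended; pass 0o700 explicitly. Also, paths.binddns_dir is created with 0o770 here without any group change, so the group bits only help bind if something else sets the directory's group; a comment saying where that happens would help.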
@@ -2198,16 +2214,34 @@ def provision(logger, session_info, smbconf=None,
     # Now commit the secrets.ldb to disk
     secrets_ldb.transaction_commit()
 
-    # the commit creates the dns.keytab, now chown it
-    dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
-    if os.path.isfile(dns_keytab_path) and paths.bind_gid is not None:
+    # the commit creates the dns.keytab in the private directory
+    private_dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
+    bind_dns_keytab_path = os.path.join(paths.binddns_dir, paths.dns_keytab)
+
+    if os.path.isfile(private_dns_keytab_path):
+        if os.path.isfile(bind_dns_keytab_path):
+            try:
+                os.unlink(bind_dns_keytab_path)
+            except OSError as e:
+                logger.error("Failed to remove %s: %s" %
+                             (bind_dns_keytab_path, e.strerror))
+
+        # link the dns.keytab to the bind-dns directory
         try:
-            os.chmod(dns_keytab_path, 0640)
-            os.chown(dns_keytab_path, -1, paths.bind_gid)
-        except OSError:
-            if not os.environ.has_key('SAMBA_SELFTEST'):
-                logger.info("Failed to chown %s to bind gid %u",
-                            dns_keytab_path, paths.bind_gid)
+            os.link(private_dns_keytab_path, bind_dns_keytab_path)
+        except OSError as e:
+            logger.error("Failed to create link %s -> %s: %s" %
+                         (private_dns_keytab_path, bind_dns_keytab_path, e.strerror))
+
+        # chown the dns.keytab in the bind-dns directory
+        if paths.bind_gid is not None:
+            try:
+                os.chmod(bind_dns_keytab_path, 0640)
+                os.chown(bind_dns_keytab_path, -1, paths.bind_gid)
+            except OSError:
+                if not os.environ.has_key('SAMBA_SELFTEST'):
+                    logger.info("Failed to chown %s to bind gid %u",
+                                bind_dns_keytab_path, paths.bind_gid)
 
     result = ProvisionResult()
     result.server_role = serverrole
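Review bot: when os.link() fails, the error is logged and execution falls through to the chmod/chown block, which then operates on a bind_dns_keytab_path that does not exist and only produces the info-level "Failed to chown" message (nothing at all under SAMBA_SELFTEST), so provisioning finishes without a keytab bind can read. Skip the chown block or raise after the link failure. Because the file is a hard link, the chmod to 0640 and the chown to paths.bind_gid also change the mode and group of the dns.keytab seen in the private dir (same inode); a comment stating that this is intended would help. The new lines still use 0640 and os.environ.has_key() while the rest of the patch uses 0o-style literals.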
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index 961f37e..d4cb93a 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -649,7 +649,7 @@ def add_dc_msdcs_records(samdb, forestdn, prefix, site, dnsforest, hostname,
             fqdn_hostname)
 
 
-def secretsdb_setup_dns(secretsdb, names, private_dir, realm,
+def secretsdb_setup_dns(secretsdb, names, private_dir, binddns_dir, realm,
                         dnsdomain, dns_keytab_path, dnspass, key_version_number):
     """Add DNS specific bits to a secrets database.
 
@@ -659,12 +659,15 @@ def secretsdb_setup_dns(secretsdb, names, private_dir, realm,
     """
     try:
         os.unlink(os.path.join(private_dir, dns_keytab_path))
+        os.unlink(os.path.join(binddns_dir, dns_keytab_path))
     except OSError:
         pass
 
     if key_version_number is None:
         key_version_number = 1
 
+    # This will create the dns.keytab file in the private_dir when it is
+    # commited!
     setup_ldb(secretsdb, setup_path("secrets_dns.ldif"), {
             "REALM": realm,
             "DNSDOMAIN": dnsdomain,
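Review bot: both os.unlink() calls sit in one try block, so if the first raises OSError (for example because there is no dns.keytab in private_dir) the second is never reached and a stale keytab in binddns_dir survives. Give each unlink its own try/except. The added comment has a typo: 'commited' should be 'committed'.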
@@ -954,7 +957,7 @@ def create_named_conf(paths, realm, dnsdomain, dns_backend, logger):
                     })
 
 
-def create_named_txt(path, realm, dnsdomain, dnsname, private_dir,
+def create_named_txt(path, realm, dnsdomain, dnsname, binddns_dir,
     keytab_name):
     """Write out a file containing zone statements suitable for inclusion in a
     named.conf file (including GSS-TSIG configuration).
@@ -962,7 +965,7 @@ def create_named_txt(path, realm, dnsdomain, dnsname, private_dir,
     :param path: Path of the new named.conf file.
     :param realm: Realm name
     :param dnsdomain: DNS Domain name
-    :param private_dir: Path to private directory
+    :param binddns_dir: Path to bind dns directory
     :param keytab_name: File name of DNS keytab file
     """
     setup_file(setup_path("named.txt"), path, {
@@ -970,8 +973,8 @@ def create_named_txt(path, realm, dnsdomain, dnsname, private_dir,
             "DNSNAME" : dnsname,
             "REALM": realm,
             "DNS_KEYTAB": keytab_name,
-            "DNS_KEYTAB_ABS": os.path.join(private_dir, keytab_name),
-            "PRIVATE_DIR": private_dir
+            "DNS_KEYTAB_ABS": os.path.join(binddns_dir, keytab_name),
+            "PRIVATE_DIR": binddns_dir
         })
 
 
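Review bot: the substitution key "PRIVATE_DIR" is now filled with binddns_dir ('"PRIVATE_DIR": binddns_dir'), so the named.txt template variable no longer matches its value. Rename the key to BINDDNS_DIR in the template and here, or add a comment explaining why the old name is kept.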
@@ -1194,21 +1197,13 @@ def setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger,
     domainguid = get_domainguid(samdb, domaindn)
 
     secretsdb_setup_dns(secretsdb, names,
-                        paths.private_dir, realm=names.realm,
+                        paths.private_dir,
+                        paths.binddns_dir,
+                        realm=names.realm,
                         dnsdomain=names.dnsdomain,
                         dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
                         key_version_number=key_version_number)
 
-    dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
-    if os.path.isfile(dns_keytab_path) and paths.bind_gid is not None:
-        try:
-            os.chmod(dns_keytab_path, 0640)
-            os.chown(dns_keytab_path, -1, paths.bind_gid)
-        except OSError:
-            if not os.environ.has_key('SAMBA_SELFTEST'):
-                logger.info("Failed to chown %s to bind gid %u",
-                            dns_keytab_path, paths.bind_gid)
-
     create_dns_dir(logger, paths)
 
     if dns_backend == "BIND9_FLATFILE":
@@ -1228,7 +1223,7 @@ def setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger,
     create_named_txt(paths.namedtxt,
                      realm=names.realm, dnsdomain=names.dnsdomain,
                      dnsname = "%s.%s" % (names.hostname, names.dnsdomain),
-                     private_dir=paths.private_dir,
+                     binddns_dir=paths.binddns_dir,
                      keytab_name=paths.dns_keytab)
     logger.info("See %s for an example configuration include file for BIND",
                 paths.namedconf)
diff --git a/python/samba/tests/provision.py b/python/samba/tests/provision.py
index 11b0135..bada14f 100644
--- a/python/samba/tests/provision.py
+++ b/python/samba/tests/provision.py
@@ -42,6 +42,7 @@ def create_dummy_secretsdb(path, lp=None):
     paths = ProvisionPaths()
     paths.secrets = path
     paths.private_dir = os.path.dirname(path)
+    paths.binddns_dir = os.path.dirname(path)
     paths.keytab = "no.keytab"
     paths.dns_keytab = "no.dns.keytab"
     secrets_ldb = setup_secretsdb(paths, None, None, lp=lp)
@@ -59,6 +60,7 @@ class ProvisionTestCase(samba.tests.TestCaseInTempDir):
         secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb")
         paths.secrets = path
         paths.private_dir = os.path.dirname(path)
+        paths.binddns_dir = os.path.dirname(path)
         paths.keytab = "no.keytab"
         paths.dns_keytab = "no.dns.keytab"
         ldb = setup_secretsdb(paths, None, None, lp=env_loadparm())
diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index b3ef658..e16696a 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -512,6 +512,12 @@ sub write_clientconf($$$)
 	        mkdir("$clientdir/private", 0777);
 	}
 
+	if ( -d "$clientdir/bind-dns" ) {
+	        unlink <$clientdir/bind-dns/*>;
+	} else {
+	        mkdir("$clientdir/bind-dns", 0777);
+	}
+
 	if ( -d "$clientdir/lockdir" ) {
 	        unlink <$clientdir/lockdir/*>;
 	} else {
@@ -595,6 +601,7 @@ sub write_clientconf($$$)
 	}
 	print CF "
 	private dir = $clientdir/private
+	binddns dir = $clientdir/bind-dns
 	lock dir = $clientdir/lockdir
 	state directory = $clientdir/statedir
 	cache directory = $clientdir/cachedir
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 45c00ba..f4d033d 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1425,6 +1425,9 @@ sub provision($$$$$$$$$)
 	my $privatedir="$prefix_abs/private";
 	push(@dirs,$privatedir);
 
+	my $binddnsdir = "$prefix_abs/bind-dns";
+	push(@dirs, $binddnsdir);
+
 	my $lockdir="$prefix_abs/lockdir";
 	push(@dirs,$lockdir);
 
@@ -1674,6 +1677,7 @@ sub provision($$$$$$$$$)
 	workgroup = $domain
 
 	private dir = $privatedir
+	binddns dir = $binddnsdir
 	pid directory = $piddir
 	lock directory = $lockdir
 	log file = $logdir/log.\%m
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 205e281..39a64ae 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -467,6 +467,7 @@ sub provision_raw_prepare($$$$$$$$$$$)
 	$ctx->{krb5_ccache} = "$prefix_abs/krb5_ccache";
 	$ctx->{mitkdc_conf} = "$ctx->{etcdir}/mitkdc.conf";
 	$ctx->{privatedir} = "$prefix_abs/private";
+	$ctx->{binddnsdir} = "$prefix_abs/bind-dns";
 	$ctx->{ncalrpcdir} = "$prefix_abs/ncalrpc";
 	$ctx->{lockdir} = "$prefix_abs/lockdir";
 	$ctx->{logdir} = "$prefix_abs/logs";
@@ -494,6 +495,7 @@ sub provision_raw_prepare($$$$$$$$$$$)
 	$ctx->{interfaces} = "$ctx->{ipv4}/8 $ctx->{ipv6}/64";
 
 	push(@{$ctx->{directories}}, $ctx->{privatedir});
+	push(@{$ctx->{directories}}, $ctx->{binddnsdir});
 	push(@{$ctx->{directories}}, $ctx->{etcdir});
 	push(@{$ctx->{directories}}, $ctx->{piddir});
 	push(@{$ctx->{directories}}, $ctx->{lockdir});
@@ -584,6 +586,7 @@ sub provision_raw_step1($$)
 	workgroup = $ctx->{domain}
 	realm = $ctx->{realm}
 	private dir = $ctx->{privatedir}
+	binddns dir = $ctx->{binddnsdir}
 	pid directory = $ctx->{piddir}
 	ncalrpc dir = $ctx->{ncalrpcdir}
 	lock dir = $ctx->{lockdir}
@@ -725,6 +728,7 @@ nogroup:x:65534:nobody
 		STATEDIR => $ctx->{statedir},
 		CACHEDIR => $ctx->{cachedir},
 		PRIVATEDIR => $ctx->{privatedir},
+		BINDDNSDIR => $ctx->{binddnsdir},
 		SERVERCONFFILE => $ctx->{smb_conf},
 		CONFIGURATION => $configuration,
 		SOCKET_WRAPPER_DEFAULT_IFACE => $ctx->{swiface},
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index d5b1c56..42e579e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -550,6 +550,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 			 get_dyn_SMB_PASSWD_FILE());
 	lpcfg_string_set(Globals.ctx, &Globals.private_dir,
 			 get_dyn_PRIVATE_DIR());
+	lpcfg_string_set(Globals.ctx, &Globals.binddns_dir,
+			 get_dyn_BINDDNS_DIR());
 
 	/* use the new 'hash2' method by default, with a prefix of 1 */
 	lpcfg_string_set(Globals.ctx, &Globals.mangling_method, "hash2");
diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c
index 6ef378c..8e0820d 100644
--- a/source4/dns_server/dlz_bind9.c
+++ b/source4/dns_server/dlz_bind9.c
@@ -682,11 +682,23 @@ _PUBLIC_ isc_result_t dlz_create(const char *dlzname,
 	}
 
 	if (state->options.url == NULL) {
-		state->options.url = lpcfg_private_path(state, state->lp, "dns/sam.ldb");
+		state->options.url = lpcfg_private_path(state,
+							state->lp,
+							"dns/sam.ldb");
 		if (state->options.url == NULL) {
 			result = ISC_R_NOMEMORY;
 			goto failed;
 		}
+
+		if (!file_exist(state->options.url)) {
+			state->options.url = talloc_asprintf(state,
+							     "%s/dns/sam.ldb",
+							     lpcfg_binddns_dir(state->lp));
+			if (state->options.url == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto failed;
+			}
+		}
 	}
 
 	state->samdb = samdb_connect_url(state, state->ev_ctx, state->lp,
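Review bot: in the new file_exist() fallback, state->options.url is overwritten by talloc_asprintf() without freeing the string returned by lpcfg_private_path(), so the first allocation stays attached to state; a TALLOC_FREE(state->options.url) before the reassignment would tidy that up. A short comment above the check explaining the order (private dir first for backward compatibility, then 'binddns dir') is worth adding, since an old dns/sam.ldb left in the private dir will silently take precedence over the one in the new directory.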
@@ -1266,6 +1278,7 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const


-- 
Samba Shared Repository


