[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Sat Sep 16 02:48:02 UTC 2017


The branch, master has been updated
       via  e5a2e62 wafsamba: We need to honor DESTDIR in INSTALL_DIR
       via  05169a6 samba_upgradedns: When we setup the internal dns cleanup bind-dns dir
       via  8cf5c5f samba_upgradedns: Print better hints after we migrated the config
       via  aef2b91 samba_upgradedns: Change the group of the 'binddns dir' too
       via  ffb7d6b python:provision: Do not change the owner of the sam.ldb.d dir
       via  591b086 python:provision: Change the group of the 'binddns dir' too
       via  bf64939 s4:bind_dlz: Try the 'binddns dir' first
       via  1c29a8b dynconfig: Fix location of the default 'binddns dir'
       via  4880e8a samba:provision: Give a hint to copy the krb5.conf and not symlink it
       via  2bf9b5e wafsamba: Do not chmod already existing dirs on install
      from  e115a42 getncchanges.c: Send linked attributes in each chunk

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e5a2e6291a88757eae7a9e7ad58d8465c0509896
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Sep 12 15:56:44 2017 +0200

    wafsamba: We need to honor DESTDIR in INSTALL_DIR
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Sat Sep 16 04:47:29 CEST 2017 on sn-devel-144

commit 05169a6047e6e3271949c96652a667f624e9a62d
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Sep 5 11:47:27 2017 +0200

    samba_upgradedns: When we setup the internal dns cleanup bind-dns dir
    
    Make sure to remove everything from the bind-dns directory to avoid
    possible security issues with the named group having write access to all
    AD partitions
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 8cf5c5f0fae97c7215eb09070049cdb29377dc97
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Sep 6 07:25:40 2017 +0200

    samba_upgradedns: Print better hints after we migrated the config
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit aef2b915a2020786f79650078b318d471a6f0381
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Sep 6 10:06:40 2017 +0200

    samba_upgradedns: Change the group of the 'binddns dir' too
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit ffb7d6b50e0c079f10f881148c584da1c9681310
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Sep 6 07:25:04 2017 +0200

    python:provision: Do not change the owner of the sam.ldb.d dir
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 591b086bf18d771c1b34526431aea82a93d5d7a0
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Sep 6 07:23:57 2017 +0200

    python:provision: Change the group of the 'binddns dir' too
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit bf64939d22d33e26e11e73f41ee2db09a48c8d3c
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Aug 22 17:10:01 2017 +0200

    s4:bind_dlz: Try the 'binddns dir' first
    
    The directory is normally empty if you did not provision or call
    samba_upgradedns for the bind_dlz module.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 1c29a8b3477cd2c030ee21465e0d4a9ec943b590
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 10 15:04:08 2017 +0200

    dynconfig: Fix location of the default 'binddns dir'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 4880e8a7e695663e820376d6c4e3933821dcb8fb
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Sep 5 20:36:47 2017 +0200

    samba:provision: Give a hint to copy the krb5.conf and not symlink it
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 2bf9b5e166f8440a09db937e2936a43d1dcd2ae3
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Sep 5 14:18:44 2017 +0200

    wafsamba: Do not chmod already existing dirs on install
    
    This might break backward compatibility.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 buildtools/wafsamba/wafsamba.py        | 19 ++++++++-------
 dynconfig/wscript                      | 12 +++++-----
 python/samba/provision/__init__.py     | 11 +++++++++
 python/samba/provision/sambadns.py     |  3 ---
 source4/dns_server/dlz_bind9.c         | 12 +++++-----
 source4/scripting/bin/samba_upgradedns | 42 +++++++++++++++++++++++++++++++---
 6 files changed, 71 insertions(+), 28 deletions(-)


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index 57913af..23fd3c4 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -885,31 +885,30 @@ def INSTALL_WILDCARD(bld, destdir, pattern, chmod=MODE_644, flat=False,
                   python_fixup=python_fixup, base_name=trim_path)
 Build.BuildContext.INSTALL_WILDCARD = INSTALL_WILDCARD
 
-def INSTALL_DIR(bld, path, chmod=0o755):
+def INSTALL_DIR(bld, path, chmod=0o755, env=None):
     """Install a directory if it doesn't exist, always set permissions."""
 
     if not path:
         return []
 
+    destpath = bld.get_install_path(path, env)
+
     if bld.is_install > 0:
-        path = bld.EXPAND_VARIABLES(path)
-        if not os.path.isdir(path):
+        if not os.path.isdir(destpath):
             try:
-                os.makedirs(path)
-                os.chmod(path, chmod)
+                os.makedirs(destpath)
+                os.chmod(destpath, chmod)
             except OSError, e:
-                if not os.path.isdir(path):
+                if not os.path.isdir(destpath):
                     raise Utils.WafError("Cannot create the folder '%s' (error: %s)" % (path, e))
-        else:
-            os.chmod(path, chmod)
 Build.BuildContext.INSTALL_DIR = INSTALL_DIR
 
-def INSTALL_DIRS(bld, destdir, dirs, chmod=0o755):
+def INSTALL_DIRS(bld, destdir, dirs, chmod=0o755, env=None):
     '''install a set of directories'''
     destdir = bld.EXPAND_VARIABLES(destdir)
     dirs = bld.EXPAND_VARIABLES(dirs)
     for d in TO_LIST(dirs):
-        INSTALL_DIR(bld, os.path.join(destdir, d), chmod)
+        INSTALL_DIR(bld, os.path.join(destdir, d), chmod, env)
 Build.BuildContext.INSTALL_DIRS = INSTALL_DIRS
 
 
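Review bot: the error message in the `except OSError, e:` branch still formats `path` rather than `destpath`, and since the `path = bld.EXPAND_VARIABLES(path)` line was removed, a failure now reports the raw unexpanded template instead of the DESTDIR-qualified directory that `os.makedirs(destpath)` actually tried to create; use `raise Utils.WafError("Cannot create the folder '%s' (error: %s)" % (destpath, e))`. The docstring "Install a directory if it doesn't exist, always set permissions." is also no longer true: with the `else: os.chmod(path, chmod)` branch gone, a pre-existing directory keeps whatever mode it already has. That is the intended behaviour per the commit message, but the docstring should say so, because packagers who relied on `make install` to fix the mode of a distro-created directory will see a change.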
diff --git a/dynconfig/wscript b/dynconfig/wscript
index fee37ea..54977e4 100644
--- a/dynconfig/wscript
+++ b/dynconfig/wscript
@@ -174,6 +174,12 @@ dynconfig = {
          'OPTION':    '--with-privatedir',
          'HELPTEXT':  'Where to put sam.ldb and other private files',
     },
+    'BINDDNS_DIR' : {
+         'STD-PATH':  '${PREFIX}/bind-dns',
+         'FHS-PATH':  '${LOCALSTATEDIR}/lib/samba/bind-dns',
+         'OPTION':    '--with-bind-dns-dir',
+         'HELPTEXT':  'bind-dns config directory',
+    },
     'LOCKDIR' : {
          'STD-PATH':  '${LOCALSTATEDIR}/lock',
          'FHS-PATH':  '${LOCALSTATEDIR}/lock/samba',
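Review bot: this hunk re-adds the `BINDDNS_DIR` entry at a new position in the dict instead of editing it in place, so the only substantive change, `STD-PATH` going from `${LOCALSTATEDIR}/lib` to `${PREFIX}/bind-dns`, is split across two hunks and easy to overlook; either leave the entry where it was and change just the `STD-PATH` line, or state in the commit message that the block was moved. The new value is the right fix: `${LOCALSTATEDIR}/lib` is a general-purpose directory rather than one dedicated to BIND, and the provision and samba_upgradedns hunks in this same changeset now do `os.chmod(paths.binddns_dir, 0o770)` and chown it to the bind gid, which must only ever land on a directory that contains nothing but the BIND material.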
@@ -192,12 +198,6 @@ dynconfig = {
          'OPTION':    '--with-statedir',
          'HELPTEXT':  'Where to put persistent state files',
     },
-    'BINDDNS_DIR' : {
-         'STD-PATH':  '${LOCALSTATEDIR}/lib',
-         'FHS-PATH':  '${LOCALSTATEDIR}/lib/samba/bind-dns',
-         'OPTION':    '--with-bind-dns-dir',
-         'HELPTEXT':  'bind-dns config directory',
-    },
     'CACHEDIR' : {
          'STD-PATH':  '${LOCALSTATEDIR}/cache',
          'FHS-PATH':  '${LOCALSTATEDIR}/cache/samba',
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index f820f6a..07c2479 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -2200,6 +2200,9 @@ def provision(logger, session_info, smbconf=None,
                          realm=names.realm)
         logger.info("A Kerberos configuration suitable for Samba AD has been "
                     "generated at %s", paths.krb5conf)
+        logger.info("Merge the contents of this file with your system "
+                    "krb5.conf or replace it with this one. Do not create a "
+                    "symlink!")
 
         if serverrole == "active directory domain controller":
             create_dns_update_list(lp, logger, paths)
@@ -2236,6 +2239,14 @@ def provision(logger, session_info, smbconf=None,
         # chown the dns.keytab in the bind-dns directory
         if paths.bind_gid is not None:
             try:
+                os.chmod(paths.binddns_dir, 0770)
+                os.chown(paths.binddns_dir, -1, paths.bind_gid)
+            except OSError:
+                if not os.environ.has_key('SAMBA_SELFTEST'):
+                    logger.info("Failed to chown %s to bind gid %u",
+                                paths.binddns_dir, paths.bind_gid)
+
+            try:
                 os.chmod(bind_dns_keytab_path, 0640)
                 os.chown(bind_dns_keytab_path, -1, paths.bind_gid)
             except OSError:
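Review bot: the `except OSError` branch logs "Failed to chown %s to bind gid %u" at info level, but the `try` now also contains `os.chmod(paths.binddns_dir, 0770)`, so a chmod failure is reported as a chown failure, and a failure that leaves BIND unable to read its keytab and dns partition is logged no louder than routine progress; use `logger.warning` with a message naming both operations. Two smaller points: the comment "# chown the dns.keytab in the bind-dns directory" now sits above the directory chmod/chown rather than the keytab one, and the octal literal is spelled `0770` here but `0o770` in the equivalent samba_upgradedns hunk; the `0o` form works on Python 2.6+ and 3 and should be used in both places.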
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index fce72ad..a405065 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -868,9 +868,6 @@ def create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid):
     # Give bind read/write permissions dns partitions
     if paths.bind_gid is not None:
         try:
-            os.chown(samldb_dir, -1, paths.bind_gid)
-            os.chmod(samldb_dir, 0750)
-
             for dirname, dirs, files in os.walk(dns_dir):
                 for d in dirs:
                     dpath = os.path.join(dirname, d)
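Review bot: dropping `os.chown(samldb_dir, -1, paths.bind_gid)` and `os.chmod(samldb_dir, 0750)` only keeps BIND working if `dns_dir`, which the loop below walks, now lives under the bind-dns directory rather than under `samldb_dir` in the private dir; the hunk does not show where `dns_dir` is derived, so please confirm that in the commit message (the dlz_bind9.c change in this changeset expects `%s/dns/sam.ldb` under `lpcfg_binddns_dir()`, which suggests it does). Removing group access on `sam.ldb.d` is the right direction, since that directory holds all AD partitions, not just the dns ones.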
diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c
index 8e0820d..9bf1b61 100644
--- a/source4/dns_server/dlz_bind9.c
+++ b/source4/dns_server/dlz_bind9.c
@@ -682,9 +682,9 @@ _PUBLIC_ isc_result_t dlz_create(const char *dlzname,
 	}
 
 	if (state->options.url == NULL) {
-		state->options.url = lpcfg_private_path(state,
-							state->lp,
-							"dns/sam.ldb");
+		state->options.url = talloc_asprintf(state,
+						     "%s/dns/sam.ldb",
+						     lpcfg_binddns_dir(state->lp));
 		if (state->options.url == NULL) {
 			result = ISC_R_NOMEMORY;
 			goto failed;
@@ -693,7 +693,7 @@ _PUBLIC_ isc_result_t dlz_create(const char *dlzname,
 		if (!file_exist(state->options.url)) {
 			state->options.url = talloc_asprintf(state,
 							     "%s/dns/sam.ldb",
-							     lpcfg_binddns_dir(state->lp));
+							     lpcfg_private_dir(state->lp));
 			if (state->options.url == NULL) {
 				result = ISC_R_NOMEMORY;
 				goto failed;
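Review bot: the fallback to `lpcfg_private_dir()` when `%s/dns/sam.ldb` is absent from the bind-dns dir is silent, so an administrator who has run samba_upgradedns has no way to tell from the BIND log whether the plugin opened the new copy or is still using the old one in the private directory (the upgrade script in this changeset removes the old files only on the SAMBA_INTERNAL path); log the final `state->options.url` with `state->log(ISC_LOG_INFO, ...)` once the choice is made, so the migration can be verified from the BIND side.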
@@ -1322,7 +1322,7 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
 
 	keytab_file = talloc_asprintf(tmp_ctx,
 				      "%s/dns.keytab",
-				      lpcfg_private_dir(state->lp));
+				      lpcfg_binddns_dir(state->lp));
 	if (keytab_file == NULL) {
 		state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!");
 		talloc_free(tmp_ctx);
@@ -1332,7 +1332,7 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
 	if (!file_exist(keytab_file)) {
 		keytab_file = talloc_asprintf(tmp_ctx,
 					      "%s/dns.keytab",
-					      lpcfg_binddns_dir(state->lp));
+					      lpcfg_private_dir(state->lp));
 		if (keytab_file == NULL) {
 			state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!");
 			talloc_free(tmp_ctx);
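Review bot: the try-binddns-dir-then-private-dir sequence for `dns.keytab` here is the same pattern as the one for `dns/sam.ldb` in `dlz_create()` above, including the duplicated out-of-memory handling; factor it into a small static helper that takes the relative file name and returns the first existing candidate, so the search order is defined in one place and a later change (for example dropping the private-dir fallback once migrations are complete) cannot leave the two lookups inconsistent.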
diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
index 2582da0..261d8a1 100755
--- a/source4/scripting/bin/samba_upgradedns
+++ b/source4/scripting/bin/samba_upgradedns
@@ -442,6 +442,12 @@ if __name__ == '__main__':
 
     # Special stuff for DLZ backend
     if opts.dns_backend == "BIND9_DLZ":
+        config_migration = False
+
+        if (paths.private_dir != paths.binddns_dir and
+            os.path.isfile(os.path.join(paths.private_dir, "named.conf"))):
+            config_migration = True
+
         # Check if dns-HOSTNAME account exists and create it if required
         secrets_msgs = ldbs.secrets.search(expression='(samAccountName=dns-%s)' % hostname, attrs=['secret'])
         msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
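Review bot: `config_migration` is decided solely by whether `named.conf` exists in `paths.private_dir`; a setup whose private dir still holds `dns.keytab` or `dns/sam.ldb` but no `named.conf` (removed by hand, or a very old provision) is treated as a fresh setup and receives the standard "See %s for an example configuration" hint rather than the "has been moved" notice added further down, even though its keytab and partition are relocated just the same. Consider also testing for `dns.keytab` in `paths.private_dir`, or add a comment explaining why `named.conf` alone is the right indicator.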
@@ -506,6 +512,13 @@ if __name__ == '__main__':
             # chown the dns.keytab in the bind-dns directory
             if paths.bind_gid is not None:
                 try:
+                    os.chmod(paths.binddns_dir, 0o770)
+                    os.chown(paths.binddns_dir, -1, paths.bind_gid)
+                except OSError:
+                    if not os.environ.has_key('SAMBA_SELFTEST'):
+                        logger.info("Failed to chown %s to bind gid %u",
+                                    paths.binddns_dir, paths.bind_gid)
+                try:
                     os.chmod(bind_dns_keytab_path, 0640)
                     os.chown(bind_dns_keytab_path, -1, paths.bind_gid)
                 except OSError:
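Review bot: as in the provision hunk, the `except OSError` branch logs "Failed to chown %s to bind gid %u" although the `try` also runs `os.chmod(paths.binddns_dir, 0o770)`, and a failure that leaves BIND unable to read its keytab or dns partition is emitted at info level; use `logger.warning` with a message that names both operations. `0o770` and `0640` are also mixed within a few lines; use the `0o` form for both.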
@@ -530,10 +543,33 @@ if __name__ == '__main__':
 
         cleanup_obsolete_dns_files(paths)
 
-        logger.info("See %s for an example configuration include file for BIND", paths.namedconf)
-        logger.info("and %s for further documentation required for secure DNS "
-                    "updates", paths.namedtxt)
+        if config_migration:
+            logger.info("ATTENTION: The BIND configuration and keytab has been moved to: %s",
+                        paths.binddns_dir)
+            logger.info("           Please update your BIND configuration accordingly.")
+        else:
+            logger.info("See %s for an example configuration include file for BIND", paths.namedconf)
+            logger.info("and %s for further documentation required for secure DNS "
+                        "updates", paths.namedtxt)
+
     elif opts.dns_backend == "SAMBA_INTERNAL":
+        # Make sure to remove everything from the bind-dns directory to avoid
+        # possible security issues with the named group having write access
+        # to all AD partions
+        cleanup_remove_file(os.path.join(paths.binddns_dir, "dns.keytab"))
+        cleanup_remove_file(os.path.join(paths.binddns_dir, "named.conf"))
+        cleanup_remove_file(os.path.join(paths.binddns_dir, "named.conf.update"))
+        cleanup_remove_file(os.path.join(paths.binddns_dir, "named.txt"))
+
+        cleanup_remove_dir(os.path.dirname(paths.dns))
+
+        try:
+            os.chmod(paths.private_dir, 0o700)
+            os.chown(paths.private_dir, -1, 0)
+        except:
+            logger.warn("Failed to restore owner and permissions for %s",
+                        (paths.private_dir))
+
         # Check if dns-HOSTNAME account exists and delete it if required
         try:
             dn_str = 'samAccountName=dns-%s,CN=Principals' % hostname
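Review bot: the bare `except:` around `os.chmod(paths.private_dir, 0o700)` / `os.chown(paths.private_dir, -1, 0)` swallows everything, including `KeyboardInterrupt` and `SystemExit`; narrow it to `except OSError as e:` and include the exception text in the message, and since a private dir left group-accessible to the named group is exactly the exposure the comment above describes, `logger.warning` is the minimum level for it (the parentheses in `(paths.private_dir)` are a no-op, not a tuple, and can go). The comment in the hunk also carries the typo "partions", and the four `cleanup_remove_file` calls plus `cleanup_remove_dir(os.path.dirname(paths.dns))` should each log what they removed, so that an operator switching backends can see from the output that the old BIND material is gone.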


-- 
Samba Shared Repository


