[PATCH] Use samba-tool to add DNS entries with samba_dnsupdate

Stefan Metzmacher metze at samba.org
Wed Sep 2 14:35:20 UTC 2015


Hi Andrew,

>> This exposes an interesting thing that we need.  Adding this exposes a
>> missing feature in resolv_wrapper, because it now can no longer find
>> short names, as it needs to implement the 'search' keyword.
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=11478
>>
>> I looked into why another improbable case worked (looking for a
>> workaround), and noticed this bug:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=11477
>>
>> Once we fix that, we will need to fix
>> torture/rpc/lsa.c:check_pw_with_krb5(), as it relies on this bug (or
>> run that test against $SERVER_IP).
>>
>> In the meantime, I'm running another autobuild to see how far we get
>> when using nss_wrapper and resolv_wrapper.
> 
> I've updated my samba_dnsupdate-and-tests-base with an initial test,
> that uses this framework, so I'm keen to see if we can get this in.

Please remove
https://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=60c55dba36a5be8acbc6a6b9956007b213b2a57d
it doesn't belong there.

I think the dns_update_list is not really correct, it means we
would try to update NS records via dns and only some of them also
via RPC. See
https://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=0289fc83ac23a01fda68f8fbc84ab80f2e48407c
https://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=640e3d568a91ebb93f9bae2ecda5d051698895a5

We should only do it via RPC and all domains, see
https://git.samba.org/?p=metze/samba/wip.git;a=commit;h=c57c578539e65ce4fa9c4bc2c61b08ad9900a40a

Can we squash
https://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=6067c9156da3162c51b77ea3883baad198364399
into
https://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=d1de5add159aedf1f8f9f22c3f0093472ee2e53a
?

> Sorting out the forwarding required for the new trusts tests will be
> key for that,

We should implement the conditional dns forwarder logic and also read
the configured forwarders for the ldb file instead of smb.conf.

> but in the meantime, how do we get these samba_dnsupdate
> improvements to our users?

One problem is that 'dns_update_list' is a config file, it would be
good to have a way to update it as part of a Samba update.

A possible solution might be, not copying 'dns_update_list' as part of
the provision/dc join, and use the one from
/usr/share/samba/setup/dns_update_list.

So we could use a logic like this:

a) if /var/lib/samba/private/dns_update_list does not exist we use
  /usr/share/samba/setup/dns_update_list. This will be the case for all
  new installations.

b) if /var/lib/samba/private/dns_update_list.extra exists, internally
   append its content to the content of a)

This way we can update existing installations in future more easily
(similar to what we did with the 'samba_dsdb' ldb module).

If we do this we should also use such a logic for spn_update_list.

If wanted, packagers can add some rpm or dpkg magic to delete
/var/lib/samba/private/dns_update_list if it wasn't modified by the admin.

Otherwise an admin can remove /var/lib/samba/private/dns_update_list on
his own.

metze
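
Added example, not part of the original message and not Samba's own code: a sketch of the a)/b) lookup proposed above, taking the list name as a parameter so the same logic also covers spn_update_list. The function names, the precedence given to an existing private copy, the '#' comment handling and all sample entries are assumptions.

```python
import os
import tempfile


def load_update_list(name, private_dir, setup_dir):
    """Return (sources, entries) for 'dns_update_list' or 'spn_update_list'."""
    private = os.path.join(private_dir, name)
    # a) use the shipped default unless a private copy exists
    #    (assumption: an existing private copy keeps precedence)
    base = private if os.path.exists(private) else os.path.join(setup_dir, name)
    sources = [base]
    # b) admin additions live in <name>.extra and are appended to the base
    extra = private + ".extra"
    if os.path.exists(extra):
        sources.append(extra)
    entries = []
    for path in sources:
        with open(path) as f:
            for line in f:
                line = line.strip()
                # assumption: blank lines and '#' comments carry no entry;
                # exact duplicates between base and .extra are dropped
                if line and not line.startswith("#") and line not in entries:
                    entries.append(line)
    return sources, entries


def demo():
    """Constructed directories and entries standing in for the real paths."""
    with tempfile.TemporaryDirectory() as root:
        private = os.path.join(root, "private")
        setup = os.path.join(root, "setup")
        os.makedirs(private)
        os.makedirs(setup)

        def put(directory, fname, text):
            with open(os.path.join(directory, fname), "w") as f:
                f.write(text)

        name = "dns_update_list"
        put(setup, name, "# shipped default\nA dc1.example.test 192.0.2.10\n")
        fresh = load_update_list(name, private, setup)[1]       # new install
        put(private, name + ".extra",
            "A www.example.test 192.0.2.20\nA dc1.example.test 192.0.2.10\n")
        with_extra = load_update_list(name, private, setup)[1]  # default + extra
        put(private, name, "A old.example.test 192.0.2.30\n")
        legacy = load_update_list(name, private, setup)[1]      # old private copy
        return fresh, with_extra, legacy


if __name__ == "__main__":
    print(demo())
```

The third case shows why the message suggests removing an unmodified private copy: while it exists, changes to the shipped default never reach that installation.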
