[PATCH] fix for bug 10882

Andrew Bartlett abartlet at samba.org
Thu Sep 8 20:50:35 UTC 2016


On Fri, 2016-09-09 at 07:07 +1200, Andrew Bartlett wrote:
> On Thu, 2016-09-08 at 18:33 +0100, Rowland Penny wrote:
> > I am posting this at Jeremy's request; this patch, along with Garmin's
> > patch, fixes the inability to recreate a deleted Bind user 'dns-*'
> > with samba_upgradedns.
> > 
> > It is quite a simple patch: it moves the deletion of the users from
> > the bottom of the script (where they are only deleted if you are
> > upgrading to the internal dns server and they exist) to midway in the
> > script, before the script portions for 'BIND9_DLZ' and
> > 'SAMBA_INTERNAL'. It doesn't matter if they are deleted here, because
> > if they are required, they will be created again.
> > 
> > This has always worked for me since I wrote it two months ago; it
> > just didn't work if your AD DC was created with an old version.
> > Garmin's patch fixes this.
> > 
> > Jeremy asked me to post Garmin's patch, but it is already posted
> > here:
> > 
> > https://lists.samba.org/archive/samba-technical/2016-September/116018.html
> 
> Thanks for posting this, and for your patience continuing to chase
> this down for the benefit of our users.  I certainly accept the
> attraction of a clean slate: removing the account and starting again.
> 
> However, in the 'still need the account' case I think we should work
> hard to keep the account, not only to avoid replication churn and
> using a RID, but also so that outstanding Kerberos tickets are not
> unnecessarily refused.
> 
> A client may hold tickets against the old account and old password
> for 10 hours.
> 
> For that reason, while I quite understand your reasoning, I don't
> accept that it 'doesn't matter' about deleting/re-creating the
> account, and we should avoid that if at all possible.
> 
> Sorry,

To be clear, I'm trying to cover the case where the account is already
OK and in the databases correctly, so that if you already have the
required accounts for 'samba_upgradedns --dns-backend=BIND9_DLZ' that
nothing changes.

My view is that we should check, then correct, the accounts, rather than
just unconditionally correct them, and only if one side or the other is
missing correct it and reset the password.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
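The "check, then correct" approach argued for in the message above, written out as an added illustration. This is not code from samba_upgradedns or the Samba project; the account database and the secrets store are modelled as plain in-memory objects, and Directory, Outcome, reconcile_account and delete_and_recreate are stand-in names. The point it shows is which of the three states (both sides agree, account present but secret lost, account absent) actually needs a RID consumed or a password reset, next to the unconditional delete-and-recreate, which always does both.

```python
# Added illustration, not code from samba_upgradedns or the Samba project:
# a "check, then correct" reconciliation of a service account across the
# two places it must agree (the account database and the secrets store),
# beside the unconditional delete-and-recreate it replaces. Directory,
# Outcome, reconcile_account and delete_and_recreate are stand-ins.
import secrets
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Stand-in for the account database: name -> {"rid", "password"}.
    Creating an account consumes a RID, as it would in AD."""
    accounts: dict = field(default_factory=dict)
    next_rid: int = 1100

    def create(self, name, password):
        rid = self.next_rid
        self.next_rid += 1
        self.accounts[name] = {"rid": rid, "password": password}
        return rid

    def delete(self, name):
        self.accounts.pop(name, None)


@dataclass
class Outcome:
    action: str   # "unchanged", "password_reset" or "created"
    rid: int      # RID the account holds afterwards


def reconcile_account(directory, secrets_store, name, new_password=None):
    """Make the directory and the secrets store agree on `name`, doing the
    least that is needed. The account (and its RID) is kept whenever it
    already exists; the password is only reset when the stored secret is
    missing or stale, since a reset also invalidates outstanding Kerberos
    tickets issued against the old password."""
    record = directory.accounts.get(name)
    stored = secrets_store.get(name)

    if record is not None and stored == record["password"]:
        return Outcome("unchanged", record["rid"])     # both sides OK

    if new_password is None:
        new_password = secrets.token_urlsafe(24)       # fresh random secret

    if record is not None:
        # Account exists but the secret is lost or stale: keep the RID,
        # reset the password once and re-sync the secrets store.
        record["password"] = new_password
        secrets_store[name] = new_password
        return Outcome("password_reset", record["rid"])

    # Account is absent: this is the only case that must consume a RID.
    rid = directory.create(name, new_password)
    secrets_store[name] = new_password
    return Outcome("created", rid)


def delete_and_recreate(directory, secrets_store, name, new_password=None):
    """The unconditional approach: always burns a RID and always
    invalidates whatever tickets clients hold for the old password."""
    if new_password is None:
        new_password = secrets.token_urlsafe(24)
    directory.delete(name)
    secrets_store.pop(name, None)
    rid = directory.create(name, new_password)
    secrets_store[name] = new_password
    return Outcome("created", rid)


if __name__ == "__main__":
    # Constructed sample state: the account exists and both sides agree.
    d = Directory({"dns-dc1": {"rid": 1105, "password": "old-secret"}},
                  next_rid=1106)
    s = {"dns-dc1": "old-secret"}
    print(reconcile_account(d, s, "dns-dc1"))     # unchanged, rid 1105
    print(delete_and_recreate(d, s, "dns-dc1"))   # created, rid 1106
```

Run against the same starting state, reconcile_account leaves a correct account alone, while delete_and_recreate consumes a new RID and a new password every time, which is exactly the replication churn and ticket refusal the message warns about.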






