[PATCH] fix for bug 10882

Rowland Penny repenny241155 at gmail.com
Fri Sep 9 11:55:21 UTC 2016


On Fri, 09 Sep 2016 08:50:35 +1200
Andrew Bartlett <abartlet at samba.org> wrote:

> On Fri, 2016-09-09 at 07:07 +1200, Andrew Bartlett wrote:
> > On Thu, 2016-09-08 at 18:33 +0100, Rowland Penny wrote:
> > > I am posting this at Jeremy's request. This patch, along with
> > > Garmin's patch, fixes the inability to recreate a deleted Bind user
> > > 'dns-*' with samba_upgradedns.
> > > 
> > > It is quite a simple patch: it moves the deletion of the users from
> > > the bottom of the script (where they are only deleted if you are
> > > upgrading to the internal dns server and they exist) to midway in
> > > the script, before the script portions for 'BIND9_DLZ' and
> > > 'SAMBA_INTERNAL'. It doesn't matter if they are deleted here,
> > > because if they are required, they will be created again.
> > > 
> > > This has always worked for me since I wrote it two months ago; it
> > > just didn't work if your AD DC was created with an old version.
> > > Garmin's patch fixes this.
> > > 
> > > Jeremy asked me to post Garmin's patch, but it is already posted
> > > here:
> > > 
> > > https://lists.samba.org/archive/samba-technical/2016-September/116018.html
> > 
> > Thanks for posting this, and for your patience continuing to chase
> > this down for the benefit of our users.  I certainly accept the
> > attraction of a clean slate: removing the account and starting again.
> > 
> > However, in the 'still need the account' case I think we should work
> > hard to keep the account, not only to avoid replication churn and
> > using a RID, but also so that outstanding Kerberos tickets are not
> > unnecessarily refused.
> > 
> > A client may hold tickets against the old account and old password
> > for 10 hours.
> > 
> > For that reason, while I quite understand your reasoning, I don't
> > accept that it 'doesn't matter' about deleting/re-creating the
> > account, and we should avoid that if at all possible.
> > 
> > Sorry,
> 
> To be clear, I'm trying to cover the case where the account is already
> OK and in the databases correctly, so that if you already have the
> required accounts for 'samba_upgradedns --dns-backend=BIND9_DLZ' that
> nothing changes.
> 
> My view is that we should check, then correct, rather than just
> unconditionally correct, the accounts, and only if one side or other
> is missing then correct it and reset the password.  
> 
> Sorry,
> 
> Andrew Bartlett
> 

OK Andrew, how about this patch?
It will only delete 'dns-*' users if you use
--dns-backend=SAMBA_INTERNAL. If you use --dns-backend=BIND9_DLZ, the
users will only be created if they do not exist; also, if the user
exists in secrets.ldb and doesn't have a saltPrincipal attribute, this
will be added.

Rowland
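The behaviour Andrew asks for and Rowland describes (delete the 'dns-*' account only for SAMBA_INTERNAL; for BIND9_DLZ create only what is missing, reset the password only when one side is missing, and add a missing saltPrincipal) can be sketched as an idempotent reconcile step. The model below is an added illustration, not the posted patch and not code from samba_upgradedns: the two dicts stand in for sam.ldb and secrets.ldb, and the function name, the host name, the realm and the saltPrincipal format are constructed assumptions.

```python
"""Toy check-then-correct reconciliation of a BIND 'dns-<host>' account.

Added illustration only; not samba_upgradedns or the patch under discussion.
`sam` and `secret` are plain dicts standing in for sam.ldb and secrets.ldb.
Attribute names other than 'saltPrincipal' and the principal format are
constructed for the example.
"""
import secrets as _secrets
from typing import Dict, List

BIND9_DLZ = "BIND9_DLZ"
SAMBA_INTERNAL = "SAMBA_INTERNAL"


def _new_password() -> str:
    # Random, not derived from anything an attacker could guess.
    return _secrets.token_urlsafe(24)


def reconcile_dns_account(backend: str, hostname: str, realm: str,
                          sam: Dict[str, dict], secret: Dict[str, dict]) -> List[str]:
    """Bring dns-<hostname> into the state `backend` needs and report actions.

    Returns the list of changes made, so a second run on the same state can
    be seen to make none (the account, and any tickets against it, survive).
    """
    name = f"dns-{hostname}"
    salt_principal = f"{name}@{realm.upper()}"  # constructed format
    actions: List[str] = []

    if backend == SAMBA_INTERNAL:
        # The internal DNS server needs no BIND account: remove it wherever present.
        if sam.pop(name, None) is not None:
            actions.append(f"deleted {name} from sam")
        if secret.pop(name, None) is not None:
            actions.append(f"deleted {name} from secrets")
        return actions
    if backend != BIND9_DLZ:
        raise ValueError(f"unknown dns backend: {backend}")

    # BIND9_DLZ: create only what is missing. A complete account is left alone.
    created_pw = None
    if name not in sam:
        created_pw = _new_password()
        sam[name] = {"sAMAccountName": name, "password": created_pw}
        actions.append(f"created {name} in sam")

    if name not in secret:
        if created_pw is None:
            # sam has the account but secrets does not: reset so both sides agree.
            created_pw = _new_password()
            sam[name]["password"] = created_pw
            actions.append(f"reset password of {name}")
        secret[name] = {"sAMAccountName": name, "password": created_pw,
                        "saltPrincipal": salt_principal}
        actions.append(f"created {name} in secrets")
    else:
        if created_pw is not None:
            # secrets had the account but sam did not: align the stored password.
            secret[name]["password"] = created_pw
            actions.append(f"updated password of {name} in secrets")
        if "saltPrincipal" not in secret[name]:
            # Old DCs lack this attribute; add it without touching the password.
            secret[name]["saltPrincipal"] = salt_principal
            actions.append(f"added saltPrincipal to {name}")
    return actions
```

Running the function twice with the same backend makes no changes the second time, which is the property Andrew is asking for: an already correct account is never deleted and recreated, so nothing about it (RID, password, outstanding tickets) changes.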