[PATCH] Create a 'binddns dir' for files used by the bind_dlz module and named

Andrew Bartlett abartlet at samba.org
Mon Sep 4 19:22:39 UTC 2017


On Mon, 2017-09-04 at 21:15 +0200, Andreas Schneider wrote:
> On Friday, 1 September 2017 00:19:43 CEST Jeremy Allison wrote:
> > On Thu, Aug 31, 2017 at 10:15:00AM +0200, Andreas Schneider wrote:
> > > > which explicitly creates paths.private_dir as far as I can tell.
> > > > 
> > > > Python debugging in autobuild leaves a lot to be desired...
> > > 
> > > I've added a function directory_create_or_exists() which will not complain
> > > if the directory already exists. The function does not enforce directory
> > > permissions.
> > 
> > Sorry, Andreas, still failing:
> > 
> > [38(660)/2195 at 6m45s] samba4.blackbox.upgradeprovision.alpha13
> > UNEXPECTED(failure):
> > samba4.blackbox.upgradeprovision.alpha13.referenceprovision(none) REASON:
> > Exception: Exception: Administrator password will be set randomly! You are
> > not root or your system does not support xattr, using tdb backend for
> > attributes. not using extended attributes to store ACLs and other metadata.
> > If you intend to use this provision in production, rerun the script as root
> > on a system supporting xattrs. No IPv4 address will be assigned
> > ERROR(<type 'exceptions.NameError'>): uncaught exception - global name
> > 'errno' is not defined File "bin/python/samba/netcmd/__init__.py", line
> > 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "bin/python/samba/netcmd/domain.py", line 474, in run
> >     nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
> >   File "bin/python/samba/provision/__init__.py", line 2081, in provision
> >     directory_create_or_exists(paths.binddns_dir, 0o770)
> >   File "bin/python/samba/provision/__init__.py", line 1940, in
> > directory_create_or_exists
> >     if e.errno in [errno.EEXIST]:
> > :-(.
> 
> This thing really haunts me. I've needed to create a hardlink for the 
> dns.keytab too. Because you're not able to specify a path. We really should 
> get rid of this hack one day.
> 
> > FreeIPA uses a bind ldap module; maybe we can use that one day.

How does that handle transactions?  I wanted to do this over ldapi when
it started, but I understood that oddities meant that we needed direct
LDB access and transactions. 

Now, that wouldn't help on the keytab, but that is much more within our
gift to fix.

> However here is patch8 and this one passed several private autobuilds for me.


Andreas,

I know this won't make you very happy, but I think this is a 4.8 patch
at this point.  You can of course patch Fedora packages, but I fear
further dragons, given the fight it has given so far, and while parts
of the DLZ mode are tested (thankfully!) the whole integration is not
verified in make test.  

Now that we have cwrap, that could and should change. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
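
An added example, not part of the original message and not Samba's code: a sketch of a create-or-exists helper like the directory_create_or_exists() described in the quoted thread, with the errno import whose absence the quoted traceback reports. The not-a-directory check, extra_mode_bits() and demo() are assumptions added for illustration, and all paths are constructed.

```python
import errno
import os
import stat
import tempfile


def directory_create_or_exists(path, mode=0o755):
    """Create path. Return True if created, False if it already existed.
    Does not change the permissions of an existing directory.
    """
    try:
        os.mkdir(path, mode)
        return True
    except OSError as e:
        # Without "import errno" this comparison is the NameError in the quoted traceback.
        if e.errno != errno.EEXIST:
            raise
    # EEXIST is also raised for files and symlinks, so check without following links.
    if not stat.S_ISDIR(os.lstat(path).st_mode):
        raise OSError(errno.ENOTDIR, "exists but is not a directory", path)
    return False


def extra_mode_bits(path, wanted=0o770):
    """Return permission bits set on path beyond those in wanted (0 if none)."""
    return stat.S_IMODE(os.lstat(path).st_mode) & ~wanted


def demo():
    """Run the cases on a constructed temporary tree."""
    base = tempfile.mkdtemp()
    d = os.path.join(base, "bind-dns")   # constructed sample path
    created = directory_create_or_exists(d, 0o770)
    again = directory_create_or_exists(d, 0o770)
    os.chmod(d, 0o777)                   # simulate a pre-existing loose directory
    still = directory_create_or_exists(d, 0o770)
    loose = extra_mode_bits(d)           # bits the helper silently left in place
    f = os.path.join(base, "not-a-dir")
    open(f, "w").close()
    try:
        directory_create_or_exists(f, 0o770)
        rejected = False
    except OSError as e:
        rejected = e.errno == errno.ENOTDIR
    return created, again, still, loose, rejected


if __name__ == "__main__":
    print(demo())
```

Because the helper accepts an existing directory as-is, a caller that depends on the 0o770 mode has to check or reset it separately, which is what extra_mode_bits() reports here.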



