[PATCH] Use samba-tool to add DNS entries with samba_dnsupdate

Andrew Bartlett abartlet at samba.org
Tue Sep 1 05:26:22 UTC 2015


On Mon, 2015-08-31 at 14:03 +1200, Andrew Bartlett wrote:
> On Fri, 2015-08-28 at 16:50 +1200, Andrew Bartlett wrote:
> > On Fri, 2015-08-28 at 15:52 +1200, Andrew Bartlett wrote:
> > > On Tue, 2015-08-25 at 18:16 +0200, Andreas Schneider wrote:
> > > > On Tuesday 11 August 2015 16:40:58 Andrew Bartlett wrote:
> > > > > Can you look at my current samba_dnsupdate branch?  I would like to see
> > > > > this merged into master as soon as I have tests for it.  It may not be
> > > > > perfect, but it is a massive improvement on the current state, and
> > > > > combined with your dns_update_cache work allows the name and IP of a
> > > > > Samba AD DC to be changed and for us to still recover into a working
> > > > > state.
> > > > > 
> > > > > This will in turn help a lot of our administrators who currently have a
> > > > > lot of trouble in this situation.
> > > > > 
> > > > > (The tests are pending the resolv_wrapper and socket_wrapper work I'm
> > > > > sorting out with Andreas).
> > > > 
> > > > Hi Andrew,
> > > > 
> > > > I've released resolv_wrapper 1.1.3 and socket_wrapper 1.1.4 to use our
> > > > internal DNS server for testing. It works fine for the standard AD_DC but it
> > > > fails setting up the fl2003dc:local environment. I don't know why it doesn't
> > > > work there yet. I will look into this next week, if you want to investigate
> > > > earlier, you need the changes from here:
> > > > 
> > > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-selftest
> > > > 
> > > > 
> > > > Then run:
> > > > 
> > > > make -j testenv SELFTEST_TESTENV="fl2003dc:local"
> > > > 
> > > > 
> > > > It might be another bug in our DNS server ...
> > > 
> > > It is, but not in the way you think.  The issue is that we need it to
> > > forward DNS queries between the two forests, for the trust to be set up
> > > correctly.  While I've currently set up a hack (attached) to make it
> > > forward between the two servers, this may break other things.
> > > 
> > > The autobuild got as far as a smb2.notify test failing, that may or may
> > > not be related:
> > >  
> > > [432(1779)/1870 at 50m34s] samba3.smb2.notify(nt4_dc)
> > > TESTING CHANGE NOTIFY BASEDIR EVENTS
> > > maximum runtime exceeded for smbtorture - terminating
> > > UNEXPECTED(error): samba3.smb2.notify.basedir
> > > (samba.subunit.RemotedTestCase)(nt4_dc)
> > > REASON: Exception: Exception: was started but never finished!
> > > UNEXPECTED(error): samba3.smb2.notify.basedir(nt4_dc)
> > > (samba.subunit.RemotedTestCase)
> > > REASON: was started but never finished!
> > 
> > The attached patches help ensure we really use resolv_wrapper, and not
> > nss_wrapper, and that the 127. addresses used actually get written into
> > DNS.
> 
> This exposes an interesting thing that we need.  Adding this exposes a
> missing feature in resolv_wrapper, because it now can no longer find
> short names, as it needs to implement the 'search' keyword.
> 
> https://bugzilla.samba.org/show_bug.cgi?id=11478
> 
> I looked into why another improbable case worked (looking for a
> workaround), and noticed this bug:
> 
> https://bugzilla.samba.org/show_bug.cgi?id=11477
> 
> Once we fix that, we will need to fix
> torture/rpc/lsa.c:check_pw_with_krb5(), as it relies on this bug (or
> run that test against $SERVER_IP).
> 
> In the meantime, I'm running another autobuild to see how far we get
> when using nss_wrapper and resolv_wrapper.

I've updated my samba_dnsupdate-and-tests-base with an initial test,
that uses this framework, so I'm keen to see if we can get this in.

Sorting out the forwarding required for the new trusts tests will be
key for that, but in the meantime, how do we get these samba_dnsupdate
improvements to our users?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba



