The branch, master has been updated via 4807577 Fix bug 10881 Wrong keytab permissions when joining additional DC with BIND backend via dc20c30 samba_upgradedns: Set correct permissions on secrets.keytab for BIND9 via 308d645 samba_upgradedns: Improve search for existing accounts in secrets.ldb via d38e221 samba_dnsupdate: Simplify logic and add more verbose debugging via 9bbb468 samba_dnsupdate: Expand output when --verbose is set via 67b6346 python: Give a more helpful error message when we do not have an smb.conf from ab1ebb1 password_lockout: test creds.get_kerberos_state()
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 4807577d30133bcd5150f3c9c1c7a576acbd93ce Author: Andrew Bartlett <abart...@samba.org> Date: Thu Nov 26 13:59:33 2015 +1300 Fix bug 10881 Wrong keytab permissions when joining additional DC with BIND backend BUG: https://bugzilla.samba.org/show_bug.cgi?id=10881 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Garming Sam <garm...@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Tue Dec 15 11:47:21 CET 2015 on sn-devel-104 commit dc20c307cc1f0a5f245ff47757e8f0afe3ab8353 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Nov 26 13:57:36 2015 +1300 samba_upgradedns: Set correct permissions on secrets.keytab for BIND9 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Garming Sam <garm...@catalyst.net.nz> commit 308d645f3428660b0466dbe273b995a887af68da Author: Andrew Bartlett <abart...@samba.org> Date: Thu Nov 26 13:50:21 2015 +1300 samba_upgradedns: Improve search for existing accounts in secrets.ldb We should actually check for the combination of both an account in secrets.ldb and sam.ldb, but this is at least an improvement. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Garming Sam <garm...@catalyst.net.nz> commit d38e22184ea036dfcbe851352729c469a494cb29 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Aug 10 12:15:04 2015 +1200 samba_dnsupdate: Simplify logic and add more verbose debugging By reducing the intendation this code is a little clearer Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Garming Sam <garm...@catalyst.net.nz> commit 9bbb468dcb2dfec965076eadfac905e5e65a5d30 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Aug 10 12:05:19 2015 +1200 samba_dnsupdate: Expand output when --verbose is set 
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Garming Sam <garm...@catalyst.net.nz> commit 67b6346e736fc04f66affa3025afe34ff1e4cd71 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Mar 4 17:49:36 2015 +1300 python: Give a more helpful error message when we do not have an smb.conf Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Garming Sam <garm...@catalyst.net.nz> ----------------------------------------------------------------------- Summary of changes: python/samba/provision/sambadns.py | 10 ++++++++++ python/samba/upgradehelpers.py | 2 +- source4/scripting/bin/samba_dnsupdate | 34 ++++++++++++++++++++++++++++++---- source4/scripting/bin/samba_upgradedns | 27 +++++++++++++++++---------- 4 files changed, 58 insertions(+), 15 deletions(-) Changeset truncated at 500 lines:
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index f3cdb32..a393181 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -1179,6 +1179,16 @@ def setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger,
 dns_keytab_path=paths.dns_keytab, dnspass=dnspass, key_version_number=key_version_number) + dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab) + if os.path.isfile(dns_keytab_path) and paths.bind_gid is not None: + try: + os.chmod(dns_keytab_path, 0640) + os.chown(dns_keytab_path, -1, paths.bind_gid) + except OSError: + if not os.environ.has_key('SAMBA_SELFTEST'): + logger.info("Failed to chown %s to bind gid %u", + dns_keytab_path, paths.bind_gid) + create_dns_dir(logger, paths) if dns_backend == "BIND9_FLATFILE":
diff --git a/python/samba/upgradehelpers.py b/python/samba/upgradehelpers.py
index 3b664fe..9b2c1c2 100644
--- a/python/samba/upgradehelpers.py
+++ b/python/samba/upgradehelpers.py
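Review bot: A failed chmod/chown on the keytab is reported only at info level and the message names only chown, although the single `except OSError:` covers both calls and a keytab BIND cannot read presumably surfaces much later as failing dynamic updates; I would write `except OSError as e:` and `logger.warning("Failed to chmod/chown %s to bind gid %u: %s", dns_keytab_path, paths.bind_gid, e)`. When `paths.bind_gid` is None the whole block is skipped without any message, so the keytab silently keeps whatever mode it was created with — a one-line `logger.warning` in that case would help an admin running BIND under an unexpected group (where bind_gid is resolved is not visible here). This block is also repeated verbatim in samba_upgradedns in the same commit, so a small helper in sambadns.py taking (logger, paths) that both scripts call would keep the two in step. `os.environ.has_key` is the Python 2-only spelling; `'SAMBA_SELFTEST' in os.environ` works on both. setup_bind9_dns starts and ends outside the hunk.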
@@ -197,7 +197,7 @@ def get_paths(param, targetdir=None, smbconf=None):
 smbconf = param.default_path() if not os.path.exists(smbconf): - raise ProvisioningError("Unable to find smb.conf") + raise ProvisioningError("Unable to find smb.conf at %s" % smbconf) lp = param.LoadParm() lp.load(smbconf)
diff --git a/source4/scripting/bin/samba_dnsupdate b/source4/scripting/bin/samba_dnsupdate
index 7f94067..e34d148 100755
--- a/source4/scripting/bin/samba_dnsupdate
+++ b/source4/scripting/bin/samba_dnsupdate
@@ -110,9 +110,7 @@ if opts.verbose:
 def get_credentials(lp): """# get credentials if we haven't got them already.""" from samba import credentials - global ccachename, creds - if creds is not None: - return + global ccachename creds = credentials.Credentials() creds.guess(lp) creds.set_machine_account(lp)
@@ -594,8 +592,15 @@ for d in dns_list:
 break if not found: rebuild_cache = True - if opts.all_names or not check_dns_name(d): + if opts.all_names: + update_list.append(d) + if opts.verbose: + print "force update: %s" % d + elif not check_dns_name(d): update_list.append(d) + if opts.verbose: + print "need update: %s" % d + for c in cache_list: found = False
@@ -609,11 +614,16 @@ for c in cache_list:
 if not opts.all_names and not check_dns_name(c): continue delete_list.append(c) + if opts.verbose: + print "need delete: %s" % c if len(delete_list) == 0 and len(update_list) == 0 and not rebuild_cache: if opts.verbose: print "No DNS updates needed" sys.exit(0) +else: + if opts.verbose: + print "%d DNS updates and %d DNS deletes needed" % (len(update_list), len(delete_list)) # get our krb5 creds if len(delete_list) != 0 or len(update_list) != 0:
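Review bot: The docstring `"""# get credentials if we haven't got them already."""` is now wrong, because this hunk removes exactly the early return that implemented "if we haven't got them already"; every call now builds a fresh Credentials and runs guess() and set_machine_account() again. I would change it to `"""Build Credentials for this host's machine account from lp."""` and drop the stray `#`. `creds` also stops being a global here, and get_credentials continues below the hunk, so check that the remainder returns the local `creds` and that nothing else in the script still reads the former module-level `creds`.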
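Review bot: Splitting the condition into `if opts.all_names:` / `elif not check_dns_name(d):` duplicates `update_list.append(d)` and the verbose print only to vary one word of the label. Keeping the original short-circuit test and deriving the label reads more simply: `if opts.all_names or not check_dns_name(d):`, then `update_list.append(d)`, then `if opts.verbose: print "%s: %s" % ("force update" if opts.all_names else "need update", d)`; the DNS lookup is still skipped when --all-names is set. The enclosing `for d in dns_list:` loop begins before the hunk.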
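Review bot: The new `else:` branch runs whenever the preceding `if` does not exit, which includes the case where both lists are empty and only `rebuild_cache` is set, so --verbose then prints `0 DNS updates and 0 DNS deletes needed` without saying why the script carries on. Since the `if` body ends in `sys.exit(0)`, the `else:` is redundant anyway; I would drop it, dedent the print, and include the flag: `print "%d DNS updates and %d DNS deletes needed (rebuild_cache=%s)" % (len(update_list), len(delete_list), rebuild_cache)`.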
@@ -624,24 +634,40 @@ if len(delete_list) != 0 or len(update_list) != 0:
 for d in delete_list: if am_rodc: if d.name.lower() == domain.lower(): + if opts.verbose: + print "skip delete (rodc): %s" % d continue if not d.type in [ 'A', 'AAAA' ]: + if opts.verbose: + print "delete (rodc): %s" % d call_rodc_update(d, op="delete") else: + if opts.verbose: + print "delete (nsupdate): %s" % d call_nsupdate(d, op="delete") else: + if opts.verbose: + print "delete (nsupdate): %s" % d call_nsupdate(d, op="delete") # ask nsupdate to add entries as needed for d in update_list: if am_rodc: if d.name.lower() == domain.lower(): + if opts.verbose: + print "skip (rodc): %s" % d continue if not d.type in [ 'A', 'AAAA' ]: + if opts.verbose: + print "update (rodc): %s" % d call_rodc_update(d) else: + if opts.verbose: + print "update (nsupdate): %s" % d call_nsupdate(d) else: + if opts.verbose: + print "update(nsupdate): %s" % d call_nsupdate(d) if rebuild_cache:
diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
index 53e05a6..5963712 100755
--- a/source4/scripting/bin/samba_upgradedns
+++ b/source4/scripting/bin/samba_upgradedns
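Review bot: The last verbose message reads `"update(nsupdate): %s"` while every other new line uses the `"update (nsupdate): %s"` / `"delete (nsupdate): %s"` form, so the non-RODC update path is labelled differently from the rest and filtering output on the label is unreliable; make it `print "update (nsupdate): %s" % d`. The same three-way branching is now written out twice, once for deletes and once for updates, with the print mirrored into every arm; one helper that decides between call_rodc_update and call_nsupdate for a record (taking the op and returning the label to print) would halve this. The trailing `if rebuild_cache:` block continues past the hunk.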
@@ -412,21 +412,17 @@ if __name__ == '__main__':
 # Special stuff for DLZ backend if opts.dns_backend == "BIND9_DLZ": # Check if dns-HOSTNAME account exists and create it if required - try: - dn = 'samAccountName=dns-%s,CN=Principals' % hostname - msg = ldbs.secrets.search(expression='(dn=%s)' % dn, attrs=['secret']) - except IndexError: + secrets_msgs = ldbs.secrets.search(expression='(samAccountName=dns-%s)' % hostname, attrs=['secret']) + if len(secrets_msgs) == 0: logger.info("Adding dns-%s account" % hostname) - try: - msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT, - expression='(sAMAccountName=dns-%s)' % (hostname), - attrs=[]) + msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT, + expression='(sAMAccountName=dns-%s)' % (hostname), + attrs=[]) + if len(msg) == 1: dn = msg[0].dn ldbs.sam.delete(dn) - except IndexError: - pass dnspass = samba.generate_random_password(128, 255) setup_add_ldif(ldbs.sam, setup_path("provision_dns_add_samba.ldif"), {
@@ -450,9 +446,20 @@ if __name__ == '__main__':
 dnsdomain=names.dnsdomain, dns_keytab_path=paths.dns_keytab, dnspass=dnspass, key_version_number=dns_key_version_number) + else: logger.info("dns-%s account already exists" % hostname) + dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab) + if os.path.isfile(dns_keytab_path) and paths.bind_gid is not None: + try: + os.chmod(dns_keytab_path, 0640) + os.chown(dns_keytab_path, -1, paths.bind_gid) + except OSError: + if not os.environ.has_key('SAMBA_SELFTEST'): + logger.info("Failed to chown %s to bind gid %u", + dns_keytab_path, paths.bind_gid) + # This forces a re-creation of dns directory and all the files within # It's an overkill, but it's easier to re-create a samdb copy, rather # than trying to fix a broken copy. -- Samba Shared Repository
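Review bot: The new test only asks whether secrets.ldb holds a `dns-<host>` entry; when it does but sam.ldb has no matching account, the script logs "already exists" and skips creation, leaving BIND with credentials that match no account — the commit message itself calls this incomplete. Since the sam.ldb search is already written, I would run it before the `if` and use `if len(secrets_msgs) == 0 or len(msg) == 0:`, keeping the stale-account delete inside the branch, provided secretsdb_setup_dns tolerates an existing secrets entry (not visible here). `if len(msg) == 1:` also silently skips the delete when more than one entry comes back, after which setup_add_ldif presumably fails on the object still present; `for m in msg: ldbs.sam.delete(m.dn)` avoids that. The secrets search requests `attrs=['secret']` although only `len()` is used, so `attrs=[]` as in the sam search keeps the DNS account's secret out of a result that is never read. Both `hostname` interpolations go into an LDAP filter unescaped; hostname comes from configuration rather than a remote caller here, so this is a robustness rather than an injection concern, but ldb's binary_encode() is the usual escape in this codebase.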
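Review bot: The chmod/chown block added after the `else:` is a verbatim copy of the one this commit adds to setup_bind9_dns in python/samba/provision/sambadns.py, down to the SAMBA_SELFTEST special case, so the next permissions fix will have to be made twice; I would move it into one helper in sambadns.py taking (logger, paths) and call it from both places. A chown or chmod failure is again reported only at info level and the message names only chown although the `except OSError:` covers both calls; `except OSError as e:` with `logger.warning("Failed to chmod/chown %s to bind gid %u: %s", dns_keytab_path, paths.bind_gid, e)` is more appropriate for a file BIND must be able to read. Indentation is lost in this listing, so whether the block runs for both the create and the "already exists" paths should be confirmed in the tree. The enclosing `if __name__ == '__main__':` block continues past the hunk.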