The branch, master has been updated via c983ea8 s4-join: Setup correct DNS configuration via 02cbc3f s4-samba_upgradedns: Do not set DNS account for internal server via 01f5223 s4-join: Import DNS zones in AD DC join via 0eab44c selftest: Test unix.whoami with kerberos on plugin_s4_dc via f199c5d s4-classicupgrade: Allow DNS backend to be specified via 73a33be s4-drepl: Ensure that the op->source does not get deallocated too early from 763f9e8 selftest: schema is not automatically reloaded now so if you modify it you have to reload it
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit c983ea8e5dc30111f6b8407307c3212635593949 Author: Andrew Bartlett <abart...@samba.org> Date: Sun Jun 24 21:10:34 2012 +1000 s4-join: Setup correct DNS configuration This means we do not need to run samba_upgradedns any more. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Sun Jun 24 18:10:10 CEST 2012 on sn-devel-104 commit 02cbc3fbb601cbbfc86a7048f6d5660d80f14df1 Author: Andrew Bartlett <abart...@samba.org> Date: Sun Jun 24 20:52:06 2012 +1000 s4-samba_upgradedns: Do not set DNS account for internal server The internal DNS server does not need the samba-only NAME-dns account. Andrew Bartlett commit 01f52239dc8e13af6e5134667c55d8e0fb7b2f26 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Jun 21 23:46:21 2012 +1000 s4-join: Import DNS zones in AD DC join commit 0eab44c2978553bda303c43875d626fddf32363d Author: Andrew Bartlett <abart...@samba.org> Date: Sun Jun 24 18:16:48 2012 +1000 selftest: Test unix.whoami with kerberos on plugin_s4_dc This also tests the comparison with LDAP on anonymous connections and marks this as knownfail, while we investigate the correct behaviour here. Andrew Bartlett commit f199c5dbc09912a185feda5aa87dc82e2800ad6a Author: Andrew Bartlett <abart...@samba.org> Date: Sun Jun 24 16:31:37 2012 +1000 s4-classicupgrade: Allow DNS backend to be specified commit 73a33be036fd7a903c9fecf077534cafe360e427 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Jun 22 09:42:02 2012 +1000 s4-drepl: Ensure that the op->source does not get deallocated too early We need to have the struct dreplsrv_partition_source_dsa around until the end of the async op, so we use talloc_reference after carefully checking the callers and making the modifications required. 
This prevents a crash when replicating partitions in the vampire_dc test after adding DNS replication at join time. Andrew Bartlett ----------------------------------------------------------------------- Summary of changes: selftest/knownfail | 1 + source3/selftest/tests.py | 7 +- source4/dsdb/repl/drepl_extended.c | 14 ++-- source4/dsdb/repl/drepl_out_pull.c | 20 ++++- source4/dsdb/tests/python/acl.py | 2 + source4/scripting/bin/samba_upgradedns | 64 +++++++------- source4/scripting/python/samba/join.py | 74 +++++++++++++---- source4/scripting/python/samba/netcmd/domain.py | 30 +++++-- .../scripting/python/samba/provision/sambadns.py | 89 ++++++++++++++------ source4/scripting/python/samba/upgrade.py | 6 +- source4/torture/unix/whoami.c | 20 +---- 11 files changed, 214 insertions(+), 113 deletions(-) Changeset truncated at 500 lines: diff --git a/selftest/knownfail b/selftest/knownfail index 4206aa7..d7078d6 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -39,6 +39,7 @@ ^samba3.raw.samba3checkfsp.samba3checkfsp\(s3dc\) # This test fails against an smbd environment with NT ACLs enabled ^samba3.raw.samba3closeerr.samba3closeerr\(s3dc\) # This test fails against an smbd environment with NT ACLs enabled ^samba3.raw.acls.generic\(s3dc\) # This fails against smbd +^samba3.unix.whoami anonymous connection.whoami\(plugin_s4_dc\) # We need to resolve if we should be including SID_NT_WORLD and SID_NT_NETWORK in this token # these show that we still have some differences between our system # with our internal iconv because it passes except when we bypass our # internal iconv modules diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 11056b9..4aedbf8 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py 
@@ -303,8 +303,11 @@ for t in tests:
         plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
         plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
     elif t == "unix.whoami":
-        plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
-        plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:addc=true')
+        plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
+        plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U%', description='anonymous connection')
+        plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=torture:addc=true')
+        plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER/tmp -k yes -U$USERNAME%$PASSWORD --option=torture:addc=true', description='kerberos connection')
+        plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U% --option=torture:addc=true', description='anonymous connection')
     elif t == "raw.samba3posixtimedlock":
         plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/s3dc/share')
         plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/plugin_s4_dc/share')
diff --git a/source4/dsdb/repl/drepl_extended.c b/source4/dsdb/repl/drepl_extended.c
index 69cccb8..8735005 100644
--- a/source4/dsdb/repl/drepl_extended.c
+++ b/source4/dsdb/repl/drepl_extended.c
@@ -39,6 +39,7 @@
   source_dsa_dn: the DN of the server that we are replicating from
  */
 static WERROR drepl_create_extended_source_dsa(struct dreplsrv_service *service,
+					       TALLOC_CTX *mem_ctx,
 					       struct ldb_dn *nc_dn,
 					       struct ldb_dn *source_dsa_dn,
 					       uint64_t min_usn,
@@ -165,7 +166,7 @@ static void extended_op_callback(struct dreplsrv_service *service,
 			       void *cb_data)
 {
 	struct extended_op_data *data = talloc_get_type_abort(cb_data, struct extended_op_data);
-	talloc_free(data->sdsa);
+	talloc_unlink(data, data->sdsa);
 	data->callback(service, err, exop_error, data->callback_data);
 	talloc_free(data);
 }
@@ -184,23 +185,20 @@ WERROR drepl_request_extended_op(struct dreplsrv_service *service,
 {
 	WERROR werr;
 	struct extended_op_data *data;
-	struct dreplsrv_partition_source_dsa *sdsa;
-
-	werr = drepl_create_extended_source_dsa(service, nc_dn, source_dsa_dn, min_usn, &sdsa);
-	W_ERROR_NOT_OK_RETURN(werr);
 
 	data = talloc(service, struct extended_op_data);
 	W_ERROR_HAVE_NO_MEMORY(data);
 
+	werr = drepl_create_extended_source_dsa(service, data, nc_dn, source_dsa_dn, min_usn, &data->sdsa);
+	W_ERROR_NOT_OK_RETURN(werr);
+
 	data->callback = callback;
 	data->callback_data = callback_data;
-	data->sdsa = sdsa;
 
-	werr = dreplsrv_schedule_partition_pull_source(service, sdsa,
+	werr = dreplsrv_schedule_partition_pull_source(service, data->sdsa,
 						       0, extended_op, fsmo_info,
 						       extended_op_callback, data);
 	if (!W_ERROR_IS_OK(werr)) {
-		talloc_free(sdsa);
 		talloc_free(data);
 	}
 
diff --git a/source4/dsdb/repl/drepl_out_pull.c b/source4/dsdb/repl/drepl_out_pull.c
index 86b513d..58d8778 100644
--- a/source4/dsdb/repl/drepl_out_pull.c
+++ b/source4/dsdb/repl/drepl_out_pull.c
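Review bot: The new `W_ERROR_NOT_OK_RETURN(werr);` after `drepl_create_extended_source_dsa()` returns while `data` is already allocated on `service` and never freed, so every failed source-DSA lookup leaks one `struct extended_op_data`; before this change the early return happened before the allocation. The error path should free `data` explicitly, as the `dreplsrv_schedule_partition_pull_source()` failure path a few lines below already does. `drepl_request_extended_op()` continues past the end of this hunk.
```c
	werr = drepl_create_extended_source_dsa(service, data, nc_dn, source_dsa_dn, min_usn, &data->sdsa);
	if (!W_ERROR_IS_OK(werr)) {
		talloc_free(data);
		return werr;
	}
	/* … unchanged: callback setup and pull scheduling … */
```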
@@ -101,7 +101,25 @@ WERROR dreplsrv_schedule_partition_pull_source(struct dreplsrv_service *s,
 	W_ERROR_HAVE_NO_MEMORY(op);
 
 	op->service = s;
-	op->source_dsa = source;
+	/*
+	 * source may either be the long-term list of partners, or
+	 * from dreplsrv_partition_source_dsa_temporary(). Because it
+	 * can be either, we can't talloc_steal() it here, so we
+	 * instead we reference it.
+	 *
+	 * We never talloc_free() the p->sources pointers - indeed we
+	 * never remove them - and the temp source will otherwise go
+	 * away with the msg it is allocated on.
+	 *
+	 * Finally the pointer created in drepl_request_extended_op()
+	 * is removed with talloc_unlink().
+	 *
+	 */
+	op->source_dsa = talloc_reference(op, source);
+	if (!op->source_dsa) {
+		return WERR_NOMEM;
+	}
+
 	op->options = options;
 	op->extended_op = extended_op;
 	op->fsmo_info = fsmo_info;
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index bbd4343..94bc504 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -1627,6 +1627,7 @@ class AclSPNTests(AclTests):
     # same as for join_RODC, but do not set any SPNs
     def create_rodc(self, ctx):
+        ctx.nc_list = [ ctx.base_dn, ctx.config_dn, ctx.schema_dn ]
         ctx.krbtgt_dn = "CN=krbtgt_%s,CN=Users,%s" % (ctx.myname, ctx.base_dn)
         ctx.never_reveal_sid = [ "<SID=%s-%s>" % (ctx.domsid,
                                                   security.DOMAIN_RID_RODC_DENY),
@@ -1656,6 +1657,7 @@ class AclSPNTests(AclTests):
         ctx.join_add_objects()
 
     def create_dc(self, ctx):
+        ctx.nc_list = [ ctx.base_dn, ctx.config_dn, ctx.schema_dn ]
         ctx.userAccountControl = samba.dsdb.UF_SERVER_TRUST_ACCOUNT | samba.dsdb.UF_TRUSTED_FOR_DELEGATION
         ctx.secure_channel_type = misc.SEC_CHAN_BDC
         ctx.replica_flags = (drsuapi.DRSUAPI_DRS_WRIT_REP |
diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
index 831b81d..c1220bc 100755
--- a/source4/scripting/bin/samba_upgradedns
+++ b/source4/scripting/bin/samba_upgradedns
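Review bot: The new `if (!op->source_dsa) { return WERR_NOMEM; }` returns without releasing `op`, which the `W_ERROR_HAVE_NO_MEMORY(op)` context line shows was allocated just above, so an allocation failure inside `talloc_reference()` leaks the pull operation; add `talloc_free(op);` before the `return WERR_NOMEM;`. The explanatory comment also has a doubled word in `so we` / `instead we reference it` — `so we reference it instead.` reads correctly. `dreplsrv_schedule_partition_pull_source()` starts before and ends after this hunk.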
@@ -421,41 +421,41 @@ if __name__ == '__main__': except Exception: raise - # Check if dns-HOSTNAME account exists and create it if required - try: - dn = 'samAccountName=dns-%s,CN=Principals' % hostname - msg = ldbs.secrets.search(expression='(dn=%s)' % dn, attrs=['secret']) - dnssecret = msg[0]['secret'][0] - except Exception: - logger.info("Adding dns-%s account" % hostname) - + # Special stuff for DLZ backend + if opts.dns_backend == "BIND9_DLZ": + # Check if dns-HOSTNAME account exists and create it if required try: - msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT, - expression='(sAMAccountName=dns-%s)' % (hostname), - attrs=['clearTextPassword']) - dn = msg[0].dn - ldbs.sam.delete(dn) + dn = 'samAccountName=dns-%s,CN=Principals' % hostname + msg = ldbs.secrets.search(expression='(dn=%s)' % dn, attrs=['secret']) + dnssecret = msg[0]['secret'][0] except Exception: - pass - - dnspass = samba.generate_random_password(128, 255) - setup_add_ldif(ldbs.sam, setup_path("provision_dns_add_samba.ldif"), { - "DNSDOMAIN": dnsdomain, - "DOMAINDN": domaindn, - "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')), - "HOSTNAME" : hostname, - "DNSNAME" : dnsname } - ) - - secretsdb_setup_dns(ldbs.secrets, names, - paths.private_dir, realm=names.realm, - dnsdomain=names.dnsdomain, - dns_keytab_path=paths.dns_keytab, dnspass=dnspass) - else: - logger.info("dns-%s account already exists" % hostname) + logger.info("Adding dns-%s account" % hostname) + + try: + msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT, + expression='(sAMAccountName=dns-%s)' % (hostname), + attrs=['clearTextPassword']) + dn = msg[0].dn + ldbs.sam.delete(dn) + except Exception: + pass + + dnspass = samba.generate_random_password(128, 255) + setup_add_ldif(ldbs.sam, setup_path("provision_dns_add_samba.ldif"), { + "DNSDOMAIN": dnsdomain, + "DOMAINDN": domaindn, + "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')), + "HOSTNAME" : hostname, + "DNSNAME" : dnsname } + ) + + 
secretsdb_setup_dns(ldbs.secrets, names, + paths.private_dir, realm=names.realm, + dnsdomain=names.dnsdomain, + dns_keytab_path=paths.dns_keytab, dnspass=dnspass) + else: + logger.info("dns-%s account already exists" % hostname) - # Special stuff for DLZ backend - if opts.dns_backend == "BIND9_DLZ": # This forces a re-creation of dns directory and all the files within # It's an overkill, but it's easier to re-create a samdb copy, rather # than trying to fix a broken copy. diff --git a/source4/scripting/python/samba/join.py b/source4/scripting/python/samba/join.py index a683ee6..9ef7d3d 100644 --- a/source4/scripting/python/samba/join.py +++ b/source4/scripting/python/samba/join.py @@ -28,6 +28,7 @@ from samba.credentials import Credentials, DONT_USE_KERBEROS from samba.provision import secretsdb_self_join, provision, provision_fill, FILL_DRS, FILL_SUBDOMAIN from samba.schema import Schema from samba.net import Net +from samba.provision.sambadns import setup_bind9_dns import logging import talloc import random @@ -47,13 +48,20 @@ class dc_join(object): def __init__(ctx, server=None, creds=None, lp=None, site=None, netbios_name=None, targetdir=None, domain=None, - machinepass=None, use_ntvfs=False): + machinepass=None, use_ntvfs=False, dns_backend=None): ctx.creds = creds ctx.lp = lp ctx.site = site ctx.netbios_name = netbios_name ctx.targetdir = targetdir ctx.use_ntvfs = use_ntvfs + if dns_backend is None: + ctx.dns_backend = "NONE" + else: + ctx.dns_backend = dns_backend + + ctx.nc_list = [] + ctx.full_nc_list = [] ctx.creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) ctx.net = Net(creds=ctx.creds, lp=ctx.lp) 
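Review bot: Inside the new `if opts.dns_backend == "BIND9_DLZ":` block the `except Exception:` around the secrets lookup still treats every failure — an ldb error or a permission problem, not only a missing entry — as "account absent" and then deletes and recreates the `dns-<hostname>` account with a fresh random password, and `dnssecret` is assigned but never read. Assuming `ldbs.secrets.search()` returns an empty result for no match (the code relies on `msg[0]` raising for that case), the check can be `msg = ldbs.secrets.search(expression='(dn=%s)' % dn, attrs=['secret'])` followed by `if not msg:` with no outer `try`, leaving the inner `except Exception: pass` only around `ldbs.sam.delete(dn)`. Note also that a `dns-<hostname>` account left behind by an earlier DLZ setup is not removed when the backend is switched to `SAMBA_INTERNAL`, so its credentials stay valid in the SAM; the enclosing `if __name__ == '__main__':` block starts before this hunk.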
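Review bot: `ctx.dns_backend` is stored in `__init__` without validation, and `join_finalise` later only acts on values that start with `BIND9_`, so a misspelt backend name passed programmatically silently produces a DC with no DNS setup at all. Checking the value against the set the command-line option accepts would surface the mistake at construction time: `if ctx.dns_backend not in ("SAMBA_INTERNAL", "BIND9_DLZ", "NONE"): raise ValueError("unknown dns_backend %r" % ctx.dns_backend)`. `__init__` continues past the end of this hunk.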
@@ -402,14 +410,14 @@ class dc_join(object): if ctx.RODC: rec["objectCategory"] = "CN=NTDS-DSA-RO,%s" % ctx.schema_dn - rec["msDS-HasFullReplicaNCs"] = nc_list + rec["msDS-HasFullReplicaNCs"] = ctx.nc_list rec["options"] = "37" ctx.samdb.add(rec, ["rodc_join:1:1"]) else: rec["objectCategory"] = "CN=NTDS-DSA,%s" % ctx.schema_dn rec["HasMasterNCs"] = nc_list if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2003: - rec["msDS-HasMasterNCs"] = nc_list + rec["msDS-HasMasterNCs"] = ctx.nc_list rec["options"] = "1" rec["invocationId"] = ndr_pack(ctx.invocation_id) ctx.DsAddEntry([rec]) @@ -555,7 +563,7 @@ class dc_join(object): rec2["objectCategory"] = "CN=NTDS-DSA,%s" % ctx.schema_dn rec2["HasMasterNCs"] = nc_list if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2003: - rec2["msDS-HasMasterNCs"] = nc_list + rec2["msDS-HasMasterNCs"] = ctx.nc_list rec2["options"] = "1" rec2["invocationId"] = ndr_pack(ctx.invocation_id) @@ -596,7 +604,7 @@ class dc_join(object): hostname=ctx.myname, domainsid=ctx.domsid, machinepass=ctx.acct_pass, serverrole="domain controller", sitename=ctx.site, lp=ctx.lp, ntdsguid=ctx.ntds_guid, - use_ntvfs=ctx.use_ntvfs, dns_backend="NONE") + use_ntvfs=ctx.use_ntvfs, dns_backend=ctx.dns_backend) print "Provision OK for domain DN %s" % presult.domaindn ctx.local_samdb = presult.samdb ctx.lp = presult.lp @@ -635,7 +643,7 @@ class dc_join(object): targetdir=ctx.targetdir, samdb_fill=FILL_SUBDOMAIN, machinepass=ctx.acct_pass, serverrole="domain controller", lp=ctx.lp, hostip=ctx.names.hostip, hostip6=ctx.names.hostip6, - dns_backend="BIND9_DLZ") + dns_backend=ctx.dns_backend) print("Provision OK for domain %s" % ctx.names.dnsdomain) def join_replicate(ctx): 
@@ -687,6 +695,17 @@ class dc_join(object): repl.replicate(ctx.base_dn, source_dsa_invocation_id, destination_dsa_guid, rodc=ctx.RODC, replica_flags=ctx.domain_replica_flags) + + if 'DC=DomainDnsZones,%s' % ctx.base_dn in ctx.nc_list: + repl.replicate('DC=DomainDnsZones,%s' % ctx.base_dn, source_dsa_invocation_id, + destination_dsa_guid, rodc=ctx.RODC, + replica_flags=ctx.replica_flags) + + if 'DC=ForestDnsZones,%s' % ctx.root_dn in ctx.nc_list: + repl.replicate('DC=ForestDnsZones,%s' % ctx.root_dn, source_dsa_invocation_id, + destination_dsa_guid, rodc=ctx.RODC, + replica_flags=ctx.replica_flags) + if ctx.RODC: repl.replicate(ctx.acct_dn, source_dsa_invocation_id, destination_dsa_guid, @@ -723,10 +742,12 @@ class dc_join(object): def join_finalise(ctx): '''finalise the join, mark us synchronised and setup secrets db''' + logger = logging.getLogger("provision") + logger.addHandler(logging.StreamHandler(sys.stdout)) + print "Sending DsReplicateUpdateRefs for all the partitions" - ctx.send_DsReplicaUpdateRefs(ctx.schema_dn) - ctx.send_DsReplicaUpdateRefs(ctx.config_dn) - ctx.send_DsReplicaUpdateRefs(ctx.base_dn) + for nc in ctx.full_nc_list: + ctx.send_DsReplicaUpdateRefs(nc) print "Setting isSynchronized and dsServiceName" m = ldb.Message() @@ -751,6 +772,15 @@ class dc_join(object): secure_channel_type=ctx.secure_channel_type, key_version_number=ctx.key_version_number) + if ctx.dns_backend.startswith("BIND9_"): + dnspass = samba.generate_random_password(128, 255) + + setup_bind9_dns(ctx.local_samdb, secrets_ldb, security.dom_sid(ctx.domsid), + ctx.names, ctx.paths, ctx.lp, logger, + dns_backend=ctx.dns_backend, + dnspass=dnspass, os_level=ctx.behavior_version, + targetdir=ctx.targetdir) + def join_setup_trusts(ctx): '''provision the local SAM''' 
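Review bot: `join_finalise` now calls `logger.addHandler(logging.StreamHandler(sys.stdout))` on the shared `"provision"` logger on every invocation, so a process that performs more than one join gets each log line emitted once per handler; guard it with `if not logger.handlers:` or attach the handler once at module level. `sys` does not appear in this commit's import hunk for join.py, and neither does `security` used by `security.dom_sid(ctx.domsid)` — if join.py does not already import both, this block raises `NameError` at the very end of an otherwise successful join, which I could not confirm from the visible lines. `join_finalise` continues past the end of this hunk.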
@@ -865,6 +895,20 @@ class dc_join(object): def do_join(ctx): + ctx.nc_list = [ ctx.config_dn, ctx.schema_dn ] + ctx.full_nc_list = [ctx.base_dn, ctx.config_dn, ctx.schema_dn ] + + if not ctx.subdomain: + ctx.nc_list += [ctx.base_dn] + if ctx.dns_backend != "NONE": + ctx.nc_list += ['DC=DomainDnsZones,%s' % ctx.base_dn] + + if ctx.dns_backend != "NONE": + ctx.full_nc_list += ['DC=DomainDnsZones,%s' % ctx.base_dn] + ctx.full_nc_list += ['DC=ForestDnsZones,%s' % ctx.root_dn] + ctx.nc_list += ['DC=ForestDnsZones,%s' % ctx.root_dn] + + ctx.cleanup_old_join() try: ctx.join_add_objects() @@ -883,11 +927,11 @@ class dc_join(object): def join_RODC(server=None, creds=None, lp=None, site=None, netbios_name=None, targetdir=None, domain=None, domain_critical_only=False, - machinepass=None, use_ntvfs=False): + machinepass=None, use_ntvfs=False, dns_backend=None): """join as a RODC""" ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain, - machinepass, use_ntvfs) + machinepass, use_ntvfs, dns_backend) lp.set("workgroup", ctx.domain_name) print("workgroup is %s" % ctx.domain_name) @@ -937,10 +981,10 @@ def join_RODC(server=None, creds=None, lp=None, site=None, netbios_name=None, def join_DC(server=None, creds=None, lp=None, site=None, netbios_name=None, targetdir=None, domain=None, domain_critical_only=False, - machinepass=None, use_ntvfs=False): + machinepass=None, use_ntvfs=False, dns_backend=None): """join as a DC""" ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain, - machinepass, use_ntvfs) + machinepass, use_ntvfs, dns_backend) lp.set("workgroup", ctx.domain_name) print("workgroup is %s" % ctx.domain_name) 
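Review bot: In `do_join`, when `ctx.subdomain` is set and a DNS backend is chosen, `'DC=DomainDnsZones,%s' % ctx.base_dn` is appended to `ctx.full_nc_list` but not to `ctx.nc_list`, so `join_finalise` will send a `DsReplicaUpdateRefs` for a partition that `join_replicate` never pulled (its `if ... in ctx.nc_list` guards skip it) — unless the subdomain provision creates that partition locally, which is not visible here. If only a same-domain join is meant to replicate DomainDnsZones, moving the `full_nc_list` addition under `if not ctx.subdomain:` keeps the two lists consistent; otherwise a one-line comment explaining why they intentionally differ would save the next reader the same question. `do_join` continues past the end of this hunk.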
@@ -967,10 +1011,10 @@ def join_DC(server=None, creds=None, lp=None, site=None, netbios_name=None, def join_subdomain(server=None, creds=None, lp=None, site=None, netbios_name=None, targetdir=None, parent_domain=None, dnsdomain=None, netbios_domain=None, - machinepass=None, use_ntvfs=False): + machinepass=None, use_ntvfs=False, dns_backend=None): """join as a DC""" ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, parent_domain, - machinepass, use_ntvfs) + machinepass, use_ntvfs, dns_backend) ctx.subdomain = True ctx.parent_domain_name = ctx.domain_name ctx.domain_name = netbios_domain diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py index e4b1241..4e73a29 100644 --- a/source4/scripting/python/samba/netcmd/domain.py +++ b/source4/scripting/python/samba/netcmd/domain.py @@ -148,15 +148,21 @@ class cmd_domain_join(Command): Option("--machinepass", type=str, metavar="PASSWORD", help="choose machine password (otherwise random)"), Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)", - action="store_true") - ] + action="store_true"), + Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND", + choices=["SAMBA_INTERNAL", "BIND9_DLZ", "NONE"], + help="The DNS server backend. SAMBA_INTERNAL is the builtin name server, " \ + "BIND9_DLZ uses samba4 AD to store zone information (default), " \ + "NONE skips the DNS setup entirely (this DC will not be a DNS server)", + default="BIND9_DLZ") + ] takes_args = ["domain", "role?"] def run(self, domain, role=None, sambaopts=None, credopts=None, versionopts=None, server=None, site=None, targetdir=None, domain_critical_only=False, parent_domain=None, machinepass=None, - use_ntvfs=False): + use_ntvfs=False, dns_backend=None): lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) net = Net(creds, lp, server=credopts.ipaddress) 
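Review bot: The new `--dns-backend` option defaults to `BIND9_DLZ`, while the join.py lines this commit removes show DC and RODC joins previously provisioned with `dns_backend="NONE"`; every existing `samba-tool domain join ... DC` invocation therefore now creates the `dns-<hostname>` credentials and BIND9 DLZ configuration without the administrator opting in. If that is the intent, the help text should state it, e.g. `"BIND9_DLZ uses samba4 AD to store zone information and creates the dns-HOSTNAME account (default), "`; otherwise `default="NONE"` preserves the previous behaviour. The backslash continuations inside the `help=` argument are redundant within the parentheses and can be dropped. The `run()` signature continues past the end of this hunk.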
@@ -181,13 +187,13 @@ class cmd_domain_join(Command): join_DC(server=server, creds=creds, lp=lp, domain=domain, site=site, netbios_name=netbios_name, targetdir=targetdir, domain_critical_only=domain_critical_only, - machinepass=machinepass, use_ntvfs=use_ntvfs) + machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend) return elif role == "RODC": join_RODC(server=server, creds=creds, lp=lp, domain=domain, site=site, netbios_name=netbios_name, targetdir=targetdir, domain_critical_only=domain_critical_only, - machinepass=machinepass, use_ntvfs=use_ntvfs) + machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend) return elif role == "SUBDOMAIN": netbios_domain = lp.get("workgroup") @@ -195,7 +201,7 @@ class cmd_domain_join(Command): parent_domain = ".".join(domain.split(".")[1:]) join_subdomain(server=server, creds=creds, lp=lp, dnsdomain=domain, parent_domain=parent_domain, site=site, netbios_name=netbios_name, netbios_domain=netbios_domain, targetdir=targetdir, - machinepass=machinepass, use_ntvfs=use_ntvfs) + machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend) return else: raise CommandError("Invalid role '%s' (possible values: MEMBER, DC, RODC, SUBDOMAIN)" % role) 
@@ -839,12 +845,20 @@ class cmd_domain_classicupgrade(Command): Option("--verbose", help="Be verbose", action="store_true"), Option("--use-xattrs", type="choice", choices=["yes","no","auto"], metavar="[yes|no|auto]", help="Define if we should use the native fs capabilities or a tdb file for storing attributes likes ntacl, auto tries to make an inteligent guess based on the user rights and system capabilities", default="auto"), + Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND", + choices=["SAMBA_INTERNAL", "BIND9_FLATFILE", "BIND9_DLZ", "NONE"], + help="The DNS server backend. SAMBA_INTERNAL is the builtin name server, " \ + "BIND9_FLATFILE uses bind9 text database to store zone information, " \ + "BIND9_DLZ uses samba4 AD to store zone information (default), " \ + "NONE skips the DNS setup entirely (this DC will not be a DNS server)", + default="BIND9_DLZ") ] takes_args = ["smbconf"] def run(self, smbconf=None, targetdir=None, dbdir=None, testparm=None, - quiet=False, verbose=False, use_xattrs=None, sambaopts=None, versionopts=None): + quiet=False, verbose=False, use_xattrs=None, sambaopts=None, versionopts=None, + dns_backend=None): if not os.path.exists(smbconf): raise CommandError("File %s does not exist" % smbconf) @@ -928,7 +942,7 @@ class cmd_domain_classicupgrade(Command): logger.info("Provisioning") upgrade_from_samba3(samba3, logger, targetdir, session_info=system_session(), - useeadb=eadb) + useeadb=eadb, dns_backend=dns_backend) class cmd_domain(SuperCommand): """Domain management""" diff --git a/source4/scripting/python/samba/provision/sambadns.py b/source4/scripting/python/samba/provision/sambadns.py index 5c3e6ba..257efd6 100644 --- a/source4/scripting/python/samba/provision/sambadns.py +++ b/source4/scripting/python/samba/provision/sambadns.py 
@@ -1011,30 +1011,65 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, dns_back domainguid, names.ntdsguid, dnsadmins_sid) if dns_backend.startswith("BIND9_"): - secretsdb_setup_dns(secretsdb, names, - paths.private_dir, realm=names.realm, - dnsdomain=names.dnsdomain, - dns_keytab_path=paths.dns_keytab, dnspass=dnspass) - - create_dns_dir(logger, paths) - - if dns_backend == "BIND9_FLATFILE": - create_zone_file(lp, logger, paths, targetdir, site=site, - dnsdomain=names.dnsdomain, hostip=hostip, hostip6=hostip6, -- Samba Shared Repository