The branch, master has been updated
       via  e5a2e62 wafsamba: We need to honor DESTDIR in INSTALL_DIR
       via  05169a6 samba_upgradedns: When we setup the internal dns cleanup bind-dns dir
       via  8cf5c5f samba_upgradedns: Print better hints after we migrated the config
       via  aef2b91 samba_upgradedns: Change the group of the 'binddns dir' too
       via  ffb7d6b python:provision: Do not change the owner of the sam.ldb.d dir
       via  591b086 python:provision: Change the group of the 'binddns dir' too
       via  bf64939 s4:bind_dlz: Try the 'binddns dir' first
       via  1c29a8b dynconfig: Fix location of the default 'binddns dir'
       via  4880e8a samba:provision: Give a hint to copy the krb5.conf and not symlink it
       via  2bf9b5e wafsamba: Do not chmod already existing dirs on install
      from  e115a42 getncchanges.c: Send linked attributes in each chunk

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------

commit e5a2e6291a88757eae7a9e7ad58d8465c0509896
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Sep 12 15:56:44 2017 +0200

    wafsamba: We need to honor DESTDIR in INSTALL_DIR

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Sat Sep 16 04:47:29 CEST 2017 on sn-devel-144

commit 05169a6047e6e3271949c96652a667f624e9a62d
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Sep 5 11:47:27 2017 +0200

    samba_upgradedns: When we setup the internal dns cleanup bind-dns dir

    Make sure to remove everything from the bind-dns directory to avoid
    possible security issues with the named group having write access to
    all AD partitions

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 8cf5c5f0fae97c7215eb09070049cdb29377dc97
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Sep 6 07:25:40 2017 +0200

    samba_upgradedns: Print better hints after we migrated the config

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit aef2b915a2020786f79650078b318d471a6f0381
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Sep 6 10:06:40 2017 +0200

    samba_upgradedns: Change the group of the 'binddns dir' too

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit ffb7d6b50e0c079f10f881148c584da1c9681310
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Sep 6 07:25:04 2017 +0200

    python:provision: Do not change the owner of the sam.ldb.d dir

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 591b086bf18d771c1b34526431aea82a93d5d7a0
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Sep 6 07:23:57 2017 +0200

    python:provision: Change the group of the 'binddns dir' too

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit bf64939d22d33e26e11e73f41ee2db09a48c8d3c
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Aug 22 17:10:01 2017 +0200

    s4:bind_dlz: Try the 'binddns dir' first

    The directory is normally empty if you did not provision or call
    samba_upgradedns for the bind_dlz module.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 1c29a8b3477cd2c030ee21465e0d4a9ec943b590
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Aug 10 15:04:08 2017 +0200

    dynconfig: Fix location of the default 'binddns dir'

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 4880e8a7e695663e820376d6c4e3933821dcb8fb
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Sep 5 20:36:47 2017 +0200

    samba:provision: Give a hint to copy the krb5.conf and not symlink it

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 2bf9b5e166f8440a09db937e2936a43d1dcd2ae3
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Sep 5 14:18:44 2017 +0200

    wafsamba: Do not chmod already existing dirs on install

    This might break backward compatibility.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 buildtools/wafsamba/wafsamba.py        | 19 ++++++++-------
 dynconfig/wscript                      | 12 +++++-----
 python/samba/provision/__init__.py     | 11 +++++++++
 python/samba/provision/sambadns.py     |  3 ---
 source4/dns_server/dlz_bind9.c         | 12 +++++-----
 source4/scripting/bin/samba_upgradedns | 42 +++++++++++++++++++++++++++++++---
 6 files changed, 71 insertions(+), 28 deletions(-)

Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py index 57913af..23fd3c4 100644 --- a/buildtools/wafsamba/wafsamba.py +++ b/buildtools/wafsamba/wafsamba.py
@@ -885,31 +885,30 @@ def INSTALL_WILDCARD(bld, destdir, pattern, chmod=MODE_644, flat=False, python_fixup=python_fixup, base_name=trim_path) Build.BuildContext.INSTALL_WILDCARD = INSTALL_WILDCARD -def INSTALL_DIR(bld, path, chmod=0o755): +def INSTALL_DIR(bld, path, chmod=0o755, env=None): """Install a directory if it doesn't exist, always set permissions.""" if not path: return [] + destpath = bld.get_install_path(path, env) + if bld.is_install > 0: - path = bld.EXPAND_VARIABLES(path) - if not os.path.isdir(path): + if not os.path.isdir(destpath): try: - os.makedirs(path) - os.chmod(path, chmod) + os.makedirs(destpath) + os.chmod(destpath, chmod) except OSError, e: - if not os.path.isdir(path): + if not os.path.isdir(destpath): raise Utils.WafError("Cannot create the folder '%s' (error: %s)" % (path, e)) - else: - os.chmod(path, chmod) Build.BuildContext.INSTALL_DIR = INSTALL_DIR -def INSTALL_DIRS(bld, destdir, dirs, chmod=0o755): +def INSTALL_DIRS(bld, destdir, dirs, chmod=0o755, env=None): '''install a set of directories''' destdir = bld.EXPAND_VARIABLES(destdir) dirs = bld.EXPAND_VARIABLES(dirs) for d in TO_LIST(dirs): - INSTALL_DIR(bld, os.path.join(destdir, d), chmod) + INSTALL_DIR(bld, os.path.join(destdir, d), chmod, env) Build.BuildContext.INSTALL_DIRS = INSTALL_DIRS diff --git a/dynconfig/wscript b/dynconfig/wscript index fee37ea..54977e4 100644 --- a/dynconfig/wscript +++ b/dynconfig/wscript @@ -174,6 +174,12 @@ dynconfig = { 'OPTION': '--with-privatedir', 'HELPTEXT': 'Where to put sam.ldb and other private files', }, + 'BINDDNS_DIR' : { + 'STD-PATH': '${PREFIX}/bind-dns', + 'FHS-PATH': '${LOCALSTATEDIR}/lib/samba/bind-dns', + 'OPTION': '--with-bind-dns-dir', + 'HELPTEXT': 'bind-dns config directory', + }, 'LOCKDIR' : { 'STD-PATH': '${LOCALSTATEDIR}/lock', 'FHS-PATH': '${LOCALSTATEDIR}/lock/samba', 
@@ -192,12 +198,6 @@ dynconfig = { 'OPTION': '--with-statedir', 'HELPTEXT': 'Where to put persistent state files', }, - 'BINDDNS_DIR' : { - 'STD-PATH': '${LOCALSTATEDIR}/lib', - 'FHS-PATH': '${LOCALSTATEDIR}/lib/samba/bind-dns', - 'OPTION': '--with-bind-dns-dir', - 'HELPTEXT': 'bind-dns config directory', - }, 'CACHEDIR' : { 'STD-PATH': '${LOCALSTATEDIR}/cache', 'FHS-PATH': '${LOCALSTATEDIR}/cache/samba', diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py index f820f6a..07c2479 100644 --- a/python/samba/provision/__init__.py +++ b/python/samba/provision/__init__.py @@ -2200,6 +2200,9 @@ def provision(logger, session_info, smbconf=None, realm=names.realm) logger.info("A Kerberos configuration suitable for Samba AD has been " "generated at %s", paths.krb5conf) + logger.info("Merge the contents of this file with your system " + "krb5.conf or replace it with this one. Do not create a " + "symlink!") if serverrole == "active directory domain controller": create_dns_update_list(lp, logger, paths) @@ -2236,6 +2239,14 @@ def provision(logger, session_info, smbconf=None, # chown the dns.keytab in the bind-dns directory if paths.bind_gid is not None: try: + os.chmod(paths.binddns_dir, 0770) + os.chown(paths.binddns_dir, -1, paths.bind_gid) + except OSError: + if not os.environ.has_key('SAMBA_SELFTEST'): + logger.info("Failed to chown %s to bind gid %u", + paths.binddns_dir, paths.bind_gid) + + try: os.chmod(bind_dns_keytab_path, 0640) os.chown(bind_dns_keytab_path, -1, paths.bind_gid) except OSError: diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py index fce72ad..a405065 100644 --- a/python/samba/provision/sambadns.py +++ b/python/samba/provision/sambadns.py 
@@ -868,9 +868,6 @@ def create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid): # Give bind read/write permissions dns partitions if paths.bind_gid is not None: try: - os.chown(samldb_dir, -1, paths.bind_gid) - os.chmod(samldb_dir, 0750) - for dirname, dirs, files in os.walk(dns_dir): for d in dirs: dpath = os.path.join(dirname, d) diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c index 8e0820d..9bf1b61 100644 --- a/source4/dns_server/dlz_bind9.c +++ b/source4/dns_server/dlz_bind9.c @@ -682,9 +682,9 @@ _PUBLIC_ isc_result_t dlz_create(const char *dlzname, } if (state->options.url == NULL) { - state->options.url = lpcfg_private_path(state, - state->lp, - "dns/sam.ldb"); + state->options.url = talloc_asprintf(state, + "%s/dns/sam.ldb", + lpcfg_binddns_dir(state->lp)); if (state->options.url == NULL) { result = ISC_R_NOMEMORY; goto failed; @@ -693,7 +693,7 @@ _PUBLIC_ isc_result_t dlz_create(const char *dlzname, if (!file_exist(state->options.url)) { state->options.url = talloc_asprintf(state, "%s/dns/sam.ldb", - lpcfg_binddns_dir(state->lp)); + lpcfg_private_dir(state->lp)); if (state->options.url == NULL) { result = ISC_R_NOMEMORY; goto failed; @@ -1322,7 +1322,7 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const keytab_file = talloc_asprintf(tmp_ctx, "%s/dns.keytab", - lpcfg_private_dir(state->lp)); + lpcfg_binddns_dir(state->lp)); if (keytab_file == NULL) { state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!"); talloc_free(tmp_ctx); @@ -1332,7 +1332,7 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const if (!file_exist(keytab_file)) { keytab_file = talloc_asprintf(tmp_ctx, "%s/dns.keytab", - lpcfg_binddns_dir(state->lp)); + lpcfg_private_dir(state->lp)); if (keytab_file == NULL) { state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!"); talloc_free(tmp_ctx); 
diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns index 2582da0..261d8a1 100755 --- a/source4/scripting/bin/samba_upgradedns +++ b/source4/scripting/bin/samba_upgradedns @@ -442,6 +442,12 @@ if __name__ == '__main__': # Special stuff for DLZ backend if opts.dns_backend == "BIND9_DLZ": + config_migration = False + + if (paths.private_dir != paths.binddns_dir and + os.path.isfile(os.path.join(paths.private_dir, "named.conf"))): + config_migration = True + # Check if dns-HOSTNAME account exists and create it if required secrets_msgs = ldbs.secrets.search(expression='(samAccountName=dns-%s)' % hostname, attrs=['secret']) msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT, @@ -506,6 +512,13 @@ if __name__ == '__main__': # chown the dns.keytab in the bind-dns directory if paths.bind_gid is not None: try: + os.chmod(paths.binddns_dir, 0o770) + os.chown(paths.binddns_dir, -1, paths.bind_gid) + except OSError: + if not os.environ.has_key('SAMBA_SELFTEST'): + logger.info("Failed to chown %s to bind gid %u", + paths.binddns_dir, paths.bind_gid) + try: os.chmod(bind_dns_keytab_path, 0640) os.chown(bind_dns_keytab_path, -1, paths.bind_gid) except OSError: 
@@ -530,10 +543,33 @@ if __name__ == '__main__': cleanup_obsolete_dns_files(paths) - logger.info("See %s for an example configuration include file for BIND", paths.namedconf) - logger.info("and %s for further documentation required for secure DNS " - "updates", paths.namedtxt) + if config_migration: + logger.info("ATTENTION: The BIND configuration and keytab has been moved to: %s", + paths.binddns_dir) + logger.info(" Please update your BIND configuration accordingly.") + else: + logger.info("See %s for an example configuration include file for BIND", paths.namedconf) + logger.info("and %s for further documentation required for secure DNS " + "updates", paths.namedtxt) + elif opts.dns_backend == "SAMBA_INTERNAL": + # Make sure to remove everything from the bind-dns directory to avoid + # possible security issues with the named group having write access + # to all AD partions + cleanup_remove_file(os.path.join(paths.binddns_dir, "dns.keytab")) + cleanup_remove_file(os.path.join(paths.binddns_dir, "named.conf")) + cleanup_remove_file(os.path.join(paths.binddns_dir, "named.conf.update")) + cleanup_remove_file(os.path.join(paths.binddns_dir, "named.txt")) + + cleanup_remove_dir(os.path.dirname(paths.dns)) + + try: + os.chmod(paths.private_dir, 0o700) + os.chown(paths.private_dir, -1, 0) + except: + logger.warn("Failed to restore owner and permissions for %s", + (paths.private_dir)) + # Check if dns-HOSTNAME account exists and delete it if required try: dn_str = 'samAccountName=dns-%s,CN=Principals' % hostname -- Samba Shared Repository
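Review bot: In the buildtools/wafsamba/wafsamba.py hunk at @@ -885, the docstring still promises "always set permissions" while the removed `else: os.chmod(path, chmod)` branch was exactly what did that for pre-existing directories; update the docstring to say the mode is applied only to directories this call creates, so packagers do not keep relying on the old behaviour. In the same hunk the WafError message still formats `path` rather than `destpath`, so a failed mkdir under DESTDIR reports a path that was never attempted; use `destpath` there. Also `os.makedirs(destpath)` followed by `os.chmod(destpath, chmod)` leaves a short window where the directory exists with umask-derived permissions; passing the mode to `os.makedirs(destpath, chmod)` narrows that window (umask still applies) while the chmod afterwards keeps the final mode exact.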
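Review bot: The dynconfig/wscript hunk at @@ -174 changes 'STD-PATH' for BINDDNS_DIR from '${LOCALSTATEDIR}/lib' (the value removed at @@ -192) to '${PREFIX}/bind-dns', but the commit message "Fix location of the default 'binddns dir'" does not say that the old default pointed at the shared lib directory rather than a Samba-owned subdirectory. That matters because the provision and samba_upgradedns hunks in this same patch now chmod binddns_dir to 0770 and chown it to the bind gid; with the old STD-PATH a non-FHS build would have applied that to the whole of ${LOCALSTATEDIR}/lib. Spell the old value and the consequence out in the commit message. Since the entry is also moved to a different position in the dict, a reviewer has to compare the two hunks by eye to spot the value change; a separate move commit would have made it obvious.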
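Review bot: The python/samba/provision/__init__.py hunk at @@ -2200 adds "Do not create a symlink!" without saying why. A one-line reason makes the advice actionable: the generated krb5.conf lives in the private dir, which the samba_upgradedns hunk at @@ -530 in this patch resets to mode 0o700 with group 0 for the SAMBA_INTERNAL backend, so a /etc/krb5.conf symlink into it would be unreadable for unprivileged processes. Consider logger.warning rather than logger.info for the hint as well, since it is easy to miss among the provisioning output.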
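Review bot: In the python/samba/provision/__init__.py hunk at @@ -2236 the order of `os.chmod(paths.binddns_dir, 0770)` followed by `os.chown(paths.binddns_dir, -1, paths.bind_gid)` is the wrong way round for a group-writable mode: if chown fails after chmod succeeded, the directory is left 0770 with whatever group it had before, and the except branch only logs. Chown first and chmod second, so the mode is widened only once the group is known to be bind's. The same hunk uses the Python 2 only literal 0770 where the sister hunk in samba_upgradedns uses 0o770, and `os.environ.has_key()` is gone in Python 3; use `'SAMBA_SELFTEST' in os.environ`. The log line "Failed to chown" is also printed when it was chmod that failed; catch the two calls separately or name the failing call in the message.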
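Review bot: The python/samba/provision/sambadns.py hunk at @@ -868 drops the chown/chmod of samldb_dir but leaves the comment "Give bind read/write permissions dns partitions" and the os.walk over dns_dir in place, so a reader of the result cannot see that bind no longer needs traverse access to sam.ldb.d. That is only safe because the dlz_bind9.c hunks in this patch now look for dns/sam.ldb under the binddns dir first; the commit message "Do not change the owner of the sam.ldb.d dir" should say so, and should note that the removed chown changed the group, not the owner (uid was -1).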
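Review bot: In the source4/dns_server/dlz_bind9.c hunks at @@ -682 and @@ -693 the fallback to lpcfg_private_dir() is silent: when the binddns copy of dns/sam.ldb is missing, the module opens the old private-dir copy without any log line, so an operator who ran samba_upgradedns and restarted named cannot tell from the logs which database is in use. Log the chosen path at ISC_LOG_INFO, and warn when the fallback is taken. The hunk also does not show whether the `if (!file_exist(state->options.url))` block at @@ -693 is nested inside the `state->options.url == NULL` block; if it is not, an explicitly configured url that does not exist would be quietly replaced with the private-dir default. Worth confirming the brace nesting.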
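Review bot: The dlz_ssumatch hunks at @@ -1322 and @@ -1332 repeat the same "try binddns dir, fall back to private dir" sequence as dlz_create, with a file_exist() check followed by a later open. A small helper that resolves a relative name against binddns_dir and then private_dir, and logs the result, would remove the duplication and give both call sites the same diagnostics; as written, a missing dns.keytab in the binddns dir falls back to the private-dir keytab without a trace, which is exactly the situation the migration hints added to samba_upgradedns are trying to make visible.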
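Review bot: In the source4/scripting/bin/samba_upgradedns hunk at @@ -442, config_migration is set when named.conf still exists in private_dir, but nothing in this hunk removes or renames the old private_dir copies of named.conf and dns.keytab. Unless cleanup_obsolete_dns_files() (called at @@ -530) does that, the dlz_bind9.c fallback in this patch will keep finding them whenever the binddns copies are absent, and the "has been moved" message at @@ -530 would be inaccurate. Confirm what cleanup_obsolete_dns_files() removes and log each removed path, so the old group-readable keytab does not survive the migration unnoticed.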
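Review bot: The samba_upgradedns hunk at @@ -506 is a copy of the binddns_dir chmod/chown block added to python/samba/provision/__init__.py in this patch, with the same chmod-before-chown ordering and `os.environ.has_key` use, and a different octal spelling (0o770 here, 0770 there). Move it into one helper in python/samba/provision next to the existing dns.keytab chown so both callers share the fix and the same log text.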
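Review bot: In the samba_upgradedns hunk at @@ -530 the bare `except:` around the os.chmod/os.chown of private_dir swallows everything, including KeyboardInterrupt and SystemExit; catch OSError as the other hunks do. `(paths.private_dir)` in the logger.warn call is not a tuple, so the parentheses do nothing, and logger.warn is the deprecated alias of logger.warning. Two wording nits in the added strings: "The BIND configuration and keytab has been moved" should read "have been moved", and "partions" in the comment should be "partitions". On the substance, the SAMBA_INTERNAL branch removes four named files and the dns directory individually; anything else that a later version drops into binddns_dir would be left behind, still group-writable by named, so consider clearing the directory's whole contents, or at least logging any unexpected entry found there, rather than working from a fixed list.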