mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
python:samba: Use 'binddns dir' in samba-tool and samba_upgradedns
This provisions the bind_dlz files in the 'binddns dir'. If you want to migrate to the new files strcuture you can run samba_upgradedns! BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org>
This commit is contained in:
parent
3fa7c43ef7
commit
8f2dee256e
@ -27,6 +27,7 @@
|
|||||||
__docformat__ = "restructuredText"
|
__docformat__ = "restructuredText"
|
||||||
|
|
||||||
from base64 import b64encode
|
from base64 import b64encode
|
||||||
|
import errno
|
||||||
import os
|
import os
|
||||||
import re
|
import re
|
||||||
import pwd
|
import pwd
|
||||||
@ -145,6 +146,7 @@ class ProvisionPaths(object):
|
|||||||
self.dns = None
|
self.dns = None
|
||||||
self.winsdb = None
|
self.winsdb = None
|
||||||
self.private_dir = None
|
self.private_dir = None
|
||||||
|
self.binddns_dir = None
|
||||||
self.state_dir = None
|
self.state_dir = None
|
||||||
|
|
||||||
|
|
||||||
@ -531,6 +533,7 @@ def provision_paths_from_lp(lp, dnsdomain):
|
|||||||
"""
|
"""
|
||||||
paths = ProvisionPaths()
|
paths = ProvisionPaths()
|
||||||
paths.private_dir = lp.get("private dir")
|
paths.private_dir = lp.get("private dir")
|
||||||
|
paths.binddns_dir = lp.get("binddns dir")
|
||||||
paths.state_dir = lp.get("state directory")
|
paths.state_dir = lp.get("state directory")
|
||||||
|
|
||||||
# This is stored without path prefix for the "privateKeytab" attribute in
|
# This is stored without path prefix for the "privateKeytab" attribute in
|
||||||
@ -543,16 +546,18 @@ def provision_paths_from_lp(lp, dnsdomain):
|
|||||||
paths.idmapdb = os.path.join(paths.private_dir, "idmap.ldb")
|
paths.idmapdb = os.path.join(paths.private_dir, "idmap.ldb")
|
||||||
paths.secrets = os.path.join(paths.private_dir, "secrets.ldb")
|
paths.secrets = os.path.join(paths.private_dir, "secrets.ldb")
|
||||||
paths.privilege = os.path.join(paths.private_dir, "privilege.ldb")
|
paths.privilege = os.path.join(paths.private_dir, "privilege.ldb")
|
||||||
paths.dns = os.path.join(paths.private_dir, "dns", dnsdomain + ".zone")
|
|
||||||
paths.dns_update_list = os.path.join(paths.private_dir, "dns_update_list")
|
paths.dns_update_list = os.path.join(paths.private_dir, "dns_update_list")
|
||||||
paths.spn_update_list = os.path.join(paths.private_dir, "spn_update_list")
|
paths.spn_update_list = os.path.join(paths.private_dir, "spn_update_list")
|
||||||
paths.namedconf = os.path.join(paths.private_dir, "named.conf")
|
|
||||||
paths.namedconf_update = os.path.join(paths.private_dir, "named.conf.update")
|
|
||||||
paths.namedtxt = os.path.join(paths.private_dir, "named.txt")
|
|
||||||
paths.krb5conf = os.path.join(paths.private_dir, "krb5.conf")
|
paths.krb5conf = os.path.join(paths.private_dir, "krb5.conf")
|
||||||
paths.kdcconf = os.path.join(paths.private_dir, "kdc.conf")
|
paths.kdcconf = os.path.join(paths.private_dir, "kdc.conf")
|
||||||
paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
|
paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
|
||||||
paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi")
|
paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi")
|
||||||
|
|
||||||
|
paths.dns = os.path.join(paths.binddns_dir, "dns", dnsdomain + ".zone")
|
||||||
|
paths.namedconf = os.path.join(paths.binddns_dir, "named.conf")
|
||||||
|
paths.namedconf_update = os.path.join(paths.binddns_dir, "named.conf.update")
|
||||||
|
paths.namedtxt = os.path.join(paths.binddns_dir, "named.txt")
|
||||||
|
|
||||||
paths.hklm = "hklm.ldb"
|
paths.hklm = "hklm.ldb"
|
||||||
paths.hkcr = "hkcr.ldb"
|
paths.hkcr = "hkcr.ldb"
|
||||||
paths.hkcu = "hkcu.ldb"
|
paths.hkcu = "hkcu.ldb"
|
||||||
@ -945,6 +950,10 @@ def setup_secretsdb(paths, session_info, backend_credentials, lp):
|
|||||||
if os.path.exists(keytab_path):
|
if os.path.exists(keytab_path):
|
||||||
os.unlink(keytab_path)
|
os.unlink(keytab_path)
|
||||||
|
|
||||||
|
bind_dns_keytab_path = os.path.join(paths.binddns_dir, paths.dns_keytab)
|
||||||
|
if os.path.exists(bind_dns_keytab_path):
|
||||||
|
os.unlink(bind_dns_keytab_path)
|
||||||
|
|
||||||
dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
|
dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
|
||||||
if os.path.exists(dns_keytab_path):
|
if os.path.exists(dns_keytab_path):
|
||||||
os.unlink(dns_keytab_path)
|
os.unlink(dns_keytab_path)
|
||||||
@ -1928,6 +1937,15 @@ def provision_fake_ypserver(logger, samdb, domaindn, netbiosname, nisdomain,
|
|||||||
else:
|
else:
|
||||||
samdb.transaction_commit()
|
samdb.transaction_commit()
|
||||||
|
|
||||||
|
def directory_create_or_exists(path, mode=0o755):
|
||||||
|
if not os.path.exists(path):
|
||||||
|
try:
|
||||||
|
os.mkdir(path, mode)
|
||||||
|
except OSError as e:
|
||||||
|
if e.errno in [errno.EEXIST]:
|
||||||
|
pass
|
||||||
|
else:
|
||||||
|
raise ProvisioningError("Failed to create directory %s: %s" % (path, e.strerror))
|
||||||
|
|
||||||
def provision(logger, session_info, smbconf=None,
|
def provision(logger, session_info, smbconf=None,
|
||||||
targetdir=None, samdb_fill=FILL_FULL, realm=None, rootdn=None,
|
targetdir=None, samdb_fill=FILL_FULL, realm=None, rootdn=None,
|
||||||
@ -2064,12 +2082,10 @@ def provision(logger, session_info, smbconf=None,
|
|||||||
if serverrole is None:
|
if serverrole is None:
|
||||||
serverrole = lp.get("server role")
|
serverrole = lp.get("server role")
|
||||||
|
|
||||||
if not os.path.exists(paths.private_dir):
|
directory_create_or_exists(paths.private_dir, 0o700)
|
||||||
os.mkdir(paths.private_dir, 0o700)
|
directory_create_or_exists(paths.binddns_dir, 0o770)
|
||||||
if not os.path.exists(os.path.join(paths.private_dir, "tls")):
|
directory_create_or_exists(os.path.join(paths.private_dir, "tls"))
|
||||||
os.makedirs(os.path.join(paths.private_dir, "tls"), 0700)
|
directory_create_or_exists(paths.state_dir)
|
||||||
if not os.path.exists(paths.state_dir):
|
|
||||||
os.mkdir(paths.state_dir)
|
|
||||||
|
|
||||||
if paths.sysvol and not os.path.exists(paths.sysvol):
|
if paths.sysvol and not os.path.exists(paths.sysvol):
|
||||||
os.makedirs(paths.sysvol, 0775)
|
os.makedirs(paths.sysvol, 0775)
|
||||||
@ -2198,16 +2214,34 @@ def provision(logger, session_info, smbconf=None,
|
|||||||
# Now commit the secrets.ldb to disk
|
# Now commit the secrets.ldb to disk
|
||||||
secrets_ldb.transaction_commit()
|
secrets_ldb.transaction_commit()
|
||||||
|
|
||||||
# the commit creates the dns.keytab, now chown it
|
# the commit creates the dns.keytab in the private directory
|
||||||
dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
|
private_dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
|
||||||
if os.path.isfile(dns_keytab_path) and paths.bind_gid is not None:
|
bind_dns_keytab_path = os.path.join(paths.binddns_dir, paths.dns_keytab)
|
||||||
|
|
||||||
|
if os.path.isfile(private_dns_keytab_path):
|
||||||
|
if os.path.isfile(bind_dns_keytab_path):
|
||||||
|
try:
|
||||||
|
os.unlink(bind_dns_keytab_path)
|
||||||
|
except OSError as e:
|
||||||
|
logger.error("Failed to remove %s: %s" %
|
||||||
|
(bind_dns_keytab_path, e.strerror))
|
||||||
|
|
||||||
|
# link the dns.keytab to the bind-dns directory
|
||||||
try:
|
try:
|
||||||
os.chmod(dns_keytab_path, 0640)
|
os.link(private_dns_keytab_path, bind_dns_keytab_path)
|
||||||
os.chown(dns_keytab_path, -1, paths.bind_gid)
|
except OSError as e:
|
||||||
except OSError:
|
logger.error("Failed to create link %s -> %s: %s" %
|
||||||
if not os.environ.has_key('SAMBA_SELFTEST'):
|
(private_dns_keytab_path, bind_dns_keytab_path, e.strerror))
|
||||||
logger.info("Failed to chown %s to bind gid %u",
|
|
||||||
dns_keytab_path, paths.bind_gid)
|
# chown the dns.keytab in the bind-dns directory
|
||||||
|
if paths.bind_gid is not None:
|
||||||
|
try:
|
||||||
|
os.chmod(bind_dns_keytab_path, 0640)
|
||||||
|
os.chown(bind_dns_keytab_path, -1, paths.bind_gid)
|
||||||
|
except OSError:
|
||||||
|
if not os.environ.has_key('SAMBA_SELFTEST'):
|
||||||
|
logger.info("Failed to chown %s to bind gid %u",
|
||||||
|
bind_dns_keytab_path, paths.bind_gid)
|
||||||
|
|
||||||
result = ProvisionResult()
|
result = ProvisionResult()
|
||||||
result.server_role = serverrole
|
result.server_role = serverrole
|
||||||
|
@ -649,7 +649,7 @@ def add_dc_msdcs_records(samdb, forestdn, prefix, site, dnsforest, hostname,
|
|||||||
fqdn_hostname)
|
fqdn_hostname)
|
||||||
|
|
||||||
|
|
||||||
def secretsdb_setup_dns(secretsdb, names, private_dir, realm,
|
def secretsdb_setup_dns(secretsdb, names, private_dir, binddns_dir, realm,
|
||||||
dnsdomain, dns_keytab_path, dnspass, key_version_number):
|
dnsdomain, dns_keytab_path, dnspass, key_version_number):
|
||||||
"""Add DNS specific bits to a secrets database.
|
"""Add DNS specific bits to a secrets database.
|
||||||
|
|
||||||
@ -659,12 +659,15 @@ def secretsdb_setup_dns(secretsdb, names, private_dir, realm,
|
|||||||
"""
|
"""
|
||||||
try:
|
try:
|
||||||
os.unlink(os.path.join(private_dir, dns_keytab_path))
|
os.unlink(os.path.join(private_dir, dns_keytab_path))
|
||||||
|
os.unlink(os.path.join(binddns_dir, dns_keytab_path))
|
||||||
except OSError:
|
except OSError:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
if key_version_number is None:
|
if key_version_number is None:
|
||||||
key_version_number = 1
|
key_version_number = 1
|
||||||
|
|
||||||
|
# This will create the dns.keytab file in the private_dir when it is
|
||||||
|
# commited!
|
||||||
setup_ldb(secretsdb, setup_path("secrets_dns.ldif"), {
|
setup_ldb(secretsdb, setup_path("secrets_dns.ldif"), {
|
||||||
"REALM": realm,
|
"REALM": realm,
|
||||||
"DNSDOMAIN": dnsdomain,
|
"DNSDOMAIN": dnsdomain,
|
||||||
@ -954,7 +957,7 @@ def create_named_conf(paths, realm, dnsdomain, dns_backend, logger):
|
|||||||
})
|
})
|
||||||
|
|
||||||
|
|
||||||
def create_named_txt(path, realm, dnsdomain, dnsname, private_dir,
|
def create_named_txt(path, realm, dnsdomain, dnsname, binddns_dir,
|
||||||
keytab_name):
|
keytab_name):
|
||||||
"""Write out a file containing zone statements suitable for inclusion in a
|
"""Write out a file containing zone statements suitable for inclusion in a
|
||||||
named.conf file (including GSS-TSIG configuration).
|
named.conf file (including GSS-TSIG configuration).
|
||||||
@ -962,7 +965,7 @@ def create_named_txt(path, realm, dnsdomain, dnsname, private_dir,
|
|||||||
:param path: Path of the new named.conf file.
|
:param path: Path of the new named.conf file.
|
||||||
:param realm: Realm name
|
:param realm: Realm name
|
||||||
:param dnsdomain: DNS Domain name
|
:param dnsdomain: DNS Domain name
|
||||||
:param private_dir: Path to private directory
|
:param binddns_dir: Path to bind dns directory
|
||||||
:param keytab_name: File name of DNS keytab file
|
:param keytab_name: File name of DNS keytab file
|
||||||
"""
|
"""
|
||||||
setup_file(setup_path("named.txt"), path, {
|
setup_file(setup_path("named.txt"), path, {
|
||||||
@ -970,8 +973,8 @@ def create_named_txt(path, realm, dnsdomain, dnsname, private_dir,
|
|||||||
"DNSNAME" : dnsname,
|
"DNSNAME" : dnsname,
|
||||||
"REALM": realm,
|
"REALM": realm,
|
||||||
"DNS_KEYTAB": keytab_name,
|
"DNS_KEYTAB": keytab_name,
|
||||||
"DNS_KEYTAB_ABS": os.path.join(private_dir, keytab_name),
|
"DNS_KEYTAB_ABS": os.path.join(binddns_dir, keytab_name),
|
||||||
"PRIVATE_DIR": private_dir
|
"PRIVATE_DIR": binddns_dir
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|
||||||
@ -1194,7 +1197,9 @@ def setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger,
|
|||||||
domainguid = get_domainguid(samdb, domaindn)
|
domainguid = get_domainguid(samdb, domaindn)
|
||||||
|
|
||||||
secretsdb_setup_dns(secretsdb, names,
|
secretsdb_setup_dns(secretsdb, names,
|
||||||
paths.private_dir, realm=names.realm,
|
paths.private_dir,
|
||||||
|
paths.binddns_dir,
|
||||||
|
realm=names.realm,
|
||||||
dnsdomain=names.dnsdomain,
|
dnsdomain=names.dnsdomain,
|
||||||
dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
|
dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
|
||||||
key_version_number=key_version_number)
|
key_version_number=key_version_number)
|
||||||
@ -1218,7 +1223,7 @@ def setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger,
|
|||||||
create_named_txt(paths.namedtxt,
|
create_named_txt(paths.namedtxt,
|
||||||
realm=names.realm, dnsdomain=names.dnsdomain,
|
realm=names.realm, dnsdomain=names.dnsdomain,
|
||||||
dnsname = "%s.%s" % (names.hostname, names.dnsdomain),
|
dnsname = "%s.%s" % (names.hostname, names.dnsdomain),
|
||||||
private_dir=paths.private_dir,
|
binddns_dir=paths.binddns_dir,
|
||||||
keytab_name=paths.dns_keytab)
|
keytab_name=paths.dns_keytab)
|
||||||
logger.info("See %s for an example configuration include file for BIND",
|
logger.info("See %s for an example configuration include file for BIND",
|
||||||
paths.namedconf)
|
paths.namedconf)
|
||||||
|
@ -42,6 +42,7 @@ def create_dummy_secretsdb(path, lp=None):
|
|||||||
paths = ProvisionPaths()
|
paths = ProvisionPaths()
|
||||||
paths.secrets = path
|
paths.secrets = path
|
||||||
paths.private_dir = os.path.dirname(path)
|
paths.private_dir = os.path.dirname(path)
|
||||||
|
paths.binddns_dir = os.path.dirname(path)
|
||||||
paths.keytab = "no.keytab"
|
paths.keytab = "no.keytab"
|
||||||
paths.dns_keytab = "no.dns.keytab"
|
paths.dns_keytab = "no.dns.keytab"
|
||||||
secrets_ldb = setup_secretsdb(paths, None, None, lp=lp)
|
secrets_ldb = setup_secretsdb(paths, None, None, lp=lp)
|
||||||
@ -59,6 +60,7 @@ class ProvisionTestCase(samba.tests.TestCaseInTempDir):
|
|||||||
secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb")
|
secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb")
|
||||||
paths.secrets = path
|
paths.secrets = path
|
||||||
paths.private_dir = os.path.dirname(path)
|
paths.private_dir = os.path.dirname(path)
|
||||||
|
paths.binddns_dir = os.path.dirname(path)
|
||||||
paths.keytab = "no.keytab"
|
paths.keytab = "no.keytab"
|
||||||
paths.dns_keytab = "no.dns.keytab"
|
paths.dns_keytab = "no.dns.keytab"
|
||||||
ldb = setup_secretsdb(paths, None, None, lp=env_loadparm())
|
ldb = setup_secretsdb(paths, None, None, lp=env_loadparm())
|
||||||
|
@ -446,7 +446,7 @@ if __name__ == '__main__':
|
|||||||
dns_key_version_number = None
|
dns_key_version_number = None
|
||||||
|
|
||||||
secretsdb_setup_dns(ldbs.secrets, names,
|
secretsdb_setup_dns(ldbs.secrets, names,
|
||||||
paths.private_dir, realm=names.realm,
|
paths.private_dir, paths.binddns_dir, realm=names.realm,
|
||||||
dnsdomain=names.dnsdomain,
|
dnsdomain=names.dnsdomain,
|
||||||
dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
|
dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
|
||||||
key_version_number=dns_key_version_number)
|
key_version_number=dns_key_version_number)
|
||||||
@ -454,15 +454,34 @@ if __name__ == '__main__':
|
|||||||
else:
|
else:
|
||||||
logger.info("dns-%s account already exists" % hostname)
|
logger.info("dns-%s account already exists" % hostname)
|
||||||
|
|
||||||
dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
|
private_dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
|
||||||
if os.path.isfile(dns_keytab_path) and paths.bind_gid is not None:
|
bind_dns_keytab_path = os.path.join(paths.binddns_dir, paths.dns_keytab)
|
||||||
|
|
||||||
|
if os.path.isfile(private_dns_keytab_path):
|
||||||
|
if os.path.isfile(bind_dns_keytab_path):
|
||||||
|
try:
|
||||||
|
os.unlink(bind_dns_keytab_path)
|
||||||
|
except OSError as e:
|
||||||
|
logger.error("Failed to remove %s: %s" %
|
||||||
|
(bind_dns_keytab_path, e.strerror))
|
||||||
|
|
||||||
|
# link the dns.keytab to the bind-dns directory
|
||||||
try:
|
try:
|
||||||
os.chmod(dns_keytab_path, 0640)
|
os.link(private_dns_keytab_path, bind_dns_keytab_path)
|
||||||
os.chown(dns_keytab_path, -1, paths.bind_gid)
|
except OSError as e:
|
||||||
except OSError:
|
logger.error("Failed to create link %s -> %s: %s" %
|
||||||
if not os.environ.has_key('SAMBA_SELFTEST'):
|
(private_dns_keytab_path, bind_dns_keytab_path, e.strerror))
|
||||||
logger.info("Failed to chown %s to bind gid %u",
|
|
||||||
dns_keytab_path, paths.bind_gid)
|
# chown the dns.keytab in the bind-dns directory
|
||||||
|
if paths.bind_gid is not None:
|
||||||
|
try:
|
||||||
|
os.chmod(bind_dns_keytab_path, 0640)
|
||||||
|
os.chown(bind_dns_keytab_path, -1, paths.bind_gid)
|
||||||
|
except OSError:
|
||||||
|
if not os.environ.has_key('SAMBA_SELFTEST'):
|
||||||
|
logger.info("Failed to chown %s to bind gid %u",
|
||||||
|
bind_dns_keytab_path, paths.bind_gid)
|
||||||
|
|
||||||
|
|
||||||
# This forces a re-creation of dns directory and all the files within
|
# This forces a re-creation of dns directory and all the files within
|
||||||
# It's an overkill, but it's easier to re-create a samdb copy, rather
|
# It's an overkill, but it's easier to re-create a samdb copy, rather
|
||||||
@ -476,7 +495,7 @@ if __name__ == '__main__':
|
|||||||
create_named_conf(paths, names.realm, dnsdomain, opts.dns_backend, logger)
|
create_named_conf(paths, names.realm, dnsdomain, opts.dns_backend, logger)
|
||||||
|
|
||||||
create_named_txt(paths.namedtxt, names.realm, dnsdomain, dnsname,
|
create_named_txt(paths.namedtxt, names.realm, dnsdomain, dnsname,
|
||||||
paths.private_dir, paths.dns_keytab)
|
paths.binddns_dir, paths.dns_keytab)
|
||||||
logger.info("See %s for an example configuration include file for BIND", paths.namedconf)
|
logger.info("See %s for an example configuration include file for BIND", paths.namedconf)
|
||||||
logger.info("and %s for further documentation required for secure DNS "
|
logger.info("and %s for further documentation required for secure DNS "
|
||||||
"updates", paths.namedtxt)
|
"updates", paths.namedtxt)
|
||||||
|
@ -207,7 +207,7 @@ creds.set_kerberos_state(DONT_USE_KERBEROS)
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
def check_for_DNS(refprivate, private, dns_backend):
|
def check_for_DNS(refprivate, private, refbinddns_dir, binddns_dir, dns_backend):
|
||||||
"""Check if the provision has already the requirement for dynamic dns
|
"""Check if the provision has already the requirement for dynamic dns
|
||||||
|
|
||||||
:param refprivate: The path to the private directory of the reference
|
:param refprivate: The path to the private directory of the reference
|
||||||
@ -229,17 +229,17 @@ def check_for_DNS(refprivate, private, dns_backend):
|
|||||||
|
|
||||||
namedfile = lp.get("dnsupdate:path")
|
namedfile = lp.get("dnsupdate:path")
|
||||||
if not namedfile:
|
if not namedfile:
|
||||||
namedfile = "%s/named.conf.update" % private
|
namedfile = "%s/named.conf.update" % binddns_dir
|
||||||
if not os.path.exists(namedfile):
|
if not os.path.exists(namedfile):
|
||||||
destdir = "%s/new_dns" % private
|
destdir = "%s/new_dns" % binddns_dir
|
||||||
dnsdir = "%s/dns" % private
|
dnsdir = "%s/dns" % binddns_dir
|
||||||
|
|
||||||
if not os.path.exists(destdir):
|
if not os.path.exists(destdir):
|
||||||
os.mkdir(destdir)
|
os.mkdir(destdir)
|
||||||
if not os.path.exists(dnsdir):
|
if not os.path.exists(dnsdir):
|
||||||
os.mkdir(dnsdir)
|
os.mkdir(dnsdir)
|
||||||
shutil.copy("%s/named.conf" % refprivate, "%s/named.conf" % destdir)
|
shutil.copy("%s/named.conf" % refbinddns_dir, "%s/named.conf" % destdir)
|
||||||
shutil.copy("%s/named.txt" % refprivate, "%s/named.txt" % destdir)
|
shutil.copy("%s/named.txt" % refbinddns_dir, "%s/named.txt" % destdir)
|
||||||
message(SIMPLE, "It seems that your provision did not integrate "
|
message(SIMPLE, "It seems that your provision did not integrate "
|
||||||
"new rules for dynamic dns update of domain related entries")
|
"new rules for dynamic dns update of domain related entries")
|
||||||
message(SIMPLE, "A copy of the new bind configuration files and "
|
message(SIMPLE, "A copy of the new bind configuration files and "
|
||||||
@ -1793,7 +1793,9 @@ if __name__ == '__main__':
|
|||||||
# 20)
|
# 20)
|
||||||
updateOEMInfo(ldbs.sam, str(names.rootdn))
|
updateOEMInfo(ldbs.sam, str(names.rootdn))
|
||||||
# 21)
|
# 21)
|
||||||
check_for_DNS(newpaths.private_dir, paths.private_dir, names.dns_backend)
|
check_for_DNS(newpaths.private_dir, paths.private_dir,
|
||||||
|
newpaths.binddns_dir, paths.binddns_dir,
|
||||||
|
names.dns_backend)
|
||||||
# 22)
|
# 22)
|
||||||
update_provision_usn(ldbs.sam, minUSN, maxUSN, names.invocation)
|
update_provision_usn(ldbs.sam, minUSN, maxUSN, names.invocation)
|
||||||
if opts.full and (names.policyid is None or names.policyid_dc is None):
|
if opts.full and (names.policyid is None or names.policyid_dc is None):
|
||||||
|
@ -5,6 +5,7 @@
|
|||||||
server role = domain controller
|
server role = domain controller
|
||||||
|
|
||||||
private dir = @@PREFIX@@/private
|
private dir = @@PREFIX@@/private
|
||||||
|
binddns dir = @@PREFIX@@/bind-dns
|
||||||
lock dir = @@PREFIX@@/
|
lock dir = @@PREFIX@@/
|
||||||
posix:eadb = @@PREFIX@@/private/eadb.tdb
|
posix:eadb = @@PREFIX@@/private/eadb.tdb
|
||||||
|
|
||||||
|
@ -11,13 +11,13 @@ tkey-domain "ALPHA13.SAMBA.CORP";
|
|||||||
# - Modify BIND init scripts to pass the location of the generated keytab file.
|
# - Modify BIND init scripts to pass the location of the generated keytab file.
|
||||||
# Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named
|
# Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named
|
||||||
# for this purpose:
|
# for this purpose:
|
||||||
KEYTAB_FILE="/home/mat/workspace/samba/alpha13/private/dns.keytab"
|
KEYTAB_FILE="/home/mat/workspace/samba/alpha13/bind-dns/dns.keytab"
|
||||||
# Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a
|
# Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a
|
||||||
# variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon. If
|
# variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon. If
|
||||||
# your distribution does not provide a variable like KEYTAB_FILE to pass a
|
# your distribution does not provide a variable like KEYTAB_FILE to pass a
|
||||||
# keytab file to the BIND daemon, a workaround is to place the following line in
|
# keytab file to the BIND daemon, a workaround is to place the following line in
|
||||||
# BIND's sysconfig file or in the init script for BIND:
|
# BIND's sysconfig file or in the init script for BIND:
|
||||||
export KRB5_KTNAME="/home/mat/workspace/samba/alpha13/private/dns.keytab"
|
export KRB5_KTNAME="/home/mat/workspace/samba/alpha13/bind-dns/dns.keytab"
|
||||||
|
|
||||||
# - Set appropriate ownership and permissions on the dns.keytab file. Note
|
# - Set appropriate ownership and permissions on the dns.keytab file. Note
|
||||||
# that most distributions have BIND configured to run under a non-root user
|
# that most distributions have BIND configured to run under a non-root user
|
||||||
@ -26,8 +26,8 @@ export KRB5_KTNAME="/home/mat/workspace/samba/alpha13/private/dns.keytab"
|
|||||||
# by the user that BIND run as. If BIND is running as a non-root user, the
|
# by the user that BIND run as. If BIND is running as a non-root user, the
|
||||||
# "dns.keytab" file must have its permissions altered to allow the daemon to
|
# "dns.keytab" file must have its permissions altered to allow the daemon to
|
||||||
# read it. Under Fedora 9, execute the following commands:
|
# read it. Under Fedora 9, execute the following commands:
|
||||||
chgrp named /home/mat/workspace/samba/alpha13/private/dns.keytab
|
chgrp named /home/mat/workspace/samba/alpha13/bind-dns/dns.keytab
|
||||||
chmod g+r /home/mat/workspace/samba/alpha13/private/dns.keytab
|
chmod g+r /home/mat/workspace/samba/alpha13/bind-dns/dns.keytab
|
||||||
|
|
||||||
# - Ensure the BIND zone file(s) that will be dynamically updated are in a
|
# - Ensure the BIND zone file(s) that will be dynamically updated are in a
|
||||||
# directory where the BIND daemon can write. When BIND performs dynamic
|
# directory where the BIND daemon can write. When BIND performs dynamic
|
||||||
@ -43,4 +43,4 @@ chmod g+r /home/mat/workspace/samba/alpha13/private/dns.keytab
|
|||||||
# file contexts. The dns.keytab file must be accessible by the BIND daemon
|
# file contexts. The dns.keytab file must be accessible by the BIND daemon
|
||||||
# and should have a SELinux type of named_conf_t. This can be set with the
|
# and should have a SELinux type of named_conf_t. This can be set with the
|
||||||
# following command:
|
# following command:
|
||||||
chcon -t named_conf_t /home/mat/workspace/samba/alpha13/private/dns.keytab
|
chcon -t named_conf_t /home/mat/workspace/samba/alpha13/bind-dns/dns.keytab
|
||||||
|
@ -5,6 +5,7 @@
|
|||||||
server role = domain controller
|
server role = domain controller
|
||||||
|
|
||||||
private dir = @@PREFIX@@/private
|
private dir = @@PREFIX@@/private
|
||||||
|
binddns dir = @@PREFIX@@/bind-dns
|
||||||
lock dir = @@PREFIX@@/
|
lock dir = @@PREFIX@@/
|
||||||
posix:eadb = @@PREFIX@@/private/eadb.tdb
|
posix:eadb = @@PREFIX@@/private/eadb.tdb
|
||||||
|
|
||||||
|
@ -5,6 +5,7 @@
|
|||||||
server role = domain controller
|
server role = domain controller
|
||||||
|
|
||||||
private dir = @@PREFIX@@/private
|
private dir = @@PREFIX@@/private
|
||||||
|
binddns dir = @@PREFIX@@/bind-dns
|
||||||
lock dir = @@PREFIX@@/
|
lock dir = @@PREFIX@@/
|
||||||
posix:eadb = @@PREFIX@@/private/eadb.tdb
|
posix:eadb = @@PREFIX@@/private/eadb.tdb
|
||||||
|
|
||||||
|
@ -10,7 +10,7 @@
|
|||||||
|
|
||||||
# 1. Insert following lines into the options {} section of your named.conf
|
# 1. Insert following lines into the options {} section of your named.conf
|
||||||
# file:
|
# file:
|
||||||
tkey-gssapi-keytab "/data/samba/git/samba4.1/st/promoted_dc/private/dns.keytab";
|
tkey-gssapi-keytab "/data/samba/git/samba4.1/st/promoted_dc/bind-dns/dns.keytab";
|
||||||
|
|
||||||
#
|
#
|
||||||
# Common Steps for BIND 9.x.x --------------------------------------------
|
# Common Steps for BIND 9.x.x --------------------------------------------
|
||||||
@ -24,8 +24,8 @@ tkey-gssapi-keytab "/data/samba/git/samba4.1/st/promoted_dc/private/dns.keytab";
|
|||||||
# is running as a non-root user, the "dns.keytab" file must have its
|
# is running as a non-root user, the "dns.keytab" file must have its
|
||||||
# permissions altered to allow the daemon to read it. Under Fedora 9,
|
# permissions altered to allow the daemon to read it. Under Fedora 9,
|
||||||
# execute the following commands:
|
# execute the following commands:
|
||||||
chgrp named /data/samba/git/samba4.1/st/promoted_dc/private/dns.keytab
|
chgrp named /data/samba/git/samba4.1/st/promoted_dc/bind-dns/dns.keytab
|
||||||
chmod g+r /data/samba/git/samba4.1/st/promoted_dc/private/dns.keytab
|
chmod g+r /data/samba/git/samba4.1/st/promoted_dc/bind-dns/dns.keytab
|
||||||
|
|
||||||
# 3. Ensure the BIND zone file(s) that will be dynamically updated are in
|
# 3. Ensure the BIND zone file(s) that will be dynamically updated are in
|
||||||
# a directory where the BIND daemon can write. When BIND performs
|
# a directory where the BIND daemon can write. When BIND performs
|
||||||
@ -42,4 +42,4 @@ chmod g+r /data/samba/git/samba4.1/st/promoted_dc/private/dns.keytab
|
|||||||
# SELinux file contexts. The dns.keytab file must be accessible by the
|
# SELinux file contexts. The dns.keytab file must be accessible by the
|
||||||
# BIND daemon and should have a SELinux type of named_conf_t. This can be
|
# BIND daemon and should have a SELinux type of named_conf_t. This can be
|
||||||
# set with the following command:
|
# set with the following command:
|
||||||
chcon -t named_conf_t /data/samba/git/samba4.1/st/promoted_dc/private/dns.keytab
|
chcon -t named_conf_t /data/samba/git/samba4.1/st/promoted_dc/bind-dns/dns.keytab
|
||||||
|
@ -4,6 +4,7 @@
|
|||||||
workgroup = SAMBADOMAIN
|
workgroup = SAMBADOMAIN
|
||||||
realm = SAMBA.EXAMPLE.COM
|
realm = SAMBA.EXAMPLE.COM
|
||||||
private dir = @@PREFIX@@/private
|
private dir = @@PREFIX@@/private
|
||||||
|
binddns dir = @@PREFIX@@/bind-dns
|
||||||
lock dir = @@PREFIX@@/
|
lock dir = @@PREFIX@@/
|
||||||
posix:eadb = @@PREFIX@@/private/eadb.tdb
|
posix:eadb = @@PREFIX@@/private/eadb.tdb
|
||||||
|
|
||||||
|
@ -341,15 +341,15 @@ nameserver %s
|
|||||||
elif self.getvar('NAMESERVER_BACKEND') != 'SAMBA_INTERNAL':
|
elif self.getvar('NAMESERVER_BACKEND') != 'SAMBA_INTERNAL':
|
||||||
if self.named_supports_gssapi_keytab():
|
if self.named_supports_gssapi_keytab():
|
||||||
self.setvar("NAMED_TKEY_OPTION",
|
self.setvar("NAMED_TKEY_OPTION",
|
||||||
'tkey-gssapi-keytab "${PREFIX}/private/dns.keytab";')
|
'tkey-gssapi-keytab "${PREFIX}/bind-dns/dns.keytab";')
|
||||||
else:
|
else:
|
||||||
self.info("LCREALM=${LCREALM}")
|
self.info("LCREALM=${LCREALM}")
|
||||||
self.setvar("NAMED_TKEY_OPTION",
|
self.setvar("NAMED_TKEY_OPTION",
|
||||||
'''tkey-gssapi-credential "DNS/${LCREALM}";
|
'''tkey-gssapi-credential "DNS/${LCREALM}";
|
||||||
tkey-domain "${LCREALM}";
|
tkey-domain "${LCREALM}";
|
||||||
''')
|
''')
|
||||||
self.putenv('KEYTAB_FILE', '${PREFIX}/private/dns.keytab')
|
self.putenv('KEYTAB_FILE', '${PREFIX}/bind-dns/dns.keytab')
|
||||||
self.putenv('KRB5_KTNAME', '${PREFIX}/private/dns.keytab')
|
self.putenv('KRB5_KTNAME', '${PREFIX}/bind-dns/dns.keytab')
|
||||||
else:
|
else:
|
||||||
self.setvar("NAMED_TKEY_OPTION", "")
|
self.setvar("NAMED_TKEY_OPTION", "")
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user