1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

python:samba: Use 'binddns dir' in samba-tool and samba_upgradedns

This provisions the bind_dlz files in the 'binddns dir'. If you want to
migrate to the new files strcuture you can run samba_upgradedns!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
This commit is contained in:
Andreas Schneider 2017-08-10 15:37:54 +02:00 committed by Jeremy Allison
parent 3fa7c43ef7
commit 8f2dee256e
12 changed files with 121 additions and 55 deletions

View File

@ -27,6 +27,7 @@
__docformat__ = "restructuredText" __docformat__ = "restructuredText"
from base64 import b64encode from base64 import b64encode
import errno
import os import os
import re import re
import pwd import pwd
@ -145,6 +146,7 @@ class ProvisionPaths(object):
self.dns = None self.dns = None
self.winsdb = None self.winsdb = None
self.private_dir = None self.private_dir = None
self.binddns_dir = None
self.state_dir = None self.state_dir = None
@ -531,6 +533,7 @@ def provision_paths_from_lp(lp, dnsdomain):
""" """
paths = ProvisionPaths() paths = ProvisionPaths()
paths.private_dir = lp.get("private dir") paths.private_dir = lp.get("private dir")
paths.binddns_dir = lp.get("binddns dir")
paths.state_dir = lp.get("state directory") paths.state_dir = lp.get("state directory")
# This is stored without path prefix for the "privateKeytab" attribute in # This is stored without path prefix for the "privateKeytab" attribute in
@ -543,16 +546,18 @@ def provision_paths_from_lp(lp, dnsdomain):
paths.idmapdb = os.path.join(paths.private_dir, "idmap.ldb") paths.idmapdb = os.path.join(paths.private_dir, "idmap.ldb")
paths.secrets = os.path.join(paths.private_dir, "secrets.ldb") paths.secrets = os.path.join(paths.private_dir, "secrets.ldb")
paths.privilege = os.path.join(paths.private_dir, "privilege.ldb") paths.privilege = os.path.join(paths.private_dir, "privilege.ldb")
paths.dns = os.path.join(paths.private_dir, "dns", dnsdomain + ".zone")
paths.dns_update_list = os.path.join(paths.private_dir, "dns_update_list") paths.dns_update_list = os.path.join(paths.private_dir, "dns_update_list")
paths.spn_update_list = os.path.join(paths.private_dir, "spn_update_list") paths.spn_update_list = os.path.join(paths.private_dir, "spn_update_list")
paths.namedconf = os.path.join(paths.private_dir, "named.conf")
paths.namedconf_update = os.path.join(paths.private_dir, "named.conf.update")
paths.namedtxt = os.path.join(paths.private_dir, "named.txt")
paths.krb5conf = os.path.join(paths.private_dir, "krb5.conf") paths.krb5conf = os.path.join(paths.private_dir, "krb5.conf")
paths.kdcconf = os.path.join(paths.private_dir, "kdc.conf") paths.kdcconf = os.path.join(paths.private_dir, "kdc.conf")
paths.winsdb = os.path.join(paths.private_dir, "wins.ldb") paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi") paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi")
paths.dns = os.path.join(paths.binddns_dir, "dns", dnsdomain + ".zone")
paths.namedconf = os.path.join(paths.binddns_dir, "named.conf")
paths.namedconf_update = os.path.join(paths.binddns_dir, "named.conf.update")
paths.namedtxt = os.path.join(paths.binddns_dir, "named.txt")
paths.hklm = "hklm.ldb" paths.hklm = "hklm.ldb"
paths.hkcr = "hkcr.ldb" paths.hkcr = "hkcr.ldb"
paths.hkcu = "hkcu.ldb" paths.hkcu = "hkcu.ldb"
@ -945,6 +950,10 @@ def setup_secretsdb(paths, session_info, backend_credentials, lp):
if os.path.exists(keytab_path): if os.path.exists(keytab_path):
os.unlink(keytab_path) os.unlink(keytab_path)
bind_dns_keytab_path = os.path.join(paths.binddns_dir, paths.dns_keytab)
if os.path.exists(bind_dns_keytab_path):
os.unlink(bind_dns_keytab_path)
dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab) dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
if os.path.exists(dns_keytab_path): if os.path.exists(dns_keytab_path):
os.unlink(dns_keytab_path) os.unlink(dns_keytab_path)
@ -1928,6 +1937,15 @@ def provision_fake_ypserver(logger, samdb, domaindn, netbiosname, nisdomain,
else: else:
samdb.transaction_commit() samdb.transaction_commit()
def directory_create_or_exists(path, mode=0o755):
if not os.path.exists(path):
try:
os.mkdir(path, mode)
except OSError as e:
if e.errno in [errno.EEXIST]:
pass
else:
raise ProvisioningError("Failed to create directory %s: %s" % (path, e.strerror))
def provision(logger, session_info, smbconf=None, def provision(logger, session_info, smbconf=None,
targetdir=None, samdb_fill=FILL_FULL, realm=None, rootdn=None, targetdir=None, samdb_fill=FILL_FULL, realm=None, rootdn=None,
@ -2064,12 +2082,10 @@ def provision(logger, session_info, smbconf=None,
if serverrole is None: if serverrole is None:
serverrole = lp.get("server role") serverrole = lp.get("server role")
if not os.path.exists(paths.private_dir): directory_create_or_exists(paths.private_dir, 0o700)
os.mkdir(paths.private_dir, 0o700) directory_create_or_exists(paths.binddns_dir, 0o770)
if not os.path.exists(os.path.join(paths.private_dir, "tls")): directory_create_or_exists(os.path.join(paths.private_dir, "tls"))
os.makedirs(os.path.join(paths.private_dir, "tls"), 0700) directory_create_or_exists(paths.state_dir)
if not os.path.exists(paths.state_dir):
os.mkdir(paths.state_dir)
if paths.sysvol and not os.path.exists(paths.sysvol): if paths.sysvol and not os.path.exists(paths.sysvol):
os.makedirs(paths.sysvol, 0775) os.makedirs(paths.sysvol, 0775)
@ -2198,16 +2214,34 @@ def provision(logger, session_info, smbconf=None,
# Now commit the secrets.ldb to disk # Now commit the secrets.ldb to disk
secrets_ldb.transaction_commit() secrets_ldb.transaction_commit()
# the commit creates the dns.keytab, now chown it # the commit creates the dns.keytab in the private directory
dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab) private_dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
if os.path.isfile(dns_keytab_path) and paths.bind_gid is not None: bind_dns_keytab_path = os.path.join(paths.binddns_dir, paths.dns_keytab)
if os.path.isfile(private_dns_keytab_path):
if os.path.isfile(bind_dns_keytab_path):
try:
os.unlink(bind_dns_keytab_path)
except OSError as e:
logger.error("Failed to remove %s: %s" %
(bind_dns_keytab_path, e.strerror))
# link the dns.keytab to the bind-dns directory
try: try:
os.chmod(dns_keytab_path, 0640) os.link(private_dns_keytab_path, bind_dns_keytab_path)
os.chown(dns_keytab_path, -1, paths.bind_gid) except OSError as e:
except OSError: logger.error("Failed to create link %s -> %s: %s" %
if not os.environ.has_key('SAMBA_SELFTEST'): (private_dns_keytab_path, bind_dns_keytab_path, e.strerror))
logger.info("Failed to chown %s to bind gid %u",
dns_keytab_path, paths.bind_gid) # chown the dns.keytab in the bind-dns directory
if paths.bind_gid is not None:
try:
os.chmod(bind_dns_keytab_path, 0640)
os.chown(bind_dns_keytab_path, -1, paths.bind_gid)
except OSError:
if not os.environ.has_key('SAMBA_SELFTEST'):
logger.info("Failed to chown %s to bind gid %u",
bind_dns_keytab_path, paths.bind_gid)
result = ProvisionResult() result = ProvisionResult()
result.server_role = serverrole result.server_role = serverrole

View File

@ -649,7 +649,7 @@ def add_dc_msdcs_records(samdb, forestdn, prefix, site, dnsforest, hostname,
fqdn_hostname) fqdn_hostname)
def secretsdb_setup_dns(secretsdb, names, private_dir, realm, def secretsdb_setup_dns(secretsdb, names, private_dir, binddns_dir, realm,
dnsdomain, dns_keytab_path, dnspass, key_version_number): dnsdomain, dns_keytab_path, dnspass, key_version_number):
"""Add DNS specific bits to a secrets database. """Add DNS specific bits to a secrets database.
@ -659,12 +659,15 @@ def secretsdb_setup_dns(secretsdb, names, private_dir, realm,
""" """
try: try:
os.unlink(os.path.join(private_dir, dns_keytab_path)) os.unlink(os.path.join(private_dir, dns_keytab_path))
os.unlink(os.path.join(binddns_dir, dns_keytab_path))
except OSError: except OSError:
pass pass
if key_version_number is None: if key_version_number is None:
key_version_number = 1 key_version_number = 1
# This will create the dns.keytab file in the private_dir when it is
# commited!
setup_ldb(secretsdb, setup_path("secrets_dns.ldif"), { setup_ldb(secretsdb, setup_path("secrets_dns.ldif"), {
"REALM": realm, "REALM": realm,
"DNSDOMAIN": dnsdomain, "DNSDOMAIN": dnsdomain,
@ -954,7 +957,7 @@ def create_named_conf(paths, realm, dnsdomain, dns_backend, logger):
}) })
def create_named_txt(path, realm, dnsdomain, dnsname, private_dir, def create_named_txt(path, realm, dnsdomain, dnsname, binddns_dir,
keytab_name): keytab_name):
"""Write out a file containing zone statements suitable for inclusion in a """Write out a file containing zone statements suitable for inclusion in a
named.conf file (including GSS-TSIG configuration). named.conf file (including GSS-TSIG configuration).
@ -962,7 +965,7 @@ def create_named_txt(path, realm, dnsdomain, dnsname, private_dir,
:param path: Path of the new named.conf file. :param path: Path of the new named.conf file.
:param realm: Realm name :param realm: Realm name
:param dnsdomain: DNS Domain name :param dnsdomain: DNS Domain name
:param private_dir: Path to private directory :param binddns_dir: Path to bind dns directory
:param keytab_name: File name of DNS keytab file :param keytab_name: File name of DNS keytab file
""" """
setup_file(setup_path("named.txt"), path, { setup_file(setup_path("named.txt"), path, {
@ -970,8 +973,8 @@ def create_named_txt(path, realm, dnsdomain, dnsname, private_dir,
"DNSNAME" : dnsname, "DNSNAME" : dnsname,
"REALM": realm, "REALM": realm,
"DNS_KEYTAB": keytab_name, "DNS_KEYTAB": keytab_name,
"DNS_KEYTAB_ABS": os.path.join(private_dir, keytab_name), "DNS_KEYTAB_ABS": os.path.join(binddns_dir, keytab_name),
"PRIVATE_DIR": private_dir "PRIVATE_DIR": binddns_dir
}) })
@ -1194,7 +1197,9 @@ def setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger,
domainguid = get_domainguid(samdb, domaindn) domainguid = get_domainguid(samdb, domaindn)
secretsdb_setup_dns(secretsdb, names, secretsdb_setup_dns(secretsdb, names,
paths.private_dir, realm=names.realm, paths.private_dir,
paths.binddns_dir,
realm=names.realm,
dnsdomain=names.dnsdomain, dnsdomain=names.dnsdomain,
dns_keytab_path=paths.dns_keytab, dnspass=dnspass, dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
key_version_number=key_version_number) key_version_number=key_version_number)
@ -1218,7 +1223,7 @@ def setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger,
create_named_txt(paths.namedtxt, create_named_txt(paths.namedtxt,
realm=names.realm, dnsdomain=names.dnsdomain, realm=names.realm, dnsdomain=names.dnsdomain,
dnsname = "%s.%s" % (names.hostname, names.dnsdomain), dnsname = "%s.%s" % (names.hostname, names.dnsdomain),
private_dir=paths.private_dir, binddns_dir=paths.binddns_dir,
keytab_name=paths.dns_keytab) keytab_name=paths.dns_keytab)
logger.info("See %s for an example configuration include file for BIND", logger.info("See %s for an example configuration include file for BIND",
paths.namedconf) paths.namedconf)

View File

@ -42,6 +42,7 @@ def create_dummy_secretsdb(path, lp=None):
paths = ProvisionPaths() paths = ProvisionPaths()
paths.secrets = path paths.secrets = path
paths.private_dir = os.path.dirname(path) paths.private_dir = os.path.dirname(path)
paths.binddns_dir = os.path.dirname(path)
paths.keytab = "no.keytab" paths.keytab = "no.keytab"
paths.dns_keytab = "no.dns.keytab" paths.dns_keytab = "no.dns.keytab"
secrets_ldb = setup_secretsdb(paths, None, None, lp=lp) secrets_ldb = setup_secretsdb(paths, None, None, lp=lp)
@ -59,6 +60,7 @@ class ProvisionTestCase(samba.tests.TestCaseInTempDir):
secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb") secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb")
paths.secrets = path paths.secrets = path
paths.private_dir = os.path.dirname(path) paths.private_dir = os.path.dirname(path)
paths.binddns_dir = os.path.dirname(path)
paths.keytab = "no.keytab" paths.keytab = "no.keytab"
paths.dns_keytab = "no.dns.keytab" paths.dns_keytab = "no.dns.keytab"
ldb = setup_secretsdb(paths, None, None, lp=env_loadparm()) ldb = setup_secretsdb(paths, None, None, lp=env_loadparm())

View File

@ -446,7 +446,7 @@ if __name__ == '__main__':
dns_key_version_number = None dns_key_version_number = None
secretsdb_setup_dns(ldbs.secrets, names, secretsdb_setup_dns(ldbs.secrets, names,
paths.private_dir, realm=names.realm, paths.private_dir, paths.binddns_dir, realm=names.realm,
dnsdomain=names.dnsdomain, dnsdomain=names.dnsdomain,
dns_keytab_path=paths.dns_keytab, dnspass=dnspass, dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
key_version_number=dns_key_version_number) key_version_number=dns_key_version_number)
@ -454,15 +454,34 @@ if __name__ == '__main__':
else: else:
logger.info("dns-%s account already exists" % hostname) logger.info("dns-%s account already exists" % hostname)
dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab) private_dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
if os.path.isfile(dns_keytab_path) and paths.bind_gid is not None: bind_dns_keytab_path = os.path.join(paths.binddns_dir, paths.dns_keytab)
if os.path.isfile(private_dns_keytab_path):
if os.path.isfile(bind_dns_keytab_path):
try:
os.unlink(bind_dns_keytab_path)
except OSError as e:
logger.error("Failed to remove %s: %s" %
(bind_dns_keytab_path, e.strerror))
# link the dns.keytab to the bind-dns directory
try: try:
os.chmod(dns_keytab_path, 0640) os.link(private_dns_keytab_path, bind_dns_keytab_path)
os.chown(dns_keytab_path, -1, paths.bind_gid) except OSError as e:
except OSError: logger.error("Failed to create link %s -> %s: %s" %
if not os.environ.has_key('SAMBA_SELFTEST'): (private_dns_keytab_path, bind_dns_keytab_path, e.strerror))
logger.info("Failed to chown %s to bind gid %u",
dns_keytab_path, paths.bind_gid) # chown the dns.keytab in the bind-dns directory
if paths.bind_gid is not None:
try:
os.chmod(bind_dns_keytab_path, 0640)
os.chown(bind_dns_keytab_path, -1, paths.bind_gid)
except OSError:
if not os.environ.has_key('SAMBA_SELFTEST'):
logger.info("Failed to chown %s to bind gid %u",
bind_dns_keytab_path, paths.bind_gid)
# This forces a re-creation of dns directory and all the files within # This forces a re-creation of dns directory and all the files within
# It's an overkill, but it's easier to re-create a samdb copy, rather # It's an overkill, but it's easier to re-create a samdb copy, rather
@ -476,7 +495,7 @@ if __name__ == '__main__':
create_named_conf(paths, names.realm, dnsdomain, opts.dns_backend, logger) create_named_conf(paths, names.realm, dnsdomain, opts.dns_backend, logger)
create_named_txt(paths.namedtxt, names.realm, dnsdomain, dnsname, create_named_txt(paths.namedtxt, names.realm, dnsdomain, dnsname,
paths.private_dir, paths.dns_keytab) paths.binddns_dir, paths.dns_keytab)
logger.info("See %s for an example configuration include file for BIND", paths.namedconf) logger.info("See %s for an example configuration include file for BIND", paths.namedconf)
logger.info("and %s for further documentation required for secure DNS " logger.info("and %s for further documentation required for secure DNS "
"updates", paths.namedtxt) "updates", paths.namedtxt)

View File

@ -207,7 +207,7 @@ creds.set_kerberos_state(DONT_USE_KERBEROS)
def check_for_DNS(refprivate, private, dns_backend): def check_for_DNS(refprivate, private, refbinddns_dir, binddns_dir, dns_backend):
"""Check if the provision has already the requirement for dynamic dns """Check if the provision has already the requirement for dynamic dns
:param refprivate: The path to the private directory of the reference :param refprivate: The path to the private directory of the reference
@ -229,17 +229,17 @@ def check_for_DNS(refprivate, private, dns_backend):
namedfile = lp.get("dnsupdate:path") namedfile = lp.get("dnsupdate:path")
if not namedfile: if not namedfile:
namedfile = "%s/named.conf.update" % private namedfile = "%s/named.conf.update" % binddns_dir
if not os.path.exists(namedfile): if not os.path.exists(namedfile):
destdir = "%s/new_dns" % private destdir = "%s/new_dns" % binddns_dir
dnsdir = "%s/dns" % private dnsdir = "%s/dns" % binddns_dir
if not os.path.exists(destdir): if not os.path.exists(destdir):
os.mkdir(destdir) os.mkdir(destdir)
if not os.path.exists(dnsdir): if not os.path.exists(dnsdir):
os.mkdir(dnsdir) os.mkdir(dnsdir)
shutil.copy("%s/named.conf" % refprivate, "%s/named.conf" % destdir) shutil.copy("%s/named.conf" % refbinddns_dir, "%s/named.conf" % destdir)
shutil.copy("%s/named.txt" % refprivate, "%s/named.txt" % destdir) shutil.copy("%s/named.txt" % refbinddns_dir, "%s/named.txt" % destdir)
message(SIMPLE, "It seems that your provision did not integrate " message(SIMPLE, "It seems that your provision did not integrate "
"new rules for dynamic dns update of domain related entries") "new rules for dynamic dns update of domain related entries")
message(SIMPLE, "A copy of the new bind configuration files and " message(SIMPLE, "A copy of the new bind configuration files and "
@ -1793,7 +1793,9 @@ if __name__ == '__main__':
# 20) # 20)
updateOEMInfo(ldbs.sam, str(names.rootdn)) updateOEMInfo(ldbs.sam, str(names.rootdn))
# 21) # 21)
check_for_DNS(newpaths.private_dir, paths.private_dir, names.dns_backend) check_for_DNS(newpaths.private_dir, paths.private_dir,
newpaths.binddns_dir, paths.binddns_dir,
names.dns_backend)
# 22) # 22)
update_provision_usn(ldbs.sam, minUSN, maxUSN, names.invocation) update_provision_usn(ldbs.sam, minUSN, maxUSN, names.invocation)
if opts.full and (names.policyid is None or names.policyid_dc is None): if opts.full and (names.policyid is None or names.policyid_dc is None):

View File

@ -5,6 +5,7 @@
server role = domain controller server role = domain controller
private dir = @@PREFIX@@/private private dir = @@PREFIX@@/private
binddns dir = @@PREFIX@@/bind-dns
lock dir = @@PREFIX@@/ lock dir = @@PREFIX@@/
posix:eadb = @@PREFIX@@/private/eadb.tdb posix:eadb = @@PREFIX@@/private/eadb.tdb

View File

@ -11,13 +11,13 @@ tkey-domain "ALPHA13.SAMBA.CORP";
# - Modify BIND init scripts to pass the location of the generated keytab file. # - Modify BIND init scripts to pass the location of the generated keytab file.
# Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named # Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named
# for this purpose: # for this purpose:
KEYTAB_FILE="/home/mat/workspace/samba/alpha13/private/dns.keytab" KEYTAB_FILE="/home/mat/workspace/samba/alpha13/bind-dns/dns.keytab"
# Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a # Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a
# variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon. If # variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon. If
# your distribution does not provide a variable like KEYTAB_FILE to pass a # your distribution does not provide a variable like KEYTAB_FILE to pass a
# keytab file to the BIND daemon, a workaround is to place the following line in # keytab file to the BIND daemon, a workaround is to place the following line in
# BIND's sysconfig file or in the init script for BIND: # BIND's sysconfig file or in the init script for BIND:
export KRB5_KTNAME="/home/mat/workspace/samba/alpha13/private/dns.keytab" export KRB5_KTNAME="/home/mat/workspace/samba/alpha13/bind-dns/dns.keytab"
# - Set appropriate ownership and permissions on the dns.keytab file. Note # - Set appropriate ownership and permissions on the dns.keytab file. Note
# that most distributions have BIND configured to run under a non-root user # that most distributions have BIND configured to run under a non-root user
@ -26,8 +26,8 @@ export KRB5_KTNAME="/home/mat/workspace/samba/alpha13/private/dns.keytab"
# by the user that BIND run as. If BIND is running as a non-root user, the # by the user that BIND run as. If BIND is running as a non-root user, the
# "dns.keytab" file must have its permissions altered to allow the daemon to # "dns.keytab" file must have its permissions altered to allow the daemon to
# read it. Under Fedora 9, execute the following commands: # read it. Under Fedora 9, execute the following commands:
chgrp named /home/mat/workspace/samba/alpha13/private/dns.keytab chgrp named /home/mat/workspace/samba/alpha13/bind-dns/dns.keytab
chmod g+r /home/mat/workspace/samba/alpha13/private/dns.keytab chmod g+r /home/mat/workspace/samba/alpha13/bind-dns/dns.keytab
# - Ensure the BIND zone file(s) that will be dynamically updated are in a # - Ensure the BIND zone file(s) that will be dynamically updated are in a
# directory where the BIND daemon can write. When BIND performs dynamic # directory where the BIND daemon can write. When BIND performs dynamic
@ -43,4 +43,4 @@ chmod g+r /home/mat/workspace/samba/alpha13/private/dns.keytab
# file contexts. The dns.keytab file must be accessible by the BIND daemon # file contexts. The dns.keytab file must be accessible by the BIND daemon
# and should have a SELinux type of named_conf_t. This can be set with the # and should have a SELinux type of named_conf_t. This can be set with the
# following command: # following command:
chcon -t named_conf_t /home/mat/workspace/samba/alpha13/private/dns.keytab chcon -t named_conf_t /home/mat/workspace/samba/alpha13/bind-dns/dns.keytab

View File

@ -5,6 +5,7 @@
server role = domain controller server role = domain controller
private dir = @@PREFIX@@/private private dir = @@PREFIX@@/private
binddns dir = @@PREFIX@@/bind-dns
lock dir = @@PREFIX@@/ lock dir = @@PREFIX@@/
posix:eadb = @@PREFIX@@/private/eadb.tdb posix:eadb = @@PREFIX@@/private/eadb.tdb

View File

@ -5,6 +5,7 @@
server role = domain controller server role = domain controller
private dir = @@PREFIX@@/private private dir = @@PREFIX@@/private
binddns dir = @@PREFIX@@/bind-dns
lock dir = @@PREFIX@@/ lock dir = @@PREFIX@@/
posix:eadb = @@PREFIX@@/private/eadb.tdb posix:eadb = @@PREFIX@@/private/eadb.tdb

View File

@ -10,7 +10,7 @@
# 1. Insert following lines into the options {} section of your named.conf # 1. Insert following lines into the options {} section of your named.conf
# file: # file:
tkey-gssapi-keytab "/data/samba/git/samba4.1/st/promoted_dc/private/dns.keytab"; tkey-gssapi-keytab "/data/samba/git/samba4.1/st/promoted_dc/bind-dns/dns.keytab";
# #
# Common Steps for BIND 9.x.x -------------------------------------------- # Common Steps for BIND 9.x.x --------------------------------------------
@ -24,8 +24,8 @@ tkey-gssapi-keytab "/data/samba/git/samba4.1/st/promoted_dc/private/dns.keytab";
# is running as a non-root user, the "dns.keytab" file must have its # is running as a non-root user, the "dns.keytab" file must have its
# permissions altered to allow the daemon to read it. Under Fedora 9, # permissions altered to allow the daemon to read it. Under Fedora 9,
# execute the following commands: # execute the following commands:
chgrp named /data/samba/git/samba4.1/st/promoted_dc/private/dns.keytab chgrp named /data/samba/git/samba4.1/st/promoted_dc/bind-dns/dns.keytab
chmod g+r /data/samba/git/samba4.1/st/promoted_dc/private/dns.keytab chmod g+r /data/samba/git/samba4.1/st/promoted_dc/bind-dns/dns.keytab
# 3. Ensure the BIND zone file(s) that will be dynamically updated are in # 3. Ensure the BIND zone file(s) that will be dynamically updated are in
# a directory where the BIND daemon can write. When BIND performs # a directory where the BIND daemon can write. When BIND performs
@ -42,4 +42,4 @@ chmod g+r /data/samba/git/samba4.1/st/promoted_dc/private/dns.keytab
# SELinux file contexts. The dns.keytab file must be accessible by the # SELinux file contexts. The dns.keytab file must be accessible by the
# BIND daemon and should have a SELinux type of named_conf_t. This can be # BIND daemon and should have a SELinux type of named_conf_t. This can be
# set with the following command: # set with the following command:
chcon -t named_conf_t /data/samba/git/samba4.1/st/promoted_dc/private/dns.keytab chcon -t named_conf_t /data/samba/git/samba4.1/st/promoted_dc/bind-dns/dns.keytab

View File

@ -4,6 +4,7 @@
workgroup = SAMBADOMAIN workgroup = SAMBADOMAIN
realm = SAMBA.EXAMPLE.COM realm = SAMBA.EXAMPLE.COM
private dir = @@PREFIX@@/private private dir = @@PREFIX@@/private
binddns dir = @@PREFIX@@/bind-dns
lock dir = @@PREFIX@@/ lock dir = @@PREFIX@@/
posix:eadb = @@PREFIX@@/private/eadb.tdb posix:eadb = @@PREFIX@@/private/eadb.tdb

View File

@ -341,15 +341,15 @@ nameserver %s
elif self.getvar('NAMESERVER_BACKEND') != 'SAMBA_INTERNAL': elif self.getvar('NAMESERVER_BACKEND') != 'SAMBA_INTERNAL':
if self.named_supports_gssapi_keytab(): if self.named_supports_gssapi_keytab():
self.setvar("NAMED_TKEY_OPTION", self.setvar("NAMED_TKEY_OPTION",
'tkey-gssapi-keytab "${PREFIX}/private/dns.keytab";') 'tkey-gssapi-keytab "${PREFIX}/bind-dns/dns.keytab";')
else: else:
self.info("LCREALM=${LCREALM}") self.info("LCREALM=${LCREALM}")
self.setvar("NAMED_TKEY_OPTION", self.setvar("NAMED_TKEY_OPTION",
'''tkey-gssapi-credential "DNS/${LCREALM}"; '''tkey-gssapi-credential "DNS/${LCREALM}";
tkey-domain "${LCREALM}"; tkey-domain "${LCREALM}";
''') ''')
self.putenv('KEYTAB_FILE', '${PREFIX}/private/dns.keytab') self.putenv('KEYTAB_FILE', '${PREFIX}/bind-dns/dns.keytab')
self.putenv('KRB5_KTNAME', '${PREFIX}/private/dns.keytab') self.putenv('KRB5_KTNAME', '${PREFIX}/bind-dns/dns.keytab')
else: else:
self.setvar("NAMED_TKEY_OPTION", "") self.setvar("NAMED_TKEY_OPTION", "")