sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-04 08:22:08 +03:00
Code Activity

s4-dns: Deprecate BIND9_FLATFILE and remove "rndc command"

Browse Source 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Aug 22 21:24:00 UTC 2019 on sn-devel-184
This commit is contained in:
Andrew Bartlett
2019-07-05 16:46:04 +12:00
parent 561e0986ac
commit b4816861f2
7 changed files with 13 additions and 294 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
WHATSNEW.txt
View File

@ -20,6 +20,18 @@ NEW FEATURES/CHANGES
REMOVED FEATURES
================
BIND9_FLATFILE deprecated
-------------------------
The BIND9_FLATFILE DNS backend is deprecated in this release and will
be removed in the future. This was only practically useful on a single
domain controller or under expert care and supervision.
This release removes the "rndc command" smb.conf parameter, which
supported this configuration by writing out a list of DCs permitted to
make changes to the DNS Zone and nudging the 'named' server if a new
DC was added to the domain. Administrators using BIND9_FLATFILE will
need to maintain this manually from now on.
smb.conf changes
================
@ -28,6 +40,7 @@ smb.conf changes
-------------- ----------- -------
nfs4:acedup Changed default merge
rndc command Removed
KNOWN ISSUES
============

23
docs-xml/smbdotconf/domain/rndccommand.xml
View File

@ -1,23 +0,0 @@
<samba:parameter name="rndc command"
context="G"
type="cmdlist"
deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This option is deprecated with Samba 4.11 and will be removed
in future.
</para>
<para>This option specifies the path to the name server control utility.
</para>
<para>This option is only useful when Samba as an AD DC is
configured with BIND9_FLATFILE for DNS.
</para>
<para>The <filename>rndc</filename> utility should be a part of the
bind installation.
</para>
</description>
<value type="default">/usr/sbin/rndc</value>
<value type="example">/usr/local/bind9/sbin/rndc</value>
</samba:parameter>

1
lib/param/loadparm.c
View File

@ -2790,7 +2790,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
lpcfg_do_global_parameter(lp_ctx, "tls priority", "NORMAL:-VERS-SSL3.0");
lpcfg_do_global_parameter(lp_ctx, "rndc command", "/usr/sbin/rndc");
lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g");
lpcfg_do_global_parameter(lp_ctx, "allow dns updates", "secure only");

8
python/samba/provision/sambadns.py
View File

@ -749,11 +749,6 @@ def create_zone_file(lp, logger, paths, targetdir, dnsdomain,
hostip_host_line = ""
gc_msdcs_ip_line = ""
# we need to freeze the zone while we update the contents
if targetdir is None:
rndc = ' '.join(lp.get("rndc command"))
os.system(rndc + " freeze " + lp.get("realm"))
setup_file(setup_path("provision.zone"), paths.dns, {
"HOSTNAME": hostname,
"DNSDOMAIN": dnsdomain,
@ -780,9 +775,6 @@ def create_zone_file(lp, logger, paths, targetdir, dnsdomain,
logger.error("Failed to chown %s to bind gid %u" % (
paths.dns, paths.bind_gid))
if targetdir is None:
os.system(rndc + " unfreeze " + lp.get("realm"))
def create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid):
"""Create a copy of samdb and give write permissions to named for dns partitions

1
selftest/target/Samba4.pm
View File

@ -795,7 +795,6 @@ sub provision_raw_step1($$)
log level = $ctx->{server_loglevel}
lanman auth = Yes
ntlm auth = Yes
rndc command = true
client min protocol = CORE
server min protocol = LANMAN1
mangled names = yes

2
source3/param/loadparm.c
View File

@ -934,8 +934,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.nsupdate_command = str_list_make_v3_const(NULL, "/usr/bin/nsupdate -g", NULL);
Globals.rndc_command = str_list_make_v3_const(NULL, "/usr/sbin/rndc", NULL);
Globals.cldap_port = 389;
Globals.dgram_port = NBT_DGRAM_SERVICE_PORT;

259
source4/dsdb/dns/dns_update.c
View File

@ -66,251 +66,6 @@ struct dnsupdate_service {
} nameupdate;
};
/*
called when rndc reload has finished
*/
static void dnsupdate_rndc_done(struct tevent_req *subreq)
{
struct dnsupdate_service *service = tevent_req_callback_data(subreq,
struct dnsupdate_service);
int ret;
int sys_errno;
service->confupdate.subreq = NULL;
ret = samba_runcmd_recv(subreq, &sys_errno);
TALLOC_FREE(subreq);
if (ret != 0) {
service->confupdate.status = map_nt_error_from_unix_common(sys_errno);
} else {
service->confupdate.status = NT_STATUS_OK;
}
if (!NT_STATUS_IS_OK(service->confupdate.status)) {
DEBUG(0,(__location__ ": Failed rndc update - %s\n",
nt_errstr(service->confupdate.status)));
} else {
DEBUG(3,("Completed rndc reload OK\n"));
}
}
/*
called every 'dnsupdate:conf interval' seconds
*/
static void dnsupdate_rebuild(struct dnsupdate_service *service)
{
int ret;
size_t size;
struct ldb_result *res1, *res2;
const char *tmp_path, *path, *path_static;
char *static_policies;
int fd;
unsigned int i;
const char *attrs1[] = { "msDS-HasDomainNCs", NULL };
const char *attrs2[] = { "name", NULL };
const char *realm = lpcfg_realm(service->task->lp_ctx);
TALLOC_CTX *tmp_ctx = talloc_new(service);
const char * const *rndc_command = lpcfg_rndc_command(service->task->lp_ctx);
const char **dc_list;
int dc_count=0;
/* abort any pending script run */
TALLOC_FREE(service->confupdate.subreq);
/* find the DNs for all the non-RODC DCs in the forest */
ret = dsdb_search(service->samdb, tmp_ctx, &res1, ldb_get_config_basedn(service->samdb),
LDB_SCOPE_SUBTREE,
attrs1,
0,
"(&(objectclass=NTDSDSA)(!(msDS-isRODC=TRUE)))");
if (ret != LDB_SUCCESS) {
DBG_ERR("Unable to find DCs list - %s\n",
ldb_errstring(service->samdb));
talloc_free(tmp_ctx);
return;
}
dc_list = talloc_array(tmp_ctx, const char *, 0);
for (i=0; i<res1->count; i++) {
struct ldb_dn *server_dn = res1->msgs[i]->dn;
struct ldb_dn *domain_dn;
const char *acct_name, *full_account, *dns_domain;
/* this is a nasty hack to form the account name of
* this DC. We do it this way as we don't necessarily
* have access to the domain NC, so all we have to go
* on is what is in the configuration partition
*/
domain_dn = ldb_msg_find_attr_as_dn(service->samdb, tmp_ctx, res1->msgs[i], "msDS-HasDomainNCs");
if (domain_dn == NULL) continue;
ldb_dn_remove_child_components(server_dn, 1);
ret = dsdb_search_dn(service->samdb, tmp_ctx, &res2, server_dn, attrs2, 0);
if (ret != LDB_SUCCESS) {
continue;
}
acct_name = ldb_msg_find_attr_as_string(res2->msgs[0], "name", NULL);
if (acct_name == NULL) continue;
dns_domain = samdb_dn_to_dns_domain(tmp_ctx, domain_dn);
if (dns_domain == NULL) {
continue;
}
full_account = talloc_asprintf(tmp_ctx, "%s$@%s", acct_name, dns_domain);
if (full_account == NULL) continue;
dc_list = talloc_realloc(tmp_ctx, dc_list, const char *, dc_count+1);
if (dc_list == NULL) {
continue;
}
dc_list[dc_count++] = full_account;
}
path = lpcfg_parm_string(service->task->lp_ctx, NULL, "dnsupdate", "path");
if (path == NULL) {
path = lpcfg_private_path(tmp_ctx,
service->task->lp_ctx,
"named.conf.update");
if (path == NULL) {
DBG_ERR("Out of memory!");
talloc_free(tmp_ctx);
return;
}
/*
* If the file doesn't exist, we provisioned in a the new
* bind-dns directory
*/
if (!file_exist(path)) {
path = talloc_asprintf(tmp_ctx,
"%s/named.conf.update",
lpcfg_binddns_dir(service->task->lp_ctx));
if (path == NULL) {
DBG_ERR("Out of memory!");
talloc_free(tmp_ctx);
return;
}
}
}
path_static = lpcfg_parm_string(service->task->lp_ctx, NULL, "dnsupdate", "extra_static_grant_rules");
if (path_static == NULL) {
path_static = lpcfg_private_path(tmp_ctx,
service->task->lp_ctx,
"named.conf.update.static");
if (path_static == NULL) {
DBG_ERR("Out of memory!");
talloc_free(tmp_ctx);
return;
}
if (!file_exist(path_static)) {
path_static = talloc_asprintf(tmp_ctx,
"%s/named.conf.update.static",
lpcfg_binddns_dir(service->task->lp_ctx));
if (path_static == NULL) {
DBG_ERR("Out of memory!");
talloc_free(tmp_ctx);
return;
}
}
}
tmp_path = talloc_asprintf(tmp_ctx, "%s.tmp", path);
if (tmp_path == NULL) {
DEBUG(0,(__location__ ": Unable to get paths\n"));
talloc_free(tmp_ctx);
return;
}
static_policies = file_load(path_static, &size, 0, tmp_ctx);
unlink(tmp_path);
fd = open(tmp_path, O_CREAT|O_TRUNC|O_WRONLY, 0444);
if (fd == -1) {
DEBUG(1,(__location__ ": Unable to open %s - %s\n", tmp_path, strerror(errno)));
talloc_free(tmp_ctx);
return;
}
dprintf(fd, "/* this file is auto-generated - do not edit */\n");
dprintf(fd, "update-policy {\n");
if( static_policies != NULL ) {
dprintf(fd, "/* Start of static entries */\n");
dprintf(fd, "%s\n",static_policies);
dprintf(fd, "/* End of static entries */\n");
}
dprintf(fd, "\tgrant %s ms-self * A AAAA;\n", realm);
dprintf(fd, "\tgrant Administrator@%s wildcard * A AAAA SRV CNAME;\n", realm);
for (i=0; i<dc_count; i++) {
dprintf(fd, "\tgrant %s wildcard * A AAAA SRV CNAME;\n", dc_list[i]);
}
dprintf(fd, "};\n");
close(fd);
if (NT_STATUS_IS_OK(service->confupdate.status) &&
file_compare(tmp_path, path) == true) {
unlink(tmp_path);
talloc_free(tmp_ctx);
return;
}
if (rename(tmp_path, path) != 0) {
DEBUG(0,(__location__ ": Failed to rename %s to %s - %s\n",
tmp_path, path, strerror(errno)));
talloc_free(tmp_ctx);
return;
}
DEBUG(2,("Loading new DNS update grant rules\n"));
service->confupdate.subreq = samba_runcmd_send(service,
service->task->event_ctx,
timeval_current_ofs(10, 0),
2, 0,
rndc_command,
"reload", NULL);
if (service->confupdate.subreq == NULL) {
DEBUG(0,(__location__ ": samba_runcmd_send() failed with no memory\n"));
talloc_free(tmp_ctx);
return;
}
tevent_req_set_callback(service->confupdate.subreq,
dnsupdate_rndc_done,
service);
talloc_free(tmp_ctx);
}
static NTSTATUS dnsupdate_confupdate_schedule(struct dnsupdate_service *service);
/*
called every 'dnsupdate:conf interval' seconds
*/
static void dnsupdate_confupdate_handler_te(struct tevent_context *ev, struct tevent_timer *te,
struct timeval t, void *ptr)
{
struct dnsupdate_service *service = talloc_get_type(ptr, struct dnsupdate_service);
dnsupdate_rebuild(service);
dnsupdate_confupdate_schedule(service);
}
static NTSTATUS dnsupdate_confupdate_schedule(struct dnsupdate_service *service)
{
service->confupdate.te = tevent_add_timer(service->task->event_ctx, service,
timeval_current_ofs(service->confupdate.interval, 0),
dnsupdate_confupdate_handler_te, service);
NT_STATUS_HAVE_NO_MEMORY(service->confupdate.te);
return NT_STATUS_OK;
}
/*
called when dns update script has finished
*/
@ -673,21 +428,9 @@ static NTSTATUS dnsupdate_task_init(struct task_server *task)
return NT_STATUS_UNSUCCESSFUL;
}
service->confupdate.interval = lpcfg_parm_int(task->lp_ctx, NULL,
"dnsupdate", "config interval", 60); /* in seconds */
service->nameupdate.interval = lpcfg_parm_int(task->lp_ctx, NULL,
"dnsupdate", "name interval", 600); /* in seconds */
dnsupdate_rebuild(service);
status = dnsupdate_confupdate_schedule(service);
if (!NT_STATUS_IS_OK(status)) {
task_server_terminate(task, talloc_asprintf(task,
"dnsupdate: Failed to confupdate schedule: %s\n",
nt_errstr(status)), true);
return status;
}
dnsupdate_check_names(service);
status = dnsupdate_nameupdate_schedule(service);
if (!NT_STATUS_IS_OK(status)) {
@ -702,8 +445,6 @@ static NTSTATUS dnsupdate_task_init(struct task_server *task)
IRPC_REGISTER(task->msg_ctx, irpc, DNSUPDATE_RODC,
dnsupdate_dnsupdate_RODC, service);
/* create the intial file */
dnsupdate_rebuild(service);
return NT_STATUS_OK;
}