7 files changed, 13 insertions, 294 deletions

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8a15c4449af..9abc4538125 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -20,6 +20,18 @@ NEW FEATURES/CHANGES
 REMOVED FEATURES
 ================
 
+BIND9_FLATFILE deprecated
+-------------------------
+
+The BIND9_FLATFILE DNS backend is deprecated in this release and will
+be removed in the future.  This was only practically useful on a single
+domain controller or under expert care and supervision.
+
+This release removes the "rndc command" smb.conf parameter, which
+supported this configuration by writing out a list of DCs permitted to
+make changes to the DNS Zone and nudging the 'named' server if a new
+DC was added to the domain.  Administrators using BIND9_FLATFILE will
+need to maintain this manually from now on.
 
 smb.conf changes
 ================
@@ -28,6 +40,7 @@ smb.conf changes
   --------------                     -----------                -------
 
   nfs4:acedup                        Changed default            merge
+  rndc command                       Removed
 
 KNOWN ISSUES
 ============
diff --git a/docs-xml/smbdotconf/domain/rndccommand.xml b/docs-xml/smbdotconf/domain/rndccommand.xml
deleted file mode 100644
index c9a1526c0cd..00000000000
--- a/docs-xml/smbdotconf/domain/rndccommand.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<samba:parameter name="rndc command"
-                 context="G"
-                 type="cmdlist"
-		 deprecated="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-	<para>This option is deprecated with Samba 4.11 and will be removed
-	in future.
-	</para>
-	<para>This option specifies the path to the name server control utility.
-	</para>
-	<para>This option is only useful when Samba as an AD DC is
-	configured with BIND9_FLATFILE for DNS.
-	</para>
-
-	<para>The <filename>rndc</filename> utility should be a part of the
-		bind installation.
-	</para>
-</description>
-
-<value type="default">/usr/sbin/rndc</value>
-<value type="example">/usr/local/bind9/sbin/rndc</value>
-</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 13e8b677e30..97addf45470 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2790,7 +2790,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
 	lpcfg_do_global_parameter(lp_ctx, "tls priority", "NORMAL:-VERS-SSL3.0");
 
-	lpcfg_do_global_parameter(lp_ctx, "rndc command", "/usr/sbin/rndc");
 	lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g");
 
         lpcfg_do_global_parameter(lp_ctx, "allow dns updates", "secure only");
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index 9b245608c63..e7273fc759e 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -749,11 +749,6 @@ def create_zone_file(lp, logger, paths, targetdir, dnsdomain,
         hostip_host_line = ""
         gc_msdcs_ip_line = ""
 
-    # we need to freeze the zone while we update the contents
-    if targetdir is None:
-        rndc = ' '.join(lp.get("rndc command"))
-        os.system(rndc + " freeze " + lp.get("realm"))
-
     setup_file(setup_path("provision.zone"), paths.dns, {
             "HOSTNAME": hostname,
             "DNSDOMAIN": dnsdomain,
@@ -780,9 +775,6 @@ def create_zone_file(lp, logger, paths, targetdir, dnsdomain,
                 logger.error("Failed to chown %s to bind gid %u" % (
                     paths.dns, paths.bind_gid))
 
-    if targetdir is None:
-        os.system(rndc + " unfreeze " + lp.get("realm"))
-
 
 def create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid):
     """Create a copy of samdb and give write permissions to named for dns partitions
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 02cdfc18bad..8048eba8b54 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -795,7 +795,6 @@ sub provision_raw_step1($$)
 	log level = $ctx->{server_loglevel}
 	lanman auth = Yes
 	ntlm auth = Yes
-	rndc command = true
 	client min protocol = CORE
 	server min protocol = LANMAN1
 	mangled names = yes
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index bcda6a1c600..b1a52055ade 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -934,8 +934,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
 	Globals.nsupdate_command = str_list_make_v3_const(NULL, "/usr/bin/nsupdate -g", NULL);
 
-	Globals.rndc_command = str_list_make_v3_const(NULL, "/usr/sbin/rndc", NULL);
-
 	Globals.cldap_port = 389;
 
 	Globals.dgram_port = NBT_DGRAM_SERVICE_PORT;
diff --git a/source4/dsdb/dns/dns_update.c b/source4/dsdb/dns/dns_update.c
index 0a1f0ac2330..4a81d06b097 100644
--- a/source4/dsdb/dns/dns_update.c
+++ b/source4/dsdb/dns/dns_update.c
@@ -67,251 +67,6 @@ struct dnsupdate_service {
 };
 
 /*
-  called when rndc reload has finished
- */
-static void dnsupdate_rndc_done(struct tevent_req *subreq)
-{
-	struct dnsupdate_service *service = tevent_req_callback_data(subreq,
-					    struct dnsupdate_service);
-	int ret;
-	int sys_errno;
-
-	service->confupdate.subreq = NULL;
-
-	ret = samba_runcmd_recv(subreq, &sys_errno);
-	TALLOC_FREE(subreq);
-	if (ret != 0) {
-		service->confupdate.status = map_nt_error_from_unix_common(sys_errno);
-	} else {
-		service->confupdate.status = NT_STATUS_OK;
-	}
-
-	if (!NT_STATUS_IS_OK(service->confupdate.status)) {
-		DEBUG(0,(__location__ ": Failed rndc update - %s\n",
-			 nt_errstr(service->confupdate.status)));
-	} else {
-		DEBUG(3,("Completed rndc reload OK\n"));
-	}
-}
-
-/*
-  called every 'dnsupdate:conf interval' seconds
- */
-static void dnsupdate_rebuild(struct dnsupdate_service *service)
-{
-	int ret;
-	size_t size;
-	struct ldb_result *res1, *res2;
-	const char *tmp_path, *path, *path_static;
-	char *static_policies;
-	int fd;
-	unsigned int i;
-	const char *attrs1[] = { "msDS-HasDomainNCs", NULL };
-	const char *attrs2[] = { "name", NULL };
-	const char *realm = lpcfg_realm(service->task->lp_ctx);
-	TALLOC_CTX *tmp_ctx = talloc_new(service);
-	const char * const *rndc_command = lpcfg_rndc_command(service->task->lp_ctx);
-	const char **dc_list;
-	int dc_count=0;
-
-	/* abort any pending script run */
-	TALLOC_FREE(service->confupdate.subreq);
-
-	/* find the DNs for all the non-RODC DCs in the forest */
-	ret = dsdb_search(service->samdb, tmp_ctx, &res1, ldb_get_config_basedn(service->samdb),
-			  LDB_SCOPE_SUBTREE,
-			  attrs1,
-			  0,
-			  "(&(objectclass=NTDSDSA)(!(msDS-isRODC=TRUE)))");
-	if (ret != LDB_SUCCESS) {
-		DBG_ERR("Unable to find DCs list - %s\n",
-			ldb_errstring(service->samdb));
-		talloc_free(tmp_ctx);
-		return;
-	}
-
-	dc_list = talloc_array(tmp_ctx, const char *, 0);
-	for (i=0; i<res1->count; i++) {
-		struct ldb_dn *server_dn = res1->msgs[i]->dn;
-		struct ldb_dn *domain_dn;
-		const char *acct_name, *full_account, *dns_domain;
-
-		/* this is a nasty hack to form the account name of
-		 * this DC. We do it this way as we don't necessarily
-		 * have access to the domain NC, so all we have to go
-		 * on is what is in the configuration partition
-		 */
-
-		domain_dn = ldb_msg_find_attr_as_dn(service->samdb, tmp_ctx, res1->msgs[i], "msDS-HasDomainNCs");
-		if (domain_dn == NULL) continue;
-
-		ldb_dn_remove_child_components(server_dn, 1);
-		ret = dsdb_search_dn(service->samdb, tmp_ctx, &res2, server_dn, attrs2, 0);
-		if (ret != LDB_SUCCESS) {
-			continue;
-		}
-
-		acct_name = ldb_msg_find_attr_as_string(res2->msgs[0], "name", NULL);
-		if (acct_name == NULL) continue;
-
-		dns_domain = samdb_dn_to_dns_domain(tmp_ctx, domain_dn);
-		if (dns_domain == NULL) {
-			continue;
-		}
-
-		full_account = talloc_asprintf(tmp_ctx, "%s$@%s", acct_name, dns_domain);
-		if (full_account == NULL) continue;
-
-		dc_list = talloc_realloc(tmp_ctx, dc_list, const char *, dc_count+1);
-		if (dc_list == NULL) {
-			continue;
-		}
-		dc_list[dc_count++] = full_account;
-	}
-
-	path = lpcfg_parm_string(service->task->lp_ctx, NULL, "dnsupdate", "path");
-	if (path == NULL) {
-		path = lpcfg_private_path(tmp_ctx,
-					  service->task->lp_ctx,
-					  "named.conf.update");
-		if (path == NULL) {
-			DBG_ERR("Out of memory!");
-			talloc_free(tmp_ctx);
-			return;
-		}
-
-		/*
-		 * If the file doesn't exist, we provisioned in a the new
-		 * bind-dns directory
-		 */
-		if (!file_exist(path)) {
-			path = talloc_asprintf(tmp_ctx,
-					       "%s/named.conf.update",
-					       lpcfg_binddns_dir(service->task->lp_ctx));
-			if (path == NULL) {
-				DBG_ERR("Out of memory!");
-				talloc_free(tmp_ctx);
-				return;
-			}
-		}
-	}
-
-	path_static = lpcfg_parm_string(service->task->lp_ctx, NULL, "dnsupdate", "extra_static_grant_rules");
-	if (path_static == NULL) {
-		path_static = lpcfg_private_path(tmp_ctx,
-						 service->task->lp_ctx,
-						 "named.conf.update.static");
-		if (path_static == NULL) {
-			DBG_ERR("Out of memory!");
-			talloc_free(tmp_ctx);
-			return;
-		}
-
-		if (!file_exist(path_static)) {
-			path_static = talloc_asprintf(tmp_ctx,
-						      "%s/named.conf.update.static",
-						      lpcfg_binddns_dir(service->task->lp_ctx));
-			if (path_static == NULL) {
-				DBG_ERR("Out of memory!");
-				talloc_free(tmp_ctx);
-				return;
-			}
-		}
-	}
-
-	tmp_path = talloc_asprintf(tmp_ctx, "%s.tmp", path);
-	if (tmp_path == NULL) {
-		DEBUG(0,(__location__ ": Unable to get paths\n"));
-		talloc_free(tmp_ctx);
-		return;
-	}
-
-	static_policies = file_load(path_static, &size, 0, tmp_ctx);
-
-	unlink(tmp_path);
-	fd = open(tmp_path, O_CREAT|O_TRUNC|O_WRONLY, 0444);
-	if (fd == -1) {
-		DEBUG(1,(__location__ ": Unable to open %s - %s\n", tmp_path, strerror(errno)));
-		talloc_free(tmp_ctx);
-		return;
-	}
-
-	dprintf(fd, "/* this file is auto-generated - do not edit */\n");
-	dprintf(fd, "update-policy {\n");
-	if( static_policies != NULL ) {
-		dprintf(fd, "/* Start of static entries */\n");
-		dprintf(fd, "%s\n",static_policies);
-		dprintf(fd, "/* End of static entries */\n");
-	}
-	dprintf(fd, "\tgrant %s ms-self * A AAAA;\n", realm);
-	dprintf(fd, "\tgrant Administrator@%s wildcard * A AAAA SRV CNAME;\n", realm);
-
-	for (i=0; i<dc_count; i++) {
-		dprintf(fd, "\tgrant %s wildcard * A AAAA SRV CNAME;\n", dc_list[i]);
-	}
-	dprintf(fd, "};\n");
-	close(fd);
-
-
-	if (NT_STATUS_IS_OK(service->confupdate.status) &&
-	    file_compare(tmp_path, path) == true) {
-		unlink(tmp_path);
-		talloc_free(tmp_ctx);
-		return;
-	}
-
-	if (rename(tmp_path, path) != 0) {
-		DEBUG(0,(__location__ ": Failed to rename %s to %s - %s\n",
-			 tmp_path, path, strerror(errno)));
-		talloc_free(tmp_ctx);
-		return;
-	}
-
-	DEBUG(2,("Loading new DNS update grant rules\n"));
-	service->confupdate.subreq = samba_runcmd_send(service,
-						       service->task->event_ctx,
-						       timeval_current_ofs(10, 0),
-						       2, 0,
-						       rndc_command,
-						       "reload", NULL);
-	if (service->confupdate.subreq == NULL) {
-		DEBUG(0,(__location__ ": samba_runcmd_send() failed with no memory\n"));
-		talloc_free(tmp_ctx);
-		return;
-	}
-	tevent_req_set_callback(service->confupdate.subreq,
-				dnsupdate_rndc_done,
-				service);
-
-	talloc_free(tmp_ctx);
-}
-
-static NTSTATUS dnsupdate_confupdate_schedule(struct dnsupdate_service *service);
-
-/*
-  called every 'dnsupdate:conf interval' seconds
- */
-static void dnsupdate_confupdate_handler_te(struct tevent_context *ev, struct tevent_timer *te,
-					  struct timeval t, void *ptr)
-{
-	struct dnsupdate_service *service = talloc_get_type(ptr, struct dnsupdate_service);
-
-	dnsupdate_rebuild(service);
-	dnsupdate_confupdate_schedule(service);
-}
-
-
-static NTSTATUS dnsupdate_confupdate_schedule(struct dnsupdate_service *service)
-{
-	service->confupdate.te = tevent_add_timer(service->task->event_ctx, service,
-						timeval_current_ofs(service->confupdate.interval, 0),
-						dnsupdate_confupdate_handler_te, service);
-	NT_STATUS_HAVE_NO_MEMORY(service->confupdate.te);
-	return NT_STATUS_OK;
-}
-
-
-/*
   called when dns update script has finished
  */
 static void dnsupdate_nameupdate_done(struct tevent_req *subreq)
@@ -673,21 +428,9 @@ static NTSTATUS dnsupdate_task_init(struct task_server *task)
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 
-	service->confupdate.interval	= lpcfg_parm_int(task->lp_ctx, NULL,
-						      "dnsupdate", "config interval", 60); /* in seconds */
-
 	service->nameupdate.interval	= lpcfg_parm_int(task->lp_ctx, NULL,
 						      "dnsupdate", "name interval", 600); /* in seconds */
 
-	dnsupdate_rebuild(service);
-	status = dnsupdate_confupdate_schedule(service);
-	if (!NT_STATUS_IS_OK(status)) {
-		task_server_terminate(task, talloc_asprintf(task,
-				      "dnsupdate: Failed to confupdate schedule: %s\n",
-							    nt_errstr(status)), true);
-		return status;
-	}
-
 	dnsupdate_check_names(service);
 	status = dnsupdate_nameupdate_schedule(service);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -702,8 +445,6 @@ static NTSTATUS dnsupdate_task_init(struct task_server *task)
 	IRPC_REGISTER(task->msg_ctx, irpc, DNSUPDATE_RODC,
 		      dnsupdate_dnsupdate_RODC, service);
 
-	/* create the intial file */
-	dnsupdate_rebuild(service);
 	return NT_STATUS_OK;
 
 }