-rw-r--r-- | WHATSNEW.txt | 13 | ||||
-rw-r--r-- | docs-xml/smbdotconf/domain/rndccommand.xml | 23 | ||||
-rw-r--r-- | lib/param/loadparm.c | 1 | ||||
-rw-r--r-- | python/samba/provision/sambadns.py | 8 | ||||
-rwxr-xr-x | selftest/target/Samba4.pm | 1 | ||||
-rw-r--r-- | source3/param/loadparm.c | 2 | ||||
-rw-r--r-- | source4/dsdb/dns/dns_update.c | 259 |
7 files changed, 13 insertions, 294 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8a15c4449af..9abc4538125 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -20,6 +20,18 @@ NEW FEATURES/CHANGES
 REMOVED FEATURES
 ================
+BIND9_FLATFILE deprecated
+-------------------------
+
+The BIND9_FLATFILE DNS backend is deprecated in this release and will
+be removed in the future. This was only practically useful on a single
+domain controller or under expert care and supervision.
+
+This release removes the "rndc command" smb.conf parameter, which
+supported this configuration by writing out a list of DCs permitted to
+make changes to the DNS Zone and nudging the 'named' server if a new
+DC was added to the domain. Administrators using BIND9_FLATFILE will
+need to maintain this manually from now on.
 smb.conf changes
 ================
@@ -28,6 +40,7 @@ smb.conf changes
 -------------- ----------- -------
 nfs4:acedup Changed default merge
+ rndc command Removed
 KNOWN ISSUES
 ============
diff --git a/docs-xml/smbdotconf/domain/rndccommand.xml b/docs-xml/smbdotconf/domain/rndccommand.xml
deleted file mode 100644
index c9a1526c0cd..00000000000
--- a/docs-xml/smbdotconf/domain/rndccommand.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<samba:parameter name="rndc command"
- context="G"
- type="cmdlist"
- deprecated="1"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
- <para>This option is deprecated with Samba 4.11 and will be removed
- in future.
- </para>
- <para>This option specifies the path to the name server control utility.
- </para>
- <para>This option is only useful when Samba as an AD DC is
- configured with BIND9_FLATFILE for DNS.
- </para>
-
- <para>The <filename>rndc</filename> utility should be a part of the
- bind installation.
- </para>
-</description>
-
-<value type="default">/usr/sbin/rndc</value>
-<value type="example">/usr/local/bind9/sbin/rndc</value>
-</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 13e8b677e30..97addf45470 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2790,7 +2790,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
 lpcfg_do_global_parameter(lp_ctx, "tls priority", "NORMAL:-VERS-SSL3.0");
- lpcfg_do_global_parameter(lp_ctx, "rndc command", "/usr/sbin/rndc");
 lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g");
 lpcfg_do_global_parameter(lp_ctx, "allow dns updates", "secure only");
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index 9b245608c63..e7273fc759e 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -749,11 +749,6 @@ def create_zone_file(lp, logger, paths, targetdir, dnsdomain,
 hostip_host_line = ""
 gc_msdcs_ip_line = ""
- # we need to freeze the zone while we update the contents
- if targetdir is None:
- rndc = ' '.join(lp.get("rndc command"))
- os.system(rndc + " freeze " + lp.get("realm"))
-
 setup_file(setup_path("provision.zone"), paths.dns, {
 "HOSTNAME": hostname,
 "DNSDOMAIN": dnsdomain,
@@ -780,9 +775,6 @@ def create_zone_file(lp, logger, paths, targetdir, dnsdomain,
 logger.error("Failed to chown %s to bind gid %u" % (
 paths.dns, paths.bind_gid))
- if targetdir is None:
- os.system(rndc + " unfreeze " + lp.get("realm"))
-
 def create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid):
 """Create a copy of samdb and give write permissions to named for dns partitions
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 02cdfc18bad..8048eba8b54 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -795,7 +795,6 @@ sub provision_raw_step1($$)
 log level = $ctx->{server_loglevel}
 lanman auth = Yes
 ntlm auth = Yes
- rndc command = true
 client min protocol = CORE
 server min protocol = LANMAN1
 mangled names = yes
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index bcda6a1c600..b1a52055ade 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -934,8 +934,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 Globals.nsupdate_command = str_list_make_v3_const(NULL, "/usr/bin/nsupdate -g", NULL);
- Globals.rndc_command = str_list_make_v3_const(NULL, "/usr/sbin/rndc", NULL);
-
 Globals.cldap_port = 389;
 Globals.dgram_port = NBT_DGRAM_SERVICE_PORT;
diff --git a/source4/dsdb/dns/dns_update.c b/source4/dsdb/dns/dns_update.c
index 0a1f0ac2330..4a81d06b097 100644
--- a/source4/dsdb/dns/dns_update.c
+++ b/source4/dsdb/dns/dns_update.c
@@ -67,251 +67,6 @@ struct dnsupdate_service {
 };
 /*
- called when rndc reload has finished
- */
-static void dnsupdate_rndc_done(struct tevent_req *subreq)
-{
- struct dnsupdate_service *service = tevent_req_callback_data(subreq,
- struct dnsupdate_service);
- int ret;
- int sys_errno;
-
- service->confupdate.subreq = NULL;
-
- ret = samba_runcmd_recv(subreq, &sys_errno);
- TALLOC_FREE(subreq);
- if (ret != 0) {
- service->confupdate.status = map_nt_error_from_unix_common(sys_errno);
- } else {
- service->confupdate.status = NT_STATUS_OK;
- }
-
- if (!NT_STATUS_IS_OK(service->confupdate.status)) {
- DEBUG(0,(__location__ ": Failed rndc update - %s\n",
- nt_errstr(service->confupdate.status)));
- } else {
- DEBUG(3,("Completed rndc reload OK\n"));
- }
-}
-
-/*
- called every 'dnsupdate:conf interval' seconds
- */
-static void dnsupdate_rebuild(struct dnsupdate_service *service)
-{
- int ret;
- size_t size;
- struct ldb_result *res1, *res2;
- const char *tmp_path, *path, *path_static;
- char *static_policies;
- int fd;
- unsigned int i;
- const char *attrs1[] = { "msDS-HasDomainNCs", NULL };
- const char *attrs2[] = { "name", NULL };
- const char *realm = lpcfg_realm(service->task->lp_ctx);
- TALLOC_CTX *tmp_ctx = talloc_new(service);
- const char * const *rndc_command = lpcfg_rndc_command(service->task->lp_ctx);
- const char **dc_list;
- int dc_count=0;
-
- /* abort any pending script run */
- TALLOC_FREE(service->confupdate.subreq);
-
- /* find the DNs for all the non-RODC DCs in the forest */
- ret = dsdb_search(service->samdb, tmp_ctx, &res1, ldb_get_config_basedn(service->samdb),
- LDB_SCOPE_SUBTREE,
- attrs1,
- 0,
- "(&(objectclass=NTDSDSA)(!(msDS-isRODC=TRUE)))");
- if (ret != LDB_SUCCESS) {
- DBG_ERR("Unable to find DCs list - %s\n",
- ldb_errstring(service->samdb));
- talloc_free(tmp_ctx);
- return;
- }
-
- dc_list = talloc_array(tmp_ctx, const char *, 0);
- for (i=0; i<res1->count; i++) {
- struct ldb_dn *server_dn = res1->msgs[i]->dn;
- struct ldb_dn *domain_dn;
- const char *acct_name, *full_account, *dns_domain;
-
- /* this is a nasty hack to form the account name of
- * this DC. We do it this way as we don't necessarily
- * have access to the domain NC, so all we have to go
- * on is what is in the configuration partition
- */
-
- domain_dn = ldb_msg_find_attr_as_dn(service->samdb, tmp_ctx, res1->msgs[i], "msDS-HasDomainNCs");
- if (domain_dn == NULL) continue;
-
- ldb_dn_remove_child_components(server_dn, 1);
- ret = dsdb_search_dn(service->samdb, tmp_ctx, &res2, server_dn, attrs2, 0);
- if (ret != LDB_SUCCESS) {
- continue;
- }
-
- acct_name = ldb_msg_find_attr_as_string(res2->msgs[0], "name", NULL);
- if (acct_name == NULL) continue;
-
- dns_domain = samdb_dn_to_dns_domain(tmp_ctx, domain_dn);
- if (dns_domain == NULL) {
- continue;
- }
-
- full_account = talloc_asprintf(tmp_ctx, "%s$@%s", acct_name, dns_domain);
- if (full_account == NULL) continue;
-
- dc_list = talloc_realloc(tmp_ctx, dc_list, const char *, dc_count+1);
- if (dc_list == NULL) {
- continue;
- }
- dc_list[dc_count++] = full_account;
- }
-
- path = lpcfg_parm_string(service->task->lp_ctx, NULL, "dnsupdate", "path");
- if (path == NULL) {
- path = lpcfg_private_path(tmp_ctx,
- service->task->lp_ctx,
- "named.conf.update");
- if (path == NULL) {
- DBG_ERR("Out of memory!");
- talloc_free(tmp_ctx);
- return;
- }
-
- /*
- * If the file doesn't exist, we provisioned in a the new
- * bind-dns directory
- */
- if (!file_exist(path)) {
- path = talloc_asprintf(tmp_ctx,
- "%s/named.conf.update",
- lpcfg_binddns_dir(service->task->lp_ctx));
- if (path == NULL) {
- DBG_ERR("Out of memory!");
- talloc_free(tmp_ctx);
- return;
- }
- }
- }
-
- path_static = lpcfg_parm_string(service->task->lp_ctx, NULL, "dnsupdate", "extra_static_grant_rules");
- if (path_static == NULL) {
- path_static = lpcfg_private_path(tmp_ctx,
- service->task->lp_ctx,
- "named.conf.update.static");
- if (path_static == NULL) {
- DBG_ERR("Out of memory!");
- talloc_free(tmp_ctx);
- return;
- }
-
- if (!file_exist(path_static)) {
- path_static = talloc_asprintf(tmp_ctx,
- "%s/named.conf.update.static",
- lpcfg_binddns_dir(service->task->lp_ctx));
- if (path_static == NULL) {
- DBG_ERR("Out of memory!");
- talloc_free(tmp_ctx);
- return;
- }
- }
- }
-
- tmp_path = talloc_asprintf(tmp_ctx, "%s.tmp", path);
- if (tmp_path == NULL) {
- DEBUG(0,(__location__ ": Unable to get paths\n"));
- talloc_free(tmp_ctx);
- return;
- }
-
- static_policies = file_load(path_static, &size, 0, tmp_ctx);
-
- unlink(tmp_path);
- fd = open(tmp_path, O_CREAT|O_TRUNC|O_WRONLY, 0444);
- if (fd == -1) {
- DEBUG(1,(__location__ ": Unable to open %s - %s\n", tmp_path, strerror(errno)));
- talloc_free(tmp_ctx);
- return;
- }
-
- dprintf(fd, "/* this file is auto-generated - do not edit */\n");
- dprintf(fd, "update-policy {\n");
- if( static_policies != NULL ) {
- dprintf(fd, "/* Start of static entries */\n");
- dprintf(fd, "%s\n",static_policies);
- dprintf(fd, "/* End of static entries */\n");
- }
- dprintf(fd, "\tgrant %s ms-self * A AAAA;\n", realm);
- dprintf(fd, "\tgrant Administrator@%s wildcard * A AAAA SRV CNAME;\n", realm);
-
- for (i=0; i<dc_count; i++) {
- dprintf(fd, "\tgrant %s wildcard * A AAAA SRV CNAME;\n", dc_list[i]);
- }
- dprintf(fd, "};\n");
- close(fd);
-
-
- if (NT_STATUS_IS_OK(service->confupdate.status) &&
- file_compare(tmp_path, path) == true) {
- unlink(tmp_path);
- talloc_free(tmp_ctx);
- return;
- }
-
- if (rename(tmp_path, path) != 0) {
- DEBUG(0,(__location__ ": Failed to rename %s to %s - %s\n",
- tmp_path, path, strerror(errno)));
- talloc_free(tmp_ctx);
- return;
- }
-
- DEBUG(2,("Loading new DNS update grant rules\n"));
- service->confupdate.subreq = samba_runcmd_send(service,
- service->task->event_ctx,
- timeval_current_ofs(10, 0),
- 2, 0,
- rndc_command,
- "reload", NULL);
- if (service->confupdate.subreq == NULL) {
- DEBUG(0,(__location__ ": samba_runcmd_send() failed with no memory\n"));
- talloc_free(tmp_ctx);
- return;
- }
- tevent_req_set_callback(service->confupdate.subreq,
- dnsupdate_rndc_done,
- service);
-
- talloc_free(tmp_ctx);
-}
-
-static NTSTATUS dnsupdate_confupdate_schedule(struct dnsupdate_service *service);
-
-/*
- called every 'dnsupdate:conf interval' seconds
- */
-static void dnsupdate_confupdate_handler_te(struct tevent_context *ev, struct tevent_timer *te,
- struct timeval t, void *ptr)
-{
- struct dnsupdate_service *service = talloc_get_type(ptr, struct dnsupdate_service);
-
- dnsupdate_rebuild(service);
- dnsupdate_confupdate_schedule(service);
-}
-
-
-static NTSTATUS dnsupdate_confupdate_schedule(struct dnsupdate_service *service)
-{
- service->confupdate.te = tevent_add_timer(service->task->event_ctx, service,
- timeval_current_ofs(service->confupdate.interval, 0),
- dnsupdate_confupdate_handler_te, service);
- NT_STATUS_HAVE_NO_MEMORY(service->confupdate.te);
- return NT_STATUS_OK;
-}
-
-
-/*
 called when dns update script has finished
 */
 static void dnsupdate_nameupdate_done(struct tevent_req *subreq)
@@ -673,21 +428,9 @@ static NTSTATUS dnsupdate_task_init(struct task_server *task)
 return NT_STATUS_UNSUCCESSFUL;
 }
- service->confupdate.interval = lpcfg_parm_int(task->lp_ctx, NULL,
- "dnsupdate", "config interval", 60); /* in seconds */
-
 service->nameupdate.interval = lpcfg_parm_int(task->lp_ctx, NULL, "dnsupdate", "name interval", 600); /* in seconds */
- dnsupdate_rebuild(service);
- status = dnsupdate_confupdate_schedule(service);
- if (!NT_STATUS_IS_OK(status)) {
- task_server_terminate(task, talloc_asprintf(task,
- "dnsupdate: Failed to confupdate schedule: %s\n",
- nt_errstr(status)), true);
- return status;
- }
-
 dnsupdate_check_names(service);
 status = dnsupdate_nameupdate_schedule(service);
 if (!NT_STATUS_IS_OK(status)) {
@@ -702,8 +445,6 @@ static NTSTATUS dnsupdate_task_init(struct task_server *task)
 IRPC_REGISTER(task->msg_ctx, irpc, DNSUPDATE_RODC, dnsupdate_dnsupdate_RODC, service);
- /* create the intial file */
- dnsupdate_rebuild(service);
 return NT_STATUS_OK;
 } |