git.samba.org / abartlet / samba.git / .git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
s4-provision: freeze the DNS zone before creating the zone file
[abartlet/samba.git/.git] / source4 / scripting / python / samba / provision.py
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index d0bc32340311747f9c5521f44440fbfea0ff6dde..1e1bf480f53259e9273a4c8cc1d8a51cbfd4c9cd 100644 (file)
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -42,7 +42,7 @@ import ldb
 from samba.auth import system_session, admin_session
 from samba import glue, version, Ldb, substitute_var, valid_netbios_name
 from samba import check_all_substituted, read_and_sub_file, setup_file
-from samba import DS_DOMAIN_FUNCTION_2003, DS_DC_FUNCTION_2008
+from samba import DS_DOMAIN_FUNCTION_2003, DS_DC_FUNCTION_2008, DS_DC_FUNCTION_2008_R2
 from samba.dcerpc import security
 from samba.dcerpc.misc import SEC_CHAN_BDC, SEC_CHAN_WKSTA
 from samba.idmap import IDmapDB
@@ -465,7 +465,11 @@ def make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
     if os.path.exists(smbconf):
         default_lp.load(smbconf)
     if eadb:
-        posixeadb_line = "posix:eadb = " + os.path.abspath(os.path.join(os.path.join(targetdir, "private"),"eadb.tdb"))
+        if targetdir is not None:
+            privdir = os.path.join(targetdir, "private")
+        else:
+            privdir = default_lp.get("private dir")
+        posixeadb_line = "posix:eadb = " + os.path.abspath(os.path.join(privdir,"eadb.tdb"))
     else:
         posixeadb_line = ""
 
@@ -1061,8 +1065,8 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp,
 FILL_FULL = "FULL"
 FILL_NT4SYNC = "NT4SYNC"
 FILL_DRS = "DRS"
-SYSVOL_ACL = "O:${DOMAINSID}-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-32-549)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
-POLICIES_ACL = "O:${DOMAINSID}-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-32-549)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;${DOMAINSID}-520)"
+SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
+POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
 
 def set_gpo_acl(path,acl,lp,domsid):
        setntacl(lp,path,acl,domsid)
@@ -1074,27 +1078,25 @@ def set_gpo_acl(path,acl,lp,domsid):
 
 def setsysvolacl(samdb,names,netlogon,sysvol,gid,domainsid,lp):
        canchown = 1
-       acl = SYSVOL_ACL.replace("${DOMAINSID}",str(domainsid))
        try:
                os.chown(sysvol,-1,gid)
        except:
                canchown = 0
 
-       setntacl(lp,sysvol,acl,str(domainsid))
+       setntacl(lp,sysvol,SYSVOL_ACL,str(domainsid))
        for root, dirs, files in os.walk(sysvol, topdown=False):
                for name in files:
                        if canchown:
                                os.chown(os.path.join(root, name),-1,gid)
-                       setntacl(lp,os.path.join(root, name),acl,str(domainsid))
+                       setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid))
                for name in dirs:
                        if canchown:
                                os.chown(os.path.join(root, name),-1,gid)
-                       setntacl(lp,os.path.join(root, name),acl,str(domainsid))
+                       setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid))
 
        # Set ACL for GPO
        policy_path = os.path.join(sysvol, names.dnsdomain, "Policies")
-       acl = POLICIES_ACL.replace("${DOMAINSID}",str(domainsid))
-       set_gpo_acl(policy_path,dsacl2fsacl(acl,str(domainsid)),lp,str(domainsid))
+       set_gpo_acl(policy_path,dsacl2fsacl(POLICIES_ACL,str(domainsid)),lp,str(domainsid))
        res = samdb.search(base="CN=Policies,CN=System,%s"%(names.domaindn),
                                                attrs=["cn","nTSecurityDescriptor"],
                                                expression="", scope=ldb.SCOPE_ONELEVEL)
@@ -1373,7 +1375,7 @@ def provision(setup_dir, message, session_info,
 
             # Only make a zone file on the first DC, it should be replicated
             # with DNS replication
-            create_zone_file(message, paths, setup_path, dnsdomain=names.dnsdomain,
+            create_zone_file(lp, message, paths, targetdir, setup_path, dnsdomain=names.dnsdomain,
                              hostip=hostip,
                              hostip6=hostip6, hostname=names.hostname,
                              realm=names.realm,
@@ -1484,7 +1486,7 @@ def create_phpldapadmin_config(path, setup_path, ldapi_uri):
             {"S4_LDAPI_URI": ldapi_uri})
 
 
-def create_zone_file(message, paths, setup_path, dnsdomain,
+def create_zone_file(lp, message, paths, targetdir, setup_path, dnsdomain,
                      hostip, hostip6, hostname, realm, domainguid,
                      ntdsguid):
     """Write out a DNS zone file, from the info in the current database.
@@ -1523,13 +1525,12 @@ def create_zone_file(message, paths, setup_path, dnsdomain,
     except OSError:
         pass
 
-    os.mkdir(dns_dir, 0770)
+    os.mkdir(dns_dir, 0775)
 
-    if paths.bind_gid is not None:
-        try:
-            os.chown(dns_dir, -1, paths.bind_gid)
-        except OSError:
-            message("Failed to chown %s to bind gid %u" % (dns_dir, paths.bind_gid))
+    # we need to freeze the zone while we update the contents
+    if targetdir is None:
+        rndc = lp.get("rndc command")
+        os.system(rndc + " freeze " + lp.get("realm"))
 
     setup_file(setup_path("provision.zone"), paths.dns, {
             "HOSTNAME": hostname,
@@ -1545,6 +1546,19 @@ def create_zone_file(message, paths, setup_path, dnsdomain,
             "HOSTIP6_HOST_LINE": hostip6_host_line,
         })
 
+    if paths.bind_gid is not None:
+        try:
+            os.chown(dns_dir, -1, paths.bind_gid)
+            os.chown(paths.dns, -1, paths.bind_gid)
+            # chmod needed to cope with umask
+            os.chmod(dns_dir, 0775)
+            os.chmod(paths.dns, 0664)
+        except OSError:
+            message("Failed to chown %s to bind gid %u" % (dns_dir, paths.bind_gid))
+
+    if targetdir is None:
+        os.system(rndc + " unfreeze " + lp.get("realm"))
+
 
 def create_named_conf(paths, setup_path, realm, dnsdomain,
                       private_dir):
Unnamed repository; edit this file to name it for gitweb.