From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 26 Nov 2015 00:57:36 +0000 (+1300)
Subject: samba_upgradedns: Set correct permissions on secrets.keytab for BIND9
X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=dc20c307cc1f0a5f245ff47757e8f0afe3ab8353;p=obnox%2Fsamba%2Fsamba-obnox.git

samba_upgradedns: Set correct permissions on secrets.keytab for BIND9

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
---

diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
index f57ff729630..596371226ae 100755
--- a/source4/scripting/bin/samba_upgradedns
+++ b/source4/scripting/bin/samba_upgradedns
@@ -446,9 +446,20 @@ if __name__ == '__main__':
                                 dnsdomain=names.dnsdomain,
                                 dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
                                 key_version_number=dns_key_version_number)
+
         else:
             logger.info("dns-%s account already exists" % hostname)
 
+        dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
+        if os.path.isfile(dns_keytab_path) and paths.bind_gid is not None:
+            try:
+                os.chmod(dns_keytab_path, 0640)
+                os.chown(dns_keytab_path, -1, paths.bind_gid)
+            except OSError:
+                if not os.environ.has_key('SAMBA_SELFTEST'):
+                    logger.info("Failed to chown %s to bind gid %u",
+                                dns_keytab_path, paths.bind_gid)
+
         # This forces a re-creation of dns directory and all the files within
         # It's an overkill, but it's easier to re-create a samdb copy, rather
         # than trying to fix a broken copy.