samba-tool domain demote: Remove dns-SERVER object as well

This object is not in standard AD, but Marc Muehlfeld
correctly notes that Samba creates it for BIND9_DLZ

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

diff --git a/python/samba/remove_dc.py b/python/samba/remove_dc.py
index 45e78881d4e1db7b7e1ec98478680ddef227b87b..6e9415386e29698fdbda842a2b3e0d76c158529a 100644 (file)
--- a/python/samba/remove_dc.py
+++ b/python/samba/remove_dc.py
@@ -193,7 +193,8 @@ def offline_remove_server(samdb, server_dn,
                           remove_computer_obj=False,
                           remove_server_obj=False,
                           remove_sysvol_obj=False,
-                          remove_dns_names=False):
+                          remove_dns_names=False,
+                          remove_dns_account=False):
     res = samdb.search("",
                        scope=ldb.SCOPE_BASE, attrs=["dsServiceName"])
     assert len(res) == 1
@@ -226,7 +227,8 @@ def offline_remove_server(samdb, server_dn,
         computer_msgs = samdb.search(base=computer_dn,
                                      expression="objectclass=computer",
                                      attrs=["msDS-KrbTgtLink",
-                                            "rIDSetReferences"],
+                                            "rIDSetReferences",
+                                            "cn"],
                                      scope=ldb.SCOPE_BASE)
         if "rIDSetReferences" in computer_msgs[0]:
             samdb.delete(computer_msgs[0]["rIDSetReferences"][0])
@@ -240,6 +242,14 @@ def offline_remove_server(samdb, server_dn,
         if "dnsHostName" in msgs[0]:
             dnsHostName = msgs[0]["dnsHostName"][0]
 
+    if remove_dns_account:
+        res = samdb.search(expression="(&(objectclass=user)(cn=dns-%s)(servicePrincipalName=DNS/%s))" %
+                           (ldb.binary_encode(dc_name), dnsHostName),
+                           attrs=[], scope=ldb.SCOPE_SUBTREE,
+                           base=samdb.get_default_basedn())
+        if len(res) == 1:
+            samdb.delete(res[0].dn)
+
     if dnsHostName is not None and remove_dns_names:
         remove_dns_references(samdb, dnsHostName)
 
@@ -252,7 +262,8 @@ def offline_remove_ntds_dc(samdb, ntds_dn,
                            remove_connection_obj=False,
                            seize_stale_fsmo=False,
                            remove_sysvol_obj=False,
-                           remove_dns_names=False):
+                           remove_dns_names=False,
+                           remove_dns_account=False):
     res = samdb.search("",
                        scope=ldb.SCOPE_BASE, attrs=["dsServiceName"])
     assert len(res) == 1
@@ -318,7 +329,8 @@ def offline_remove_ntds_dc(samdb, ntds_dn,
                           remove_computer_obj=remove_computer_obj,
                           remove_server_obj=remove_server_obj,
                           remove_sysvol_obj=remove_sysvol_obj,
-                          remove_dns_names=remove_dns_names)
+                          remove_dns_names=remove_dns_names,
+                          remove_dns_account=remove_dns_account)
 
 
 def remove_dc(samdb, dc_name):
@@ -350,7 +362,8 @@ def remove_dc(samdb, dc_name):
                                   remove_computer_obj=True,
                                   remove_server_obj=True,
                                   remove_sysvol_obj=True,
-                                  remove_dns_names=True)
+                                  remove_dns_names=True,
+                                  remove_dns_account=True)
 
             samdb.transaction_commit()
             return
@@ -363,7 +376,8 @@ def remove_dc(samdb, dc_name):
                            remove_connection_obj=True,
                            seize_stale_fsmo=True,
                            remove_sysvol_obj=True,
-                           remove_dns_names=True)
+                           remove_dns_names=True,
+                           remove_dns_account=True)
 
     samdb.transaction_commit()
 

diff --git a/python/samba/tests/blackbox/samba_tool_drs.py b/python/samba/tests/blackbox/samba_tool_drs.py
index a0315e811834cde573eef371ef387479d00649eb..7ca7c33ede13b021eaab96f32a85c99f51551226 100644 (file)
--- a/python/samba/tests/blackbox/samba_tool_drs.py
+++ b/python/samba/tests/blackbox/samba_tool_drs.py
@@ -168,6 +168,14 @@ class SambaToolDrsTests(samba.tests.BlackboxTestCase):
         server_dn = samdb.searchone("serverReferenceBL", "cn=%s,ou=domain controllers,%s" % (self.dc2, server_nc_name))
         ntds_guid = samdb.searchone("objectGUID", "cn=ntds settings,%s" % server_dn)
 
+        res = samdb.search(base=str(server_nc_name),
+                           expression="(&(objectclass=user)(cn=dns-%s))" % (self.dc2),
+                           attrs=[], scope=ldb.SCOPE_SUBTREE)
+        if len(res) == 1:
+            dns_obj = res[0]
+        else:
+            dns_obj = None
+
         def demote_self():
             # While we have this cloned, try demoting the other server on the clone
             out = self.check_output("samba-tool domain demote --remove-other-dead-server=%s -H %s/private/sam.ldb"
@@ -193,6 +201,13 @@ class SambaToolDrsTests(samba.tests.BlackboxTestCase):
             samdb.searchone("CN", "<GUID=%s>" % ntds_guid)
         self.assertRaises(ldb.LdbError, check_ntds_guid)
 
+        if dns_obj is not None:
+            # Check some of the objects that should have been removed
+            def check_dns_account_obj():
+                samdb.search(base=dns_obj.dn, scope=ldb.SCOPE_BASE,
+                             attrs=[])
+            self.assertRaises(ldb.LdbError, check_dns_account_obj)
+
         shutil.rmtree(os.path.join(self.tempdir, "private"))
         shutil.rmtree(os.path.join(self.tempdir, "etc"))
         shutil.rmtree(os.path.join(self.tempdir, "msg.lock"))