From 1689b69d7bf69a5d99a3ca023e7f96ed776ff514 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 24 Dec 2012 08:56:50 +1100
Subject: [PATCH 1/6] scripting/join.py: Handle creating the dns-NAME account
 during a DC join

This will ensure that the DLZ plugin works out of the box when joining a second Samba DC to the
domain.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b106d9090e8f8f44f02059d2ced3d10066787060)
---
 python/samba/join.py                   | 73 ++++++++++++++++++++++++++++++++--
 python/samba/provision/sambadns.py     | 11 +++--
 source4/scripting/bin/samba_upgradedns | 11 ++++-
 source4/setup/secrets_dns.ldif         |  2 +-
 4 files changed, 88 insertions(+), 9 deletions(-)

diff --git a/python/samba/join.py b/python/samba/join.py
index c55c22c..b2f4da4 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -26,9 +26,12 @@ from samba.ndr import ndr_pack
 from samba.dcerpc import security, drsuapi, misc, nbt, lsa, drsblobs
 from samba.credentials import Credentials, DONT_USE_KERBEROS
 from samba.provision import secretsdb_self_join, provision, provision_fill, FILL_DRS, FILL_SUBDOMAIN
+from samba.provision.common import setup_path
 from samba.schema import Schema
 from samba.net import Net
 from samba.provision.sambadns import setup_bind9_dns
+from samba import read_and_sub_file
+from base64 import b64encode
 import logging
 import talloc
 import random
@@ -179,6 +182,19 @@ class dc_join(object):
                                        attrs=["msDS-krbTgtLink"])
                 if res:
                     ctx.del_noerror(res[0].dn, recursive=True)
+
+                res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
+                                       expression='(&(sAMAccountName=%s)(servicePrincipalName=%s))' % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname)),
+                                       attrs=[])
+                if res:
+                    ctx.del_noerror(res[0].dn, recursive=True)
+
+                res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
+                                       expression='(sAMAccountName=%s)' % ldb.binary_encode("dns-%s" % ctx.myname),
+                                       attrs=[])
+                if res:
+                    raise RuntimeError("Not removing account %s which looks like a Samba DNS service account but does not have servicePrincipalName=%s" % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname)))
+
             if ctx.connection_dn is not None:
                 ctx.del_noerror(ctx.connection_dn)
             if ctx.krbtgt_dn is not None:
@@ -579,6 +595,56 @@ class dc_join(object):
                                                          "userAccountControl")
             ctx.samdb.modify(m)
 
+        if ctx.dns_backend.startswith("BIND9_"):
+            ctx.dnspass = samba.generate_random_password(128, 255)
+
+            recs = ctx.samdb.parse_ldif(read_and_sub_file(setup_path("provision_dns_add_samba.ldif"),
+                                                                {"DNSDOMAIN": ctx.dnsdomain,
+                                                                 "DOMAINDN": ctx.base_dn,
+                                                                 "HOSTNAME" : ctx.myname,
+                                                                 "DNSPASS_B64": b64encode(ctx.dnspass),
+                                                                 "DNSNAME" : ctx.dnshostname}))
+            for changetype, msg in recs:
+                assert changetype == ldb.CHANGETYPE_NONE
+                print "Adding DNS account %s with dns/ SPN" % msg["dn"]
+
+                # Remove dns password (we will set it as a modify, as we can't do clearTextPassword over LDAP)
+                del msg["clearTextPassword"]
+                # Remove isCriticalSystemObject for similar reasons, it cannot be set over LDAP
+                del msg["isCriticalSystemObject"]
+                try:
+                    ctx.samdb.add(msg)
+                    dns_acct_dn = msg["dn"]
+                except ldb.LdbError, (num, _):
+                    if num != ldb.ERR_ENTRY_ALREADY_EXISTS:
+                        raise
+
+            # The account password set operation should normally be done over
+            # LDAP. Windows 2000 DCs however allow this only with SSL
+            # connections which are hard to set up and otherwise refuse with
+            # ERR_UNWILLING_TO_PERFORM. In this case we fall back to libnet
+            # over SAMR.
+            print "Setting account password for %s" % ctx.samname
+            try:
+                ctx.samdb.setpassword("(&(objectClass=user)(samAccountName=dns-%s))"
+                                      % ldb.binary_encode(ctx.myname),
+                                      ctx.dnspass,
+                                      force_change_at_next_login=False,
+                                      username=ctx.samname)
+            except ldb.LdbError, (num, _):
+                if num != ldb.ERR_UNWILLING_TO_PERFORM:
+                    pass
+                ctx.net.set_password(account_name="dns-" % ctx.myname,
+                                     domain_name=ctx.domain_name,
+                                     newpassword=ctx.dnspass)
+
+            res = ctx.samdb.search(base=dns_acct_dn, scope=ldb.SCOPE_BASE,
+                                   attrs=["msDS-KeyVersionNumber"])
+            if "msDS-KeyVersionNumber" in res[0]:
+                ctx.dns_key_version_number = int(res[0]["msDS-KeyVersionNumber"][0])
+            else:
+                ctx.dns_key_version_number = None
+
     def join_add_objects2(ctx):
         """add the various objects needed for the join, for subdomains post replication"""
 
@@ -861,13 +927,12 @@ class dc_join(object):
                             key_version_number=ctx.key_version_number)
 
         if ctx.dns_backend.startswith("BIND9_"):
-            dnspass = samba.generate_random_password(128, 255)
-
             setup_bind9_dns(ctx.local_samdb, secrets_ldb, security.dom_sid(ctx.domsid),
                             ctx.names, ctx.paths, ctx.lp, logger,
                             dns_backend=ctx.dns_backend,
-                            dnspass=dnspass, os_level=ctx.behavior_version,
-                            targetdir=ctx.targetdir)
+                            dnspass=ctx.dnspass, os_level=ctx.behavior_version,
+                            targetdir=ctx.targetdir,
+                            key_version_number=ctx.dns_key_version_number)
 
     def join_setup_trusts(ctx):
         """provision the local SAM."""
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index a5a45cf..4acc24b 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -620,7 +620,7 @@ def add_dc_msdcs_records(samdb, forestdn, prefix, site, dnsforest, hostname,
 
 
 def secretsdb_setup_dns(secretsdb, names, private_dir, realm,
-                        dnsdomain, dns_keytab_path, dnspass):
+                        dnsdomain, dns_keytab_path, dnspass, key_version_number):
     """Add DNS specific bits to a secrets database.
 
     :param secretsdb: Ldb Handle to the secrets database
@@ -632,11 +632,15 @@ def secretsdb_setup_dns(secretsdb, names, private_dir, realm,
     except OSError:
         pass
 
+    if key_version_number is None:
+        key_version_number = 1
+
     setup_ldb(secretsdb, setup_path("secrets_dns.ldif"), {
             "REALM": realm,
             "DNSDOMAIN": dnsdomain,
             "DNS_KEYTAB": dns_keytab_path,
             "DNSPASS_B64": b64encode(dnspass),
+            "KEY_VERSION_NUMBER": str(key_version_number),
             "HOSTNAME": names.hostname,
             "DNSNAME" : '%s.%s' % (
                 names.netbiosname.lower(), names.dnsdomain.lower())
@@ -1074,7 +1078,7 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
 
 def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
         dns_backend, os_level, site=None, dnspass=None, hostip=None,
-        hostip6=None, targetdir=None):
+        hostip6=None, targetdir=None, key_version_number=None):
     """Provision DNS information (assuming BIND9 backend in DC role)
 
     :param samdb: LDB object connected to sam.ldb file
@@ -1107,7 +1111,8 @@ def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
     secretsdb_setup_dns(secretsdb, names,
                         paths.private_dir, realm=names.realm,
                         dnsdomain=names.dnsdomain,
-                        dns_keytab_path=paths.dns_keytab, dnspass=dnspass)
+                        dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
+                        key_version_number=key_version_number)
 
     create_dns_dir(logger, paths)
 
diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
index 3c30090..7ae5dbf 100755
--- a/source4/scripting/bin/samba_upgradedns
+++ b/source4/scripting/bin/samba_upgradedns
@@ -436,10 +436,19 @@ if __name__ == '__main__':
                     "DNSNAME" : dnsname }
                            )
 
+            res = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
+                                  expression='(sAMAccountName=dns-%s)' % (hostname),
+                                  attrs=["msDS-KeyVersionNumber"])
+            if "msDS-KeyVersionNumber" in res[0]:
+                dns_key_version_number = int(res[0]["msDS-KeyVersionNumber"][0])
+            else:
+                dns_key_version_number = None
+
             secretsdb_setup_dns(ldbs.secrets, names,
                                 paths.private_dir, realm=names.realm,
                                 dnsdomain=names.dnsdomain,
-                                dns_keytab_path=paths.dns_keytab, dnspass=dnspass)
+                                dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
+                                key_version_number=dns_key_version_number)
         else:
             logger.info("dns-%s account already exists" % hostname)
 
diff --git a/source4/setup/secrets_dns.ldif b/source4/setup/secrets_dns.ldif
index 67fd66b..192c06d 100644
--- a/source4/setup/secrets_dns.ldif
+++ b/source4/setup/secrets_dns.ldif
@@ -5,7 +5,7 @@ objectClass: secret
 objectClass: kerberosSecret
 realm: ${REALM}
 servicePrincipalName: DNS/${DNSNAME}
-msDS-KeyVersionNumber: 1
+msDS-KeyVersionNumber: ${KEY_VERSION_NUMBER}
 privateKeytab: ${DNS_KEYTAB}
 secret:: ${DNSPASS_B64}
 samAccountName: dns-${HOSTNAME}
-- 
1.8.4.rc3


From 584a3f1a6e4773d1bb4699cb9f3868c256c5475f Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 24 Dec 2012 09:12:04 +1100
Subject: [PATCH 2/6] scripting/samba_upgradedns: Tighten up exception and
 attribute list handling

This avoids asking for attributes that will not be used, and looks only for the
expected exceptions, rather than all exceptions.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d19c437a36b26e71c24bc25e672d714e21ba50bd)
---
 source4/scripting/bin/samba_upgradedns | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
index 7ae5dbf..a8d2f90 100755
--- a/source4/scripting/bin/samba_upgradedns
+++ b/source4/scripting/bin/samba_upgradedns
@@ -284,7 +284,7 @@ if __name__ == '__main__':
                               expression='(sAMAccountName=DnsAdmins)',
                               attrs=['objectSid'])
         dnsadmins_sid = ndr_unpack(security.dom_sid, msg[0]['objectSid'][0])
-    except Exception, e:
+    except IndexError:
         logger.info("Adding DNS accounts")
         add_dns_accounts(ldbs.sam, domaindn)
         dnsadmins_sid = get_dnsadmins_sid(ldbs.sam, domaindn)
@@ -314,7 +314,7 @@ if __name__ == '__main__':
         msg = ldbs.sam.search(base=names.configdn, scope=ldb.SCOPE_DEFAULT,
                               expression=expression, attrs=['nCName'])
         ncname = msg[0]['nCName'][0]
-    except Exception, e:
+    except IndexError:
         logger.info("Creating DNS partitions")
 
         logger.info("Looking up IPv4 addresses")
@@ -415,16 +415,17 @@ if __name__ == '__main__':
             dn = 'samAccountName=dns-%s,CN=Principals' % hostname
             msg = ldbs.secrets.search(expression='(dn=%s)' % dn, attrs=['secret'])
             dnssecret = msg[0]['secret'][0]
-        except Exception:
+        except IndexError:
+
             logger.info("Adding dns-%s account" % hostname)
 
             try:
                 msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
                                       expression='(sAMAccountName=dns-%s)' % (hostname),
-                                      attrs=['clearTextPassword'])
+                                      attrs=[])
                 dn = msg[0].dn
                 ldbs.sam.delete(dn)
-            except Exception:
+            except IndexError:
                 pass
 
             dnspass = samba.generate_random_password(128, 255)
@@ -472,9 +473,9 @@ if __name__ == '__main__':
         # Check if dns-HOSTNAME account exists and delete it if required
         try:
             dn_str = 'samAccountName=dns-%s,CN=Principals' % hostname
-            msg = ldbs.secrets.search(expression='(dn=%s)' % dn_str, attrs=['secret'])
+            msg = ldbs.secrets.search(expression='(dn=%s)' % dn_str, attrs=[])
             dn = msg[0].dn
-        except Exception:
+        except IndexError:
             dn = None
 
         if dn is not None:
@@ -486,9 +487,9 @@ if __name__ == '__main__':
         try:
             msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
                                   expression='(sAMAccountName=dns-%s)' % (hostname),
-                                  attrs=['clearTextPassword'])
+                                  attrs=[])
             dn = msg[0].dn
-        except Exception:
+        except IndexError:
             dn = None
 
         if dn is not None:
-- 
1.8.4.rc3


From 8eb5ea30abefef562d6489edeb3b12344ae74ac6 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 26 Dec 2012 10:03:47 +1100
Subject: [PATCH 3/6] selftest: Test creation of the dns-SERVER account during
 selftest

We do this by having the samba-tool domain dcpromo for promoted_vampire_dc also create a
dns-SERVER account.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e281037c9bfa68ca3dc564ec7a36e5c790024902)
---
 selftest/target/Samba4.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index e574b48..c30f3e8 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1069,7 +1069,7 @@ sub provision_promoted_dc($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
-	$cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
+	$cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs --dns-backend=BIND9_DLZ";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
-- 
1.8.4.rc3


From 5ca5e1fcf5e5c9dba2202adaf3a2b456caf411e5 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 28 Dec 2012 09:25:11 +1100
Subject: [PATCH 4/6] selftest: Start internal DNS server on domain provisioned
 for BIND9_DLZ

This shows that the internal server can use the dns-SERVER account.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 013c4990c6f1412dd25592bf177ceffab4b5d16d)
---
 selftest/target/Samba4.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index c30f3e8..37f7102 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1520,7 +1520,7 @@ sub provision_chgdcpass($$)
 				   "chgdcpassword.samba.example.com",
 				   "2008",
 				   "chgDCpass1",
-				   undef, "server services = -dns", "",
+				   undef, "", "",
 				   $extra_provision_options);
 
 	return undef unless(defined $ret);
-- 
1.8.4.rc3


From d3a0d96757da81dcedf2ed65f009ddbc8c7522ae Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 28 Dec 2012 10:06:39 +1100
Subject: [PATCH 5/6] selftest: Add a basic test of samba_upgradedns

This does not check that the command runs correctly, but does at least check
that the command runs to completion without errors.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 16b26eafa75280e576333975cff5dd1505c118fa)
---
 source4/selftest/tests.py                   |  1 +
 testprogs/blackbox/test_samba_upgradedns.sh | 37 +++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100755 testprogs/blackbox/test_samba_upgradedns.sh

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 10b8a25..f656acd 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -312,6 +312,7 @@ plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.
 plantestsuite("samba4.blackbox.wbinfo(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "dc"])
 plantestsuite("samba4.blackbox.wbinfo(s4member:local)", "s4member:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', "s4member"])
 plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
+plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
 plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
 
 # Tests using the "Simple" NTVFS backend
diff --git a/testprogs/blackbox/test_samba_upgradedns.sh b/testprogs/blackbox/test_samba_upgradedns.sh
new file mode 100755
index 0000000..a080f73
--- /dev/null
+++ b/testprogs/blackbox/test_samba_upgradedns.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+# Blackbox tests for the samba_upgradedns
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2012 Andrew Bartlett <abartlet@samba.org>
+
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: test_samba_upgradedns.sh SERVER REALM PREFIX PROVDIR
+EOF
+exit 1;
+fi
+
+SERVER=$1
+REALM=$2
+PREFIX=$3
+PROVDIR=$4
+shift 4
+failed=0
+
+samba4bindir="$BINDIR"
+samba4srcdir="$SRCDIR/source4"
+samba4kinit="$samba4bindir/samba4kinit"
+
+. `dirname $0`/subunit.sh
+
+testit "run samba_upgradedns converting to bind9 DLZ" $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=BIND9_DLZ -s $PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
+
+testit "run samba_upgradedns converting to internal" $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=SAMBA_INTERNAL -s $PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
+
+testit "run samba_upgradedns converting to internal (2nd time)" $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=SAMBA_INTERNAL -s $PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
+
+testit "run samba_upgradedns converting to bind9 DLZ (2nd time)" $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=BIND9_DLZ -s $PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
+
+testit "run samba_upgradedns converting to bind9 DLZ (3rd time)" $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=BIND9_DLZ -s $PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
+
+
+exit $failed
-- 
1.8.4.rc3


From 4ff4538ca03b0002b24a6419270d1e1ed719798d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 28 Dec 2012 21:00:28 +1100
Subject: [PATCH 6/6] torture: Ensure that GSSAPI and SPNEGO packets are
 accepted by dlz_bind9

This exercises some more of the dlz_bind9 code outside BIND, by
sending in a ticket to be access checked, wrapped either in SPNEGO or
just in GSSAPI.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Sep  4 11:25:10 CEST 2013 on sn-devel-104

(cherry picked from commit 38e43961c01f6f491b069e7106fe2a2ec80bd840)
---
 source4/selftest/tests.py         |  2 +-
 source4/torture/dns/dlz_bind9.c   | 78 +++++++++++++++++++++++++++++++++++++++
 source4/torture/winbind/winbind.c |  1 +
 3 files changed, 80 insertions(+), 1 deletion(-)

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index f656acd..e738d1d9 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -283,7 +283,7 @@ for t in smbtorture4_testsuites("dns_internal."):
 # Local tests
 for t in smbtorture4_testsuites("dlz_bind9."):
     #The dlz_bind9 tests needs to look at the DNS database
-    plansmbtorture4testsuite(t, "chgdcpass:local", "ncalrpc:localhost")
+    plansmbtorture4testsuite(t, "chgdcpass:local", ["ncalrpc:$SERVER", '-U$USERNAME%$PASSWORD'])
 
 planpythontestsuite("s3dc", "samba.tests.libsmb_samba_internal");
 
diff --git a/source4/torture/dns/dlz_bind9.c b/source4/torture/dns/dlz_bind9.c
index 18d65a3..d7d1736 100644
--- a/source4/torture/dns/dlz_bind9.c
+++ b/source4/torture/dns/dlz_bind9.c
@@ -26,6 +26,9 @@
 #include "dsdb/samdb/samdb.h"
 #include "dsdb/common/util.h"
 #include "auth/session.h"
+#include "auth/gensec/gensec.h"
+#include "auth/credentials/credentials.h"
+#include "lib/cmdline/popt_common.h"
 
 struct torture_context *tctx_static;
 
@@ -121,7 +124,80 @@ static bool test_dlz_bind9_configure(struct torture_context *tctx)
 	return true;
 }
 
+/*
+ * Test that a ticket obtained for the DNS service will be accepted on the Samba DLZ side
+ *
+ */
+static bool test_dlz_bind9_gensec(struct torture_context *tctx, const char *mech)
+{
+	NTSTATUS status;
+
+	struct gensec_security *gensec_client_context;
+
+	DATA_BLOB client_to_server, server_to_client;
+
+	void *dbdata;
+	const char *argv[] = {
+		"samba_dlz",
+		"-H",
+		lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"),
+		NULL
+	};
+	tctx_static = tctx;
+	torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, discard_const_p(char *, argv), &dbdata,
+						  "log", dlz_bind9_log_wrapper,
+						  "writeable_zone", dlz_bind9_writeable_zone_hook, NULL),
+				 ISC_R_SUCCESS,
+				 "Failed to create samba_dlz");
+
+	torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
+						     ISC_R_SUCCESS,
+				 "Failed to configure samba_dlz");
+
+	status = gensec_client_start(tctx, &gensec_client_context,
+				     lpcfg_gensec_settings(tctx, tctx->lp_ctx));
+	torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
+
+	status = gensec_set_target_hostname(gensec_client_context, torture_setting_string(tctx, "host", NULL));
+	torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");
+
+	status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
+	torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
+
+	status = gensec_start_mech_by_sasl_name(gensec_client_context, mech);
+	torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
+
+	server_to_client = data_blob(NULL, 0);
+
+	/* Do one step of the client-server update dance */
+	status = gensec_update(gensec_client_context, tctx, tctx->ev, server_to_client, &client_to_server);
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
+		torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
+	}
+
+	torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials),
+						    lpcfg_dnsdomain(tctx->lp_ctx),
+						    "127.0.0.1", "type", "key",
+						    client_to_server.length,
+						    client_to_server.data,
+						    dbdata),
+				 ISC_R_SUCCESS,
+				 "Failed to check key for update rights samba_dlz");
 
+	dlz_destroy(dbdata);
+
+	return true;
+}
+
+static bool test_dlz_bind9_gssapi(struct torture_context *tctx)
+{
+	return test_dlz_bind9_gensec(tctx, "GSSAPI");
+}
+
+static bool test_dlz_bind9_spnego(struct torture_context *tctx)
+{
+	return test_dlz_bind9_gensec(tctx, "GSS-SPNEGO");
+}
 
 static struct torture_suite *dlz_bind9_suite(TALLOC_CTX *ctx)
 {
@@ -132,6 +208,8 @@ static struct torture_suite *dlz_bind9_suite(TALLOC_CTX *ctx)
 	torture_suite_add_simple_test(suite, "version", test_dlz_bind9_version);
 	torture_suite_add_simple_test(suite, "create", test_dlz_bind9_create);
 	torture_suite_add_simple_test(suite, "configure", test_dlz_bind9_configure);
+	torture_suite_add_simple_test(suite, "gssapi", test_dlz_bind9_gssapi);
+	torture_suite_add_simple_test(suite, "spnego", test_dlz_bind9_spnego);
 	return suite;
 }
 
diff --git a/source4/torture/winbind/winbind.c b/source4/torture/winbind/winbind.c
index 5956834..65382a9 100644
--- a/source4/torture/winbind/winbind.c
+++ b/source4/torture/winbind/winbind.c
@@ -201,6 +201,7 @@ static bool torture_winbind_pac(struct torture_context *tctx)
 	torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
 
 	status = gensec_set_target_hostname(gensec_client_context, cli_credentials_get_workstation(cmdline_credentials));
+	torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");
 
 	status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
 	torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
-- 
1.8.4.rc3