Bug 10882 - samba_upgradedns with BIND9_DLZ doesn't recreate dns-hostname account
Status: ASSIGNED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.2.0rc2
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: 4.5
Assigned To: Garming Sam
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2014-10-17 12:48 UTC by Marc Muehlfeld
Modified: 2016-12-01 10:20 UTC (History)

See Also:


Attachments
Delete secrets.ldb record if there's no account in sam.ldb (1.66 KB, patch)
2016-07-26 09:21 UTC, Garming Sam
no flags Details
fix for bug 10882 (6.93 KB, patch)
2016-09-07 11:19 UTC, Rowland Penny
no flags Details
backport saltPrincipal fix for 4.5 (4.71 KB, patch)
2016-11-29 01:59 UTC, Garming Sam
abartlet: review+
Details

Description Marc Muehlfeld 2014-10-17 12:48:14 UTC
If you accidentally delete the dns-hostname account, which is required for BIND to update the zones in AD, samba_upgradedns doesn't recreate it, because it keeps saying that it already exists:


# samba-tool user delete dns-DC2
Deleted user dns-DC2


# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
dns-DC2 account already exists
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

(Pay attention to the "dns-DC2 account already exists" message, which is wrong, because we had deleted the account before.)

The problem seems to be in the "try" section of source4/scripting/bin/samba_upgradedns, because it directly jumps into the else statement:

    if opts.dns_backend == "BIND9_DLZ":
        # Check if dns-HOSTNAME account exists and create it if required
        try:
            dn = 'samAccountName=dns-%s,CN=Principals' % hostname
            msg = ldbs.secrets.search(expression='(dn=%s)' % dn, attrs=['secret'])
            dnssecret = msg[0]['secret'][0]
        except IndexError:
            .....
        else:
            logger.info("dns-%s account already exists" % hostname)

Reproducible bug in 4.2.0rc2 and 4.1.12 (haven't tried 4.0.x).
Comment 1 Marc Muehlfeld 2014-10-17 12:50:11 UTC
WORKAROUND:
==============

Switch to internal DNS and then directly back to the BIND9_DLZ backend. In this case, samba_upgradedns re-creates the dns-hostname account.


 # samba_upgradedns --dns-backend=SAMBA_INTERNAL
 Reading domain information
 DNS accounts already exist
 No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
 DNS records will be automatically created
 DNS partitions already exist
 Finished upgrading DNS

 # samba_upgradedns --dns-backend=BIND9_DLZ
 Reading domain information
 DNS accounts already exist
 No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
 DNS records will be automatically created
 DNS partitions already exist
 Adding dns-DC2 account
 See /usr/local/samba/private/named.conf for an example configuration include file for BIND
 and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
 Finished upgrading DNS
Comment 2 Andrew Bartlett 2015-12-07 23:02:07 UTC
There is a possible fix in:

http://git.catalyst.net.nz/gitweb?p=samba.git;a=shortlog;h=refs/heads/samba_dnsupdate-and-tests-base
Comment 3 Marc Muehlfeld 2016-02-21 18:49:52 UTC
(In reply to Andrew Bartlett from comment #2)
I tried the latest master. It already contains your commit 308d645f3428660b0466dbe273b995a887af68da "samba_upgradedns: Improve search for existing accounts in secrets.ldb".

However, it doesn't fix the problem. It still says that the account exists, even if I deleted it before, and it is not created:


[root@DC2 samba-master]# samba-tool user delete dns-DC2
Deleted user dns-DC2

[root@DC2 samba-master]# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
dns-DC2 account already exists
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
Comment 4 Rowland Penny 2016-06-16 18:19:07 UTC
(In reply to Marc Muehlfeld from comment #3)

The reason why the dns-hostname account doesn't get created is that the search for the required account isn't done on sam.ldb (the place it is most likely to be deleted from) but on secrets.ldb.
As most people don't even know it is also created in there, it will most likely still exist, the search will succeed, and if the search succeeds, the user account in sam.ldb will not get created.
Comment 5 Garming Sam 2016-07-26 09:21:03 UTC
Created attachment 12290 [details]
Delete secrets.ldb record if there's no account in sam.ldb

I think this is probably what you wanted, but I haven't tested to make sure it hasn't broken anything else.
Comment 6 Marc Muehlfeld 2016-08-26 00:16:39 UTC
Update: The problem still exists in 4.5.0rc2.


It looks like you're already close to a solution. It would be great if you could get this fixed in 4.5.
Comment 7 Marc Muehlfeld 2016-08-29 16:53:33 UTC
(In reply to Garming Sam from comment #5)
> Created attachment 12290 [details]
> Delete secrets.ldb record if there's no account in sam.ldb

Garming, I tried your patch in master, and it fails:

[root@DC1 samba-master]# samba-tool user delete dns-DC1
Deleted user dns-DC1

[root@DC1 samba-master]# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-DC1 account
Traceback (most recent call last):
  File "/usr/local/samba/sbin/samba_upgradedns", line 426, in <module>
    ldbs.secrets.delete(dn)
_ldb.LdbError: (1, 'Failed to update keytab from entry samAccountName=dns-DC1,CN=Principals in /usr/local/samba/private/secrets.ldb: No saltPrincipal provided')
Comment 8 Garming Sam 2016-08-31 22:57:35 UTC
(In reply to Marc Muehlfeld from comment #7)
I haven't been able to reproduce the error you've seen yet. I'll probably have to defer this for now. Do you think there's anything else that you may have modified about this domain that could have an impact?
Comment 9 Marc Muehlfeld 2016-09-03 22:17:29 UTC
(In reply to Garming Sam from comment #8)
I'm not able to reproduce the problem with a newly provisioned 4.5.0rc3 domain:


[root@DC1 samba-4.5.0rc3]# samba-tool domain provision --use-rfc2307 --interactive
Realm [SAMDOM.EXAMPLE.COM]: 
 Domain [SAMDOM]: 
 Server Role (dc, member, standalone) [dc]: 
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
...

[root@DC1 samba-4.5.0rc3]# systemctl start named

[root@DC1 samba-4.5.0rc3]# samba-tool user delete dns-DC1
Deleted user dns-DC1

[root@DC1 samba-4.5.0rc3]# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
dns-DC1 account already exists
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

However, it fails in a constantly updated environment. The domain was provisioned with 4.1.11 (self compiled) and regularly updated up to the current 4.5.0rc3. The DNS setup has never been changed (no accounts deleted/recreated, no back end switch, etc.).
Comment 10 Stefan Metzmacher 2016-09-06 12:38:38 UTC
Ping!

Is there anything we can do before the 4.5.0 release?
Comment 11 Garming Sam 2016-09-07 00:11:12 UTC
(In reply to Stefan Metzmacher from comment #10)
I've managed to reproduce the bug (provision a domain from 4.1, then samba_dnsupgrade on master), and it's actually a side-effect of 86652c02083b411ad94217a871a2bcc81f16b369 (s4-setup: Add saltPrincipal to secrets_dns.ldif) and c9a8fff52519bb57040bf34b730263f191a6a88f (s4-auth: Always pass down the salt principal) which makes deletion of the account in secrets.ldb impossible.

As far as I can tell, the workaround by switching to the internal DNS shouldn't have worked in the upgraded case either.

Currently writing a patch to remedy this case...
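The reconciliation that comments 4 and 11 describe, as an added example that is not Samba's code: check sam.ldb first, and when the user is gone there, remove the stale secrets.ldb record (adding saltPrincipal beforehand if the old provision lacks it) before recreating the account. FakeLdb is a constructed in-memory stand-in for the two databases, and the DNs, attribute names and log strings used for the recreated entries are assumptions modelled on the thread.

```python
class FakeLdb:
    """Constructed in-memory stand-in for an ldb database: DN -> attributes."""
    def __init__(self, records):
        self.records = {dn: dict(attrs) for dn, attrs in records.items()}

    def search_attr(self, attr, value):
        # case-insensitive single-attribute match, like ldbsearch '(attr=value)'
        return [dn for dn, rec in self.records.items()
                if rec.get(attr, "").lower() == value.lower()]

    def has_salt(self, dn):
        return "saltPrincipal" in self.records[dn]

    def modify_add(self, dn, attr, value):
        self.records[dn][attr] = value

    def delete(self, dn):
        # Mirrors the failure in comment 7: the keytab update hook refuses to
        # remove a principal record that carries no saltPrincipal.
        if not self.has_salt(dn):
            raise RuntimeError("No saltPrincipal provided")
        del self.records[dn]

    def add(self, dn, attrs):
        self.records[dn] = dict(attrs)


def reconcile_dns_account(samdb, secrets, hostname, realm, log):
    """Return True if the dns-HOSTNAME account had to be (re)created."""
    account = "dns-%s" % hostname
    secrets_dn = "samAccountName=%s,CN=Principals" % account
    salt = "%s@%s" % (account, realm)
    # Look in sam.ldb first: that is where an admin deletes the user (comment 4).
    # The original script only consulted secrets.ldb, so a stale record there
    # made it report "already exists" for an account that was gone.
    if samdb.search_attr("samAccountName", account):
        log.append("%s account already exists" % account)
        return False
    if secrets_dn in secrets.records:
        # Old provisions lack saltPrincipal, which makes the delete fail
        # (comment 11); add it first, as the ldbmodify in comment 21 does.
        if not secrets.has_salt(secrets_dn):
            secrets.modify_add(secrets_dn, "saltPrincipal", salt)
        log.append("Deleting %s from secrets.ldb" % secrets_dn)
        secrets.delete(secrets_dn)
    log.append("Adding %s account" % account)
    samdb.add("CN=%s,CN=Users" % account, {"samAccountName": account})  # assumed DN
    secrets.add(secrets_dn, {"samAccountName": account, "saltPrincipal": salt})
    return True
```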
Comment 12 Garming Sam 2016-09-07 00:32:59 UTC
Patch is sent to the list. Then it should probably be backported, as well as the one already in master to attempt the delete.
Comment 13 Marc Muehlfeld 2016-09-07 05:26:48 UTC
(In reply to Garming Sam from comment #12)
I applied the patch sent to samba-technical to my 4.5rc3 installation without problem and it fixes the problem. Thanks.

Good work, Garming.
Comment 14 Marc Muehlfeld 2016-09-07 05:34:50 UTC
(In reply to Marc Muehlfeld from comment #13)
Sorry, I have to withdraw my previous comment: it only no longer fails, but it does not recreate the account. It says, as in the original bug report, "dns-DC1 account already exists", which is incorrect.


# samba-tool user delete dns-DC1
Deleted user dns-DC1


# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
dns-DC1 account already exists
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=dns-DC1)'
# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# returned 3 records
# 0 entries
# 3 referrals
Comment 15 Rowland Penny 2016-09-07 07:07:17 UTC
(In reply to Marc Muehlfeld from comment #14)

That explains why my patch works for me: I have the 'saltPrincipal' attribute:

 saltPrincipal: dns-dc1@SAMDOM.EXAMPLE.COM

Try checking if you have this attribute and then try my patch again.
Comment 16 Rowland Penny 2016-09-07 11:19:32 UTC
Created attachment 12451 [details]
fix for bug 10882
Comment 17 Rowland Penny 2016-09-07 11:23:33 UTC
(In reply to Rowland Penny from comment #16)

I hate this bugzilla: I wrote out how I tested, went to add the patch, and it wiped everything I wrote :-(

I created a 4.1.11 DC, upgraded to 4.4.5, deleted the dns user, used my patch, but no go; recompiled 4.4.5 with Garming's patch, this time success:

root@testdc:~# samba-tool user delete dns-testdc
Deleted user dns-testdc
root@testdc:~# net cache flush
root@testdc:~# wbinfo -u
TESTING\administrator
TESTING\krbtgt
TESTING\guest
root@testdc:~# samba_upgradedns --dns-backend=BIND9_DLZ --verbose
Reading domain information
DNS group account 'DnsAdmins' already exists
No zone file /usr/local/samba/private/dns/TESTING.TLD.zone
DNS records will be automatically created
DNS partitions already exist
Deleting samAccountName=dns-testdc,CN=Principals from secrets.ldb
Adding dns-testdc account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
root@testdc:~# wbinfo -u
TESTING\administrator
TESTING\dns-testdc
TESTING\krbtgt
TESTING\guest
Comment 18 Garming Sam 2016-09-07 22:21:08 UTC
(In reply to Marc Muehlfeld from comment #14)
Just making sure, Marc: is this with both patches? The one currently in master isn't in 4.5.0rc3, and it needs both to work correctly in the upgrade case.
Comment 19 Rowland Penny 2016-09-08 06:42:27 UTC
(In reply to Garming Sam from comment #18)

Hello, is anybody listening?

With Garming's latest patch and mine, it works: you can recreate the deleted 'dns-*' users, even if the 'saltPrincipal' attribute doesn't exist (note: it will afterwards).

If people would review my patches on samba-technical, we could probably have fixed this two months ago.
Comment 20 Jeremy Allison 2016-09-08 16:50:32 UTC
Rowland, can you propose these two on samba-technical and I promise I'll try and learn enough about the subject to review :-).
Comment 21 cleberson 2016-09-20 19:21:32 UTC
Updating Samba from 4.1.X to 4.5.0, it was necessary to apply the following command:

ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF
dn: samAccountName=dns-<hostname>,CN=Principals
changetype: modify
add: saltPrincipal
saltPrincipal: dns-<hostname>@<REALM>
%EOF

Replace <hostname> and <REALM> in the command.

Apparently it functioned normally without applying any patch suggested above.
Comment 22 cleberson 2016-09-20 20:04:20 UTC
(In reply to cleberson from comment #21)

Sorry, but the patch (comment #5) is still necessary for the entry in secrets.ldb to be deleted and allow it to be recreated.
Comment 23 Garming Sam 2016-11-29 01:59:26 UTC
Created attachment 12699 [details]
backport saltPrincipal fix for 4.5

The salt principal patches should at least be backported to 4.5. That should at least resolve the superficial issues we currently have with missing salt principals.
Comment 24 Karolin Seeger 2016-11-30 08:23:06 UTC
(In reply to Garming Sam from comment #23)
Pushed to autobuild-v4-5-test.
Comment 25 Karolin Seeger 2016-12-01 10:19:57 UTC
(In reply to Karolin Seeger from comment #24)
Pushed to v4-5-test.
Comment 26 Karolin Seeger 2016-12-01 10:20:57 UTC
Re-assigning to Garming, because it sounds like this is not the full fix.