diff options
| author | Matthieu Patou <mat@matws.net> | 2012-04-19 01:44:14 -0700 |
|---|---|---|
| committer | Matthieu Patou <mat@samba.org> | 2012-04-19 10:57:10 +0200 |
| commit | 89cb1a46760b2f95abdf832f0db713f1c979caf8 (patch) | |
| tree | 6534eeac1569741545bfbec5d4edc944ebda09a7 /source4 | |
| parent | 9ce9389b292dfee7d6c82681a78ef93eeef9b443 (diff) | |
| download | samba-89cb1a46760b2f95abdf832f0db713f1c979caf8.tar.gz samba-89cb1a46760b2f95abdf832f0db713f1c979caf8.tar.bz2 samba-89cb1a46760b2f95abdf832f0db713f1c979caf8.zip | |
samba_spnupdate: don't try to register DNS related SPN if we are not mastering the NC
For RW DC the impact is pretty small but for RODC the whole SPN set is
rejected by the target DC as RODC hasn't the right to register DNS SPN
if it is not mastering this NC.
Diffstat (limited to 'source4')
| -rwxr-xr-x | source4/scripting/bin/samba_spnupdate | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/source4/scripting/bin/samba_spnupdate b/source4/scripting/bin/samba_spnupdate index 52a51d8b81..69406a8196 100755 --- a/source4/scripting/bin/samba_spnupdate +++ b/source4/scripting/bin/samba_spnupdate @@ -3,6 +3,7 @@ # update our servicePrincipalName names from spn_update_list # # Copyright (C) Andrew Tridgell 2010 +# Copyright (C) Matthieu Patou <mat@matws.net> 2012 # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -18,7 +19,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. -import os, sys +import os, sys, re # ensure we get messages out immediately, so they get in the samba logs, # and don't get swallowed by a timeout @@ -120,11 +121,31 @@ file = open(spn_update_list, "r") spn_list = [] +has_forest_dns = False +has_domain_dns = False +# check if we "are DNS server" +res = samdb.search(base=samdb.get_config_basedn(), + expression='(objectguid=%s)' % sub_vars['NTDSGUID'], + attrs=["msDS-hasMasterNCs"]) + +basedn = str(samdb.get_default_basedn()) +if len(res) == 1: + for e in res[0]["msDS-hasMasterNCs"]: + if str(e) == "DC=DomainDnsZones,%s" % basedn: + has_domain_dns = True + if str(e) == "DC=ForestDnsZones,%s" % basedn: + has_forest_dns = True + + # build the spn list for line in file: line = line.strip() if line == '' or line[0] == "#": continue + if re.match(r".*/DomainDnsZones\..*", line) and not has_domain_dns: + continue + if re.match(r".*/ForestDnsZones\..*", line) and not has_forest_dns: + continue line = samba.substitute_var(line, sub_vars) spn_list.append(line) @@ -221,6 +242,8 @@ def call_rodc_update(d): return req1.spn_names = spn_names (level, res) = drs.DsWriteAccountSpn(drs_handle, 1, req1) + if (res.status != (0, 'WERR_OK')): + print "WriteAccountSpn has failed with error %s" % str(res.status) if samdb.am_rodc(): call_rodc_update(add_list) |