| -rw-r--r-- | source4/scripting/python/samba/provision.py | 30 | ||||
| -rw-r--r-- | source4/setup/provision_dns_add.ldif | 10 | ||||
| -rw-r--r-- | source4/setup/secrets_dns.ldif | 5 | ||||
| -rw-r--r-- | source4/setup/secrets_self_join.ldif | 13 | 
4 files changed, 33 insertions, 25 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 7d8b08f54d..c1a35c9338 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -687,21 +687,26 @@ def secretsdb_self_join(secretsdb, domain,             "priorChanged",             "krb5Keytab",             "privateKeytab"] + +    if realm is not None: +      if dnsdomain is None: +          dnsdomain = realm.lower() +      dnsname = '%s.%s' % (netbiosname.lower(), dnsdomain.lower()) +    else: +      dnsname = None +    shortname = netbiosname.lower()      #We don't need to set msg["flatname"] here, because rdn_name will handle it, and it causes problems for modifies anyway      msg = ldb.Message(ldb.Dn(secretsdb, "flatname=%s,cn=Primary Domains" % domain))      msg["secureChannelType"] = [str(secure_channel_type)]      msg["objectClass"] = ["top", "primaryDomain"] -    if realm is not None: -      if dnsdomain is None: -        dnsdomain = realm.lower() +    if dnsname is not None:        msg["objectClass"] = ["top", "primaryDomain", "kerberosSecret"]        msg["realm"] = [realm] -      msg["saltPrincipal"] = ["host/%s.%s@%s" % (netbiosname.lower(), dnsdomain.lower(), realm.upper())] +      msg["saltPrincipal"] = ["host/%s@%s" % (dnsname, realm.upper())]        msg["msDS-KeyVersionNumber"] = [str(key_version_number)]        msg["privateKeytab"] = ["secrets.keytab"] -      msg["secret"] = [machinepass]      msg["samAccountName"] = ["%s$" % netbiosname]      msg["secureChannelType"] = [str(secure_channel_type)] 
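Review bot: The `msg["secret"] = [machinepass]` assignment is removed from the kerberosSecret branch, and nothing else in this hunk stores the machine password on the primaryDomain record; unless the remainder of secretsdb_self_join (which continues past the hunk) still sets `secret` unconditionally, the secrets database would no longer hold the password the keytab is derived from. If it is set further down, a one-line comment at the branch, `# secret (machinepass) is set unconditionally below; it is not Kerberos-specific`, saves the next reader the same check. The new `dnsname` and `shortname` locals also deserve a note that they are lowercased because they feed Kerberos principal names (`saltPrincipal` here, HOST/ SPNs later) where case is significant, e.g. `# lowercase: used verbatim in Kerberos principals`. The added `dnsdomain = realm.lower()` also appears to be indented four columns under its `if` while the rest of the function nests by two, though the collapsed layout makes that hard to confirm.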
@@ -742,10 +747,17 @@ def secretsdb_self_join(secretsdb, domain,        secretsdb.modify(msg)        secretsdb.rename(res[0].dn, msg.dn)      else: +      spn = [ 'HOST/%s' % shortname ] +      if secure_channel_type == SEC_CHAN_BDC and dnsname is not None: +          # we are a domain controller then we add servicePrincipalName entries +          # for the keytab code to update +          spn.extend([ 'HOST/%s' % dnsname ]) +      msg["servicePrincipalName"] = spn +        secretsdb.add(msg) -def secretsdb_setup_dns(secretsdb, setup_path, private_dir, +def secretsdb_setup_dns(secretsdb, setup_path, names, private_dir,                          realm, dnsdomain,                          dns_keytab_path, dnspass):      """Add DNS specific bits to a secrets database. @@ -764,6 +776,8 @@ def secretsdb_setup_dns(secretsdb, setup_path, private_dir,              "DNSDOMAIN": dnsdomain,              "DNS_KEYTAB": dns_keytab_path,              "DNSPASS_B64": b64encode(dnspass), +            "HOSTNAME": names.hostname, +            "DNSNAME" : '%s.%s' % (names.netbiosname.lower(), names.dnsdomain.lower())              }) @@ -944,6 +958,8 @@ def setup_self_join(samdb, names,                "DNSDOMAIN": names.dnsdomain,                "DOMAINDN": names.domaindn,                "DNSPASS_B64": b64encode(dnspass), +              "HOSTNAME" : names.hostname, +              "DNSNAME" : '%s.%s' % (names.netbiosname.lower(), names.dnsdomain.lower())                })  def getpolicypath(sysvolpath, dnsdomain, guid): @@ -1583,7 +1599,7 @@ def provision(setup_dir, logger, session_info,              if serverrole == "domain controller": -                secretsdb_setup_dns(secrets_ldb, setup_path, +                secretsdb_setup_dns(secrets_ldb, setup_path, names,                                      paths.private_dir,                                      realm=names.realm, dnsdomain=names.dnsdomain,                                      dns_keytab_path=paths.dns_keytab, 
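Review bot: The `servicePrincipalName` list is only attached to `msg` on the `secretsdb.add(msg)` path; the branch above, which handles an existing record with `secretsdb.modify(msg)` and `secretsdb.rename(...)`, never receives `HOST/<shortname>` or `HOST/<dnsname>`, so re-provisioning or re-joining over an existing Primary Domains entry leaves it with stale or absent SPNs for the keytab code to update. Computing `spn` before the `if res` split and setting `msg["servicePrincipalName"] = spn` in both branches would close that gap (the `if res` branch begins outside this hunk). The comment above the `spn.extend` reads awkwardly; `# as a domain controller, also register the fully qualified HOST/ SPN so the keytab code can update it` would be clearer. It would also help to say why only `SEC_CHAN_BDC` gets the DNS-name SPN and other secure-channel types do not.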
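Review bot: The `DNSNAME` value `'%s.%s' % (names.netbiosname.lower(), names.dnsdomain.lower())` is spelled out here, again in setup_self_join below, and once more as `dnsname` in secretsdb_self_join; a single `names.dnsname` attribute or a small helper would keep the three from drifting, which matters because this string ends up in Kerberos SPNs where a case or spelling mismatch is a silent authentication failure. Note also that `HOSTNAME` comes from `names.hostname` while `DNSNAME` is derived from `names.netbiosname.lower()`; if those two can differ, the `dns-${HOSTNAME}` account and its `DNS/${DNSNAME}` SPN would name different hosts, so either assert their equality or add `# names.hostname is assumed to equal the lowercased NetBIOS name` where the substitutions are built. secretsdb_setup_dns's body continues outside this hunk.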
diff --git a/source4/setup/provision_dns_add.ldif b/source4/setup/provision_dns_add.ldif index ac818a573d..a0a8187030 100644 --- a/source4/setup/provision_dns_add.ldif +++ b/source4/setup/provision_dns_add.ldif @@ -88,15 +88,19 @@ dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwDqAHg==  # NOTE: This account is SAMBA4 specific! -dn: CN=dns,CN=Users,${DOMAINDN} +# we have it to avoid the need for the bind daemon to +# have access to the whole secrets.keytab for the domain, +# otherwise bind could impersonate any user +dn: CN=dns-${HOSTNAME},CN=Users,${DOMAINDN}  objectClass: top  objectClass: person  objectClass: organizationalPerson  objectClass: user -description: DNS Service Account +description: DNS Service Account for ${HOSTNAME}  userAccountControl: 514  accountExpires: 9223372036854775807 -sAMAccountName: dns +sAMAccountName: dns-${HOSTNAME} +servicePrincipalName: DNS/${DNSNAME}  servicePrincipalName: DNS/${DNSDOMAIN}  userPassword:: ${DNSPASS_B64}  isCriticalSystemObject: TRUE diff --git a/source4/setup/secrets_dns.ldif b/source4/setup/secrets_dns.ldif index 840d1d6c43..641bce6382 100644 --- a/source4/setup/secrets_dns.ldif +++ b/source4/setup/secrets_dns.ldif @@ -1,11 +1,12 @@  #Update a keytab for the external DNS server to use  -dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals +dn: samAccountName=dns-${HOSTNAME},CN=Principals  objectClass: top  objectClass: secret  objectClass: kerberosSecret  realm: ${REALM}  servicePrincipalName: DNS/${DNSDOMAIN} +servicePrincipalName: DNS/${DNSNAME}  msDS-KeyVersionNumber: 1  privateKeytab: ${DNS_KEYTAB}  secret:: ${DNSPASS_B64} -samAccountName: dns +samAccountName: dns-${HOSTNAME} diff --git a/source4/setup/secrets_self_join.ldif b/source4/setup/secrets_self_join.ldif deleted file mode 100644 index 22be0cab0b..0000000000 --- a/source4/setup/secrets_self_join.ldif +++ /dev/null 
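Review bot: The per-host account `dns-${HOSTNAME}` keeps `servicePrincipalName: DNS/${DNSDOMAIN}` alongside the new `DNS/${DNSNAME}`; if this template is applied on more than one DC, as the new comment and the `for ${HOSTNAME}` description suggest, every such account carries the same domain-wide SPN, and SPNs must be unique in the forest or the KDC cannot decide whose key to use for a `DNS/<domain>` ticket. Either keep `DNS/${DNSDOMAIN}` on a single account or state the constraint in the file, e.g. `# DNS/${DNSDOMAIN} must stay unique in the forest; only the first DC registers it`. The new rationale comment is welcome but could be tighter: `# each DC gets its own dns-<host> account so bind only needs that account's key, not the DC's whole secrets.keytab`.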
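Review bot: Moving the record from `dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals` to `dn: samAccountName=dns-${HOSTNAME},CN=Principals` means an already-provisioned secrets.ldb keeps its old-DN record next to the new one if this ldif is simply added, leaving two kerberosSecret entries for `DNS/${DNSDOMAIN}` with different `secret` values, and whichever a lookup by SPN finds first wins. If upgrading an existing provision is in scope, either delete the old entry explicitly or note it: `# earlier provisions stored this under servicePrincipalName=DNS/<domain>; remove that record on upgrade`. The entry also carries no `saltPrincipal`, unlike the primaryDomain record in the deleted secrets_self_join.ldif; if the salt is meant to derive from `samAccountName`, a comment saying so would flag that renaming the account to `dns-${HOSTNAME}` changes the derived key.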
@@ -1,13 +0,0 @@ -dn: flatname=${DOMAIN},CN=Primary Domains -objectClass: top -objectClass: primaryDomain -objectClass: kerberosSecret -flatname: ${DOMAIN} -realm: ${REALM} -secret:: ${MACHINEPASS_B64} -secureChannelType: 6 -sAMAccountName: ${NETBIOSNAME}$ -msDS-KeyVersionNumber: ${KEY_VERSION_NUMBER} -objectSid: ${DOMAINSID} -privateKeytab: ${SECRETS_KEYTAB} -saltPrincipal: ${SALT_PRINCIPAL}  | 
