summaryrefslogtreecommitdiff
path: root/source4/scripting/bin
diff options
context:
space:
mode:
Diffstat (limited to 'source4/scripting/bin')
-rwxr-xr-xsource4/scripting/bin/upgradedns404
-rw-r--r--source4/scripting/bin/wscript_build1
2 files changed, 405 insertions, 0 deletions
diff --git a/source4/scripting/bin/upgradedns b/source4/scripting/bin/upgradedns
new file mode 100755
index 0000000000..234bfe84a3
--- /dev/null
+++ b/source4/scripting/bin/upgradedns
@@ -0,0 +1,404 @@
+#!/usr/bin/env python
+#
+# Unix SMB/CIFS implementation.
+# Copyright (C) Amitay Isaacs <amitay@gmail.com> 2012
+#
+# Upgrade DNS provision from BIND9_FLATFILE to BIND9_DLZ or SAMBA_INTERNAL
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import os
+import optparse
+import logging
+import grp
+from base64 import b64encode
+
+sys.path.insert(0, 'bin/python')
+
+import ldb
+import samba
+from samba import param
+from samba.auth import system_session
+from samba.ndr import (
+ ndr_pack,
+ ndr_unpack )
+import samba.getopt as options
+from samba.upgradehelpers import (
+ get_paths,
+ get_ldbs )
+from samba.dsdb import DS_DOMAIN_FUNCTION_2003
+from samba.provision import (
+ find_provision_key_parameters,
+ interface_ips_v4,
+ interface_ips_v6 )
+from samba.provision.common import (
+ setup_path,
+ setup_add_ldif )
+from samba.provision.sambadns import (
+ ARecord,
+ AAAARecord,
+ CNameRecord,
+ NSRecord,
+ SOARecord,
+ SRVRecord,
+ TXTRecord,
+ get_dnsadmins_sid,
+ get_domainguid,
+ add_dns_accounts,
+ create_dns_partitions,
+ fill_dns_data_partitions,
+ create_dns_dir,
+ secretsdb_setup_dns,
+ create_samdb_copy,
+ create_named_conf,
+ create_named_txt )
+from samba.dcerpc import security
+
+samba.ensure_external_module("dns", "dnspython")
+import dns.zone, dns.rdatatype
+
+__docformat__ = 'restructuredText'
+
+
+def find_bind_gid():
+ """Find system group id for bind9
+ """
+ for name in ["bind", "named"]:
+ try:
+ return grp.getgrnam(name)[2]
+ except KeyError:
+ pass
+ return None
+
+
+def fix_names(pnames):
+ """Convert elements to strings from MessageElement
+ """
+ names = pnames
+ names.rootdn = pnames.rootdn[0]
+ names.domaindn = pnames.domaindn[0]
+ names.configdn = pnames.configdn[0]
+ names.schemadn = pnames.schemadn[0]
+ names.wheel_gid = pnames.wheel_gid[0]
+ names.serverdn = str(pnames.serverdn)
+ return names
+
+
+def convert_dns_rdata(rdata, serial=1):
+ """Convert resource records in dnsRecord format
+ """
+ if rdata.rdtype == dns.rdatatype.A:
+ rec = ARecord(rdata.address, serial=serial)
+ elif rdata.rdtype == dns.rdatatype.AAAA:
+ rec = AAAARecord(rdata.address, serial=serial)
+ elif rdata.rdtype == dns.rdatatype.CNAME:
+ rec = CNameRecord(rdata.target.to_text(), serial=serial)
+ elif rdata.rdtype == dns.rdatatype.NS:
+ rec = NSRecord(rdata.target.to_text(), serial=serial)
+ elif rdata.rdtype == dns.rdatatype.SRV:
+ rec = SRVRecord(rdata.target.to_text(), int(rdata.port),
+ priority=int(rdata.priority), weight=int(rdata.weight),
+ serial=serial)
+ elif rdata.rdtype == dns.rdatatype.TXT:
+ rec = TXTRecord(rdata.to_text(relativize=False), serial=serial)
+ elif rdata.rdtype == dns.rdatatype.SOA:
+ rec = SOARecord(rdata.mname.to_text(), rdata.rname.to_text(),
+ serial=int(rdata.serial),
+ refresh=int(rdata.refresh), retry=int(rdata.retry),
+ expire=int(rdata.expire), minimum=int(rdata.minimum))
+ else:
+ rec = None
+ return rec
+
+
+def import_zone_data(samdb, logger, zone, serial, domaindn, forestdn,
+ dnsdomain, dnsforest):
+ """Insert zone data in DNS partitions
+ """
+ labels = dnsdomain.split('.')
+ labels.append('')
+ domain_root = dns.name.Name(labels)
+ domain_prefix = "DC=%s,CN=MicrosoftDNS,DC=DomainDnsZones,%s" % (dnsdomain,
+ domaindn)
+
+ tmp = "_msdcs.%s" % dnsforest
+ labels = tmp.split('.')
+ labels.append('')
+ forest_root = dns.name.Name(labels)
+ dnsmsdcs = "_msdcs.%s" % dnsforest
+ forest_prefix = "DC=%s,CN=MicrosoftDNS,DC=ForestDnsZones,%s" % (dnsmsdcs,
+ forestdn)
+
+ # Extract @ record
+ at_record = zone.get_node(domain_root)
+ zone.delete_node(domain_root)
+
+ # SOA record
+ rdset = at_record.get_rdataset(dns.rdataclass.IN, dns.rdatatype.SOA)
+ soa_rec = ndr_pack(convert_dns_rdata(rdset[0]))
+ at_record.delete_rdataset(dns.rdataclass.IN, dns.rdatatype.SOA)
+
+ # NS record
+ rdset = at_record.get_rdataset(dns.rdataclass.IN, dns.rdatatype.NS)
+ ns_rec = ndr_pack(convert_dns_rdata(rdset[0]))
+ at_record.delete_rdataset(dns.rdataclass.IN, dns.rdatatype.NS)
+
+ # A/AAAA records
+ ip_recs = []
+ for rdset in at_record:
+ for r in rdset:
+ rec = convert_dns_rdata(r)
+ ip_recs.append(ndr_pack(rec))
+
+ # Add @ record for domain
+ dns_rec = [soa_rec, ns_rec] + ip_recs
+ msg = ldb.Message(ldb.Dn(samdb, 'DC=@,%s' % domain_prefix))
+ msg["objectClass"] = ["top", "dnsNode"]
+ msg["dnsRecord"] = ldb.MessageElement(dns_rec, ldb.FLAG_MOD_ADD,
+ "dnsRecord")
+ try:
+ samdb.add(msg)
+ except Exception:
+ logger.error("Failed to add @ record for domain")
+ raise
+ logger.debug("Added @ record for domain")
+
+ # Add @ record for forest
+ dns_rec = [soa_rec, ns_rec]
+ msg = ldb.Message(ldb.Dn(samdb, 'DC=@,%s' % forest_prefix))
+ msg["objectClass"] = ["top", "dnsNode"]
+ msg["dnsRecord"] = ldb.MessageElement(dns_rec, ldb.FLAG_MOD_ADD,
+ "dnsRecord")
+ try:
+ samdb.add(msg)
+ except Exception:
+ logger.error("Failed to add @ record for forest")
+ raise
+ logger.debug("Added @ record for forest")
+
+ # Add remaining records in domain and forest
+ for node in zone.nodes:
+ name = node.relativize(forest_root).to_text()
+ if name == node.to_text():
+ name = node.relativize(domain_root).to_text()
+ dn = "DC=%s,%s" % (name, domain_prefix)
+ fqdn = "%s.%s" % (name, dnsdomain)
+ else:
+ dn = "DC=%s,%s" % (name, forest_prefix)
+ fqdn = "%s.%s" % (name, dnsmsdcs)
+
+ dns_rec = []
+ for rdataset in zone.nodes[node]:
+ for rdata in rdataset:
+ rec = convert_dns_rdata(rdata, serial)
+ if not rec:
+ logger.warn("Unsupported record type (%s) for %s, ignoring" %
+ dns.rdatatype.to_text(rdata.rdatatype), name)
+ else:
+ dns_rec.append(ndr_pack(rec))
+
+ msg = ldb.Message(ldb.Dn(samdb, dn))
+ msg["objectClass"] = ["top", "dnsNode"]
+ msg["dnsRecord"] = ldb.MessageElement(dns_rec, ldb.FLAG_MOD_ADD,
+ "dnsRecord")
+ try:
+ samdb.add(msg)
+ except Exception:
+ logger.error("Failed to add DNS record %s" % (fqdn))
+ raise
+ logger.debug("Added DNS record %s" % (fqdn))
+
+
+# dnsprovision creates application partitions for AD based DNS mainly if the existing
+# provision was created using earlier snapshots of samba4 which did not have support
+# for DNS partitions
+
+if __name__ == '__main__':
+
+ # Setup command line parser
+ parser = optparse.OptionParser("upgradedns [options]")
+ sambaopts = options.SambaOptions(parser)
+ credopts = options.CredentialsOptions(parser)
+
+ parser.add_option_group(options.VersionOptions(parser))
+ parser.add_option_group(sambaopts)
+ parser.add_option_group(credopts)
+
+ parser.add_option("--dns-backend", type="choice", metavar="<BIND9_DLZ|SAMBA_INTERNAL>",
+ choices=["SAMBA_INTERNAL", "BIND9_DLZ"], default="BIND9_DLZ",
+ help="The DNS server backend, default BIND9_DLZ")
+ parser.add_option("--migrate", type="choice", metavar="<yes|no>",
+ choices=["yes","no"], default="yes",
+ help="Migrate existing zone data, default yes")
+ parser.add_option("--verbose", help="Be verbose", action="store_true")
+
+ opts = parser.parse_args()[0]
+
+ if opts.dns_backend is None:
+ opts.dns_backend = 'DLZ_BIND9'
+
+ if opts.migrate:
+ autofill = False
+ else:
+ autofill = True
+
+ # Set up logger
+ logger = logging.getLogger("upgradedns")
+ logger.addHandler(logging.StreamHandler(sys.stdout))
+ logger.setLevel(logging.INFO)
+ if opts.verbose:
+ logger.setLevel(logging.DEBUG)
+
+ lp = sambaopts.get_loadparm()
+ lp.load(lp.configfile)
+ creds = credopts.get_credentials(lp)
+
+ logger.info("Reading domain information")
+ paths = get_paths(param, smbconf=lp.configfile)
+ paths.bind_gid = find_bind_gid()
+ ldbs = get_ldbs(paths, creds, system_session(), lp)
+ pnames = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap,
+ paths, lp.configfile, lp)
+ names = fix_names(pnames)
+
+ if names.domainlevel < DS_DOMAIN_FUNCTION_2003:
+ logger.error("Cannot create AD based DNS for OS level < 2003")
+ sys.exit(1)
+
+ logger.info("Looking up IPv4 addresses")
+ hostip = interface_ips_v4(lp)
+ try:
+ hostip.remove('127.0.0.1')
+ except ValueError:
+ pass
+ if not hostip:
+ logger.error("No IPv4 addresses found")
+ sys.exit(1)
+ else:
+ hostip = hostip[0]
+ logger.debug("IPv4 addresses: %s" % hostip)
+
+ logger.info("Looking up IPv6 addresses")
+ hostip6 = interface_ips_v6(lp, linklocal=False)
+ if not hostip6:
+ hostip6 = None
+ else:
+ hostip6 = hostip6[0]
+ logger.debug("IPv6 addresses: %s" % hostip6)
+
+ domaindn = names.domaindn
+ forestdn = names.rootdn
+
+ dnsdomain = names.dnsdomain.lower()
+ dnsforest = dnsdomain
+
+ site = names.sitename
+ hostname = names.hostname
+ dnsname = '%s.%s' % (hostname, dnsdomain)
+
+ domainsid = names.domainsid
+ domainguid = names.domainguid
+ ntdsguid = names.ntdsguid
+
+ # Check for DNS accounts and create them if required
+ try:
+ msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
+ expression='(sAMAccountName=DnsAdmins)',
+ attrs=['objectSid'])
+ dnsadmins_sid = ndr_unpack(security.dom_sid, msg[0]['objectSid'][0])
+ except Exception, e:
+ logger.info("Adding DNS accounts")
+ add_dns_accounts(ldbs.sam, domaindn)
+ dnsadmins_sid = get_dnsadmins_sid(ldbs.sam, domaindn)
+
+ # Import dns records from zone file
+ if os.path.exists(paths.dns):
+ logger.info("Reading records from zone file %s" % paths.dns)
+ try:
+ zone = dns.zone.from_file(paths.dns, relativize=False)
+ rrset = zone.get_rdataset("%s." % dnsdomain, dns.rdatatype.SOA)
+ serial = int(rrset[0].serial)
+ except Exception, e:
+ logger.warn("Error parsing DNS data from '%s' (%s)" % (paths.dns, str(e)))
+ logger.warn("DNS records will be automatically created")
+ autofill = True
+ else:
+ logger.info("No zone file %s" % paths.dns)
+ logger.warn("DNS records will be automatically created")
+ autofill = True
+
+ # Fill DNS information
+ logger.info("Creating DNS partitions")
+ create_dns_partitions(ldbs.sam, domainsid, names, domaindn, forestdn,
+ dnsadmins_sid)
+
+ logger.info("Populating DNS partitions")
+ fill_dns_data_partitions(ldbs.sam, domainsid, site, domaindn, forestdn,
+ dnsdomain, dnsforest, hostname, hostip, hostip6,
+ domainguid, ntdsguid, dnsadmins_sid,
+ autofill=autofill)
+
+ if not autofill:
+ logger.info("Importing records from zone file")
+ import_zone_data(ldbs.sam, logger, zone, serial, domaindn, forestdn,
+ dnsdomain, dnsforest)
+
+ if opts.dns_backend == "BIND9_DLZ":
+ create_dns_dir(logger, paths)
+
+ # Check if dns-HOSTNAME account exists and create it if required
+ try:
+ dn = 'samAccountName=dns-%s,CN=Principals' % hostname
+ msg = ldbs.secrets.search(expression='(dn=%s)' % dn, attrs=['secret'])
+ dnssecret = msg[0]['secret'][0]
+ except Exception:
+ logger.info("Creating DNS account for BIND9")
+
+ try:
+ msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
+ expression='(sAMAccountName=dns-%s)' % (hostname),
+ attrs=['clearTextPassword'])
+ dn = msg[0].dn
+ ldbs.sam.delete(dn)
+ except Exception:
+ pass
+
+ dnspass = samba.generate_random_password(128, 255)
+ setup_add_ldif(ldbs.sam, setup_path("provision_dns_add_samba.ldif"), {
+ "DNSDOMAIN": dnsdomain,
+ "DOMAINDN": domaindn,
+ "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')),
+ "HOSTNAME" : hostname,
+ "DNSNAME" : dnsname }
+ )
+
+ secretsdb_setup_dns(ldbs.secrets, names,
+ paths.private_dir, realm=names.realm,
+ dnsdomain=names.dnsdomain,
+ dns_keytab_path=paths.dns_keytab, dnspass=dnspass)
+
+ # Setup a copy of SAM for BIND9
+ create_samdb_copy(ldbs.sam, logger, paths, names, domainsid,
+ domainguid)
+
+ create_named_conf(paths, names.realm, dnsdomain, opts.dns_backend)
+
+ create_named_txt(paths.namedtxt, names.realm, dnsdomain, dnsname,
+ paths.private_dir, paths.dns_keytab)
+ logger.info("See %s for an example configuration include file for BIND", paths.namedconf)
+ logger.info("and %s for further documentation required for secure DNS "
+ "updates", paths.namedtxt)
+
+ logger.info("Finished upgrading DNS")
diff --git a/source4/scripting/bin/wscript_build b/source4/scripting/bin/wscript_build
index ad83894c8c..65e9c58b69 100644
--- a/source4/scripting/bin/wscript_build
+++ b/source4/scripting/bin/wscript_build
@@ -5,3 +5,4 @@ bld.SAMBA_SCRIPT('samba_spnupdate', pattern='samba_spnupdate', installdir='.')
bld.SAMBA_SCRIPT('samba_kcc', pattern='samba_kcc', installdir='.')
bld.SAMBA_SCRIPT('upgradeprovision', pattern='upgradeprovision', installdir='.')
bld.SAMBA_SCRIPT('samba-tool', pattern='samba-tool', installdir='.')
+bld.SAMBA_SCRIPT('upgradedns', pattern='upgradedns', installdir='.')