Fix Samba AD DC operations on F33 or later

- Report 'samba' daemon status back to systemd
- Support dnspython 2.0.0 or later in samba_dnsupdate
This commit is contained in:
Alexander Bokovoy 2020-10-25 09:54:45 +02:00
parent 1e29c417eb
commit 92693f66e9
3 changed files with 270 additions and 1 deletions

View File

@ -0,0 +1,143 @@
From 12b51be8633689763080f2eb1e0b13487e3e71e1 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Sat, 24 Oct 2020 12:17:44 +0300
Subject: [PATCH] DNS Resolver: support both dnspython before and after 2.0.0
`dnspython` 2.0.0 has many changes and several deprecations like:
```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.
> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```
The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
to spend trying to get an answer to the question)
The compatibility shim was developed by Stanislav Levin for FreeIPA and
adopted for Samba by Alexander Bokovoy.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
python/samba/dnsresolver.py | 68 +++++++++++++++++++++++++++
source4/scripting/bin/samba_dnsupdate | 5 +-
2 files changed, 71 insertions(+), 2 deletions(-)
create mode 100644 python/samba/dnsresolver.py
diff --git a/python/samba/dnsresolver.py b/python/samba/dnsresolver.py
new file mode 100644
index 00000000000..a627555a855
--- /dev/null
+++ b/python/samba/dnsresolver.py
@@ -0,0 +1,68 @@
+# Samba wrapper for DNS resolvers
+#
+# Copyright (C) Stanislav Levin <slev@altlinux.org>
+# Copyright (C) Alexander Bokovoy <ab@samba.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import dns.resolver
+import dns.rdatatype
+import dns.reversename
+
+class DNSResolver(dns.resolver.Resolver):
+ """DNS stub resolver compatible with both dnspython < 2.0.0
+ and dnspython >= 2.0.0.
+
+ Set `use_search_by_default` attribute to `True`, which
+ determines the default for whether the search list configured
+ in the system's resolver configuration is used for relative
+ names, and whether the resolver's domain may be added to relative
+ names.
+
+ Increase the default lifetime which determines the number of seconds
+ to spend trying to get an answer to the question. dnspython 2.0.0
+ changes this to 5sec, while the previous one was 30sec.
+ """
+ def __init__(self, *args, **kwargs):
+ super().__init__(*args, **kwargs)
+ self.reset_defaults()
+ self.resolve = getattr(super(), "resolve", self.query)
+ self.resolve_address = getattr(
+ super(),
+ "resolve_address",
+ self._resolve_address
+ )
+
+ def reset_defaults(self):
+ self.use_search_by_default = True
+ # the default is 5sec
+ self.lifetime = 15
+
+ def reset(self):
+ super().reset()
+ self.reset_defaults()
+
+ def _resolve_address(self, ip_address, *args, **kwargs):
+ """Query nameservers for PTR records.
+
+ :param ip_address: IPv4 or IPv6 address
+ :type ip_address: str
+ """
+ return self.resolve(
+ dns.reversename.from_address(ip_address),
+ rdtype=dns.rdatatype.PTR,
+ *args,
+ **kwargs,
+ )
diff --git a/source4/scripting/bin/samba_dnsupdate b/source4/scripting/bin/samba_dnsupdate
index 44eb1cadd27..fe04ce71338 100755
--- a/source4/scripting/bin/samba_dnsupdate
+++ b/source4/scripting/bin/samba_dnsupdate
@@ -53,6 +53,7 @@ from samba.compat import get_string
from samba.compat import text_type
import ldb
+from samba.dnsresolver import DNSResolver
import dns.resolver
import dns.exception
@@ -259,7 +260,7 @@ def hostname_match(h1, h2):
def get_resolver(d=None):
resolv_conf = os.getenv('RESOLV_CONF', default='/etc/resolv.conf')
- resolver = dns.resolver.Resolver(filename=resolv_conf, configure=True)
+ resolver = DNSResolver(filename=resolv_conf, configure=True)
if d is not None and d.nameservers != []:
resolver.nameservers = d.nameservers
@@ -271,7 +272,7 @@ def check_one_dns_name(name, name_type, d=None):
if d and not d.nameservers:
d.nameservers = resolver.nameservers
# dns.resolver.Answer
- return resolver.query(name, name_type)
+ return resolver.resolve(name, name_type)
def check_dns_name(d):
"""check that a DNS entry exists."""
--
2.28.0

View File

@ -0,0 +1,118 @@
From 9dd1a4809b1b6d65bfb2258b443b0fe36e0a32f7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Sat, 24 Oct 2020 16:52:43 +0300
Subject: [PATCH] daemons: report status to systemd even when running in
foreground
When systemd launches samba services, the configuration we have in
systemd service files expects that the main process (/usr/sbin/*)
would use sd_notify() to report back its status. However, we only use
sd_notify() when running become_daemon().
As a result, samba/smbd/winbindd/nmbd processes never report back its
status and the status updates from other childs (smbd, winbindd, etc)
are not accepted as we now have implied NotifyAccess=main since commit
d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc
This leads to a timeout and killing samba process by systemd. Situation
is reproducible in Fedora 33, for example.
Make sure that we have required status updates for all daemons in case
we aren't runnning in interactive mode.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14552
Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
source3/nmbd/nmbd.c | 4 +++-
source3/smbd/server.c | 4 +++-
source3/winbindd/winbindd.c | 5 ++++-
source4/smbd/server.c | 4 +++-
4 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c
index 0b881d13f7b..f6aeba1f714 100644
--- a/source3/nmbd/nmbd.c
+++ b/source3/nmbd/nmbd.c
@@ -1009,6 +1009,8 @@ static bool open_sockets(bool isdaemon, int port)
if (is_daemon && !opt_interactive) {
DEBUG(3, ("Becoming a daemon.\n"));
become_daemon(Fork, no_process_group, log_stdout);
+ } else if (!opt_interactive) {
+ daemon_status("nmbd", "Starting process...");
}
#ifdef HAVE_SETPGID
@@ -1135,7 +1137,7 @@ static bool open_sockets(bool isdaemon, int port)
exit_daemon( "NMBD failed to setup packet server.", EACCES);
}
- if (is_daemon && !opt_interactive) {
+ if (!opt_interactive) {
daemon_ready("nmbd");
}
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 153dd3c9323..3d9db5d8407 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1893,6 +1893,8 @@ extern void build_options(bool screen);
if (is_daemon && !interactive) {
DEBUG(3, ("Becoming a daemon.\n"));
become_daemon(Fork, no_process_group, log_stdout);
+ } else {
+ daemon_status("smbd", "Starting process ...");
}
#ifdef HAVE_SETPGID
@@ -2100,7 +2102,7 @@ extern void build_options(bool screen);
exit_daemon("Samba cannot setup ep pipe", EACCES);
}
- if (is_daemon && !interactive) {
+ if (!interactive) {
daemon_ready("smbd");
}
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 4397a1bc0d1..1e08237905a 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1880,8 +1880,11 @@ int main(int argc, const char **argv)
BlockSignals(False, SIGHUP);
BlockSignals(False, SIGCHLD);
- if (!interactive)
+ if (!interactive) {
become_daemon(Fork, no_process_group, log_stdout);
+ } else {
+ daemon_status("winbindd", "Starting process ...");
+ }
pidfile_create(lp_pid_directory(), "winbindd");
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index 95acb99b86c..ee2e7508bb3 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -648,6 +648,8 @@ static int binary_smbd_main(const char *binary_name,
if (opt_daemon) {
DBG_NOTICE("Becoming a daemon.\n");
become_daemon(opt_fork, opt_no_process_group, false);
+ } else if (!opt_interactive) {
+ daemon_status("samba", "Starting process...");
}
/* Create the memory context to hang everything off. */
@@ -931,7 +933,7 @@ static int binary_smbd_main(const char *binary_name,
}
}
- if (opt_daemon) {
+ if (!opt_interactive) {
daemon_ready("samba");
}
--
2.28.0

View File

@ -8,7 +8,7 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
%define main_release 12 %define main_release 13
%define samba_version 4.13.0 %define samba_version 4.13.0
%define talloc_version 2.3.1 %define talloc_version 2.3.1
@ -132,6 +132,8 @@ Source14: samba.pamd
Source201: README.downgrade Source201: README.downgrade
Patch1: samba-s4u.patch Patch1: samba-s4u.patch
Patch2: samba-gc-lookup_unix_user_name-allow-lookup-for-own-realm.patch Patch2: samba-gc-lookup_unix_user_name-allow-lookup-for-own-realm.patch
Patch3: samba-dnspython-2.0.0-v4.13.patch
Patch4: samba-systemd-notification.patch
Requires(pre): /usr/sbin/groupadd Requires(pre): /usr/sbin/groupadd
Requires(post): systemd Requires(post): systemd
@ -1984,6 +1986,7 @@ fi
%{python3_sitearch}/samba/__pycache__/compat.*.pyc %{python3_sitearch}/samba/__pycache__/compat.*.pyc
%{python3_sitearch}/samba/__pycache__/dbchecker.*.pyc %{python3_sitearch}/samba/__pycache__/dbchecker.*.pyc
%{python3_sitearch}/samba/__pycache__/descriptor.*.pyc %{python3_sitearch}/samba/__pycache__/descriptor.*.pyc
%{python3_sitearch}/samba/__pycache__/dnsresolver.*.pyc
%{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc
%{python3_sitearch}/samba/__pycache__/getopt.*.pyc %{python3_sitearch}/samba/__pycache__/getopt.*.pyc
%{python3_sitearch}/samba/__pycache__/gpclass.*.pyc %{python3_sitearch}/samba/__pycache__/gpclass.*.pyc
@ -2061,6 +2064,7 @@ fi
%{python3_sitearch}/samba/dcerpc/wkssvc.*.so %{python3_sitearch}/samba/dcerpc/wkssvc.*.so
%{python3_sitearch}/samba/dcerpc/xattr.*.so %{python3_sitearch}/samba/dcerpc/xattr.*.so
%{python3_sitearch}/samba/descriptor.py %{python3_sitearch}/samba/descriptor.py
%{python3_sitearch}/samba/dnsresolver.py
%{python3_sitearch}/samba/drs_utils.py %{python3_sitearch}/samba/drs_utils.py
%{python3_sitearch}/samba/gensec.*.so %{python3_sitearch}/samba/gensec.*.so
%{python3_sitearch}/samba/getopt.py %{python3_sitearch}/samba/getopt.py
@ -3621,6 +3625,10 @@ fi
%endif %endif
%changelog %changelog
* Sun Oct 25 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.0-13
- Report 'samba' daemon status back to systemd
- Support dnspython 2.0.0 or later in samba_dnsupdate
* Thu Oct 22 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.0-12 * Thu Oct 22 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.0-12
- Add preliminary support for S4U operations in Samba AD DC - Add preliminary support for S4U operations in Samba AD DC
resolves: #1836630 - Samba DC: Remote Desktop cannot access files resolves: #1836630 - Samba DC: Remote Desktop cannot access files