From ae5964be42459beed8c174b8e2dd4d4167623158 Mon Sep 17 00:00:00 2001
From: Derek Lambert
Date: Wed, 22 Apr 2020 15:30:53 -0500
Subject: [PATCH] sambadns: Create BINDDNS_DIR/dns.keytab link to PRIVATE_DIR/dns.keytab on DC join
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14181
Signed-off-by: Derek Lambert
Reviewed-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall
---
python/samba/provision/sambadns.py | 43 ++++++++++++++++++++++++++
source4/scripting/bin/samba_upgradedns | 37 ++--------------------
2 files changed, 45 insertions(+), 35 deletions(-)
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index 2e969a91057..cd8df680749 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -723,6 +723,48 @@ def create_dns_dir(logger, paths): dns_dir, paths.bind_gid)) +def create_dns_dir_keytab_link(logger, paths): + """Create link for BIND to DNS keytab + + :param logger: Logger object + :param paths: paths object + """ + private_dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab) + bind_dns_keytab_path = os.path.join(paths.binddns_dir, paths.dns_keytab) + + if os.path.isfile(private_dns_keytab_path): + if os.path.isfile(bind_dns_keytab_path): + try: + os.unlink(bind_dns_keytab_path) + except OSError as e: + logger.error("Failed to remove %s: %s" % + (bind_dns_keytab_path, e.strerror)) + + # link the dns.keytab to the bind-dns directory + try: + os.link(private_dns_keytab_path, bind_dns_keytab_path) + except OSError as e: + logger.error("Failed to create link %s -> %s: %s" % + (private_dns_keytab_path, bind_dns_keytab_path, e.strerror)) + + # chown the dns.keytab in the bind-dns directory + if paths.bind_gid is not None: + try: + os.chmod(paths.binddns_dir, 0o770) + os.chown(paths.binddns_dir, -1, paths.bind_gid) + except OSError: + if 'SAMBA_SELFTEST' not in os.environ: + logger.info("Failed to chown %s to bind gid %u", + paths.binddns_dir, paths.bind_gid) + try: + os.chmod(bind_dns_keytab_path, 0o640) + os.chown(bind_dns_keytab_path, -1, paths.bind_gid) + except OSError: + if 'SAMBA_SELFTEST' not in os.environ: + logger.info("Failed to chown %s to bind gid %u", + bind_dns_keytab_path, paths.bind_gid) + + def create_zone_file(lp, logger, paths, targetdir, dnsdomain, hostip, hostip6, hostname, realm, domainguid, ntdsguid, site): @@ -1261,6 +1303,7 @@ def setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger, key_version_number=key_version_number) create_dns_dir(logger, paths) + create_dns_dir_keytab_link(logger, paths) if dns_backend == "BIND9_FLATFILE": create_zone_file(lp, logger, paths, targetdir, site=site, 
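Review bot: The closing `os.chmod`/`os.chown` on `bind_dns_keytab_path` in `create_dns_dir_keytab_link` operate by path and still run after a failed `os.unlink` or `os.link`, so they can change mode and group on whatever already sits at that name instead of the link just made. Both calls follow symlinks, and the same function sets `paths.binddns_dir` to 0o770 for the bind group, so the name can be replaced by a member of that group while this runs with provisioning privileges (presumably root). I would add `return` in the `os.link` except branch and set mode and group through a descriptor opened with `os.O_NOFOLLOW`, as sketched below; `os.path.lexists` in place of the inner `os.path.isfile` would also let a dangling symlink be cleared before linking. The docstring should say that this is a hard link, so the 0o640 mode and bind gid land on the inode shared with the copy in `paths.private_dir`. The `samba_upgradedns` hunk that replaces the inline copy with this call inherits the same behaviour.

```python
        try:
            os.link(private_dns_keytab_path, bind_dns_keytab_path)
        except OSError as e:
            # … unchanged: logger.error call …
            return  # nothing was linked, so leave mode and group alone

        # … unchanged: chmod/chown of paths.binddns_dir …
            try:
                # O_NOFOLLOW: refuse a symlink planted at the keytab name
                fd = os.open(bind_dns_keytab_path,
                             os.O_RDONLY | os.O_NOFOLLOW)
                try:
                    os.fchmod(fd, 0o640)
                    os.fchown(fd, -1, paths.bind_gid)
                finally:
                    os.close(fd)
            except OSError:
                # … unchanged: SAMBA_SELFTEST-gated logger.info …
```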
diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns index a3d515c0df3..72e6a52e76e 100755 --- a/source4/scripting/bin/samba_upgradedns +++ b/source4/scripting/bin/samba_upgradedns @@ -63,6 +63,7 @@ from samba.provision.sambadns import ( fill_dns_data_partitions, create_dns_dir, secretsdb_setup_dns, + create_dns_dir_keytab_link, create_samdb_copy, create_named_conf, create_named_txt ) @@ -496,41 +497,7 @@ if __name__ == '__main__': # This directory won't exist if we're restoring from an offline backup. os.mkdir(paths.binddns_dir, 0o770) - private_dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab) - bind_dns_keytab_path = os.path.join(paths.binddns_dir, paths.dns_keytab) - - if os.path.isfile(private_dns_keytab_path): - if os.path.isfile(bind_dns_keytab_path): - try: - os.unlink(bind_dns_keytab_path) - except OSError as e: - logger.error("Failed to remove %s: %s" % - (bind_dns_keytab_path, e.strerror)) - - # link the dns.keytab to the bind-dns directory - try: - os.link(private_dns_keytab_path, bind_dns_keytab_path) - except OSError as e: - logger.error("Failed to create link %s -> %s: %s" % - (private_dns_keytab_path, bind_dns_keytab_path, e.strerror)) - - # chown the dns.keytab in the bind-dns directory - if paths.bind_gid is not None: - try: - os.chmod(paths.binddns_dir, 0o770) - os.chown(paths.binddns_dir, -1, paths.bind_gid) - except OSError: - if 'SAMBA_SELFTEST' not in os.environ: - logger.info("Failed to chown %s to bind gid %u", - paths.binddns_dir, paths.bind_gid) - try: - os.chmod(bind_dns_keytab_path, 0o640) - os.chown(bind_dns_keytab_path, -1, paths.bind_gid) - except OSError: - if 'SAMBA_SELFTEST' not in os.environ: - logger.info("Failed to chown %s to bind gid %u", - bind_dns_keytab_path, paths.bind_gid) - + create_dns_dir_keytab_link(logger, paths) # This forces a re-creation of dns directory and all the files within # It's an overkill, but it's easier to re-create a samdb copy, rather -- 2.47.3