From a9c430bdd2e07e8111d1073238059de6c6f478d5 Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@matws.net>
Date: Tue, 26 Oct 2010 16:37:50 +0400
Subject: [PATCH] upgradeprovision: fix pb with dns-hostname, regenerate a
 correct keytab

---
 source4/scripting/bin/upgradeprovision        | 28 ++++++++++-
 .../scripting/python/samba/upgradehelpers.py  | 48 +++++++++++++++++++
 2 files changed, 75 insertions(+), 1 deletion(-)

diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision
index e1ef57193d6..d2cc7abae72 100755
--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -60,7 +60,7 @@ from samba.upgradehelpers import (dn_sort, get_paths, newprovision,
                                  delta_update_basesamdb, update_policyids,
                                  update_machine_account_password,
                                  search_constructed_attrs_stored,
-                                 int64range2str,
+                                 int64range2str, update_dns_account_password,
                                  increment_calculated_keyversion_number)
 
 replace=2**FLAG_MOD_REPLACE
@@ -1723,8 +1723,34 @@ if __name__ == '__main__':
             # as the delta_upgrade
             schemareloadclosure()
             sync_calculated_attributes(ldbs.sam, names)
+            res = ldbs.sam.search(expression="(samaccountname=dns)",
+                                scope=SCOPE_SUBTREE, attrs=["dn"],
+                                controls=["search_options:1:2"])
+            if len(res) > 0:
+                message(SIMPLE, "You still have the old dns object for managing"
+                                "dynamic DNS, but you didn't supply --full so "
+                                "correct update can't be done")
+                ldbs.groupedRollback()
+                new_ldbs.groupedRollback()
+                shutil.rmtree(provisiondir)
+                sys.exit(1)
         # 14)
         update_secrets(new_ldbs.secrets, ldbs.secrets, message)
+        # 14bis)
+        res = ldbs.sam.search(expression="(samaccountname=dns)",
+                                  scope=SCOPE_SUBTREE, attrs=["dn"],
+                                  controls=["search_options:1:2"])
+
+        if (len(res) == 1):
+            ldbs.sam.delete(res[0]["dn"])
+            res2 = ldbs.secrets.search(expression="(samaccountname=dns)",
+                                  scope=SCOPE_SUBTREE, attrs=["dn"])
+            update_dns_account_password(ldbs.sam, ldbs.secrets, names)
+            message(SIMPLE, "IMPORTANT !!! "
+                            "If you were using Dynmaic DNS before you need"
+                            " to update your configuration, so that the "
+                            "tkey-gssapi-credential has the following value:"
+                            "DNS/%s.%s" % (names.netbiosname.lower(), names.realm.lower()))
         # 15)
         message(SIMPLE, "Update machine account")
         update_machine_account_password(ldbs.sam, ldbs.secrets, names)
diff --git a/source4/scripting/python/samba/upgradehelpers.py b/source4/scripting/python/samba/upgradehelpers.py
index b1258d2a533..b2bb66c5ea3 100755
--- a/source4/scripting/python/samba/upgradehelpers.py
+++ b/source4/scripting/python/samba/upgradehelpers.py
@@ -632,6 +632,13 @@ def update_secrets(newsecrets_ldb, secrets_ldb, messagefunc):
         delta.dn = current[0].dn
         secrets_ldb.modify(delta)
 
+    res2 = secrets_ldb.search(expression="(samaccountname=dns)",
+                                scope=SCOPE_SUBTREE, attrs=["dn"])
+
+    if (len(res2) == 1):
+            messagefunc(SIMPLE, "Remove old dns account")
+            secrets_ldb.delete(res2[0]["dn"])
+
 def getOEMInfo(samdb, rootdn):
     """Return OEM Information on the top level
     Samba4 use to store version info in this field
@@ -855,6 +862,47 @@ clearTextPassword:: """ + base64.b64encode(machinepass.encode('utf-16-le')) + ""
         raise ProvisioningError("Unable to find a Secure Channel"
                                 "of type SEC_CHAN_BDC")
 
+def update_dns_account_password(samdb, secrets_ldb, names):
+    """Update (change) the password of the dns both in the SAM db and in
+       secret one
+
+    :param samdb: An LDB object related to the sam.ldb file of a given provision
+    :param secrets_ldb: An LDB object related to the secrets.ldb file of a given
+                        provision
+    :param names: List of key provision parameters"""
+
+    expression = "samAccountName=dns-%s" % names.netbiosname
+    secrets_msg = secrets_ldb.search(expression=expression)
+    if len(secrets_msg) == 1:
+        res = samdb.search(expression=expression, attrs=[])
+        assert(len(res) == 1)
+
+        msg = ldb.Message(res[0].dn)
+        machinepass = samba.generate_random_password(128, 255)
+        mputf16 = machinepass.encode('utf-16-le')
+        msg["clearTextPassword"] = ldb.MessageElement(mputf16,
+                                                ldb.FLAG_MOD_REPLACE,
+                                                "clearTextPassword")
+
+        samdb.modify(msg)
+
+        res = samdb.search(expression=expression,
+                     attrs=["msDs-keyVersionNumber"])
+        assert(len(res) == 1)
+        kvno = str(res[0]["msDs-keyVersionNumber"])
+
+        msg = ldb.Message(secrets_msg[0].dn)
+        msg["secret"] = ldb.MessageElement(machinepass,
+                                                ldb.FLAG_MOD_REPLACE,
+                                                "secret")
+        msg["msDS-KeyVersionNumber"] = ldb.MessageElement(kvno,
+                                                ldb.FLAG_MOD_REPLACE,
+                                                "msDS-KeyVersionNumber")
+
+        secrets_ldb.modify(msg)
+    else:
+        raise ProvisioningError("Unable to find an object"
+                                " with %s" % expression )
 
 def search_constructed_attrs_stored(samdb, rootdn, attrs):
     """Search a given sam DB for calculated attributes that are
-- 
2.34.1