4 # update our DNS names using TSIG-GSS
6 # Copyright (C) Andrew Tridgell 2010
8 # This program is free software; you can redistribute it and/or modify
9 # it under the terms of the GNU General Public License as published by
10 # the Free Software Foundation; either version 3 of the License, or
11 # (at your option) any later version.
13 # This program is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License
19 # along with this program. If not, see <http://www.gnu.org/licenses/>.
28 # ensure we get messages out immediately, so they get in the samba logs,
29 # and don't get swallowed by a timeout
30 os.environ['PYTHONUNBUFFERED'] = '1'
32 # forcing GMT avoids a problem in some timezones with kerberos. Both MIT
33 # heimdal can get mutual authentication errors due to the 24 second difference
34 # between UTC and GMT when using some zone files (eg. the PDT zone from
36 os.environ["TZ"] = "GMT"
38 # Find right directory when running from source tree
39 sys.path.insert(0, "bin/python")
43 from samba import getopt as options
44 from ldb import SCOPE_BASE
45 from samba import dsdb
46 from samba.auth import system_session
47 from samba.samdb import SamDB
48 from samba.dcerpc import netlogon, winbind
49 from samba.netcmd.dns import cmd_dns
50 from samba import gensec
51 from samba.kcc import kcc_utils
52 from samba.compat import get_string
53 from samba.compat import text_type
63 parser = optparse.OptionParser("samba_dnsupdate")
64 sambaopts = options.SambaOptions(parser)
65 parser.add_option_group(sambaopts)
66 parser.add_option_group(options.VersionOptions(parser))
67 parser.add_option("--verbose", action="store_true")
68 parser.add_option("--use-samba-tool", action="store_true", help="Use samba-tool to make updates over RPC, rather than over DNS")
69 parser.add_option("--use-nsupdate", action="store_true", help="Use nsupdate command to make updates over DNS (default, if kinit successful)")
70 parser.add_option("--all-names", action="store_true")
71 parser.add_option("--all-interfaces", action="store_true")
72 parser.add_option("--current-ip", action="append", help="IP address to update DNS to match (helpful if behind NAT, valid multiple times, defaults to values from interfaces=)")
73 parser.add_option("--rpc-server-ip", type="string", help="IP address of server to use with samba-tool (defaults to first --current-ip)")
74 parser.add_option("--use-file", type="string", help="Use a file, rather than real DNS calls")
75 parser.add_option("--update-list", type="string", help="Add DNS names from the given file")
76 parser.add_option("--update-cache", type="string", help="Cache database of already registered records")
77 parser.add_option("--fail-immediately", action='store_true', help="Exit on first failure")
78 parser.add_option("--no-credentials", dest='nocreds', action='store_true', help="don't try and get credentials")
79 parser.add_option("--no-substitutions", dest='nosubs', action='store_true', help="don't try and expands variables in file specified by --update-list")
84 opts, args = parser.parse_args()
90 lp = sambaopts.get_loadparm()
92 domain = lp.get("realm")
93 host = lp.get("netbios name")
94 if opts.all_interfaces:
97 all_interfaces = False
100 IPs = opts.current_ip
102 IPs = samba.interface_ips(lp, all_interfaces)
104 nsupdate_cmd = lp.get('nsupdate command')
105 dns_zone_scavenging = lp.get("dns zone scavenging")
108 print("No IP interfaces - skipping DNS updates")
111 if opts.rpc_server_ip:
112 rpc_server_ip = opts.rpc_server_ip
114 rpc_server_ip = IPs[0]
119 if i.find(':') != -1:
124 smb_conf = sambaopts.get_loadparm_path()
127 print("IPs: %s" % IPs)
129 def get_possible_rw_dns_server(creds, domain):
130 """Get a list of possible read-write DNS servers, starting with
131 the SOA. The SOA is the correct answer, but old Samba domains
132 (4.6 and prior) do not maintain this value, so add NS servers
136 ans_soa = check_one_dns_name(domain, 'SOA')
138 # Actually there is only one
139 for i in range(len(ans_soa)):
140 hostnames.append(str(ans_soa[i].mname).rstrip('.'))
142 # This is not strictly legit, but old Samba domains may have an
143 # unmaintained SOA record, so go for any NS that we can get a
145 ans_ns = check_one_dns_name(domain, 'NS')
147 # Actually there is only one
148 for i in range(len(ans_ns)):
149 hostnames.append(str(ans_ns[i].target).rstrip('.'))
153 def get_krb5_rw_dns_server(creds, domain):
154 """Get a list of read-write DNS servers that we can obtain a ticket
155 for, starting with the SOA. The SOA is the correct answer, but
156 old Samba domains (4.6 and prior) do not maintain this value,
157 so continue with the NS servers as well until we get one that
158 the KDC will issue a ticket to.
161 rw_dns_servers = get_possible_rw_dns_server(creds, domain)
162 # Actually there is only one
163 for i in range(len(rw_dns_servers)):
164 target_hostname = str(rw_dns_servers[i])
166 settings["lp_ctx"] = lp
167 settings["target_hostname"] = target_hostname
169 gensec_client = gensec.Security.start_client(settings)
170 gensec_client.set_credentials(creds)
171 gensec_client.set_target_service("DNS")
172 gensec_client.set_target_hostname(target_hostname)
173 gensec_client.want_feature(gensec.FEATURE_SEAL)
174 gensec_client.start_mech_by_sasl_name("GSSAPI")
175 server_to_client = b""
177 (client_finished, client_to_server) = gensec_client.update(server_to_client)
179 print("Successfully obtained Kerberos ticket to DNS/%s as %s" \
180 % (target_hostname, creds.get_username()))
181 return target_hostname
183 # Only raise an exception if they all failed
184 if i != len(rw_dns_servers) - 1:
188 def get_credentials(lp):
189 """# get credentials if we haven't got them already."""
190 from samba import credentials
192 creds = credentials.Credentials()
194 creds.set_machine_account(lp)
195 creds.set_krb_forwardable(credentials.NO_KRB_FORWARDABLE)
196 (tmp_fd, ccachename) = tempfile.mkstemp()
198 if opts.use_file is not None:
201 creds.get_named_ccache(lp, ccachename)
203 # Now confirm we can get a ticket to the DNS server
204 get_krb5_rw_dns_server(creds, sub_vars['DNSDOMAIN'] + '.')
207 except RuntimeError as e:
208 os.unlink(ccachename)
212 class dnsobj(object):
213 """an object to hold a parsed DNS line"""
215 def __init__(self, string_form):
216 list = string_form.split()
218 raise Exception("Invalid DNS entry %r" % string_form)
222 self.existing_port = None
223 self.existing_weight = None
224 self.existing_cname_target = None
233 self.nameservers = []
234 if self.type == 'SRV':
236 raise Exception("Invalid DNS entry %r" % string_form)
239 elif self.type in ['A', 'AAAA']:
240 self.ip = list[2] # usually $IP, which gets replaced
241 elif self.type == 'CNAME':
243 elif self.type == 'NS':
246 raise Exception("Received unexpected DNS reply of type %s: %s" % (self.type, string_form))
250 return "%s %s %s" % (self.type, self.name, self.ip)
251 if self.type == "AAAA":
252 return "%s %s %s" % (self.type, self.name, self.ip)
253 if self.type == "SRV":
254 return "%s %s %s %s" % (self.type, self.name, self.dest, self.port)
255 if self.type == "CNAME":
256 return "%s %s %s" % (self.type, self.name, self.dest)
257 if self.type == "NS":
258 return "%s %s %s" % (self.type, self.name, self.dest)
261 def parse_dns_line(line, sub_vars):
262 """parse a DNS line from."""
263 if line.startswith("SRV _ldap._tcp.pdc._msdcs.") and not samdb.am_pdc():
264 # We keep this as compat to the dns_update_list of 4.0/4.1
266 print("Skipping PDC entry (%s) as we are not a PDC" % line)
268 subline = samba.substitute_var(line, sub_vars)
269 if subline == '' or subline[0] == "#":
271 return dnsobj(subline)
274 def hostname_match(h1, h2):
275 """see if two hostnames match."""
278 return h1.lower().rstrip('.') == h2.lower().rstrip('.')
280 def get_resolver(d=None):
281 resolv_conf = os.getenv('RESOLV_CONF')
283 resolv_conf = '/etc/resolv.conf'
284 resolver = dns.resolver.Resolver(filename=resolv_conf, configure=True)
286 if d is not None and d.nameservers != []:
287 resolver.nameservers = d.nameservers
291 def check_one_dns_name(name, name_type, d=None):
292 resolver = get_resolver(d)
293 if d is not None and len(d.nameservers) == 0:
294 d.nameservers = resolver.nameservers
296 ans = resolver.query(name, name_type)
299 def check_dns_name(d):
300 """check that a DNS entry exists."""
301 normalised_name = d.name.rstrip('.') + '.'
303 print("Looking for DNS entry %s as %s" % (d, normalised_name))
305 if opts.use_file is not None:
307 dns_file = open(opts.use_file, "r")
311 for line in dns_file:
313 if line == '' or line[0] == "#":
315 if line.lower() == str(d).lower():
320 ans = check_one_dns_name(normalised_name, d.type, d)
321 except dns.exception.Timeout:
322 raise Exception("Timeout while waiting to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
323 except dns.resolver.NoNameservers:
324 raise Exception("Unable to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
325 except dns.resolver.NXDOMAIN:
327 print("The DNS entry %s, queried as %s does not exist" % (d, normalised_name))
329 except dns.resolver.NoAnswer:
331 print("The DNS entry %s, queried as %s does not hold this record type" % (d, normalised_name))
333 except dns.exception.DNSException:
334 raise Exception("Failure while trying to resolve %s as %s" % (d, normalised_name))
335 if d.type in ['A', 'AAAA']:
336 # we need to be sure that our IP is there
338 if str(rdata) == str(d.ip):
340 elif d.type == 'CNAME':
341 for i in range(len(ans)):
342 if hostname_match(ans[i].target, d.dest):
345 d.existing_cname_target = str(ans[i].target)
347 for i in range(len(ans)):
348 if hostname_match(ans[i].target, d.dest):
350 elif d.type == 'SRV':
353 print("Checking %s against %s" % (rdata, d))
354 if hostname_match(rdata.target, d.dest):
355 if str(rdata.port) == str(d.port):
358 d.existing_port = str(rdata.port)
359 d.existing_weight = str(rdata.weight)
362 print("Lookup of %s succeeded, but we failed to find a matching DNS entry for %s" % (normalised_name, d))
367 def get_subst_vars(samdb):
368 """get the list of substitution vars."""
372 vars['DNSDOMAIN'] = samdb.domain_dns_name()
373 vars['DNSFOREST'] = samdb.forest_dns_name()
374 vars['HOSTNAME'] = samdb.host_dns_name()
375 vars['NTDSGUID'] = samdb.get_ntds_GUID()
376 vars['SITE'] = samdb.server_site_name()
377 res = samdb.search(base=samdb.get_default_basedn(), scope=SCOPE_BASE, attrs=["objectGUID"])
378 guid = samdb.schema_format_value("objectGUID", res[0]['objectGUID'][0])
379 vars['DOMAINGUID'] = get_string(guid)
382 vars['IF_RWDC'] = "# "
383 vars['IF_RODC'] = "# "
384 vars['IF_PDC'] = "# "
386 vars['IF_RWGC'] = "# "
387 vars['IF_ROGC'] = "# "
388 vars['IF_DNS_DOMAIN'] = "# "
389 vars['IF_RWDNS_DOMAIN'] = "# "
390 vars['IF_RODNS_DOMAIN'] = "# "
391 vars['IF_DNS_FOREST'] = "# "
392 vars['IF_RWDNS_FOREST'] = "# "
393 vars['IF_R0DNS_FOREST'] = "# "
395 am_rodc = samdb.am_rodc()
404 # check if we "are DNS server"
405 res = samdb.search(base=samdb.get_config_basedn(),
406 expression='(objectguid=%s)' % vars['NTDSGUID'],
407 attrs=["options", "msDS-hasMasterNCs"])
410 if "options" in res[0]:
411 options = int(res[0]["options"][0])
412 if (options & dsdb.DS_NTDSDSA_OPT_IS_GC) != 0:
419 basedn = str(samdb.get_default_basedn())
420 forestdn = str(samdb.get_root_basedn())
422 if "msDS-hasMasterNCs" in res[0]:
423 for e in res[0]["msDS-hasMasterNCs"]:
424 if str(e) == "DC=DomainDnsZones,%s" % basedn:
425 vars['IF_DNS_DOMAIN'] = ""
427 vars['IF_RODNS_DOMAIN'] = ""
429 vars['IF_RWDNS_DOMAIN'] = ""
430 if str(e) == "DC=ForestDnsZones,%s" % forestdn:
431 vars['IF_DNS_FOREST'] = ""
433 vars['IF_RODNS_FOREST'] = ""
435 vars['IF_RWDNS_FOREST'] = ""
440 def call_nsupdate(d, op="add"):
441 """call nsupdate for an entry."""
442 global ccachename, nsupdate_cmd, krb5conf
444 assert(op in ["add", "delete"])
446 if opts.use_file is not None:
448 print("Use File instead of nsupdate for %s (%s)" % (d, op))
451 rfile = open(opts.use_file, 'r+')
454 rfile = open(opts.use_file, 'w+')
455 # Open it for reading again, in case someone else got to it first
456 rfile = open(opts.use_file, 'r+')
457 fcntl.lockf(rfile, fcntl.LOCK_EX)
458 (file_dir, file_name) = os.path.split(opts.use_file)
459 (tmp_fd, tmpfile) = tempfile.mkstemp(dir=file_dir, prefix=file_name, suffix="XXXXXX")
460 wfile = os.fdopen(tmp_fd, 'a')
464 l = parse_dns_line(line, {})
465 if str(l).lower() == str(d).lower():
469 wfile.write(str(d)+"\n")
470 os.rename(tmpfile, opts.use_file)
471 fcntl.lockf(rfile, fcntl.LOCK_UN)
475 print("Calling nsupdate for %s (%s)" % (d, op))
477 normalised_name = d.name.rstrip('.') + '.'
479 (tmp_fd, tmpfile) = tempfile.mkstemp()
480 f = os.fdopen(tmp_fd, 'w')
482 resolver = get_resolver(d)
484 # Local the zone for this name
485 zone = dns.resolver.zone_for_name(normalised_name,
488 # Now find the SOA, or if we can't get a ticket to the SOA,
489 # any server with an NS record we can get a ticket for.
491 # Thanks to the Kerberos Credentials cache this is not
492 # expensive inside the loop
493 server = get_krb5_rw_dns_server(creds, zone)
494 f.write('server %s\n' % server)
497 f.write("update %s %s %u A %s\n" % (op, normalised_name, default_ttl, d.ip))
499 f.write("update %s %s %u AAAA %s\n" % (op, normalised_name, default_ttl, d.ip))
501 if op == "add" and d.existing_port is not None:
502 f.write("update delete %s SRV 0 %s %s %s\n" % (normalised_name, d.existing_weight,
503 d.existing_port, d.dest))
504 f.write("update %s %s %u SRV 0 100 %s %s\n" % (op, normalised_name, default_ttl, d.port, d.dest))
505 if d.type == "CNAME":
506 f.write("update %s %s %u CNAME %s\n" % (op, normalised_name, default_ttl, d.dest))
508 f.write("update %s %s %u NS %s\n" % (op, normalised_name, default_ttl, d.dest))
514 # Set a bigger MTU size to work around a bug in nsupdate's doio_send()
515 os.environ["SOCKET_WRAPPER_MTU"] = "2000"
519 os.environ["KRB5CCNAME"] = ccachename
521 cmd = nsupdate_cmd[:]
525 env["KRB5_CONFIG"] = krb5conf
527 env["KRB5CCNAME"] = ccachename
528 ret = subprocess.call(cmd, shell=False, env=env)
530 if opts.fail_immediately:
532 print("Failed update with %s" % tmpfile)
534 error_count = error_count + 1
536 print("Failed nsupdate: %d" % ret)
537 except Exception as estr:
538 if opts.fail_immediately:
540 error_count = error_count + 1
542 print("Failed nsupdate: %s : %s" % (str(d), estr))
545 # Let socket_wrapper set the default MTU size
546 os.environ["SOCKET_WRAPPER_MTU"] = "0"
549 def call_samba_tool(d, op="add", zone=None):
550 """call samba-tool dns to update an entry."""
552 assert(op in ["add", "delete"])
554 if (sub_vars['DNSFOREST'] != sub_vars['DNSDOMAIN']) and \
555 sub_vars['DNSFOREST'].endswith('.' + sub_vars['DNSDOMAIN']):
556 print("Refusing to use samba-tool when forest %s is under domain %s" \
557 % (sub_vars['DNSFOREST'], sub_vars['DNSDOMAIN']))
560 print("Calling samba-tool dns for %s (%s)" % (d, op))
562 normalised_name = d.name.rstrip('.') + '.'
564 if normalised_name == (sub_vars['DNSDOMAIN'] + '.'):
566 zone = sub_vars['DNSDOMAIN']
567 elif normalised_name == (sub_vars['DNSFOREST'] + '.'):
569 zone = sub_vars['DNSFOREST']
570 elif normalised_name == ('_msdcs.' + sub_vars['DNSFOREST'] + '.'):
572 zone = '_msdcs.' + sub_vars['DNSFOREST']
574 if not normalised_name.endswith('.' + sub_vars['DNSDOMAIN'] + '.'):
575 print("Not Calling samba-tool dns for %s (%s), %s not in %s" % (d, op, normalised_name, sub_vars['DNSDOMAIN'] + '.'))
577 elif normalised_name.endswith('._msdcs.' + sub_vars['DNSFOREST'] + '.'):
578 zone = '_msdcs.' + sub_vars['DNSFOREST']
580 zone = sub_vars['DNSDOMAIN']
581 len_zone = len(zone)+2
582 short_name = normalised_name[:-len_zone]
584 len_zone = len(zone)+2
585 short_name = normalised_name[:-len_zone]
588 args = [rpc_server_ip, zone, short_name, "A", d.ip]
590 args = [rpc_server_ip, zone, short_name, "AAAA", d.ip]
592 if op == "add" and d.existing_port is not None:
593 print("Not handling modify of exising SRV %s using samba-tool" % d)
596 args = [rpc_server_ip, zone, short_name, "SRV",
597 "%s %s %s %s" % (d.existing_weight,
598 d.existing_port, "0", "100"),
599 "%s %s %s %s" % (d.dest, d.port, "0", "100")]
601 args = [rpc_server_ip, zone, short_name, "SRV", "%s %s %s %s" % (d.dest, d.port, "0", "100")]
602 if d.type == "CNAME":
603 if d.existing_cname_target is None:
604 args = [rpc_server_ip, zone, short_name, "CNAME", d.dest]
607 args = [rpc_server_ip, zone, short_name, "CNAME",
608 d.existing_cname_target.rstrip('.'), d.dest]
611 args = [rpc_server_ip, zone, short_name, "NS", d.dest]
613 if smb_conf and args:
614 args += ["--configfile=" + smb_conf]
620 print("Calling samba-tool dns %s -k no -P %s" % (op, args))
621 ret = cmd._run("dns", op, "-k", "no", "-P", *args)
623 if opts.fail_immediately:
625 error_count = error_count + 1
627 print("Failed 'samba-tool dns' based update of %s" % (str(d)))
628 except Exception as estr:
629 if opts.fail_immediately:
631 error_count = error_count + 1
633 print("Failed 'samba-tool dns' based update: %s : %s" % (str(d), estr))
637 def cached_irpc_wb(lp):
639 if irpc_wb is not None:
641 irpc_wb = winbind.winbind("irpc:winbind_server", lp)
644 def rodc_dns_update(d, t, op):
645 '''a single DNS update via the RODC netlogon call'''
648 assert(op in ["add", "delete"])
651 print("Calling netlogon RODC update for %s" % d)
654 netlogon.NlDnsLdapAtSite : netlogon.NlDnsInfoTypeNone,
655 netlogon.NlDnsGcAtSite : netlogon.NlDnsDomainNameAlias,
656 netlogon.NlDnsDsaCname : netlogon.NlDnsDomainNameAlias,
657 netlogon.NlDnsKdcAtSite : netlogon.NlDnsInfoTypeNone,
658 netlogon.NlDnsDcAtSite : netlogon.NlDnsInfoTypeNone,
659 netlogon.NlDnsRfc1510KdcAtSite : netlogon.NlDnsInfoTypeNone,
660 netlogon.NlDnsGenericGcAtSite : netlogon.NlDnsDomainNameAlias
663 w = cached_irpc_wb(lp)
664 dns_names = netlogon.NL_DNS_NAME_INFO_ARRAY()
666 name = netlogon.NL_DNS_NAME_INFO()
668 name.dns_domain_info_type = typemap[t]
671 if d.port is not None:
672 name.port = int(d.port)
674 name.dns_register = True
676 name.dns_register = False
677 dns_names.names = [ name ]
678 site_name = text_type(sub_vars['SITE'])
683 ret_names = w.DsrUpdateReadOnlyServerDnsRecords(site_name, default_ttl, dns_names)
684 if ret_names.names[0].status != 0:
685 print("Failed to set DNS entry: %s (status %u)" % (d, ret_names.names[0].status))
686 error_count = error_count + 1
687 except RuntimeError as reason:
688 print("Error setting DNS entry of type %u: %s: %s" % (t, d, reason))
689 error_count = error_count + 1
692 print("Called netlogon RODC update for %s" % d)
694 if error_count != 0 and opts.fail_immediately:
698 def call_rodc_update(d, op="add"):
699 '''RODCs need to use the netlogon API for nsupdate'''
702 assert(op in ["add", "delete"])
704 # we expect failure for 3268 if we aren't a GC
705 if d.port is not None and int(d.port) == 3268:
708 # map the DNS request to a netlogon update type
710 netlogon.NlDnsLdapAtSite : '_ldap._tcp.${SITE}._sites.${DNSDOMAIN}',
711 netlogon.NlDnsGcAtSite : '_ldap._tcp.${SITE}._sites.gc._msdcs.${DNSDOMAIN}',
712 netlogon.NlDnsDsaCname : '${NTDSGUID}._msdcs.${DNSFOREST}',
713 netlogon.NlDnsKdcAtSite : '_kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}',
714 netlogon.NlDnsDcAtSite : '_ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}',
715 netlogon.NlDnsRfc1510KdcAtSite : '_kerberos._tcp.${SITE}._sites.${DNSDOMAIN}',
716 netlogon.NlDnsGenericGcAtSite : '_gc._tcp.${SITE}._sites.${DNSFOREST}'
720 subname = samba.substitute_var(map[t], sub_vars)
721 if subname.lower() == d.name.lower():
722 # found a match - do the update
723 rodc_dns_update(d, t, op)
726 print("Unable to map to netlogon DNS update: %s" % d)
729 # get the list of DNS entries we should have
731 dns_update_list = opts.update_list
733 dns_update_list = lp.private_path('dns_update_list')
735 if opts.update_cache:
736 dns_update_cache = opts.update_cache
738 dns_update_cache = lp.private_path('dns_update_cache')
741 # only change the krb5.conf if we are not in selftest
742 if 'SOCKET_WRAPPER_DIR' not in os.environ:
743 # use our private krb5.conf to avoid problems with the wrong domain
744 # bind9 nsupdate wants the default domain set
745 krb5conf = lp.private_path('krb5.conf')
746 os.environ['KRB5_CONFIG'] = krb5conf
748 file = open(dns_update_list, "r")
753 samdb = SamDB(url=lp.samdb_url(), session_info=system_session(), lp=lp)
755 # get the substitution dictionary
756 sub_vars = get_subst_vars(samdb)
758 # build up a list of update commands to pass to nsupdate
767 rebuild_cache = False
769 cfile = open(dns_update_cache, 'r+')
772 cfile = open(dns_update_cache, 'w+')
773 # Open it for reading again, in case someone else got to it first
774 cfile = open(dns_update_cache, 'r+')
775 fcntl.lockf(cfile, fcntl.LOCK_EX)
778 if line == '' or line[0] == "#":
780 c = parse_dns_line(line, {})
783 if str(c) not in cache_set:
785 cache_set.add(str(c))
787 site_specific_rec = []
789 # read each line, and check that the DNS name exists
793 if '${SITE}' in line:
794 site_specific_rec.append(line)
796 if line == '' or line[0] == "#":
798 d = parse_dns_line(line, sub_vars)
801 if d.type == 'A' and len(IP4s) == 0:
803 if d.type == 'AAAA' and len(IP6s) == 0:
805 if str(d) not in dup_set:
809 # Perform automatic site coverage by default
812 if not am_rodc and auto_coverage:
813 site_names = kcc_utils.uncovered_sites_to_cover(samdb,
814 samdb.server_site_name())
816 # Duplicate all site specific records for the uncovered site
817 for site in site_names:
818 to_add = [samba.substitute_var(line, {'SITE': site})
819 for line in site_specific_rec]
821 for site_line in to_add:
822 d = parse_dns_line(site_line,
824 if d is not None and str(d) not in dup_set:
828 # now expand the entries, if any are A record with ip set to $IP
829 # then replace with multiple entries, one for each interface IP
835 for i in range(len(IP4s)-1):
841 for i in range(len(IP6s)-1):
846 # now check if the entries already exist on the DNS server
850 if str(c).lower() == str(d).lower():
856 print("need cache add: %s" % d)
857 if dns_zone_scavenging:
858 update_list.append(d)
860 print("scavenging requires update: %s" % d)
862 update_list.append(d)
864 print("force update: %s" % d)
865 elif not check_dns_name(d):
866 update_list.append(d)
868 print("need update: %s" % d)
873 if str(c).lower() == str(d).lower():
880 print("need cache remove: %s" % c)
881 if not opts.all_names and not check_dns_name(c):
883 delete_list.append(c)
885 print("need delete: %s" % c)
887 if len(delete_list) == 0 and len(update_list) == 0 and not rebuild_cache:
889 print("No DNS updates needed")
893 print("%d DNS updates and %d DNS deletes needed" % (len(update_list), len(delete_list)))
895 use_samba_tool = opts.use_samba_tool
896 use_nsupdate = opts.use_nsupdate
898 if len(delete_list) != 0 or len(update_list) != 0 and not opts.nocreds:
900 creds = get_credentials(lp)
901 except RuntimeError as e:
904 if sub_vars['IF_RWDNS_DOMAIN'] == "# ":
910 print("Failed to get Kerberos credentials, falling back to samba-tool: %s" % e)
911 use_samba_tool = True
914 # ask nsupdate to delete entries as needed
915 for d in delete_list:
916 if d.rpc or (not use_nsupdate and use_samba_tool):
918 print("update (samba-tool): %s" % d)
919 call_samba_tool(d, op="delete", zone=d.zone)
922 if d.name.lower() == domain.lower():
924 print("skip delete (rodc): %s" % d)
926 if not d.type in [ 'A', 'AAAA' ]:
928 print("delete (rodc): %s" % d)
929 call_rodc_update(d, op="delete")
932 print("delete (nsupdate): %s" % d)
933 call_nsupdate(d, op="delete")
936 print("delete (nsupdate): %s" % d)
937 call_nsupdate(d, op="delete")
939 # ask nsupdate to add entries as needed
940 for d in update_list:
941 if d.rpc or (not use_nsupdate and use_samba_tool):
943 print("update (samba-tool): %s" % d)
944 call_samba_tool(d, zone=d.zone)
947 if d.name.lower() == domain.lower():
949 print("skip (rodc): %s" % d)
951 if not d.type in [ 'A', 'AAAA' ]:
953 print("update (rodc): %s" % d)
957 print("update (nsupdate): %s" % d)
961 print("update(nsupdate): %s" % d)
965 print("Rebuilding cache at %s" % dns_update_cache)
966 (file_dir, file_name) = os.path.split(dns_update_cache)
967 (tmp_fd, tmpfile) = tempfile.mkstemp(dir=file_dir, prefix=file_name, suffix="XXXXXX")
968 wfile = os.fdopen(tmp_fd, 'a')
971 print("Adding %s to %s" % (str(d), file_name))
972 wfile.write(str(d)+"\n")
973 os.rename(tmpfile, dns_update_cache)
974 fcntl.lockf(cfile, fcntl.LOCK_UN)
976 # delete the ccache if we created it
977 if ccachename is not None:
978 os.unlink(ccachename)
981 print("Failed update of %u entries" % error_count)
982 sys.exit(error_count)