samba_dnsupdate: Ensure we only force "server" under resolv_wrapper

This ensures that nsupdate can use a namserver in /etc/resolv.conf that is a
cache or forwarder, rather than the AD DC directly.

This avoids a regression from forcing the nameservers to the
/etc/resolv.conf nameservers in
e85ef1dbfef4b16c35cac80c0efc563d8cd1ba3e

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

diff --git a/source4/scripting/bin/samba_dnsupdate b/source4/scripting/bin/samba_dnsupdate
index d382758168b68e645db2548ad820a87a6a2f2dac..ba167da2876c3aae9b96419ef8d6706bf5fd3e54 100755 (executable)
--- a/source4/scripting/bin/samba_dnsupdate
+++ b/source4/scripting/bin/samba_dnsupdate
@@ -430,8 +430,19 @@ def call_nsupdate(d, op="add"):
 
     (tmp_fd, tmpfile) = tempfile.mkstemp()
     f = os.fdopen(tmp_fd, 'w')
-    if d.nameservers != []:
+
+    # Getting this line right is really important.  When we are under
+    # resolv_wrapper, then we want to use RESOLV_CONF and the
+    # nameserver therein. The issue is that this parameter forces us
+    # to only ever use that server, and not some other server that the
+    # NS record may point to, even as we get a ticket to that other
+    # server.
+    #
+    # Therefore we must not set this in production.
+
+    if os.getenv('RESOLV_CONF') and d.nameservers != []:
         f.write('server %s\n' % d.nameservers[0])
+
     if d.type == "A":
         f.write("update %s %s %u A %s\n" % (op, normalised_name, default_ttl, d.ip))
     if d.type == "AAAA":