4 # update our DNS names using TSIG-GSS
6 # Copyright (C) Andrew Tridgell 2010
8 # This program is free software; you can redistribute it and/or modify
9 # it under the terms of the GNU General Public License as published by
10 # the Free Software Foundation; either version 3 of the License, or
11 # (at your option) any later version.
13 # This program is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License
19 # along with this program. If not, see <http://www.gnu.org/licenses/>.
28 # ensure we get messages out immediately, so they get in the samba logs,
29 # and don't get swallowed by a timeout
30 os.environ['PYTHONUNBUFFERED'] = '1'
32 # forcing GMT avoids a problem in some timezones with kerberos. Both MIT
33 # heimdal can get mutual authentication errors due to the 24 second difference
34 # between UTC and GMT when using some zone files (eg. the PDT zone from
36 os.environ["TZ"] = "GMT"
38 # Find right directory when running from source tree
39 sys.path.insert(0, "bin/python")
43 from samba import getopt as options
44 from ldb import SCOPE_BASE
45 from samba import dsdb
46 from samba.auth import system_session
47 from samba.samdb import SamDB
48 from samba.dcerpc import netlogon, winbind
49 from samba.netcmd.dns import cmd_dns
50 from samba import gensec
51 from samba.kcc import kcc_utils
52 from samba.compat import get_string
53 from samba.compat import text_type
63 parser = optparse.OptionParser("samba_dnsupdate")
64 sambaopts = options.SambaOptions(parser)
65 parser.add_option_group(sambaopts)
66 parser.add_option_group(options.VersionOptions(parser))
67 parser.add_option("--verbose", action="store_true")
68 parser.add_option("--use-samba-tool", action="store_true", help="Use samba-tool to make updates over RPC, rather than over DNS")
69 parser.add_option("--use-nsupdate", action="store_true", help="Use nsupdate command to make updates over DNS (default, if kinit successful)")
70 parser.add_option("--all-names", action="store_true")
71 parser.add_option("--all-interfaces", action="store_true")
72 parser.add_option("--current-ip", action="append", help="IP address to update DNS to match (helpful if behind NAT, valid multiple times, defaults to values from interfaces=)")
73 parser.add_option("--rpc-server-ip", type="string", help="IP address of server to use with samba-tool (defaults to first --current-ip)")
74 parser.add_option("--use-file", type="string", help="Use a file, rather than real DNS calls")
75 parser.add_option("--update-list", type="string", help="Add DNS names from the given file")
76 parser.add_option("--update-cache", type="string", help="Cache database of already registered records")
77 parser.add_option("--fail-immediately", action='store_true', help="Exit on first failure")
78 parser.add_option("--no-credentials", dest='nocreds', action='store_true', help="don't try and get credentials")
79 parser.add_option("--no-substitutions", dest='nosubs', action='store_true', help="don't try and expands variables in file specified by --update-list")
84 opts, args = parser.parse_args()
90 lp = sambaopts.get_loadparm()
92 domain = lp.get("realm")
93 host = lp.get("netbios name")
94 if opts.all_interfaces:
97 all_interfaces = False
100 IPs = opts.current_ip
102 IPs = samba.interface_ips(lp, all_interfaces)
104 nsupdate_cmd = lp.get('nsupdate command')
105 dns_zone_scavenging = lp.get("dns zone scavenging")
108 print("No IP interfaces - skipping DNS updates")
111 if opts.rpc_server_ip:
112 rpc_server_ip = opts.rpc_server_ip
114 rpc_server_ip = IPs[0]
119 if i.find(':') != -1:
124 smb_conf = sambaopts.get_loadparm_path()
127 print("IPs: %s" % IPs)
129 def get_possible_rw_dns_server(creds, domain):
130 """Get a list of possible read-write DNS servers, starting with
131 the SOA. The SOA is the correct answer, but old Samba domains
132 (4.6 and prior) do not maintain this value, so add NS servers
136 ans_soa = check_one_dns_name(domain, 'SOA')
138 # Actually there is only one
139 for i in range(len(ans_soa)):
140 hostnames.append(str(ans_soa[i].mname).rstrip('.'))
142 # This is not strictly legit, but old Samba domains may have an
143 # unmaintained SOA record, so go for any NS that we can get a
145 ans_ns = check_one_dns_name(domain, 'NS')
147 # Actually there is only one
148 for i in range(len(ans_ns)):
149 hostnames.append(str(ans_ns[i].target).rstrip('.'))
153 def get_krb5_rw_dns_server(creds, domain):
154 """Get a list of read-write DNS servers that we can obtain a ticket
155 for, starting with the SOA. The SOA is the correct answer, but
156 old Samba domains (4.6 and prior) do not maintain this value,
157 so continue with the NS servers as well until we get one that
158 the KDC will issue a ticket to.
161 rw_dns_servers = get_possible_rw_dns_server(creds, domain)
162 # Actually there is only one
163 for i in range(len(rw_dns_servers)):
164 target_hostname = str(rw_dns_servers[i])
166 settings["lp_ctx"] = lp
167 settings["target_hostname"] = target_hostname
169 gensec_client = gensec.Security.start_client(settings)
170 gensec_client.set_credentials(creds)
171 gensec_client.set_target_service("DNS")
172 gensec_client.set_target_hostname(target_hostname)
173 gensec_client.want_feature(gensec.FEATURE_SEAL)
174 gensec_client.start_mech_by_sasl_name("GSSAPI")
175 server_to_client = b""
177 (client_finished, client_to_server) = gensec_client.update(server_to_client)
179 print("Successfully obtained Kerberos ticket to DNS/%s as %s" \
180 % (target_hostname, creds.get_username()))
181 return target_hostname
183 # Only raise an exception if they all failed
184 if i != len(rw_dns_servers) - 1:
188 def get_credentials(lp):
189 """# get credentials if we haven't got them already."""
190 from samba import credentials
192 creds = credentials.Credentials()
194 creds.set_machine_account(lp)
195 creds.set_krb_forwardable(credentials.NO_KRB_FORWARDABLE)
196 (tmp_fd, ccachename) = tempfile.mkstemp()
198 if opts.use_file is not None:
201 creds.get_named_ccache(lp, ccachename)
203 # Now confirm we can get a ticket to the DNS server
204 get_krb5_rw_dns_server(creds, sub_vars['DNSDOMAIN'] + '.')
207 except RuntimeError as e:
208 os.unlink(ccachename)
212 class dnsobj(object):
213 """an object to hold a parsed DNS line"""
215 def __init__(self, string_form):
216 list = string_form.split()
218 raise Exception("Invalid DNS entry %r" % string_form)
222 self.existing_port = None
223 self.existing_weight = None
224 self.existing_cname_target = None
233 self.nameservers = []
234 if self.type == 'SRV':
236 raise Exception("Invalid DNS entry %r" % string_form)
239 elif self.type in ['A', 'AAAA']:
240 self.ip = list[2] # usually $IP, which gets replaced
241 elif self.type == 'CNAME':
243 elif self.type == 'NS':
246 raise Exception("Received unexpected DNS reply of type %s: %s" % (self.type, string_form))
250 return "%s %s %s" % (self.type, self.name, self.ip)
251 if self.type == "AAAA":
252 return "%s %s %s" % (self.type, self.name, self.ip)
253 if self.type == "SRV":
254 return "%s %s %s %s" % (self.type, self.name, self.dest, self.port)
255 if self.type == "CNAME":
256 return "%s %s %s" % (self.type, self.name, self.dest)
257 if self.type == "NS":
258 return "%s %s %s" % (self.type, self.name, self.dest)
261 def parse_dns_line(line, sub_vars):
262 """parse a DNS line from."""
263 if line.startswith("SRV _ldap._tcp.pdc._msdcs.") and not samdb.am_pdc():
264 # We keep this as compat to the dns_update_list of 4.0/4.1
266 print("Skipping PDC entry (%s) as we are not a PDC" % line)
268 subline = samba.substitute_var(line, sub_vars)
269 if subline == '' or subline[0] == "#":
271 return dnsobj(subline)
274 def hostname_match(h1, h2):
275 """see if two hostnames match."""
278 return h1.lower().rstrip('.') == h2.lower().rstrip('.')
280 def get_resolver(d=None):
281 resolv_conf = os.getenv('RESOLV_CONF')
283 resolv_conf = '/etc/resolv.conf'
284 resolver = dns.resolver.Resolver(filename=resolv_conf, configure=True)
286 if d is not None and d.nameservers != []:
287 resolver.nameservers = d.nameservers
291 def check_one_dns_name(name, name_type, d=None):
292 resolver = get_resolver(d)
293 if d is not None and len(d.nameservers) == 0:
294 d.nameservers = resolver.nameservers
296 ans = resolver.query(name, name_type)
299 def check_dns_name(d):
300 """check that a DNS entry exists."""
301 normalised_name = d.name.rstrip('.') + '.'
303 print("Looking for DNS entry %s as %s" % (d, normalised_name))
305 if opts.use_file is not None:
307 dns_file = open(opts.use_file, "r")
311 for line in dns_file:
313 if line == '' or line[0] == "#":
315 if line.lower() == str(d).lower():
320 ans = check_one_dns_name(normalised_name, d.type, d)
321 except dns.exception.Timeout:
322 raise Exception("Timeout while waiting to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
323 except dns.resolver.NoNameservers:
324 raise Exception("Unable to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
325 except dns.resolver.NXDOMAIN:
327 print("The DNS entry %s, queried as %s does not exist" % (d, normalised_name))
329 except dns.resolver.NoAnswer:
331 print("The DNS entry %s, queried as %s does not hold this record type" % (d, normalised_name))
333 except dns.exception.DNSException:
334 raise Exception("Failure while trying to resolve %s as %s" % (d, normalised_name))
335 if d.type in ['A', 'AAAA']:
336 # we need to be sure that our IP is there
338 if str(rdata) == str(d.ip):
340 elif d.type == 'CNAME':
341 for i in range(len(ans)):
342 if hostname_match(ans[i].target, d.dest):
345 d.existing_cname_target = str(ans[i].target)
347 for i in range(len(ans)):
348 if hostname_match(ans[i].target, d.dest):
350 elif d.type == 'SRV':
353 print("Checking %s against %s" % (rdata, d))
354 if hostname_match(rdata.target, d.dest):
355 if str(rdata.port) == str(d.port):
358 d.existing_port = str(rdata.port)
359 d.existing_weight = str(rdata.weight)
362 print("Lookup of %s succeeded, but we failed to find a matching DNS entry for %s" % (normalised_name, d))
367 def get_subst_vars(samdb):
368 """get the list of substitution vars."""
372 vars['DNSDOMAIN'] = samdb.domain_dns_name()
373 vars['DNSFOREST'] = samdb.forest_dns_name()
374 vars['HOSTNAME'] = samdb.host_dns_name()
375 vars['NTDSGUID'] = samdb.get_ntds_GUID()
376 vars['SITE'] = samdb.server_site_name()
377 res = samdb.search(base=samdb.get_default_basedn(), scope=SCOPE_BASE, attrs=["objectGUID"])
378 guid = samdb.schema_format_value("objectGUID", res[0]['objectGUID'][0])
379 vars['DOMAINGUID'] = get_string(guid)
382 vars['IF_RWDC'] = "# "
383 vars['IF_RODC'] = "# "
384 vars['IF_PDC'] = "# "
386 vars['IF_RWGC'] = "# "
387 vars['IF_ROGC'] = "# "
388 vars['IF_DNS_DOMAIN'] = "# "
389 vars['IF_RWDNS_DOMAIN'] = "# "
390 vars['IF_RODNS_DOMAIN'] = "# "
391 vars['IF_DNS_FOREST'] = "# "
392 vars['IF_RWDNS_FOREST'] = "# "
393 vars['IF_R0DNS_FOREST'] = "# "
395 am_rodc = samdb.am_rodc()
404 # check if we "are DNS server"
405 res = samdb.search(base=samdb.get_config_basedn(),
406 expression='(objectguid=%s)' % vars['NTDSGUID'],
407 attrs=["options", "msDS-hasMasterNCs"])
410 if "options" in res[0]:
411 options = int(res[0]["options"][0])
412 if (options & dsdb.DS_NTDSDSA_OPT_IS_GC) != 0:
419 basedn = str(samdb.get_default_basedn())
420 forestdn = str(samdb.get_root_basedn())
422 if "msDS-hasMasterNCs" in res[0]:
423 for e in res[0]["msDS-hasMasterNCs"]:
424 if str(e) == "DC=DomainDnsZones,%s" % basedn:
425 vars['IF_DNS_DOMAIN'] = ""
427 vars['IF_RODNS_DOMAIN'] = ""
429 vars['IF_RWDNS_DOMAIN'] = ""
430 if str(e) == "DC=ForestDnsZones,%s" % forestdn:
431 vars['IF_DNS_FOREST'] = ""
433 vars['IF_RODNS_FOREST'] = ""
435 vars['IF_RWDNS_FOREST'] = ""
440 def call_nsupdate(d, op="add"):
441 """call nsupdate for an entry."""
442 global ccachename, nsupdate_cmd, krb5conf
444 assert(op in ["add", "delete"])
447 print("Calling nsupdate for %s (%s)" % (d, op))
449 if opts.use_file is not None:
451 rfile = open(opts.use_file, 'r+')
454 rfile = open(opts.use_file, 'w+')
455 # Open it for reading again, in case someone else got to it first
456 rfile = open(opts.use_file, 'r+')
457 fcntl.lockf(rfile, fcntl.LOCK_EX)
458 (file_dir, file_name) = os.path.split(opts.use_file)
459 (tmp_fd, tmpfile) = tempfile.mkstemp(dir=file_dir, prefix=file_name, suffix="XXXXXX")
460 wfile = os.fdopen(tmp_fd, 'a')
464 l = parse_dns_line(line, {})
465 if str(l).lower() == str(d).lower():
469 wfile.write(str(d)+"\n")
470 os.rename(tmpfile, opts.use_file)
471 fcntl.lockf(rfile, fcntl.LOCK_UN)
474 normalised_name = d.name.rstrip('.') + '.'
476 (tmp_fd, tmpfile) = tempfile.mkstemp()
477 f = os.fdopen(tmp_fd, 'w')
479 resolver = get_resolver(d)
481 # Local the zone for this name
482 zone = dns.resolver.zone_for_name(normalised_name,
485 # Now find the SOA, or if we can't get a ticket to the SOA,
486 # any server with an NS record we can get a ticket for.
488 # Thanks to the Kerberos Credentials cache this is not
489 # expensive inside the loop
490 server = get_krb5_rw_dns_server(creds, zone)
491 f.write('server %s\n' % server)
494 f.write("update %s %s %u A %s\n" % (op, normalised_name, default_ttl, d.ip))
496 f.write("update %s %s %u AAAA %s\n" % (op, normalised_name, default_ttl, d.ip))
498 if op == "add" and d.existing_port is not None:
499 f.write("update delete %s SRV 0 %s %s %s\n" % (normalised_name, d.existing_weight,
500 d.existing_port, d.dest))
501 f.write("update %s %s %u SRV 0 100 %s %s\n" % (op, normalised_name, default_ttl, d.port, d.dest))
502 if d.type == "CNAME":
503 f.write("update %s %s %u CNAME %s\n" % (op, normalised_name, default_ttl, d.dest))
505 f.write("update %s %s %u NS %s\n" % (op, normalised_name, default_ttl, d.dest))
511 # Set a bigger MTU size to work around a bug in nsupdate's doio_send()
512 os.environ["SOCKET_WRAPPER_MTU"] = "2000"
516 os.environ["KRB5CCNAME"] = ccachename
518 cmd = nsupdate_cmd[:]
522 env["KRB5_CONFIG"] = krb5conf
524 env["KRB5CCNAME"] = ccachename
525 ret = subprocess.call(cmd, shell=False, env=env)
527 if opts.fail_immediately:
529 print("Failed update with %s" % tmpfile)
531 error_count = error_count + 1
533 print("Failed nsupdate: %d" % ret)
534 except Exception as estr:
535 if opts.fail_immediately:
537 error_count = error_count + 1
539 print("Failed nsupdate: %s : %s" % (str(d), estr))
542 # Let socket_wrapper set the default MTU size
543 os.environ["SOCKET_WRAPPER_MTU"] = "0"
546 def call_samba_tool(d, op="add", zone=None):
547 """call samba-tool dns to update an entry."""
549 assert(op in ["add", "delete"])
551 if (sub_vars['DNSFOREST'] != sub_vars['DNSDOMAIN']) and \
552 sub_vars['DNSFOREST'].endswith('.' + sub_vars['DNSDOMAIN']):
553 print("Refusing to use samba-tool when forest %s is under domain %s" \
554 % (sub_vars['DNSFOREST'], sub_vars['DNSDOMAIN']))
557 print("Calling samba-tool dns for %s (%s)" % (d, op))
559 normalised_name = d.name.rstrip('.') + '.'
561 if normalised_name == (sub_vars['DNSDOMAIN'] + '.'):
563 zone = sub_vars['DNSDOMAIN']
564 elif normalised_name == (sub_vars['DNSFOREST'] + '.'):
566 zone = sub_vars['DNSFOREST']
567 elif normalised_name == ('_msdcs.' + sub_vars['DNSFOREST'] + '.'):
569 zone = '_msdcs.' + sub_vars['DNSFOREST']
571 if not normalised_name.endswith('.' + sub_vars['DNSDOMAIN'] + '.'):
572 print("Not Calling samba-tool dns for %s (%s), %s not in %s" % (d, op, normalised_name, sub_vars['DNSDOMAIN'] + '.'))
574 elif normalised_name.endswith('._msdcs.' + sub_vars['DNSFOREST'] + '.'):
575 zone = '_msdcs.' + sub_vars['DNSFOREST']
577 zone = sub_vars['DNSDOMAIN']
578 len_zone = len(zone)+2
579 short_name = normalised_name[:-len_zone]
581 len_zone = len(zone)+2
582 short_name = normalised_name[:-len_zone]
585 args = [rpc_server_ip, zone, short_name, "A", d.ip]
587 args = [rpc_server_ip, zone, short_name, "AAAA", d.ip]
589 if op == "add" and d.existing_port is not None:
590 print("Not handling modify of exising SRV %s using samba-tool" % d)
593 args = [rpc_server_ip, zone, short_name, "SRV",
594 "%s %s %s %s" % (d.existing_weight,
595 d.existing_port, "0", "100"),
596 "%s %s %s %s" % (d.dest, d.port, "0", "100")]
598 args = [rpc_server_ip, zone, short_name, "SRV", "%s %s %s %s" % (d.dest, d.port, "0", "100")]
599 if d.type == "CNAME":
600 if d.existing_cname_target is None:
601 args = [rpc_server_ip, zone, short_name, "CNAME", d.dest]
604 args = [rpc_server_ip, zone, short_name, "CNAME",
605 d.existing_cname_target.rstrip('.'), d.dest]
608 args = [rpc_server_ip, zone, short_name, "NS", d.dest]
610 if smb_conf and args:
611 args += ["--configfile=" + smb_conf]
617 print("Calling samba-tool dns %s -k no -P %s" % (op, args))
618 ret = cmd._run("dns", op, "-k", "no", "-P", *args)
620 if opts.fail_immediately:
622 error_count = error_count + 1
624 print("Failed 'samba-tool dns' based update of %s" % (str(d)))
625 except Exception as estr:
626 if opts.fail_immediately:
628 error_count = error_count + 1
630 print("Failed 'samba-tool dns' based update: %s : %s" % (str(d), estr))
633 def rodc_dns_update(d, t, op):
634 '''a single DNS update via the RODC netlogon call'''
637 assert(op in ["add", "delete"])
640 print("Calling netlogon RODC update for %s" % d)
643 netlogon.NlDnsLdapAtSite : netlogon.NlDnsInfoTypeNone,
644 netlogon.NlDnsGcAtSite : netlogon.NlDnsDomainNameAlias,
645 netlogon.NlDnsDsaCname : netlogon.NlDnsDomainNameAlias,
646 netlogon.NlDnsKdcAtSite : netlogon.NlDnsInfoTypeNone,
647 netlogon.NlDnsDcAtSite : netlogon.NlDnsInfoTypeNone,
648 netlogon.NlDnsRfc1510KdcAtSite : netlogon.NlDnsInfoTypeNone,
649 netlogon.NlDnsGenericGcAtSite : netlogon.NlDnsDomainNameAlias
652 w = winbind.winbind("irpc:winbind_server", lp)
653 dns_names = netlogon.NL_DNS_NAME_INFO_ARRAY()
655 name = netlogon.NL_DNS_NAME_INFO()
657 name.dns_domain_info_type = typemap[t]
660 if d.port is not None:
661 name.port = int(d.port)
663 name.dns_register = True
665 name.dns_register = False
666 dns_names.names = [ name ]
667 site_name = text_type(sub_vars['SITE'])
672 ret_names = w.DsrUpdateReadOnlyServerDnsRecords(site_name, default_ttl, dns_names)
673 if ret_names.names[0].status != 0:
674 print("Failed to set DNS entry: %s (status %u)" % (d, ret_names.names[0].status))
675 error_count = error_count + 1
676 except RuntimeError as reason:
677 print("Error setting DNS entry of type %u: %s: %s" % (t, d, reason))
678 error_count = error_count + 1
680 if error_count != 0 and opts.fail_immediately:
684 def call_rodc_update(d, op="add"):
685 '''RODCs need to use the netlogon API for nsupdate'''
688 assert(op in ["add", "delete"])
690 # we expect failure for 3268 if we aren't a GC
691 if d.port is not None and int(d.port) == 3268:
694 # map the DNS request to a netlogon update type
696 netlogon.NlDnsLdapAtSite : '_ldap._tcp.${SITE}._sites.${DNSDOMAIN}',
697 netlogon.NlDnsGcAtSite : '_ldap._tcp.${SITE}._sites.gc._msdcs.${DNSDOMAIN}',
698 netlogon.NlDnsDsaCname : '${NTDSGUID}._msdcs.${DNSFOREST}',
699 netlogon.NlDnsKdcAtSite : '_kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}',
700 netlogon.NlDnsDcAtSite : '_ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}',
701 netlogon.NlDnsRfc1510KdcAtSite : '_kerberos._tcp.${SITE}._sites.${DNSDOMAIN}',
702 netlogon.NlDnsGenericGcAtSite : '_gc._tcp.${SITE}._sites.${DNSFOREST}'
706 subname = samba.substitute_var(map[t], sub_vars)
707 if subname.lower() == d.name.lower():
708 # found a match - do the update
709 rodc_dns_update(d, t, op)
712 print("Unable to map to netlogon DNS update: %s" % d)
715 # get the list of DNS entries we should have
717 dns_update_list = opts.update_list
719 dns_update_list = lp.private_path('dns_update_list')
721 if opts.update_cache:
722 dns_update_cache = opts.update_cache
724 dns_update_cache = lp.private_path('dns_update_cache')
727 # only change the krb5.conf if we are not in selftest
728 if 'SOCKET_WRAPPER_DIR' not in os.environ:
729 # use our private krb5.conf to avoid problems with the wrong domain
730 # bind9 nsupdate wants the default domain set
731 krb5conf = lp.private_path('krb5.conf')
732 os.environ['KRB5_CONFIG'] = krb5conf
734 file = open(dns_update_list, "r")
739 samdb = SamDB(url=lp.samdb_url(), session_info=system_session(), lp=lp)
741 # get the substitution dictionary
742 sub_vars = get_subst_vars(samdb)
744 # build up a list of update commands to pass to nsupdate
753 rebuild_cache = False
755 cfile = open(dns_update_cache, 'r+')
758 cfile = open(dns_update_cache, 'w+')
759 # Open it for reading again, in case someone else got to it first
760 cfile = open(dns_update_cache, 'r+')
761 fcntl.lockf(cfile, fcntl.LOCK_EX)
764 if line == '' or line[0] == "#":
766 c = parse_dns_line(line, {})
769 if str(c) not in cache_set:
771 cache_set.add(str(c))
773 site_specific_rec = []
775 # read each line, and check that the DNS name exists
779 if '${SITE}' in line:
780 site_specific_rec.append(line)
782 if line == '' or line[0] == "#":
784 d = parse_dns_line(line, sub_vars)
787 if d.type == 'A' and len(IP4s) == 0:
789 if d.type == 'AAAA' and len(IP6s) == 0:
791 if str(d) not in dup_set:
795 # Perform automatic site coverage by default
798 if not am_rodc and auto_coverage:
799 site_names = kcc_utils.uncovered_sites_to_cover(samdb,
800 samdb.server_site_name())
802 # Duplicate all site specific records for the uncovered site
803 for site in site_names:
804 to_add = [samba.substitute_var(line, {'SITE': site})
805 for line in site_specific_rec]
807 for site_line in to_add:
808 d = parse_dns_line(site_line,
810 if d is not None and str(d) not in dup_set:
814 # now expand the entries, if any are A record with ip set to $IP
815 # then replace with multiple entries, one for each interface IP
821 for i in range(len(IP4s)-1):
827 for i in range(len(IP6s)-1):
832 # now check if the entries already exist on the DNS server
836 if str(c).lower() == str(d).lower():
842 print("need cache add: %s" % d)
843 if dns_zone_scavenging:
844 update_list.append(d)
846 print("scavenging requires update: %s" % d)
848 update_list.append(d)
850 print("force update: %s" % d)
851 elif not check_dns_name(d):
852 update_list.append(d)
854 print("need update: %s" % d)
859 if str(c).lower() == str(d).lower():
866 print("need cache remove: %s" % c)
867 if not opts.all_names and not check_dns_name(c):
869 delete_list.append(c)
871 print("need delete: %s" % c)
873 if len(delete_list) == 0 and len(update_list) == 0 and not rebuild_cache:
875 print("No DNS updates needed")
879 print("%d DNS updates and %d DNS deletes needed" % (len(update_list), len(delete_list)))
881 use_samba_tool = opts.use_samba_tool
882 use_nsupdate = opts.use_nsupdate
884 if len(delete_list) != 0 or len(update_list) != 0 and not opts.nocreds:
886 creds = get_credentials(lp)
887 except RuntimeError as e:
890 if sub_vars['IF_RWDNS_DOMAIN'] == "# ":
896 print("Failed to get Kerberos credentials, falling back to samba-tool: %s" % e)
897 use_samba_tool = True
900 # ask nsupdate to delete entries as needed
901 for d in delete_list:
902 if d.rpc or (not use_nsupdate and use_samba_tool):
904 print("update (samba-tool): %s" % d)
905 call_samba_tool(d, op="delete", zone=d.zone)
908 if d.name.lower() == domain.lower():
910 print("skip delete (rodc): %s" % d)
912 if not d.type in [ 'A', 'AAAA' ]:
914 print("delete (rodc): %s" % d)
915 call_rodc_update(d, op="delete")
918 print("delete (nsupdate): %s" % d)
919 call_nsupdate(d, op="delete")
922 print("delete (nsupdate): %s" % d)
923 call_nsupdate(d, op="delete")
925 # ask nsupdate to add entries as needed
926 for d in update_list:
927 if d.rpc or (not use_nsupdate and use_samba_tool):
929 print("update (samba-tool): %s" % d)
930 call_samba_tool(d, zone=d.zone)
933 if d.name.lower() == domain.lower():
935 print("skip (rodc): %s" % d)
937 if not d.type in [ 'A', 'AAAA' ]:
939 print("update (rodc): %s" % d)
943 print("update (nsupdate): %s" % d)
947 print("update(nsupdate): %s" % d)
951 print("Rebuilding cache at %s" % dns_update_cache)
952 (file_dir, file_name) = os.path.split(dns_update_cache)
953 (tmp_fd, tmpfile) = tempfile.mkstemp(dir=file_dir, prefix=file_name, suffix="XXXXXX")
954 wfile = os.fdopen(tmp_fd, 'a')
957 print("Adding %s to %s" % (str(d), file_name))
958 wfile.write(str(d)+"\n")
959 os.rename(tmpfile, dns_update_cache)
960 fcntl.lockf(cfile, fcntl.LOCK_UN)
962 # delete the ccache if we created it
963 if ccachename is not None:
964 os.unlink(ccachename)
967 print("Failed update of %u entries" % error_count)
968 sys.exit(error_count)