s4-samba_upgradedns: Do not set DNS account for internal server
authorAndrew Bartlett <abartlet@samba.org>
Sun, 24 Jun 2012 10:52:06 +0000 (20:52 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Sun, 24 Jun 2012 14:26:41 +0000 (00:26 +1000)
The internal DNS server does not need the samba-only NAME-dns
account.

Andrew Bartlett

source4/scripting/bin/samba_upgradedns

index 831b81d06d3dc89129bfac6c46098ff0b94a1cfc..c1220bcc264d2c242e4f091b73c057aba5a452b7 100755 (executable)
@@ -421,41 +421,41 @@ if __name__ == '__main__':
     except Exception:
         raise
 
-    # Check if dns-HOSTNAME account exists and create it if required
-    try:
-        dn = 'samAccountName=dns-%s,CN=Principals' % hostname
-        msg = ldbs.secrets.search(expression='(dn=%s)' % dn, attrs=['secret'])
-        dnssecret = msg[0]['secret'][0]
-    except Exception:
-        logger.info("Adding dns-%s account" % hostname)
-
+    # Special stuff for DLZ backend
+    if opts.dns_backend == "BIND9_DLZ":
+        # Check if dns-HOSTNAME account exists and create it if required
         try:
-            msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
-                                  expression='(sAMAccountName=dns-%s)' % (hostname),
-                                  attrs=['clearTextPassword'])
-            dn = msg[0].dn
-            ldbs.sam.delete(dn)
+            dn = 'samAccountName=dns-%s,CN=Principals' % hostname
+            msg = ldbs.secrets.search(expression='(dn=%s)' % dn, attrs=['secret'])
+            dnssecret = msg[0]['secret'][0]
         except Exception:
-            pass
-
-        dnspass = samba.generate_random_password(128, 255)
-        setup_add_ldif(ldbs.sam, setup_path("provision_dns_add_samba.ldif"), {
-                       "DNSDOMAIN": dnsdomain,
-                       "DOMAINDN": domaindn,
-                       "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')),
-                       "HOSTNAME" : hostname,
-                       "DNSNAME" : dnsname }
-                       )
-
-        secretsdb_setup_dns(ldbs.secrets, names,
-                            paths.private_dir, realm=names.realm,
-                            dnsdomain=names.dnsdomain,
-                            dns_keytab_path=paths.dns_keytab, dnspass=dnspass)
-    else:
-        logger.info("dns-%s account already exists" % hostname)
+            logger.info("Adding dns-%s account" % hostname)
+
+            try:
+                msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
+                                      expression='(sAMAccountName=dns-%s)' % (hostname),
+                                      attrs=['clearTextPassword'])
+                dn = msg[0].dn
+                ldbs.sam.delete(dn)
+            except Exception:
+                pass
+
+            dnspass = samba.generate_random_password(128, 255)
+            setup_add_ldif(ldbs.sam, setup_path("provision_dns_add_samba.ldif"), {
+                    "DNSDOMAIN": dnsdomain,
+                    "DOMAINDN": domaindn,
+                    "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')),
+                    "HOSTNAME" : hostname,
+                    "DNSNAME" : dnsname }
+                           )
+
+            secretsdb_setup_dns(ldbs.secrets, names,
+                                paths.private_dir, realm=names.realm,
+                                dnsdomain=names.dnsdomain,
+                                dns_keytab_path=paths.dns_keytab, dnspass=dnspass)
+        else:
+            logger.info("dns-%s account already exists" % hostname)
 
-    # Special stuff for DLZ backend
-    if opts.dns_backend == "BIND9_DLZ":
         # This forces a re-creation of dns directory and all the files within
         # It's an overkill, but it's easier to re-create a samdb copy, rather
         # than trying to fix a broken copy.
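Review bot: The new guard `if opts.dns_backend == "BIND9_DLZ":` skips the dns-HOSTNAME account for every backend other than DLZ, which is stricter than the commit title's "internal server"; if the BIND9_FLATFILE backend also relies on the dns keytab that secretsdb_setup_dns writes (not visible here, so unconfirmed), the condition should read `if opts.dns_backend in ("BIND9_DLZ", "BIND9_FLATFILE"):`. Within the moved block the `except Exception:` after the secrets search treats any ldb failure, not only a missing entry, as "account missing" and then deletes the SAM object and generates a fresh password, which silently rotates the credential a running BIND may already hold; narrowing it to the lookup miss (`except (IndexError, KeyError, ldb.LdbError):`) would keep an unrelated error from triggering that path. `dnssecret` is assigned from `msg[0]['secret'][0]` but never read, so the lookup's result is only used as a presence probe; a short comment such as `# only probing for existence; the secret value itself is not needed` would make that deliberate. The inner `except Exception: pass` around `ldbs.sam.delete(dn)` hides a failed deletion that would then make setup_add_ldif collide with the stale account; logging it with `logger.warning` rather than `pass` would expose that. The enclosing `if __name__ == '__main__':` block starts before and continues after this hunk.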