samba_upgradedns: Set correct permissions on secrets.keytab for BIND9
authorAndrew Bartlett <abartlet@samba.org>
Thu, 26 Nov 2015 00:57:36 +0000 (13:57 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 15 Dec 2015 07:42:20 +0000 (08:42 +0100)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
source4/scripting/bin/samba_upgradedns

index f57ff7296300dbd1d333fa0dd12b84678119c85e..596371226ae52fd9968209e3d12791a3ebde3aee 100755 (executable)
@@ -446,9 +446,20 @@ if __name__ == '__main__':
                                 dnsdomain=names.dnsdomain,
                                 dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
                                 key_version_number=dns_key_version_number)
+
         else:
             logger.info("dns-%s account already exists" % hostname)
 
+        dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
+        if os.path.isfile(dns_keytab_path) and paths.bind_gid is not None:
+            try:
+                os.chmod(dns_keytab_path, 0640)
+                os.chown(dns_keytab_path, -1, paths.bind_gid)
+            except OSError:
+                if not os.environ.has_key('SAMBA_SELFTEST'):
+                    logger.info("Failed to chown %s to bind gid %u",
+                                dns_keytab_path, paths.bind_gid)
+
         # This forces a re-creation of dns directory and all the files within
         # It's an overkill, but it's easier to re-create a samdb copy, rather
         # than trying to fix a broken copy.
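Review bot: In the added block after the `else:` branch, `os.chmod(dns_keytab_path, 0640)` runs before `os.chown(dns_keytab_path, -1, paths.bind_gid)`, so if the chown raises, the keytab is left group-readable by whatever group it already had rather than by the BIND group. Calling `os.chown(...)` first and `os.chmod(...)` second grants group read only once the group is the intended one. The `except OSError` handler also reports "Failed to chown" when it may have been the chmod that failed, and only at info level; something like `logger.warning("Failed to set group/mode on %s for bind gid %u", dns_keytab_path, paths.bind_gid)` would make a keytab left in a half-applied state easier to spot. The enclosing `if __name__ == '__main__':` block starts and ends outside the hunk.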