3
# update our DNS names using TSIG-GSS
5
# Copyright (C) Andrew Tridgell 2010
7
# This program is free software; you can redistribute it and/or modify
8
# it under the terms of the GNU General Public License as published by
9
# the Free Software Foundation; either version 3 of the License, or
10
# (at your option) any later version.
12
# This program is distributed in the hope that it will be useful,
13
# but WITHOUT ANY WARRANTY; without even the implied warranty of
14
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
# GNU General Public License for more details.
17
# You should have received a copy of the GNU General Public License
18
# along with this program. If not, see <http://www.gnu.org/licenses/>.
27
# ensure we get messages out immediately, so they get in the samba logs,
28
# and don't get swallowed by a timeout
29
os.environ['PYTHONUNBUFFERED'] = '1'
31
# forcing GMT avoids a problem in some timezones with kerberos. Both MIT
32
# heimdal can get mutual authentication errors due to the 24 second difference
33
# between UTC and GMT when using some zone files (eg. the PDT zone from
35
os.environ["TZ"] = "GMT"
37
# Find right directory when running from source tree
38
sys.path.insert(0, "bin/python")
42
from samba import getopt as options
43
from ldb import SCOPE_BASE
44
from samba.auth import system_session
45
from samba.samdb import SamDB
46
from samba.dcerpc import netlogon, winbind
48
samba.ensure_external_module("dns", "dnspython")
56
parser = optparse.OptionParser("samba_dnsupdate")
57
sambaopts = options.SambaOptions(parser)
58
parser.add_option_group(sambaopts)
59
parser.add_option_group(options.VersionOptions(parser))
60
parser.add_option("--verbose", action="store_true")
61
parser.add_option("--all-names", action="store_true")
62
parser.add_option("--all-interfaces", action="store_true")
63
parser.add_option("--use-file", type="string", help="Use a file, rather than real DNS calls")
64
parser.add_option("--update-list", type="string", help="Add DNS names from the given file")
65
parser.add_option("--fail-immediately", action='store_true', help="Exit on first failure")
70
opts, args = parser.parse_args()
76
lp = sambaopts.get_loadparm()
78
domain = lp.get("realm")
79
host = lp.get("netbios name")
80
if opts.all_interfaces:
83
all_interfaces = False
85
IPs = samba.interface_ips(lp, all_interfaces)
86
nsupdate_cmd = lp.get('nsupdate command')
89
print "No IP interfaces - skipping DNS updates"
95
########################################################
96
# get credentials if we haven't got them already
97
def get_credentials(lp):
98
from samba import credentials
99
global ccachename, creds
100
if creds is not None:
102
creds = credentials.Credentials()
104
creds.set_machine_account(lp)
105
creds.set_krb_forwardable(credentials.NO_KRB_FORWARDABLE)
106
(tmp_fd, ccachename) = tempfile.mkstemp()
107
creds.get_named_ccache(lp, ccachename)
110
#############################################
111
# an object to hold a parsed DNS line
112
class dnsobj(object):
113
def __init__(self, string_form):
114
list = string_form.split()
118
self.existing_port = None
119
self.existing_weight = None
121
self.name = list[1].lower()
122
if self.type == 'SRV':
123
self.dest = list[2].lower()
125
elif self.type == 'A':
126
self.ip = list[2] # usually $IP, which gets replaced
127
elif self.type == 'CNAME':
128
self.dest = list[2].lower()
130
print "Received unexpected DNS reply of type %s" % self.type
134
if d.type == "A": return "%s %s %s" % (self.type, self.name, self.ip)
135
if d.type == "SRV": return "%s %s %s %s" % (self.type, self.name, self.dest, self.port)
136
if d.type == "CNAME": return "%s %s %s" % (self.type, self.name, self.dest)
139
################################################
140
# parse a DNS line from
141
def parse_dns_line(line, sub_vars):
142
subline = samba.substitute_var(line, sub_vars)
146
############################################
147
# see if two hostnames match
148
def hostname_match(h1, h2):
151
return h1.lower().rstrip('.') == h2.lower().rstrip('.')
154
############################################
155
# check that a DNS entry exists
156
def check_dns_name(d):
157
normalised_name = d.name.rstrip('.') + '.'
159
print "Looking for DNS entry %s as %s" % (d, normalised_name)
161
if opts.use_file is not None:
163
dns_file = open(opts.use_file, "r")
167
for line in dns_file:
169
if line == '' or line[0] == "#":
171
if line.lower() == str(d).lower():
176
ans = dns.resolver.query(normalised_name, d.type)
177
except dns.exception.DNSException:
179
print "Failed to find DNS entry %s" % d
182
# we need to be sure that our IP is there
184
if str(rdata) == str(d.ip):
186
if d.type == 'CNAME':
187
for i in range(len(ans)):
188
if hostname_match(ans[i].target, d.dest):
193
print "Checking %s against %s" % (rdata, d)
194
if hostname_match(rdata.target, d.dest):
195
if str(rdata.port) == str(d.port):
198
d.existing_port = str(rdata.port)
199
d.existing_weight = str(rdata.weight)
202
print "Failed to find matching DNS entry %s" % d
207
###########################################
208
# get the list of substitution vars
209
def get_subst_vars():
213
samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
216
vars['DNSDOMAIN'] = lp.get('realm').lower()
217
vars['DNSFOREST'] = lp.get('realm').lower()
218
vars['HOSTNAME'] = lp.get('netbios name').lower() + "." + vars['DNSDOMAIN']
219
vars['NTDSGUID'] = samdb.get_ntds_GUID()
220
vars['SITE'] = samdb.server_site_name()
221
res = samdb.search(base=None, scope=SCOPE_BASE, attrs=["objectGUID"])
222
guid = samdb.schema_format_value("objectGUID", res[0]['objectGUID'][0])
223
vars['DOMAINGUID'] = guid
224
am_rodc = samdb.am_rodc()
229
############################################
230
# call nsupdate for an entry
231
def call_nsupdate(d):
232
global ccachename, nsupdate_cmd
235
print "Calling nsupdate for %s" % d
237
if opts.use_file is not None:
238
wfile = open(opts.use_file, 'a')
239
fcntl.lockf(wfile, fcntl.LOCK_EX)
240
wfile.write(str(d)+"\n")
241
fcntl.lockf(wfile, fcntl.LOCK_UN)
244
normalised_name = d.name.rstrip('.') + '.'
246
(tmp_fd, tmpfile) = tempfile.mkstemp()
247
f = os.fdopen(tmp_fd, 'w')
249
f.write("update add %s %u A %s\n" % (normalised_name, default_ttl, d.ip))
251
if d.existing_port is not None:
252
f.write("update delete %s SRV 0 %s %s %s\n" % (normalised_name, d.existing_weight,
253
d.existing_port, d.dest))
254
f.write("update add %s %u SRV 0 100 %s %s\n" % (normalised_name, default_ttl, d.port, d.dest))
255
if d.type == "CNAME":
256
f.write("update add %s %u CNAME %s\n" % (normalised_name, default_ttl, d.dest))
262
os.environ["KRB5CCNAME"] = ccachename
264
cmd = nsupdate_cmd[:]
266
subprocess.check_call(cmd, shell=False)
267
except Exception, estr:
269
if opts.fail_immediately:
271
error_count = error_count + 1
273
print("Failed nsupdate: %s : %s" % (str(d), estr))
278
def rodc_dns_update(d, t):
279
'''a single DNS update via the RODC netlogon call'''
283
print "Calling netlogon RODC update for %s" % d
286
netlogon.NlDnsLdapAtSite : netlogon.NlDnsInfoTypeNone,
287
netlogon.NlDnsGcAtSite : netlogon.NlDnsDomainNameAlias,
288
netlogon.NlDnsDsaCname : netlogon.NlDnsDomainNameAlias,
289
netlogon.NlDnsKdcAtSite : netlogon.NlDnsInfoTypeNone,
290
netlogon.NlDnsDcAtSite : netlogon.NlDnsInfoTypeNone,
291
netlogon.NlDnsRfc1510KdcAtSite : netlogon.NlDnsInfoTypeNone,
292
netlogon.NlDnsGenericGcAtSite : netlogon.NlDnsDomainNameAlias
295
w = winbind.winbind("irpc:winbind_server", lp)
296
dns_names = netlogon.NL_DNS_NAME_INFO_ARRAY()
298
name = netlogon.NL_DNS_NAME_INFO()
300
name.dns_domain_info_type = typemap[t]
303
if d.port is not None:
304
name.port = int(d.port)
305
name.dns_register = True
306
dns_names.names = [ name ]
307
site_name = sub_vars['SITE'].decode('utf-8')
312
ret_names = w.DsrUpdateReadOnlyServerDnsRecords(site_name, default_ttl, dns_names)
313
if ret_names.names[0].status != 0:
314
print("Failed to set DNS entry: %s (status %u)" % (d, ret_names.names[0].status))
315
error_count = error_count + 1
316
except RuntimeError, reason:
317
print("Error setting DNS entry of type %u: %s: %s" % (t, d, reason))
318
error_count = error_count + 1
320
if error_count != 0 and opts.fail_immediately:
324
def call_rodc_update(d):
325
'''RODCs need to use the netlogon API for nsupdate'''
328
# we expect failure for 3268 if we aren't a GC
329
if d.port is not None and int(d.port) == 3268:
332
# map the DNS request to a netlogon update type
334
netlogon.NlDnsLdapAtSite : '_ldap._tcp.${SITE}._sites.${DNSDOMAIN}',
335
netlogon.NlDnsGcAtSite : '_ldap._tcp.${SITE}._sites.gc._msdcs.${DNSDOMAIN}',
336
netlogon.NlDnsDsaCname : '${NTDSGUID}._msdcs.${DNSFOREST}',
337
netlogon.NlDnsKdcAtSite : '_kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}',
338
netlogon.NlDnsDcAtSite : '_ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}',
339
netlogon.NlDnsRfc1510KdcAtSite : '_kerberos._tcp.${SITE}._sites.${DNSDOMAIN}',
340
netlogon.NlDnsGenericGcAtSite : '_gc._tcp.${SITE}._sites.${DNSFOREST}'
344
subname = samba.substitute_var(map[t], sub_vars)
345
if subname.lower() == d.name.lower():
346
# found a match - do the update
347
rodc_dns_update(d, t)
350
print("Unable to map to netlogon DNS update: %s" % d)
353
# get the list of DNS entries we should have
355
dns_update_list = opts.update_list
357
dns_update_list = lp.private_path('dns_update_list')
359
# use our private krb5.conf to avoid problems with the wrong domain
360
# bind9 nsupdate wants the default domain set
361
krb5conf = lp.private_path('krb5.conf')
362
os.environ['KRB5_CONFIG'] = krb5conf
364
file = open(dns_update_list, "r")
366
# get the substitution dictionary
367
sub_vars = get_subst_vars()
369
# build up a list of update commands to pass to nsupdate
373
# read each line, and check that the DNS name exists
376
if line == '' or line[0] == "#":
378
d = parse_dns_line(line, sub_vars)
381
# now expand the entries, if any are A record with ip set to $IP
382
# then replace with multiple entries, one for each interface IP
384
if d.type == 'A' and d.ip == "$IP":
386
for i in range(len(IPs)-1):
391
# now check if the entries already exist on the DNS server
393
if opts.all_names or not check_dns_name(d):
394
update_list.append(d)
396
if len(update_list) == 0:
398
print "No DNS updates needed"
404
# ask nsupdate to add entries as needed
405
for d in update_list:
407
if d.name.lower() == domain.lower():
416
# delete the ccache if we created it
417
if ccachename is not None:
418
os.unlink(ccachename)
421
print("Failed update of %u entries" % error_count)
422
sys.exit(error_count)