From db23756cab162b3fea6ca16053ad26f34b93e137 Mon Sep 17 00:00:00 2001 
From: Alexey Sheplyakov
Date: Tue, 2 Oct 2018 16:44:44 +0400
Subject: [PATCH] ad: correctly update DNS record of the newly joined host

After joining the domain net_ads_join tries to update the A DNS record of
the newly joined host [1]. The call stack looks like this:

  net_update_dns_ext  /* iplist = NULL, num_addrs = 0, remove_host = false */
  net_update_dns      /* hostname = NULL */
  _net_ads_join_dns_updates
  net_ads_join

net_update_dns_ext guesses the (DNS) hostname from its netbios name [2].
Typically the netbios name matches the short (DNS) hostname (the maximal
length of a netbios name is 15 bytes, which might be too short for a FQDN).
Thus net_update_dns_ext calls name_to_fqdn [3] to guess the FQDN. However,
name_to_fqdn makes use of getaddrinfo to obtain the FQDN, which is deemed
to fail since the (A) DNS record hasn't been created yet. Thus
net_update_dns_ext tries to proceed with the short hostname; however,
net_update_dns_internal bails out [4] with NT_STATUS_INVALID_PARAMETER,
for it can't figure out the (DNS) domain name.

Thus an attempt to create the A DNS record on the (very first) join is
deemed to fail (and `net ads join` does not accept the DNS domain name as
an argument).

There are two possible approaches to solve the problem:

1) Use `net ads join --no-dns-updates` to join the domain, and make the
   (A) DNS record with `net ads dns register`.
2) Teach `net ads join` to use the name of the Kerberos domain (in lower
   case) as the DNS domain name, if guessing the FQDN failed.

Option 2) is definitely more complicated and most likely will be rejected
by the upstream (they don't quite like changing `source3` unless that
fixes a serious problem). Hence this patch.
[1] http://git.altlinux.org/gears/s/samba-DC.git?p=samba-DC.git;a=blob;f=source3/utils/net_ads.c;h=c83aced9f812380df85682c08e29de48a1794d6b;hb=ec86b464b83e7e5d6163f54fca6869d855a32910#l1632
[2] http://git.altlinux.org/gears/s/samba-DC.git?p=samba-DC.git;a=blob;f=source3/utils/net_ads.c;h=c83aced9f812380df85682c08e29de48a1794d6b;hb=ec86b464b83e7e5d6163f54fca6869d855a32910#l1296
[3] http://git.altlinux.org/gears/s/samba-DC.git?p=samba-DC.git;a=blob;f=source3/lib/util.c;h=5f786f95d3e2eccd113a39eec585d195713c5747;hb=ec86b464b83e7e5d6163f54fca6869d855a32910#l1682
[4] http://git.altlinux.org/gears/s/samba-DC.git?p=samba-DC.git;a=blob;f=source3/utils/net_ads.c;h=c83aced9f812380df85682c08e29de48a1794d6b;hb=ec86b464b83e7e5d6163f54fca6869d855a32910#l1156
---
 alterator-auth/sbin/system-auth | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/alterator-auth/sbin/system-auth b/alterator-auth/sbin/system-auth index b63066a..81d5b33 100755 --- a/alterator-auth/sbin/system-auth +++ b/alterator-auth/sbin/system-auth @@ -515,13 +515,13 @@ join_ad_domain() set_hostname "$host_name.$ldomain" # Join to domain - $net_cmd ads join -U"$user%$password" | grep -v '^Using short domain name' + $net_cmd ads join -U"$user%$password" --no-dns-updates [ "$?" -ne 0 ] && return 1 # Register machine in domain DNS if [ -n "$host_name" ]; then - $net_cmd ads dns register -U"$user%$password" "$FQDN" + $net_cmd ads dns register -U"$user%$password" "$host_name.$ldomain" fi # Destroy ticket -- 2.10.2
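Review bot: the exit status of `$net_cmd ads dns register -U"$user%$password" "$host_name.$ldomain"` is never checked, so if creating the A record fails (the very failure this patch sets out to fix) join_ad_domain still returns success, and with `--no-dns-updates` there is no other attempt left to fall back on; append `|| return 1` to that line, or at least report the failure. Two smaller points on the same hunk: the commit message does not say why `"$FQDN"` is replaced by `"$host_name.$ldomain"` (set_hostname a few lines above already receives `"$host_name.$ldomain"`, so if `$FQDN` held the same value the change is a no-op, and if it did not, the reason belongs in the message); and dropping the `| grep -v '^Using short domain name'` pipeline is a good side effect worth stating, because `[ "$?" -ne 0 ] && return 1` previously tested grep's exit status rather than net's, though the "Using short domain name" line will now reach the output.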
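The join-then-register sequence that option 1) of the commit message describes, written as an added example rather than alterator-auth's own script: every step is checked, the FQDN is passed explicitly so `net` never has to guess it, and the `net` binary is taken from an assumed `NET_CMD` variable so the sequence can be exercised with a stub. The only `net` options used are the two from the patch (`ads join --no-dns-updates` and `ads dns register`); the function name, argument order and return codes are this example's own.

```shell
#!/bin/sh
# Added example, not part of alterator-auth. Assumes NET_CMD (hypothetical
# hook) names the net binary; defaults to `net` on PATH.
net_cmd="${NET_CMD:-net}"

# join_and_register HOST DNS_DOMAIN USER PASSWORD
#   0  join and A-record registration both succeeded
#   1  `net ads join` failed (nothing else attempted)
#   2  missing host name or domain (nothing attempted)
#   3  joined, but `net ads dns register` failed
join_and_register() {
    host_name="$1" ldomain="$2" user="$3" password="$4"

    if [ -z "$host_name" ] || [ -z "$ldomain" ]; then
        echo "join_and_register: host name and DNS domain are required" >&2
        return 2
    fi
    fqdn="$host_name.$ldomain"

    # Skip the in-join DNS update: the A record does not exist yet, so net's
    # getaddrinfo-based FQDN guess fails and the update is abandoned anyway.
    # No pipeline after net, so `||` really sees net's exit status.
    $net_cmd ads join -U"$user%$password" --no-dns-updates || return 1

    # Create the A record with an explicit FQDN; nothing has to be guessed.
    # A failure here must not be swallowed: it is the whole point of the step.
    $net_cmd ads dns register -U"$user%$password" "$fqdn" || return 3
}

# Usage when run directly:  ./join.sh pc01 example.com Administrator 'secret'
if [ "$#" -eq 4 ]; then
    join_and_register "$@"
fi
```

Passing the password as `-U"$user%$password"` mirrors the patch, and carries the same caveat: the credential is visible in the process list for as long as `net` runs.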