Attachment 7796 Details for Bug 35453 – patch

[patch] patch

0001-ad-correctly-update-DNS-record-of-the-newly-joined-h.patch (text/plain), 3.24 KB, created by Alexey Sheplyakov on 2018-10-02 16:51:02 MSK

(hide)

Description:

Filename:

MIME Type:

Creator: Alexey Sheplyakov

Created: 2018-10-02 16:51:02 MSK

Size: 3.24 KB

patch

obsolete

>From db23756cab162b3fea6ca16053ad26f34b93e137 Mon Sep 17 00:00:00 2001
>From: Alexey Sheplyakov <asheplyakov@altlinux.org>
>Date: Tue, 2 Oct 2018 16:44:44 +0400
>Subject: [PATCH] ad: correctly update DNS record of the newly joined host
>
>After joining the domain net_ads_join tries to update the A DNS record
>of the newly joined host [1]. The call stack looks like this
>
>net_update_dns_ext /* iplist = NULL, num_addrs = 0, remove_host = false */
>net_update_dns /* hostname = NULL */
>_net_ads_join_dns_updates
>net_ads_join
>
>net_update_dns_ext guesses the (DNS) hostname from its netbios name [2].
>Typically netbios name matches the short (DNS) hostname (maximal length
>of a netbios name is 15 bytes, which might be too short for a FQDN).
>Thus net_update_dns_ext calls name_to_fqdn [3] to guess the FQDN.
>However name_to_fqdn makes use of getaddrinfo to obtain the FQDN, which
>is deemed to fail since the (A) DNS record hasn't been created yet.
>Thus net_update_dns_ext tries to proceed with the short hostname,
>however net_update_dns_internal bails out [4] with
>NT_STATUS_INVALID_PARAMETER for it can't figure out the (DNS) domain name.
>
>Thus an attempt to create the A DNS record on the (very first) join
>is deemed to fail (and `net ads join` does not accept the DNS domain
>name as an argument).
>
>There are two possible approaches to solve the problem:
>
>1) Use `net ads join --no-dns-updates` to join the domain, and make (A)
>   DNS record with `net ads dns register`
>2) Teach `net ads join` to use the name of the Kerberos domain (in lower
>   case) as the DNS domain name, if guessing the FQDN failed.
>
>Option 2) is definitely more complicated and most likely will be rejected
>by the upstream (they don't quite like changing `source3` unless that
>fixes a serious problem). Hence this patch.
>
>[1] http://git.altlinux.org/gears/s/samba-DC.git?p=samba-DC.git;a=blob;f=source3/utils/net_ads.c;h=c83aced9f812380df85682c08e29de48a1794d6b;hb=ec86b464b83e7e5d6163f54fca6869d855a32910#l1632
>[2] http://git.altlinux.org/gears/s/samba-DC.git?p=samba-DC.git;a=blob;f=source3/utils/net_ads.c;h=c83aced9f812380df85682c08e29de48a1794d6b;hb=ec86b464b83e7e5d6163f54fca6869d855a32910#l1296
>[3] http://git.altlinux.org/gears/s/samba-DC.git?p=samba-DC.git;a=blob;f=source3/lib/util.c;h=5f786f95d3e2eccd113a39eec585d195713c5747;hb=ec86b464b83e7e5d6163f54fca6869d855a32910#l1682
>[4] http://git.altlinux.org/gears/s/samba-DC.git?p=samba-DC.git;a=blob;f=source3/utils/net_ads.c;h=c83aced9f812380df85682c08e29de48a1794d6b;hb=ec86b464b83e7e5d6163f54fca6869d855a32910#l1156
>---
> alterator-auth/sbin/system-auth | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/alterator-auth/sbin/system-auth b/alterator-auth/sbin/system-auth
>index b63066a..81d5b33 100755
>--- a/alterator-auth/sbin/system-auth
>+++ b/alterator-auth/sbin/system-auth
>@@ -515,13 +515,13 @@ join_ad_domain()
> 	set_hostname "$host_name.$ldomain"
> 
> 	# Join to domain
>-	$net_cmd ads join -U"$user%$password" | grep -v '^Using short domain name'
>+	$net_cmd ads join -U"$user%$password" --no-dns-updates
> 
> 	[ "$?" -ne 0 ] && return 1
> 
> 	# Register machine in domain DNS
> 	if [ -n "$host_name" ]; then
>-		$net_cmd ads dns register -U"$user%$password" "$FQDN"
>+		$net_cmd ads dns register -U"$user%$password" "$host_name.$ldomain"
> 	fi
> 
> 	# Destroy ticket
>-- 
>2.10.2
>

Actions: View | Diff

Attachments on bug 35453: 7796