Fix Samba AD DC operations on F33 or later

- Report 'samba' daemon status back to systemd
- Support dnspython 2.0.0 or later in samba_dnsupdate

samba-dnspython-2.0.0-v4.13.patch

@@ -0,0 +1,143 @@
+From 12b51be8633689763080f2eb1e0b13487e3e71e1 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Sat, 24 Oct 2020 12:17:44 +0300
+Subject: [PATCH] DNS Resolver: support both dnspython before and after 2.0.0
+
+`dnspython` 2.0.0 has many changes and several deprecations like:
+
+```
+> dns.resolver.resolve() has been added, allowing control of whether
+search lists are used. dns.resolver.query() is retained for backwards
+compatibility, but deprecated. The default for search list behavior can
+be set at in the resolver object with the use_search_by_default
+parameter. The default is False.
+
+> dns.resolver.resolve_address() has been added, allowing easy
+address-to-name lookups.
+```
+
+The new class `DNSResolver`:
+- provides the compatibility layer
+- defaults the previous behavior (the search list configured in the
+  system's resolver configuration is used for relative names)
+- defaults lifetime to 15sec (determines the number of seconds
+  to spend trying to get an answer to the question)
+
+The compatibility shim was developed by Stanislav Levin for FreeIPA and
+adopted for Samba by Alexander Bokovoy.
+
+Signed-off-by: Stanislav Levin <slev@altlinux.org>
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+---
+ python/samba/dnsresolver.py           | 68 +++++++++++++++++++++++++++
+ source4/scripting/bin/samba_dnsupdate |  5 +-
+ 2 files changed, 71 insertions(+), 2 deletions(-)
+ create mode 100644 python/samba/dnsresolver.py
+
+diff --git a/python/samba/dnsresolver.py b/python/samba/dnsresolver.py
+new file mode 100644
+index 00000000000..a627555a855
+--- /dev/null
++++ b/python/samba/dnsresolver.py
+@@ -0,0 +1,68 @@
++# Samba wrapper for DNS resolvers
++#
++# Copyright (C) Stanislav Levin <slev@altlinux.org>
++# Copyright (C) Alexander Bokovoy <ab@samba.org>
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++#
++
++import dns.resolver
++import dns.rdatatype
++import dns.reversename
++
++class DNSResolver(dns.resolver.Resolver):
++    """DNS stub resolver compatible with both dnspython < 2.0.0
++    and dnspython >= 2.0.0.
++
++    Set `use_search_by_default` attribute to `True`, which
++    determines the default for whether the search list configured
++    in the system's resolver configuration is used for relative
++    names, and whether the resolver's domain may be added to relative
++    names.
++
++    Increase the default lifetime which determines the number of seconds
++    to spend trying to get an answer to the question. dnspython 2.0.0
++    changes this to 5sec, while the previous one was 30sec.
++    """
++    def __init__(self, *args, **kwargs):
++        super().__init__(*args, **kwargs)
++        self.reset_defaults()
++        self.resolve = getattr(super(), "resolve", self.query)
++        self.resolve_address = getattr(
++            super(),
++            "resolve_address",
++            self._resolve_address
++        )
++
++    def reset_defaults(self):
++        self.use_search_by_default = True
++        # the default is 5sec
++        self.lifetime = 15
++
++    def reset(self):
++        super().reset()
++        self.reset_defaults()
++
++    def _resolve_address(self, ip_address, *args, **kwargs):
++        """Query nameservers for PTR records.
++
++        :param ip_address: IPv4 or IPv6 address
++        :type ip_address: str
++        """
++        return self.resolve(
++            dns.reversename.from_address(ip_address),
++            rdtype=dns.rdatatype.PTR,
++            *args,
++            **kwargs,
++        )
+diff --git a/source4/scripting/bin/samba_dnsupdate b/source4/scripting/bin/samba_dnsupdate
+index 44eb1cadd27..fe04ce71338 100755
+--- a/source4/scripting/bin/samba_dnsupdate
++++ b/source4/scripting/bin/samba_dnsupdate
+@@ -53,6 +53,7 @@ from samba.compat import get_string
+ from samba.compat import text_type
+ import ldb
+ 
++from samba.dnsresolver import DNSResolver
+ import dns.resolver
+ import dns.exception
+ 
+@@ -259,7 +260,7 @@ def hostname_match(h1, h2):
+ 
+ def get_resolver(d=None):
+     resolv_conf = os.getenv('RESOLV_CONF', default='/etc/resolv.conf')
+-    resolver = dns.resolver.Resolver(filename=resolv_conf, configure=True)
++    resolver = DNSResolver(filename=resolv_conf, configure=True)
+ 
+     if d is not None and d.nameservers != []:
+         resolver.nameservers = d.nameservers
+@@ -271,7 +272,7 @@ def check_one_dns_name(name, name_type, d=None):
+     if d and not d.nameservers:
+         d.nameservers = resolver.nameservers
+     # dns.resolver.Answer
+-    return resolver.query(name, name_type)
++    return resolver.resolve(name, name_type)
+ 
+ def check_dns_name(d):
+     """check that a DNS entry exists."""
+-- 
+2.28.0
+

samba-systemd-notification.patch

@@ -0,0 +1,118 @@
+From 9dd1a4809b1b6d65bfb2258b443b0fe36e0a32f7 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Sat, 24 Oct 2020 16:52:43 +0300
+Subject: [PATCH] daemons: report status to systemd even when running in
+ foreground
+
+When systemd launches samba services, the configuration we have in
+systemd service files expects that the main process (/usr/sbin/*)
+would use sd_notify() to report back its status. However, we only use
+sd_notify() when running become_daemon().
+
+As a result, samba/smbd/winbindd/nmbd processes never report back its
+status and the status updates from other childs (smbd, winbindd, etc)
+are not accepted as we now have implied NotifyAccess=main since commit
+d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc
+
+This leads to a timeout and killing samba process by systemd. Situation
+is reproducible in Fedora 33, for example.
+
+Make sure that we have required status updates for all daemons in case
+we aren't runnning in interactive mode.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14552
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/nmbd/nmbd.c         | 4 +++-
+ source3/smbd/server.c       | 4 +++-
+ source3/winbindd/winbindd.c | 5 ++++-
+ source4/smbd/server.c       | 4 +++-
+ 4 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c
+index 0b881d13f7b..f6aeba1f714 100644
+--- a/source3/nmbd/nmbd.c
++++ b/source3/nmbd/nmbd.c
+@@ -1009,6 +1009,8 @@ static bool open_sockets(bool isdaemon, int port)
+ 	if (is_daemon && !opt_interactive) {
+ 		DEBUG(3, ("Becoming a daemon.\n"));
+ 		become_daemon(Fork, no_process_group, log_stdout);
++	} else if (!opt_interactive) {
++		daemon_status("nmbd", "Starting process...");
+ 	}
+ 
+ #ifdef HAVE_SETPGID
+@@ -1135,7 +1137,7 @@ static bool open_sockets(bool isdaemon, int port)
+ 		exit_daemon( "NMBD failed to setup packet server.", EACCES);
+ 	}
+ 
+-	if (is_daemon && !opt_interactive) {
++	if (!opt_interactive) {
+ 		daemon_ready("nmbd");
+ 	}
+ 
+diff --git a/source3/smbd/server.c b/source3/smbd/server.c
+index 153dd3c9323..3d9db5d8407 100644
+--- a/source3/smbd/server.c
++++ b/source3/smbd/server.c
+@@ -1893,6 +1893,8 @@ extern void build_options(bool screen);
+ 	if (is_daemon && !interactive) {
+ 		DEBUG(3, ("Becoming a daemon.\n"));
+ 		become_daemon(Fork, no_process_group, log_stdout);
++	} else {
++		daemon_status("smbd", "Starting process ...");
+ 	}
+ 
+ #ifdef HAVE_SETPGID
+@@ -2100,7 +2102,7 @@ extern void build_options(bool screen);
+ 		exit_daemon("Samba cannot setup ep pipe", EACCES);
+ 	}
+ 
+-	if (is_daemon && !interactive) {
++	if (!interactive) {
+ 		daemon_ready("smbd");
+ 	}
+ 
+diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
+index 4397a1bc0d1..1e08237905a 100644
+--- a/source3/winbindd/winbindd.c
++++ b/source3/winbindd/winbindd.c
+@@ -1880,8 +1880,11 @@ int main(int argc, const char **argv)
+ 	BlockSignals(False, SIGHUP);
+ 	BlockSignals(False, SIGCHLD);
+ 
+-	if (!interactive)
++	if (!interactive) {
+ 		become_daemon(Fork, no_process_group, log_stdout);
++	} else {
++		daemon_status("winbindd", "Starting process ...");
++	}
+ 
+ 	pidfile_create(lp_pid_directory(), "winbindd");
+ 
+diff --git a/source4/smbd/server.c b/source4/smbd/server.c
+index 95acb99b86c..ee2e7508bb3 100644
+--- a/source4/smbd/server.c
++++ b/source4/smbd/server.c
+@@ -648,6 +648,8 @@ static int binary_smbd_main(const char *binary_name,
+ 	if (opt_daemon) {
+ 		DBG_NOTICE("Becoming a daemon.\n");
+ 		become_daemon(opt_fork, opt_no_process_group, false);
++	} else if (!opt_interactive) {
++		daemon_status("samba", "Starting process...");
+ 	}
+ 
+ 	/* Create the memory context to hang everything off. */
+@@ -931,7 +933,7 @@ static int binary_smbd_main(const char *binary_name,
+ 		}
+ 	}
+ 
+-	if (opt_daemon) {
++	if (!opt_interactive) {
+ 		daemon_ready("samba");
+ 	}
+ 
+-- 
+2.28.0
+

samba.spec

@@ -8,7 +8,7 @@
 
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 
-%define main_release 12
+%define main_release 13
 
 %define samba_version 4.13.0
 %define talloc_version 2.3.1
@@ -132,6 +132,8 @@ Source14:       samba.pamd
 Source201:      README.downgrade
 Patch1:         samba-s4u.patch
 Patch2:         samba-gc-lookup_unix_user_name-allow-lookup-for-own-realm.patch
+Patch3:         samba-dnspython-2.0.0-v4.13.patch
+Patch4:         samba-systemd-notification.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -1984,6 +1986,7 @@ fi
 %{python3_sitearch}/samba/__pycache__/compat.*.pyc
 %{python3_sitearch}/samba/__pycache__/dbchecker.*.pyc
 %{python3_sitearch}/samba/__pycache__/descriptor.*.pyc
+%{python3_sitearch}/samba/__pycache__/dnsresolver.*.pyc
 %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc
 %{python3_sitearch}/samba/__pycache__/getopt.*.pyc
 %{python3_sitearch}/samba/__pycache__/gpclass.*.pyc
@@ -2061,6 +2064,7 @@ fi
 %{python3_sitearch}/samba/dcerpc/wkssvc.*.so
 %{python3_sitearch}/samba/dcerpc/xattr.*.so
 %{python3_sitearch}/samba/descriptor.py
+%{python3_sitearch}/samba/dnsresolver.py
 %{python3_sitearch}/samba/drs_utils.py
 %{python3_sitearch}/samba/gensec.*.so
 %{python3_sitearch}/samba/getopt.py
@@ -3621,6 +3625,10 @@ fi
 %endif
 
 %changelog
+* Sun Oct 25 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.0-13
+- Report 'samba' daemon status back to systemd
+- Support dnspython 2.0.0 or later in samba_dnsupdate
+
 * Thu Oct 22 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.0-12
 - Add preliminary support for S4U operations in Samba AD DC
   resolves: #1836630 - Samba DC: Remote Desktop cannot access files