From 92693f66e9562c3d1e5a037f1a695393a63fc893 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Sun, 25 Oct 2020 09:54:45 +0200 Subject: [PATCH] Fix Samba AD DC operations on F33 or later - Report 'samba' daemon status back to systemd - Support dnspython 2.0.0 or later in samba_dnsupdate --- samba-dnspython-2.0.0-v4.13.patch | 143 ++++++++++++++++++++++++++++++ samba-systemd-notification.patch | 118 ++++++++++++++++++++++++ samba.spec | 10 ++- 3 files changed, 270 insertions(+), 1 deletion(-) create mode 100644 samba-dnspython-2.0.0-v4.13.patch create mode 100644 samba-systemd-notification.patch diff --git a/samba-dnspython-2.0.0-v4.13.patch b/samba-dnspython-2.0.0-v4.13.patch new file mode 100644 index 0000000..88aead2 --- /dev/null +++ b/samba-dnspython-2.0.0-v4.13.patch @@ -0,0 +1,143 @@ +From 12b51be8633689763080f2eb1e0b13487e3e71e1 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sat, 24 Oct 2020 12:17:44 +0300 +Subject: [PATCH] DNS Resolver: support both dnspython before and after 2.0.0 + +`dnspython` 2.0.0 has many changes and several deprecations like: + +``` +> dns.resolver.resolve() has been added, allowing control of whether +search lists are used. dns.resolver.query() is retained for backwards +compatibility, but deprecated. The default for search list behavior can +be set at in the resolver object with the use_search_by_default +parameter. The default is False. + +> dns.resolver.resolve_address() has been added, allowing easy +address-to-name lookups. +``` + +The new class `DNSResolver`: +- provides the compatibility layer +- defaults the previous behavior (the search list configured in the + system's resolver configuration is used for relative names) +- defaults lifetime to 15sec (determines the number of seconds + to spend trying to get an answer to the question) + +The compatibility shim was developed by Stanislav Levin for FreeIPA and +adopted for Samba by Alexander Bokovoy. + +Signed-off-by: Stanislav Levin +Signed-off-by: Alexander Bokovoy +--- + python/samba/dnsresolver.py | 68 +++++++++++++++++++++++++++ + source4/scripting/bin/samba_dnsupdate | 5 +- + 2 files changed, 71 insertions(+), 2 deletions(-) + create mode 100644 python/samba/dnsresolver.py + +diff --git a/python/samba/dnsresolver.py b/python/samba/dnsresolver.py +new file mode 100644 +index 00000000000..a627555a855 +--- /dev/null ++++ b/python/samba/dnsresolver.py +@@ -0,0 +1,68 @@ ++# Samba wrapper for DNS resolvers ++# ++# Copyright (C) Stanislav Levin ++# Copyright (C) Alexander Bokovoy ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++import dns.resolver ++import dns.rdatatype ++import dns.reversename ++ ++class DNSResolver(dns.resolver.Resolver): ++ """DNS stub resolver compatible with both dnspython < 2.0.0 ++ and dnspython >= 2.0.0. ++ ++ Set `use_search_by_default` attribute to `True`, which ++ determines the default for whether the search list configured ++ in the system's resolver configuration is used for relative ++ names, and whether the resolver's domain may be added to relative ++ names. ++ ++ Increase the default lifetime which determines the number of seconds ++ to spend trying to get an answer to the question. dnspython 2.0.0 ++ changes this to 5sec, while the previous one was 30sec. ++ """ ++ def __init__(self, *args, **kwargs): ++ super().__init__(*args, **kwargs) ++ self.reset_defaults() ++ self.resolve = getattr(super(), "resolve", self.query) ++ self.resolve_address = getattr( ++ super(), ++ "resolve_address", ++ self._resolve_address ++ ) ++ ++ def reset_defaults(self): ++ self.use_search_by_default = True ++ # the default is 5sec ++ self.lifetime = 15 ++ ++ def reset(self): ++ super().reset() ++ self.reset_defaults() ++ ++ def _resolve_address(self, ip_address, *args, **kwargs): ++ """Query nameservers for PTR records. ++ ++ :param ip_address: IPv4 or IPv6 address ++ :type ip_address: str ++ """ ++ return self.resolve( ++ dns.reversename.from_address(ip_address), ++ rdtype=dns.rdatatype.PTR, ++ *args, ++ **kwargs, ++ ) +diff --git a/source4/scripting/bin/samba_dnsupdate b/source4/scripting/bin/samba_dnsupdate +index 44eb1cadd27..fe04ce71338 100755 +--- a/source4/scripting/bin/samba_dnsupdate ++++ b/source4/scripting/bin/samba_dnsupdate +@@ -53,6 +53,7 @@ from samba.compat import get_string + from samba.compat import text_type + import ldb + ++from samba.dnsresolver import DNSResolver + import dns.resolver + import dns.exception + +@@ -259,7 +260,7 @@ def hostname_match(h1, h2): + + def get_resolver(d=None): + resolv_conf = os.getenv('RESOLV_CONF', default='/etc/resolv.conf') +- resolver = dns.resolver.Resolver(filename=resolv_conf, configure=True) ++ resolver = DNSResolver(filename=resolv_conf, configure=True) + + if d is not None and d.nameservers != []: + resolver.nameservers = d.nameservers +@@ -271,7 +272,7 @@ def check_one_dns_name(name, name_type, d=None): + if d and not d.nameservers: + d.nameservers = resolver.nameservers + # dns.resolver.Answer +- return resolver.query(name, name_type) ++ return resolver.resolve(name, name_type) + + def check_dns_name(d): + """check that a DNS entry exists.""" +-- +2.28.0 + diff --git a/samba-systemd-notification.patch b/samba-systemd-notification.patch new file mode 100644 index 0000000..1011460 --- /dev/null +++ b/samba-systemd-notification.patch @@ -0,0 +1,118 @@ +From 9dd1a4809b1b6d65bfb2258b443b0fe36e0a32f7 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sat, 24 Oct 2020 16:52:43 +0300 +Subject: [PATCH] daemons: report status to systemd even when running in + foreground + +When systemd launches samba services, the configuration we have in +systemd service files expects that the main process (/usr/sbin/*) +would use sd_notify() to report back its status. However, we only use +sd_notify() when running become_daemon(). + +As a result, samba/smbd/winbindd/nmbd processes never report back its +status and the status updates from other childs (smbd, winbindd, etc) +are not accepted as we now have implied NotifyAccess=main since commit +d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc + +This leads to a timeout and killing samba process by systemd. Situation +is reproducible in Fedora 33, for example. + +Make sure that we have required status updates for all daemons in case +we aren't runnning in interactive mode. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14552 + +Signed-off-by: Alexander Bokovoy +--- + source3/nmbd/nmbd.c | 4 +++- + source3/smbd/server.c | 4 +++- + source3/winbindd/winbindd.c | 5 ++++- + source4/smbd/server.c | 4 +++- + 4 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c +index 0b881d13f7b..f6aeba1f714 100644 +--- a/source3/nmbd/nmbd.c ++++ b/source3/nmbd/nmbd.c +@@ -1009,6 +1009,8 @@ static bool open_sockets(bool isdaemon, int port) + if (is_daemon && !opt_interactive) { + DEBUG(3, ("Becoming a daemon.\n")); + become_daemon(Fork, no_process_group, log_stdout); ++ } else if (!opt_interactive) { ++ daemon_status("nmbd", "Starting process..."); + } + + #ifdef HAVE_SETPGID +@@ -1135,7 +1137,7 @@ static bool open_sockets(bool isdaemon, int port) + exit_daemon( "NMBD failed to setup packet server.", EACCES); + } + +- if (is_daemon && !opt_interactive) { ++ if (!opt_interactive) { + daemon_ready("nmbd"); + } + +diff --git a/source3/smbd/server.c b/source3/smbd/server.c +index 153dd3c9323..3d9db5d8407 100644 +--- a/source3/smbd/server.c ++++ b/source3/smbd/server.c +@@ -1893,6 +1893,8 @@ extern void build_options(bool screen); + if (is_daemon && !interactive) { + DEBUG(3, ("Becoming a daemon.\n")); + become_daemon(Fork, no_process_group, log_stdout); ++ } else { ++ daemon_status("smbd", "Starting process ..."); + } + + #ifdef HAVE_SETPGID +@@ -2100,7 +2102,7 @@ extern void build_options(bool screen); + exit_daemon("Samba cannot setup ep pipe", EACCES); + } + +- if (is_daemon && !interactive) { ++ if (!interactive) { + daemon_ready("smbd"); + } + +diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c +index 4397a1bc0d1..1e08237905a 100644 +--- a/source3/winbindd/winbindd.c ++++ b/source3/winbindd/winbindd.c +@@ -1880,8 +1880,11 @@ int main(int argc, const char **argv) + BlockSignals(False, SIGHUP); + BlockSignals(False, SIGCHLD); + +- if (!interactive) ++ if (!interactive) { + become_daemon(Fork, no_process_group, log_stdout); ++ } else { ++ daemon_status("winbindd", "Starting process ..."); ++ } + + pidfile_create(lp_pid_directory(), "winbindd"); + +diff --git a/source4/smbd/server.c b/source4/smbd/server.c +index 95acb99b86c..ee2e7508bb3 100644 +--- a/source4/smbd/server.c ++++ b/source4/smbd/server.c +@@ -648,6 +648,8 @@ static int binary_smbd_main(const char *binary_name, + if (opt_daemon) { + DBG_NOTICE("Becoming a daemon.\n"); + become_daemon(opt_fork, opt_no_process_group, false); ++ } else if (!opt_interactive) { ++ daemon_status("samba", "Starting process..."); + } + + /* Create the memory context to hang everything off. */ +@@ -931,7 +933,7 @@ static int binary_smbd_main(const char *binary_name, + } + } + +- if (opt_daemon) { ++ if (!opt_interactive) { + daemon_ready("samba"); + } + +-- +2.28.0 + diff --git a/samba.spec b/samba.spec index 16edcd2..2a8bab3 100644 --- a/samba.spec +++ b/samba.spec @@ -8,7 +8,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%define main_release 12 +%define main_release 13 %define samba_version 4.13.0 %define talloc_version 2.3.1 @@ -132,6 +132,8 @@ Source14: samba.pamd Source201: README.downgrade Patch1: samba-s4u.patch Patch2: samba-gc-lookup_unix_user_name-allow-lookup-for-own-realm.patch +Patch3: samba-dnspython-2.0.0-v4.13.patch +Patch4: samba-systemd-notification.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -1984,6 +1986,7 @@ fi %{python3_sitearch}/samba/__pycache__/compat.*.pyc %{python3_sitearch}/samba/__pycache__/dbchecker.*.pyc %{python3_sitearch}/samba/__pycache__/descriptor.*.pyc +%{python3_sitearch}/samba/__pycache__/dnsresolver.*.pyc %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc %{python3_sitearch}/samba/__pycache__/getopt.*.pyc %{python3_sitearch}/samba/__pycache__/gpclass.*.pyc @@ -2061,6 +2064,7 @@ fi %{python3_sitearch}/samba/dcerpc/wkssvc.*.so %{python3_sitearch}/samba/dcerpc/xattr.*.so %{python3_sitearch}/samba/descriptor.py +%{python3_sitearch}/samba/dnsresolver.py %{python3_sitearch}/samba/drs_utils.py %{python3_sitearch}/samba/gensec.*.so %{python3_sitearch}/samba/getopt.py @@ -3621,6 +3625,10 @@ fi %endif %changelog +* Sun Oct 25 2020 Alexander Bokovoy - 4.13.0-13 +- Report 'samba' daemon status back to systemd +- Support dnspython 2.0.0 or later in samba_dnsupdate + * Thu Oct 22 2020 Alexander Bokovoy - 4.13.0-12 - Add preliminary support for S4U operations in Samba AD DC resolves: #1836630 - Samba DC: Remote Desktop cannot access files