From e7a025d52e706c3819a4865364f45759565b381e Mon Sep 17 00:00:00 2001
From: Rowland Penny
Date: Sat, 24 Oct 2020 14:01:05 +0100
Subject: [PATCH] sambadns.py: create dns.keytab in binddns dir during a DC join

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14535
Signed-off-by: Rowland Penny
---
 python/samba/provision/sambadns.py | 39 ++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index 8a5d8a93442..bcec015c5aa 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -1273,6 +1273,45 @@ def setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger,
 dnsname="%s.%s" % (names.hostname, names.dnsdomain),
 binddns_dir=paths.binddns_dir,
 keytab_name=paths.dns_keytab)
+
+ private_dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
+ bind_dns_keytab_path = os.path.join(paths.binddns_dir, paths.dns_keytab)
+
+ if os.path.isfile(private_dns_keytab_path):
+ if os.path.isfile(bind_dns_keytab_path):
+ try:
+ os.unlink(bind_dns_keytab_path)
+ except OSError as e:
+ logger.error("Failed to remove %s: %s" %
+ (bind_dns_keytab_path, e.strerror))
+
+ # link the dns.keytab to the bind-dns directory
+ try:
+ os.link(private_dns_keytab_path, bind_dns_keytab_path)
+ except OSError as e:
+ logger.error("Failed to create link %s -> %s: %s" %
+ (private_dns_keytab_path,
+ bind_dns_keytab_path,
+ e.strerror))
+
+ # chown the dns.keytab in the bind-dns directory
+ if paths.bind_gid is not None:
+ try:
+ os.chmod(paths.binddns_dir, 0o770)
+ os.chown(paths.binddns_dir, -1, paths.bind_gid)
+ except OSError:
+ if 'SAMBA_SELFTEST' not in os.environ:
+ logger.info("Failed to chown %s to bind gid %u",
+ paths.binddns_dir, paths.bind_gid)
+
+ try:
+ os.chmod(bind_dns_keytab_path, 0o640)
+ os.chown(bind_dns_keytab_path, -1, paths.bind_gid)
+ except OSError:
+ if 'SAMBA_SELFTEST' not in os.environ:
+ logger.info("Failed to chown %s to bind gid %u",
+ bind_dns_keytab_path, paths.bind_gid)
+
 logger.info("See %s for an example configuration include file for BIND",
 paths.namedconf)
 logger.info("and %s for further documentation required for secure DNS "
-- 
GitLab
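Review bot: The chmod/chown at the end of the added block still runs when `os.unlink` or `os.link` has just failed, so a stale `dns.keytab` left in the bind-dns directory would be handed to the bind group while the join only logs an error. The permission changes should be conditional on the link having been created in this run. Because `os.link` makes both names share one inode, the `0o640`/bind-gid change also lands on the copy in `private_dir`; applying it through `private_dns_keytab_path` has the same effect without resolving a name inside a directory that this block makes group-writable (`0o770`), where chmod/chown by path follow symlinks. The failure messages are logged at `info` and say "chown" even when it was `os.chmod` that raised. `setup_bind9_dns` begins and ends outside the hunk.

```python
        # link the dns.keytab to the bind-dns directory
        linked = False
        try:
            os.link(private_dns_keytab_path, bind_dns_keytab_path)
            linked = True
        except OSError as e:
            # … unchanged: logger.error("Failed to create link …") …

        # only hand the keytab to the bind group if the link was just created
        if linked and paths.bind_gid is not None:
            # … unchanged: chmod/chown of paths.binddns_dir …

            try:
                # same inode as the new link; path lies outside the bind-dns dir
                os.chmod(private_dns_keytab_path, 0o640)
                os.chown(private_dns_keytab_path, -1, paths.bind_gid)
            except OSError as e:
                if 'SAMBA_SELFTEST' not in os.environ:
                    logger.error("Failed to set mode/group on %s for bind gid %u: %s",
                                 private_dns_keytab_path, paths.bind_gid,
                                 e.strerror)
```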