From d97f4bd2b1823221b6d694f4cdabb91d0cd38983 Mon Sep 17 00:00:00 2001
From: Davide Principi
Date: Wed, 11 Dec 2024 16:26:45 +0100
Subject: [PATCH] Inhibit DNS service
If Samba DC is configured on the local node, inhibit our DNS service.
---
 imageroot/actions/configure-module/10validate | 2 +-
 imageroot/actions/get-configuration/10get | 18 ++++++++++++------
 imageroot/bin/expand-config | 11 +++++++++--
 imageroot/pypkg/network.py | 18 ++++++++++++++++++
 4 files changed, 40 insertions(+), 9 deletions(-)
diff --git a/imageroot/actions/configure-module/10validate b/imageroot/actions/configure-module/10validate
index 2855957..c84822d 100755
--- a/imageroot/actions/configure-module/10validate
+++ b/imageroot/actions/configure-module/10validate
@@ -65,7 +65,7 @@ if request["dhcp-server"]["enabled"]:
 sys.exit(2)
 if request["dns-server"]["enabled"]:
- is_dns_bound = network.are_ports_53_bound()
+ is_dns_bound = network.are_ports_53_bound() or bool(network.get_local_samba_dcs())
 # read config.json and determine if dns is used for this instance
 config = json.load(open("config.json"))
 is_dns_enabled = config["dns-server"]["enabled"]
diff --git a/imageroot/actions/get-configuration/10get b/imageroot/actions/get-configuration/10get
index 1d14817..cf321c9 100755
--- a/imageroot/actions/get-configuration/10get
+++ b/imageroot/actions/get-configuration/10get
@@ -7,7 +7,7 @@
 import json
 import sys
-
+import agent
 import network
 config = json.load(open("config.json"))
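Review bot: In `imageroot/actions/configure-module/10validate`, the changed line `is_dns_bound = network.are_ports_53_bound() or bool(network.get_local_samba_dcs())` treats a local Samba DC the same as "port 53 is already bound", so the outcome still depends on the `is_dns_enabled` value read from `config.json` just below it. If the check that follows (outside this hunk) only rejects when DNS was not previously enabled, a request to enable DNS on a node that gained a Samba DC afterwards would pass validation and then be silently overridden by `port=0` in expand-config. Consider keeping the Samba lookup in its own variable and rejecting `request["dns-server"]["enabled"]` whenever that list is non-empty, using the validation-error output this script already emits. The rest of the `if request["dns-server"]["enabled"]:` block is not visible here, so confirm against the full file.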
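Review bot: The `import agent` added in the `@@ -7,7 +7,7 @@` hunk of `imageroot/actions/get-configuration/10get` is not referenced by any new line in that file; the Redis access happens inside `network.get_local_samba_dcs()`. The same applies to `import sys` in the import hunk of `imageroot/pypkg/network.py`, which the new function does not use. Unless code outside the visible hunks needs them, drop both so the action does not load modules it never calls.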
@@ -18,10 +18,16 @@ if config["interface"] != "" and config["dhcp-server"]["start"] == "" and config
 config["dhcp-server"]["start"] = str(interface["start"])
 config["dhcp-server"]["end"] = str(interface["end"])
-# we test if tcp/53 or udp/53 is bound to the interface
-config["is_dns_bound"] = network.are_ports_53_bound()
-# check if dnsmasq is enabled in the configuration, needed to determine in the UI if the DNS server was enabled and used by dnsmasq.
-# the dnsmasq service is always running, we cannot state if it is enabled/active or not.
-config['is_dns_enabled'] = config["dns-server"]["enabled"]
+# we test if tcp/53 or udp/53 is bound to the interface, or local Samba DCs are present
+local_samba_dcs = network.get_local_samba_dcs()
+if len(local_samba_dcs) > 0:
+ config["is_dns_bound"] = True
+ config["is_dns_enabled"] = False
+ config["dns-server"]["enabled"] = False
+else:
+ config["is_dns_bound"] = network.are_ports_53_bound()
+ # check if dnsmasq is enabled in the configuration, needed to determine in the UI if the DNS server was enabled and used by dnsmasq.
+ # the dnsmasq service is always running, we cannot state if it is enabled/active or not.
+ config['is_dns_enabled'] = config["dns-server"]["enabled"]
 json.dump(config, sys.stdout)
diff --git a/imageroot/bin/expand-config b/imageroot/bin/expand-config
index 271a68b..d7230a5 100755
--- a/imageroot/bin/expand-config
+++ b/imageroot/bin/expand-config
@@ -8,6 +8,7 @@
 import json
 import sys
 import agent
+import network
 # Read configuration from a JSON file or initialize it.
 try:
@@ -31,6 +32,9 @@ except FileNotFoundError:
 json.dump(config, fp=open("config.json", "w"))
+# Lookup local Samba DCs. They want to bind DNS port 53 like us.
+local_samba_dcs = network.get_local_samba_dcs()
+
 # convert json to configuration file
 with open("dnsmasq.d/00config.conf", "w") as file:
 file.write("# This file is automatically generated by NethServer, manual changes will be lost.\n")
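Review bot: In the `@@ -18,10 +18,16 @@` hunk of `10get`, the Samba branch overwrites `config["dns-server"]["enabled"]` with `False` in the returned document, so a caller cannot tell "DNS disabled by the administrator" from "DNS inhibited because a DC is present". If the UI posts this output back to configure-module (not visible here), the stored preference would be lost and DNS would stay off after the DC is removed. Consider leaving `config["dns-server"]["enabled"]` as stored and reporting the inhibition through a separate output key, with a comment on why `is_dns_bound` is forced to `True`. The emptiness test also reads better as `if local_samba_dcs:`.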
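Review bot: In the `@@ -31,6 +32,9 @@` hunk of `imageroot/bin/expand-config`, the call `local_samba_dcs = network.get_local_samba_dcs()` runs unguarded at module level before `dnsmasq.d/00config.conf` is opened. If the Redis connection fails or `NODE_ID` is unset, the script would stop before regenerating the file, which also blocks unrelated DHCP changes; how `agent.redis_connect` reports failure is not visible here. Decide which way the lookup should fail and say so in the comment, for example `# if the lookup fails we assume a DC is present and keep DNS off`, then handle the exception accordingly. Assuming a DC is present is the safer default, because it avoids two services competing for port 53.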
@@ -42,8 +46,11 @@ with open("dnsmasq.d/00config.conf", "w") as file:
 if config["dhcp-server"]["enabled"]:
 file.write("dhcp-range=set:default," + config["dhcp-server"]["start"] + "," + config["dhcp-server"]["end"] + "," + str(config["dhcp-server"]["lease"]) + "h\n")
- # write dns-server configuration
- if config["dns-server"]["enabled"]:
+ # write dns-server configuration, if no local Samba DC is present
+ if len(local_samba_dcs) > 0:
+ print("Local Active Directory DC found, DNS feature is blocked.", local_samba_dcs, file=sys.stderr)
+ file.write("port=0\n")
+ elif config["dns-server"]["enabled"]:
 file.write("server=" + config["dns-server"]["primary-server"] + "\n")
 if config["dns-server"]["secondary-server"] != "":
 file.write("server=" + config["dns-server"]["secondary-server"] + "\n")
diff --git a/imageroot/pypkg/network.py b/imageroot/pypkg/network.py
index d2c10d2..84be975 100644
--- a/imageroot/pypkg/network.py
+++ b/imageroot/pypkg/network.py
@@ -5,6 +5,9 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
+import sys
+import os
+import agent
 import ipaddress
 import json
 import subprocess
@@ -78,3 +81,18 @@ def are_ports_53_bound(ip='127.0.0.1'):
 Check if both TCP and UDP ports 53 are bound on a specific IP address.
 """
 return __is_port_bound(53, 'tcp', ip) or __is_port_bound(53, 'udp', ip)
+
+def get_local_samba_dcs():
+ """
+ Lookup Samba modules installed on the local node. Returns an array of
+ Samba module IDs that were installed on the local node. Typically the
+ array has 1 element at most.
+ """
+ rdb = agent.redis_connect(use_replica=True)
+ local_samba_dcs = []
+ for module_id, node_id in rdb.hgetall("cluster/module_node").items():
+ if node_id != os.environ["NODE_ID"]:
+ continue
+ if module_id.startswith('samba'):
+ local_samba_dcs.append(module_id)
+ return local_samba_dcs
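Review bot: In `get_local_samba_dcs()` (the `@@ -78,3 +81,18 @@` hunk of `imageroot/pypkg/network.py`), `module_id.startswith('samba')` is a loose prefix match, so any module whose ID merely begins with that string would switch DNS off on the node. The comparison `node_id != os.environ["NODE_ID"]` also assumes the Redis client returns decoded strings; if it returned bytes the function would always return an empty list and DNS would never be inhibited, and `agent.redis_connect` is not visible here to confirm. Match the expected ID shape explicitly and document it in the docstring, together with the fact that the lookup reads from a replica and may lag behind a fresh install. Reading the variable once before the loop, `local_node_id = os.environ["NODE_ID"]`, makes a missing `NODE_ID` fail at a predictable point.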