From d8c89ecc2817c847d2af9571298d4259d8398990 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julien=20ROP=C3=89?= Date: Fri, 23 Nov 2018 15:56:59 +0100 Subject: [PATCH 1/2] Fix for https://bugzilla.samba.org/show_bug.cgi?id=9634 - add an option to smb.conf to list authorized zone transfer clients - implement restriction in dlz_bind9 module to allow transfers only to selected IPs --- .../domain/dnszonetransferclients.xml | 19 ++++++++++++ source4/dns_server/dlz_bind9.c | 29 +++++++++++++++++-- 2 files changed, 45 insertions(+), 3 deletions(-) create mode 100644 docs-xml/smbdotconf/domain/dnszonetransferclients.xml diff --git a/docs-xml/smbdotconf/domain/dnszonetransferclients.xml b/docs-xml/smbdotconf/domain/dnszonetransferclients.xml new file mode 100644 index 00000000000..6e069bc32bb --- /dev/null +++ b/docs-xml/smbdotconf/domain/dnszonetransferclients.xml @@ -0,0 +1,19 @@ + + + This option specifies the list IPs authorized to ask for dns zone + transfer. + + + The content is a comma-separated list of IP addresses. + + + Default is "none", meaning no transfer will be authorized. + + + +none +192.168.0.1 + diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c index 5f9a71dd741..ea851d0d23d 100644 --- a/source4/dns_server/dlz_bind9.c +++ b/source4/dns_server/dlz_bind9.c @@ -912,6 +912,7 @@ static isc_result_t dlz_lookup_types(struct dlz_bind9_data *state, return ISC_R_SUCCESS; } + /* lookup one record */ 
@@ -929,16 +930,38 @@ _PUBLIC_ isc_result_t dlz_lookup(const char *zone, const char *name, return dlz_lookup_types(state, zone, name, lookup, NULL); } - /* see if a zone transfer is allowed */ _PUBLIC_ isc_result_t dlz_allowzonexfr(void *dbdata, const char *name, const char *client) { - /* just say yes for all our zones for now */ struct dlz_bind9_data *state = talloc_get_type( dbdata, struct dlz_bind9_data); - return b9_find_zone_dn(state, name, NULL, NULL); + isc_result_t ret ; + const char **authorized_clients ; + unsigned int i ; + + /* check that the zone is known */ + ret = b9_find_zone_dn(state, name, NULL, NULL); + if (ret == ISC_R_SUCCESS) { + authorized_clients = lpcfg_dns_zone_transfer_clients(state->lp) ; + if (authorized_clients) { + state->log(ISC_LOG_INFO, "samba_dlz: checking if client is authorized for zone transfer") ; + + /* if the option is not set, default is to accept all transfers + if the option is set, default is to accept only the selected IPs */ + ret = ISC_R_NOPERM ; + for (i = 0; authorized_clients && authorized_clients[i] ; i++) { + state->log(ISC_LOG_INFO, "samba_dlz: comparing to %s", authorized_clients[i]) ; + if (strcmp(authorized_clients[i], client) == 0) { + state->log(ISC_LOG_INFO, "samba_dlz: accepting IP %s", client) ; + ret = ISC_R_SUCCESS ; + break ; + } + } + } + } + return ret ; } /* From 4551046f4ff3ab36265daf8b2b904b1ca75818d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julien=20ROP=C3=89?= Date: Fri, 23 Nov 2018 15:56:59 +0100 Subject: [PATCH 2/2] Fix for https://bugzilla.samba.org/show_bug.cgi?id=9634 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - add an option to smb.conf to list authorized zone transfer clients - implement restriction in dlz_bind9 module to allow transfers only to selected IPs 
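Review bot: The `if (authorized_clients)` guard in dlz_allowzonexfr leaves `ret` at the ISC_R_SUCCESS returned by b9_find_zone_dn() whenever lpcfg_dns_zone_transfer_clients() returns NULL, so an unset or empty option fails open and any client may transfer the zone, while the new dnszonetransferclients.xml says the default "none" authorizes no transfer and the in-code comment ("default is to accept all transfers") says the opposite — the check should fail closed by assigning `ret = ISC_R_NOPERM` before the list is consulted, so a missing list, an empty list and a list without a match all deny. If the default really is the literal string "none", denial today rests on that string never equalling an address rather than on an explicit decision, which deserves at least a comment. The denial itself is never logged: each candidate comparison is logged at ISC_LOG_INFO, but a rejected request returns ISC_R_NOPERM silently, so the event an operator actually wants to see leaves no trace; log the zone and client on denial and demote or drop the per-candidate lines. strcmp() is an exact textual match, so the address string BIND hands in must equal the smb.conf entry byte for byte — differently spelled IPv6 or IPv4-mapped addresses will presumably not match (worth confirming and stating in the XML, or comparing parsed addresses instead of text).
```c
_PUBLIC_ isc_result_t dlz_allowzonexfr(void *dbdata, const char *name, const char *client)
{
	/* … unchanged: state lookup and local declarations … */

	/* check that the zone is known */
	ret = b9_find_zone_dn(state, name, NULL, NULL);
	if (ret != ISC_R_SUCCESS) {
		return ret;
	}

	/*
	 * Fail closed: no list, an empty list, or a list without a
	 * matching entry all deny the transfer.
	 */
	ret = ISC_R_NOPERM;
	authorized_clients = lpcfg_dns_zone_transfer_clients(state->lp);
	for (i = 0; authorized_clients != NULL && authorized_clients[i] != NULL; i++) {
		if (strcmp(authorized_clients[i], client) == 0) {
			ret = ISC_R_SUCCESS;
			break;
		}
	}
	if (ret != ISC_R_SUCCESS) {
		state->log(ISC_LOG_WARNING,
			   "samba_dlz: zone transfer of %s denied to client %s",
			   name, client);
	}
	return ret;
```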
Signed-off-by: Julien ROPÉ --- .../domain/dnszonetransferclients.xml | 19 ++++++++++++ source4/dns_server/dlz_bind9.c | 29 +++++++++++++++++-- 2 files changed, 45 insertions(+), 3 deletions(-) create mode 100644 docs-xml/smbdotconf/domain/dnszonetransferclients.xml diff --git a/docs-xml/smbdotconf/domain/dnszonetransferclients.xml b/docs-xml/smbdotconf/domain/dnszonetransferclients.xml new file mode 100644 index 00000000000..6e069bc32bb --- /dev/null +++ b/docs-xml/smbdotconf/domain/dnszonetransferclients.xml @@ -0,0 +1,19 @@ + + + This option specifies the list IPs authorized to ask for dns zone + transfer. + + + The content is a comma-separated list of IP addresses. + + + Default is "none", meaning no transfer will be authorized. + + + +none +192.168.0.1 + diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c index 5f9a71dd741..ea851d0d23d 100644 --- a/source4/dns_server/dlz_bind9.c +++ b/source4/dns_server/dlz_bind9.c @@ -912,6 +912,7 @@ static isc_result_t dlz_lookup_types(struct dlz_bind9_data *state, return ISC_R_SUCCESS; } + /* lookup one record */ 
@@ -929,16 +930,38 @@ _PUBLIC_ isc_result_t dlz_lookup(const char *zone, const char *name, return dlz_lookup_types(state, zone, name, lookup, NULL); } - /* see if a zone transfer is allowed */ _PUBLIC_ isc_result_t dlz_allowzonexfr(void *dbdata, const char *name, const char *client) { - /* just say yes for all our zones for now */ struct dlz_bind9_data *state = talloc_get_type( dbdata, struct dlz_bind9_data); - return b9_find_zone_dn(state, name, NULL, NULL); + isc_result_t ret ; + const char **authorized_clients ; + unsigned int i ; + + /* check that the zone is known */ + ret = b9_find_zone_dn(state, name, NULL, NULL); + if (ret == ISC_R_SUCCESS) { + authorized_clients = lpcfg_dns_zone_transfer_clients(state->lp) ; + if (authorized_clients) { + state->log(ISC_LOG_INFO, "samba_dlz: checking if client is authorized for zone transfer") ; + + /* if the option is not set, default is to accept all transfers + if the option is set, default is to accept only the selected IPs */ + ret = ISC_R_NOPERM ; + for (i = 0; authorized_clients && authorized_clients[i] ; i++) { + state->log(ISC_LOG_INFO, "samba_dlz: comparing to %s", authorized_clients[i]) ; + if (strcmp(authorized_clients[i], client) == 0) { + state->log(ISC_LOG_INFO, "samba_dlz: accepting IP %s", client) ; + ret = ISC_R_SUCCESS ; + break ; + } + } + } + } + return ret ; } /*