svn commit: samba r20170 - in branches/SAMBA_3_0/source: libaddns utils

jerry at samba.org jerry at samba.org
Thu Dec 14 16:27:45 GMT 2006


Author: jerry
Date: 2006-12-14 16:27:45 +0000 (Thu, 14 Dec 2006)
New Revision: 20170

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=20170

Log:
Fix secure DNS updates to work against 
Windows 2000 DNS which expects the TKEY payload to 
be in the answer section and not in the additional
set of records (like Windows 2003 and the RFC).


Modified:
   branches/SAMBA_3_0/source/libaddns/dns.h
   branches/SAMBA_3_0/source/libaddns/dnsgss.c
   branches/SAMBA_3_0/source/libaddns/dnsrecord.c
   branches/SAMBA_3_0/source/utils/net_dns.c


Changeset:
Modified: branches/SAMBA_3_0/source/libaddns/dns.h
===================================================================
--- branches/SAMBA_3_0/source/libaddns/dns.h	2006-12-14 15:30:54 UTC (rev 20169)
+++ branches/SAMBA_3_0/source/libaddns/dns.h	2006-12-14 16:27:45 UTC (rev 20170)
@@ -280,6 +280,8 @@
 #endif
 
 
+enum dns_ServerType { DNS_SRV_ANY, DNS_SRV_WIN2000, DNS_SRV_WIN2003 };
+
 struct dns_domain_label {
 	struct dns_domain_label *next;
 	char *label;
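Review bot: The new `enum dns_ServerType` on the first added line of this hunk has no comment saying what the values select, and DNS_SRV_WIN2003 is never referenced in this commit — the else branch in dnsgss.c treats it exactly like DNS_SRV_ANY. A one-line comment above the enum would record the intent: `/* Where the TKEY RR is placed in the negotiation request: DNS_SRV_WIN2000 puts it in the answer section, DNS_SRV_ANY/DNS_SRV_WIN2003 in the additional section as Windows 2003 and the RFC expect */`. The same `srv_type` parameter is added to the dns_negotiate_sec_ctx prototype later in this file and to both functions in dnsgss.c without any documentation; a comment here covers all of them.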
@@ -405,9 +407,6 @@
 					const char *name,
 					const in_addr_t *ip,
 					struct dns_rrec **prec);
-DNS_ERROR dns_create_name_not_in_use_record(TALLOC_CTX *mem_ctx,
-					const char *name, uint32 type,
-					struct dns_rrec **prec);
 DNS_ERROR dns_create_delete_record(TALLOC_CTX *mem_ctx, const char *name,
 				   uint16 type, uint16 r_class,
 				   struct dns_rrec **prec);
@@ -484,7 +483,8 @@
 DNS_ERROR dns_negotiate_sec_ctx( const char *target_realm,
 				 const char *servername,
 				 const char *keyname,
-				 gss_ctx_id_t *gss_ctx );
+				 gss_ctx_id_t *gss_ctx,
+				 enum dns_ServerType srv_type );
 DNS_ERROR dns_sign_update(struct dns_update_request *req,
 			  gss_ctx_id_t gss_ctx,
 			  const char *keyname,
@@ -493,7 +493,8 @@
 DNS_ERROR dns_create_update_request(TALLOC_CTX *mem_ctx,
 				    const char *domainname,
 				    const char *hostname,
-				    in_addr_t ip_addr,
+				    const in_addr_t *ip_addr,
+				    size_t num_adds,
 				    struct dns_update_request **preq);
 
 #endif	/* HAVE_GSSAPI_SUPPORT */
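Review bot: The new count parameter is declared as `num_adds` in this prototype but the definition in dnsrecord.c names it `num_addrs`, so the header and the implementation disagree on what the argument means. Use the same name in both places, `size_t num_addrs,`, and note in a comment that `ip_addr` points to an array of that many addresses.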

Modified: branches/SAMBA_3_0/source/libaddns/dnsgss.c
===================================================================
--- branches/SAMBA_3_0/source/libaddns/dnsgss.c	2006-12-14 15:30:54 UTC (rev 20169)
+++ branches/SAMBA_3_0/source/libaddns/dnsgss.c	2006-12-14 16:27:45 UTC (rev 20170)
@@ -45,6 +45,7 @@
 	return ( 0 );
 }
 
+#if 0
 /*********************************************************************
 *********************************************************************/
 
@@ -76,12 +77,14 @@
 	display_status_1( msg, maj_stat, GSS_C_GSS_CODE );
 	display_status_1( msg, min_stat, GSS_C_MECH_CODE );
 }
+#endif
 
 static DNS_ERROR dns_negotiate_gss_ctx_int( TALLOC_CTX *mem_ctx,
 					    struct dns_connection *conn,
 					    const char *keyname,
 					    const gss_name_t target_name,
-					    gss_ctx_id_t *ctx )
+					    gss_ctx_id_t *ctx, 
+					    enum dns_ServerType srv_type )
 {
 	struct gss_buffer_desc_struct input_desc, *input_ptr, output_desc;
 	OM_uint32 major, minor;
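Review bot: The changed signature line `gss_ctx_id_t *ctx, ` carries a trailing space after the comma. Separately, the `#if 0` opened in the previous hunk and closed here fences off the display_status helpers rather than removing them; since Subversion keeps the history, deleting dead code is the usual preference over leaving it compiled out. If the helpers are meant to come back for debugging, a comment on the `#if 0` line saying so would help the next reader.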
@@ -123,11 +126,21 @@
 				req, keyname, "gss.microsoft.com", t,
 				t + 86400, DNS_TKEY_MODE_GSSAPI, 0,
 				output_desc.length, (uint8 *)output_desc.value,
-				&rec);
+				&rec );
 			if (!ERR_DNS_IS_OK(err)) goto error;
 
-			err = dns_add_rrec(req, rec, &req->num_additionals,
-					   &req->additionals);
+			/* Windows 2000 DNS is broken and requires the
+			   TKEY payload in the Answer section instead
+			   of the Additional seciton like Windows 2003 */
+
+			if ( srv_type == DNS_SRV_WIN2000 ) {
+				err = dns_add_rrec(req, rec, &req->num_answers,
+						   &req->answers);
+			} else {
+				err = dns_add_rrec(req, rec, &req->num_additionals,
+						   &req->additionals);
+			}
+			
 			if (!ERR_DNS_IS_OK(err)) goto error;
 
 			err = dns_marshall_request(req, req, &buf);
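Review bot: The new comment above the `srv_type` check misspells "section" as "seciton", and the blank line after the closing brace of the else branch carries trailing whitespace. Suggested wording: `/* Windows 2000 DNS requires the TKEY payload in the Answer section instead of the Additional section used by Windows 2003 and the RFC */`. The function body continues outside the hunk.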
@@ -163,6 +176,7 @@
 			 */
 			
 			if ((resp->num_additionals != 1) ||
+			    (resp->num_answers == 0) ||
 			    (resp->answers[0]->type != QTYPE_TKEY)) {
 				err = ERROR_DNS_INVALID_MESSAGE;
 				goto error;
@@ -194,7 +208,8 @@
 DNS_ERROR dns_negotiate_sec_ctx( const char *target_realm,
 				 const char *servername,
 				 const char *keyname,
-				 gss_ctx_id_t *gss_ctx )
+				 gss_ctx_id_t *gss_ctx,
+				 enum dns_ServerType srv_type )
 {
 	OM_uint32 major, minor;
 
@@ -250,12 +265,12 @@
 		goto error;
 	}
 
-	err = dns_negotiate_gss_ctx_int(mem_ctx, conn, keyname, targ_name,
-					gss_ctx);
+	err = dns_negotiate_gss_ctx_int(mem_ctx, conn, keyname, 
+					targ_name, gss_ctx, srv_type );
 
+	gss_release_name( &minor, &targ_name );
 	krb5_free_principal( krb_ctx, host_principal );
 	krb5_free_context( krb_ctx );
-	gss_release_name( &minor, &targ_name );
 
  error:
 	TALLOC_FREE(mem_ctx);
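Review bot: The releases this hunk reorders — gss_release_name, krb5_free_principal, krb5_free_context — run only on the fall-through path; the `goto error` visible at the top of the hunk jumps straight to `error:`, which frees only mem_ctx. The acquisitions happen above the hunk so I cannot see which of them precede that jump, but any of krb_ctx, host_principal or targ_name already held at that point leaks on the error path. Consider moving the three releases under the error label with NULL-guarded handles so every exit path frees them. The return status of gss_release_name is also discarded via `minor`; that is harmless but worth a comment.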

Modified: branches/SAMBA_3_0/source/libaddns/dnsrecord.c
===================================================================
--- branches/SAMBA_3_0/source/libaddns/dnsrecord.c	2006-12-14 15:30:54 UTC (rev 20169)
+++ branches/SAMBA_3_0/source/libaddns/dnsrecord.c	2006-12-14 16:27:45 UTC (rev 20170)
@@ -356,12 +356,14 @@
 DNS_ERROR dns_create_update_request(TALLOC_CTX *mem_ctx,
 				    const char *domainname,
 				    const char *hostname,
-				    in_addr_t ip_addr,
+				    const in_addr_t *ip_addr,
+				    size_t num_addrs,
 				    struct dns_update_request **preq)
 {
 	struct dns_update_request *req;
 	struct dns_rrec *rec;
 	DNS_ERROR err;
+	size_t i;	
 
 	err = dns_create_update(mem_ctx, domainname, &req);
 	if (!ERR_DNS_IS_OK(err)) return err;
@@ -389,14 +391,18 @@
 	if (!ERR_DNS_IS_OK(err)) goto error;
 
 	/*
-	 * .. and add our IP
+	 * .. and add our IPs
 	 */
 
-	err = dns_create_a_record(req, hostname, 3600, ip_addr, &rec);
-	if (!ERR_DNS_IS_OK(err)) goto error;
+	for ( i=0; i<num_addrs; i++ ) {		
+		err = dns_create_a_record(req, hostname, 3600, ip_addr[i], &rec);
+		if (!ERR_DNS_IS_OK(err)) 
+			goto error;
 
-	err = dns_add_rrec(req, rec, &req->num_updates, &req->updates);
-	if (!ERR_DNS_IS_OK(err)) goto error;
+		err = dns_add_rrec(req, rec, &req->num_updates, &req->updates);
+		if (!ERR_DNS_IS_OK(err)) 
+			goto error;
+	}	
 
 	*preq = req;
 	return ERROR_DNS_SUCCESS;
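Review bot: The new loop accepts `num_addrs == 0` (and a NULL `ip_addr` with a non-zero count), in which case the function returns ERROR_DNS_SUCCESS with a request that contains no A records; the part of the function above the hunk presumably adds the delete/prerequisite records, so such a request would remove the host's existing records without replacing them. Unless that is intended, reject it up front with `if (num_addrs == 0 || ip_addr == NULL) return <the library's invalid-parameter DNS_ERROR>;` before the loop and say so in a comment. The added lines `size_t i;` in the previous hunk, `for ( i=0; i<num_addrs; i++ ) {`, both `if (!ERR_DNS_IS_OK(err)) ` and the closing `}` carry trailing whitespace.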

Modified: branches/SAMBA_3_0/source/utils/net_dns.c
===================================================================
--- branches/SAMBA_3_0/source/utils/net_dns.c	2006-12-14 15:30:54 UTC (rev 20169)
+++ branches/SAMBA_3_0/source/utils/net_dns.c	2006-12-14 16:27:45 UTC (rev 20170)
@@ -118,9 +118,19 @@
 		}
 
 		err = dns_negotiate_sec_ctx( pszDomainName, pszServerName,
-					     keyname, &gss_context );
-		if (!ERR_DNS_IS_OK(err)) goto error;
+					     keyname, &gss_context, DNS_SRV_ANY );
 
+		/* retry using the Windows 2000 DNS hack */
+		if (!ERR_DNS_IS_OK(err)) {
+			err = dns_negotiate_sec_ctx( pszDomainName, pszServerName,
+						     keyname, &gss_context, 
+						     DNS_SRV_WIN2000 );
+		}
+		
+		if (!ERR_DNS_IS_OK(err))
+			goto error;
+		
+
 		err = dns_sign_update(req, gss_context, keyname,
 				      "gss.microsoft.com", time(NULL), 3600);
 


