[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Tue Apr 26 02:07:02 MDT 2011
The branch, master has been updated
via 0840d5b libcli/auth Allow parsing of a PAC that is already verified.
via ccb6294 s3-libads Remove KRB5_DNS_HACK
via c189547 libcli/dns Improve dns_hosts_file, using Samba3's struct dns_rr_srv
via 3a88d49 waf: introduce reverse logic for allowing unknown symbols
from 0ffc4c5 build: Invert --enable-s3build into --disable-s3build
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 0840d5bb8b84fd6221d64a1992708fd3a135e5b7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Apr 20 17:37:45 2011 +1000
libcli/auth Allow parsing of a PAC that is already verified.
By making the verification parameters optional, we can parse a PAC
that is already verified.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet at samba.org>
Autobuild-Date: Tue Apr 26 10:06:59 CEST 2011 on sn-devel-104
commit ccb62947e9e25e2a00ae2bb0ba411671ee4a00e7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Apr 26 11:41:26 2011 +1000
s3-libads Remove KRB5_DNS_HACK
We have winbindd write a custom krb5.conf or use a kdc locator plugin
to do this properly now.
Andrew Bartlett
commit c18954775e53a0f4dec4e36234dc45559055f96d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Apr 26 09:49:08 2011 +1000
libcli/dns Improve dns_hosts_file, using Samba3's struct dns_rr_srv
By reworking the 'fake DNS' file to use struct dns_rr_srv it should be
possible to emulate that resolver layer as well as the Samba4
sockaddr_storage* based layer. This will then give us a common DNS
emulation for 'make test'.
Andrew Bartlett
commit 3a88d49d12fe6c74dffe3e8d82235c71511cc07c
Author: Matthieu Patou <mat at matws.net>
Date: Sat Apr 16 01:15:51 2011 +0400
waf: introduce reverse logic for allowing unknown symbols
Some os (ie OSX 10.6) forbids by default unknown symbols so in order to
allow them (for special case) we have no to remove linker option *but*
to add options to ask the linker to be more relax.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
buildtools/wafsamba/samba_deps.py | 4 +
libcli/auth/kerberos_pac.c | 94 ++++++++-------
{source3/libads => libcli/dns}/dns.h | 64 ++++-------
libcli/{nbt => dns}/dns_hosts_file.c | 212 +++++++++++++++++++++++++--------
libcli/nbt/wscript_build | 4 +-
selftest/target/Samba3.pm | 4 +
source3/libads/dns.h | 37 +------
source3/libads/ldap.c | 12 --
wscript | 5 +
9 files changed, 247 insertions(+), 189 deletions(-)
copy {source3/libads => libcli/dns}/dns.h (50%)
rename libcli/{nbt => dns}/dns_hosts_file.c (58%)
Changeset truncated at 500 lines:
diff --git a/buildtools/wafsamba/samba_deps.py b/buildtools/wafsamba/samba_deps.py
index adeb364..0bd2c6c 100644
--- a/buildtools/wafsamba/samba_deps.py
+++ b/buildtools/wafsamba/samba_deps.py
@@ -89,6 +89,10 @@ def build_dependencies(self):
for f in self.env.undefined_ldflags:
self.ldflags.remove(f)
+ if getattr(self, 'allow_undefined_symbols', False) and self.env.undefined_ignore_ldflags:
+ for f in self.env.undefined_ignore_ldflags:
+ self.ldflags.append(f)
+
debug('deps: computed dependencies for target %s: uselib=%s uselib_local=%s add_objects=%s',
self.sname, self.uselib, self.uselib_local, self.add_objects)
diff --git a/libcli/auth/kerberos_pac.c b/libcli/auth/kerberos_pac.c
index 6a41eb1..79d51b2 100644
--- a/libcli/auth/kerberos_pac.c
+++ b/libcli/auth/kerberos_pac.c
@@ -279,61 +279,67 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
return status;
}
- /* verify by service_key */
- ret = check_pac_checksum(mem_ctx,
- modified_pac_blob, srv_sig_ptr,
- context,
- service_keyblock);
- if (ret) {
- DEBUG(1, ("PAC Decode: Failed to verify the service "
- "signature: %s\n", error_message(ret)));
- return NT_STATUS_ACCESS_DENIED;
- }
-
- if (krbtgt_keyblock) {
- /* verify the service key checksum by krbtgt_key */
+ if (service_keyblock) {
+ /* verify by service_key */
ret = check_pac_checksum(mem_ctx,
- srv_sig_ptr->signature, kdc_sig_ptr,
- context, krbtgt_keyblock);
+ modified_pac_blob, srv_sig_ptr,
+ context,
+ service_keyblock);
if (ret) {
- DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
- smb_get_krb5_error_message(context, ret, mem_ctx)));
+ DEBUG(1, ("PAC Decode: Failed to verify the service "
+ "signature: %s\n", error_message(ret)));
return NT_STATUS_ACCESS_DENIED;
}
- }
- /* Convert to NT time, so as not to loose accuracy in comparison */
- unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime);
-
- if (tgs_authtime_nttime != logon_name->logon_time) {
- DEBUG(2, ("PAC Decode: "
- "Logon time mismatch between ticket and PAC!\n"));
- DEBUG(2, ("PAC Decode: PAC: %s\n",
- nt_time_string(mem_ctx, logon_name->logon_time)));
- DEBUG(2, ("PAC Decode: Ticket: %s\n",
- nt_time_string(mem_ctx, tgs_authtime_nttime)));
- return NT_STATUS_ACCESS_DENIED;
+ if (krbtgt_keyblock) {
+ /* verify the service key checksum by krbtgt_key */
+ ret = check_pac_checksum(mem_ctx,
+ srv_sig_ptr->signature, kdc_sig_ptr,
+ context, krbtgt_keyblock);
+ if (ret) {
+ DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
}
- ret = smb_krb5_parse_name_norealm(context,
- logon_name->account_name,
- &client_principal_pac);
- if (ret) {
- DEBUG(2, ("Could not parse name from PAC: [%s]:%s\n",
- logon_name->account_name, error_message(ret)));
- return NT_STATUS_INVALID_PARAMETER;
+ if (tgs_authtime) {
+ /* Convert to NT time, so as not to loose accuracy in comparison */
+ unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime);
+
+ if (tgs_authtime_nttime != logon_name->logon_time) {
+ DEBUG(2, ("PAC Decode: "
+ "Logon time mismatch between ticket and PAC!\n"));
+ DEBUG(2, ("PAC Decode: PAC: %s\n",
+ nt_time_string(mem_ctx, logon_name->logon_time)));
+ DEBUG(2, ("PAC Decode: Ticket: %s\n",
+ nt_time_string(mem_ctx, tgs_authtime_nttime)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
}
- bool_ret = smb_krb5_principal_compare_any_realm(context,
- client_principal,
- client_principal_pac);
+ if (client_principal) {
+ ret = smb_krb5_parse_name_norealm(context,
+ logon_name->account_name,
+ &client_principal_pac);
+ if (ret) {
+ DEBUG(2, ("Could not parse name from PAC: [%s]:%s\n",
+ logon_name->account_name, error_message(ret)));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ bool_ret = smb_krb5_principal_compare_any_realm(context,
+ client_principal,
+ client_principal_pac);
- krb5_free_principal(context, client_principal_pac);
+ krb5_free_principal(context, client_principal_pac);
- if (!bool_ret) {
- DEBUG(2, ("Name in PAC [%s] does not match principal name "
- "in ticket\n", logon_name->account_name));
- return NT_STATUS_ACCESS_DENIED;
+ if (!bool_ret) {
+ DEBUG(2, ("Name in PAC [%s] does not match principal name "
+ "in ticket\n", logon_name->account_name));
+ return NT_STATUS_ACCESS_DENIED;
+ }
}
DEBUG(3,("Found account name from PAC: %s [%s]\n",
diff --git a/source3/libads/dns.h b/libcli/dns/dns.h
similarity index 50%
copy from source3/libads/dns.h
copy to libcli/dns/dns.h
index b747e97..01aa6c4 100644
--- a/source3/libads/dns.h
+++ b/libcli/dns/dns.h
@@ -2,6 +2,7 @@
* Unix SMB/CIFS implementation.
* Internal DNS query structures
* Copyright (C) Gerald Carter 2006.
+ * Copyright (C) Andrew Bartlett 2011
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -17,35 +18,32 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
-#ifndef _ADS_DNS_H
-#define _ADS_DNS_H
-
/* DNS query section in replies */
struct dns_query {
const char *hostname;
- uint16 type;
- uint16 in_class;
+ uint16_t type;
+ uint16_t in_class;
};
/* DNS RR record in reply */
struct dns_rr {
const char *hostname;
- uint16 type;
- uint16 in_class;
- uint32 ttl;
- uint16 rdatalen;
- uint8 *rdata;
+ uint16_t type;
+ uint16_t in_class;
+ uint32_t ttl;
+ uint16_t rdatalen;
+ uint8_t *rdata;
};
/* SRV records */
struct dns_rr_srv {
const char *hostname;
- uint16 priority;
- uint16 weight;
- uint16 port;
+ uint16_t priority;
+ uint16_t weight;
+ uint16_t port;
size_t num_ips;
struct sockaddr_storage *ss_s; /* support multi-homed hosts */
};
@@ -57,34 +55,14 @@ struct dns_rr_ns {
struct sockaddr_storage ss;
};
-/* The following definitions come from libads/dns.c */
+NTSTATUS resolve_dns_hosts_file_as_sockaddr(const char *dns_hosts_file,
+ const char *name, bool srv_lookup,
+ TALLOC_CTX *mem_ctx,
+ struct sockaddr_storage **return_iplist,
+ int *return_count);
-NTSTATUS ads_dns_lookup_ns(TALLOC_CTX *ctx,
- const char *dnsdomain,
- struct dns_rr_ns **nslist,
- int *numns);
-NTSTATUS ads_dns_query_dcs(TALLOC_CTX *ctx,
- const char *realm,
- const char *sitename,
- struct dns_rr_srv **dclist,
- int *numdcs );
-NTSTATUS ads_dns_query_gcs(TALLOC_CTX *ctx,
- const char *realm,
- const char *sitename,
- struct dns_rr_srv **dclist,
- int *numdcs );
-NTSTATUS ads_dns_query_kdcs(TALLOC_CTX *ctx,
- const char *dns_forest_name,
- const char *sitename,
- struct dns_rr_srv **dclist,
- int *numdcs );
-NTSTATUS ads_dns_query_pdc(TALLOC_CTX *ctx,
- const char *dns_domain_name,
- struct dns_rr_srv **dclist,
- int *numdcs );
-NTSTATUS ads_dns_query_dcs_guid(TALLOC_CTX *ctx,
- const char *dns_forest_name,
- const struct GUID *domain_guid,
- struct dns_rr_srv **dclist,
- int *numdcs );
-#endif /* _ADS_DNS_H */
+NTSTATUS resolve_dns_hosts_file_as_dns_rr(const char *dns_hosts_file,
+ const char *name, bool srv_lookup,
+ TALLOC_CTX *mem_ctx,
+ struct dns_rr_srv **return_rr,
+ int *return_count);
diff --git a/libcli/nbt/dns_hosts_file.c b/libcli/dns/dns_hosts_file.c
similarity index 58%
rename from libcli/nbt/dns_hosts_file.c
rename to libcli/dns/dns_hosts_file.c
index 8013936..94d1d97 100644
--- a/libcli/nbt/dns_hosts_file.c
+++ b/libcli/dns/dns_hosts_file.c
@@ -5,7 +5,7 @@
Copyright (C) Andrew Tridgell 1994-1998
Copyright (C) Jeremy Allison 2007
- Copyright (C) Andrew Bartlett 2009.
+ Copyright (C) Andrew Bartlett 2009-2011
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -29,6 +29,11 @@
#include "system/filesys.h"
#include "system/network.h"
#include "libcli/nbt/libnbt.h"
+#include "libcli/dns/dns.h"
+
+#ifdef strcasecmp
+#undef strcasecmp
+#endif
/********************************************************
Start parsing the dns_hosts_file file.
@@ -51,7 +56,7 @@ static XFILE *startdns_hosts_file(const char *fname)
*********************************************************/
static bool getdns_hosts_fileent(TALLOC_CTX *ctx, XFILE *fp, char **pp_name, char **pp_name_type,
- char **pp_next_name,
+ char **pp_next_name,
struct sockaddr_storage *pss, uint32_t *p_port)
{
char line[1024];
@@ -176,12 +181,12 @@ static void enddns_hosts_file(XFILE *fp)
Resolve via "dns_hosts" method.
*********************************************************/
-static NTSTATUS resolve_dns_hosts_file_as_sockaddr_recurse(const char *dns_hosts_file,
- const char *name, bool srv_lookup,
- int level, uint32_t port,
- TALLOC_CTX *mem_ctx,
- struct sockaddr_storage **return_iplist,
- int *return_count)
+static NTSTATUS resolve_dns_hosts_file_as_dns_rr_recurse(const char *dns_hosts_file,
+ const char *name, bool srv_lookup,
+ int level, uint32_t port,
+ TALLOC_CTX *mem_ctx,
+ struct dns_rr_srv **return_rr,
+ int *return_count)
{
/*
* "dns_hosts" means parse the local dns_hosts file.
@@ -196,18 +201,21 @@ static NTSTATUS resolve_dns_hosts_file_as_sockaddr_recurse(const char *dns_hosts
NTSTATUS status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
TALLOC_CTX *ctx = NULL;
TALLOC_CTX *ip_list_ctx = NULL;
+ struct dns_rr_srv *rr = NULL;
+
+ *return_rr = NULL;
/* Don't recurse forever, even on our own flat files */
if (level > 11) {
-
+ DEBUG(0, ("resolve_dns_hosts_file recursion limit reached looking up %s!\n", name));
+ return status;
}
- *return_iplist = NULL;
*return_count = 0;
- DEBUG(3,("resolve_dns_hosts: "
- "Attempting dns_hosts lookup for name %s\n",
- name));
+ DEBUG(3,("resolve_dns_hosts: (%d) "
+ "Attempting %s dns_hosts lookup for name %s\n",
+ level, srv_lookup ? "SRV" : "A", name));
fp = startdns_hosts_file(dns_hosts_file);
@@ -229,79 +237,179 @@ static NTSTATUS resolve_dns_hosts_file_as_sockaddr_recurse(const char *dns_hosts
while (getdns_hosts_fileent(ctx, fp, &host_name, &name_type, &next_name, &return_ss, &srv_port)) {
if (!strequal(name, host_name)) {
- TALLOC_FREE(ctx);
- ctx = talloc_new(mem_ctx);
- if (!ctx) {
- enddns_hosts_file(fp);
- return NT_STATUS_NO_MEMORY;
- }
-
- continue;
- }
-
- if (srv_lookup) {
+ /* continue at the bottom of the loop */
+ } else if (srv_lookup) {
if (strcasecmp(name_type, "SRV") == 0) {
+ NTSTATUS status_recurse;
+ struct dns_rr_srv *tmp_rr;
+ int tmp_count = 0;
/* we only accept one host name per SRV entry */
- enddns_hosts_file(fp);
- status = resolve_dns_hosts_file_as_sockaddr_recurse(dns_hosts_file, next_name,
- false,
- level + 1, srv_port,
- mem_ctx, return_iplist,
- return_count);
- talloc_free(ip_list_ctx);
- return status;
- } else {
- continue;
+ status_recurse
+ = resolve_dns_hosts_file_as_dns_rr_recurse(dns_hosts_file, next_name,
+ false,
+ level + 1, srv_port,
+ ip_list_ctx, &tmp_rr,
+ &tmp_count);
+ if (NT_STATUS_EQUAL(status_recurse, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ /* Don't fail on a dangling SRV record */
+ } else if (!NT_STATUS_IS_OK(status_recurse)) {
+ enddns_hosts_file(fp);
+ talloc_free(ip_list_ctx);
+ return status_recurse;
+ } else if (tmp_count != 1) {
+ status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ } else {
+ status = status_recurse;
+ rr = talloc_realloc(ip_list_ctx, rr, struct dns_rr_srv, (*return_count) + 1);
+ if (!rr) {
+ enddns_hosts_file(fp);
+ return NT_STATUS_NO_MEMORY;
+ }
+ talloc_steal(rr, tmp_rr);
+ rr[*return_count] = *tmp_rr;
+ *return_count = (*return_count) + 1;
+ }
}
} else if (strcasecmp(name_type, "CNAME") == 0) {
/* we only accept one host name per CNAME */
enddns_hosts_file(fp);
- status = resolve_dns_hosts_file_as_sockaddr_recurse(dns_hosts_file, next_name, false,
- level + 1, port,
- mem_ctx, return_iplist, return_count);
+ status = resolve_dns_hosts_file_as_dns_rr_recurse(dns_hosts_file, next_name, false,
+ level + 1, port,
+ mem_ctx, return_rr, return_count);
talloc_free(ip_list_ctx);
return status;
} else if (strcasecmp(name_type, "A") == 0) {
+ if (*return_count == 0) {
+ /* We are happy to keep looking for other possible A record matches */
+ rr = talloc_zero(ip_list_ctx,
+ struct dns_rr_srv);
+
+ if (rr == NULL) {
+ TALLOC_FREE(ctx);
+ enddns_hosts_file(fp);
+ DEBUG(3,("resolve_dns_hosts: talloc_realloc fail !\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ rr->hostname = talloc_strdup(rr, host_name);
+
+ if (rr->hostname == NULL) {
+ TALLOC_FREE(ctx);
+ enddns_hosts_file(fp);
+ DEBUG(3,("resolve_dns_hosts: talloc_realloc fail !\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+ rr->port = port;
+
+ *return_count = 1;
+ }
+
/* Set the specified port (possibly from a SRV lookup) into the structure we return */
set_sockaddr_port((struct sockaddr *)&return_ss, port);
/* We are happy to keep looking for other possible A record matches */
- *return_iplist = talloc_realloc(ip_list_ctx, (*return_iplist),
- struct sockaddr_storage,
- (*return_count)+1);
+ rr->ss_s = talloc_realloc(rr, rr->ss_s,
+ struct sockaddr_storage,
+ rr->num_ips + 1);
- if ((*return_iplist) == NULL) {
+ if (rr->ss_s == NULL) {
TALLOC_FREE(ctx);
enddns_hosts_file(fp);
DEBUG(3,("resolve_dns_hosts: talloc_realloc fail !\n"));
return NT_STATUS_NO_MEMORY;
}
-
- (*return_iplist)[*return_count] = return_ss;
- *return_count += 1;
-
+
+ rr->ss_s[rr->num_ips] = return_ss;
+ rr->num_ips += 1;
+
/* we found something */
status = NT_STATUS_OK;
}
+
+ TALLOC_FREE(ctx);
+ ctx = talloc_new(mem_ctx);
+ if (!ctx) {
+ enddns_hosts_file(fp);
+ return NT_STATUS_NO_MEMORY;
+ }
}
- talloc_steal(mem_ctx, *return_iplist);
+ *return_rr = talloc_steal(mem_ctx, rr);
TALLOC_FREE(ip_list_ctx);
enddns_hosts_file(fp);
return status;
}
/********************************************************
- Resolve via "dns_hosts" method.
+ Resolve via "dns_hosts_file" method, returning a list of sockaddr_storage values
*********************************************************/
-NTSTATUS resolve_dns_hosts_file_as_sockaddr(const char *dns_hosts_file,
+NTSTATUS resolve_dns_hosts_file_as_sockaddr(const char *dns_hosts_file,
const char *name, bool srv_lookup,
- TALLOC_CTX *mem_ctx,
+ TALLOC_CTX *mem_ctx,
struct sockaddr_storage **return_iplist,
int *return_count)
{
- return resolve_dns_hosts_file_as_sockaddr_recurse(dns_hosts_file, name, srv_lookup,
- 0, 0,
- mem_ctx, return_iplist, return_count);
+ NTSTATUS status;
+ struct dns_rr_srv *dns_rr = NULL;
+ int i, j, rr_count = 0;
+
+ *return_iplist = NULL;
+ *return_count = 0;
+
+ status = resolve_dns_hosts_file_as_dns_rr_recurse(dns_hosts_file, name, srv_lookup,
+ 0, 0,
+ mem_ctx, &dns_rr, &rr_count);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3,("resolve_dns_hosts (sockaddr): "
+ "failed to obtain %s result records for for name %s: %s\n",
+ srv_lookup ? "SRV" : "A", name, nt_errstr(status)));
+ return status;
+ }
+
+ for (i=0; i < rr_count; i++) {
+ *return_iplist = talloc_realloc(mem_ctx, *return_iplist, struct sockaddr_storage, *return_count + dns_rr[i].num_ips);
+ if (!*return_iplist) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ for (j=0; j < dns_rr[i].num_ips; j++) {
+ (*return_iplist)[*return_count] = dns_rr[i].ss_s[j];
--
Samba Shared Repository
More information about the samba-cvs
mailing list