[SCM] Samba Shared Repository - branch master updated

Matthieu Patou mat at samba.org
Fri Oct 21 16:04:55 MDT 2011


The branch, master has been updated
       via  950f121 s4-cldap: fix cldap_socket_init to always specify the dest if local is NULL
       via  4d2d33e libcli-cldap: avoid the case local == remote == NULL
       via  66530e9 libcli/cldap: make sure the local and remote address family matches
       via  e38d97e s4-resolv: fix resolution of SRV records pointing to A and AAAA records
      from  6bd49ea Deprecate "acl check permissions".

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 950f1218b3b5b85d95190083985632a4e1046f10
Author: Matthieu Patou <mat at matws.net>
Date:   Fri Oct 21 20:09:37 2011 +0200

    s4-cldap: fix cldap_socket_init to always specify the dest if local is NULL
    
    Autobuild-User: Matthieu Patou <mat at samba.org>
    Autobuild-Date: Sat Oct 22 00:02:00 CEST 2011 on sn-devel-104

commit 4d2d33ee09941ddb211e21788c01d886730224c2
Author: Matthieu Patou <mat at matws.net>
Date:   Fri Oct 21 16:11:41 2011 +0200

    libcli-cldap: avoid the case local == remote == NULL

commit 66530e91498cfa77a9d2e3a031f8a2e1c5ee6804
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 21 09:49:30 2011 +0200

    libcli/cldap: make sure the local and remote address family matches
    
    metze
    
    Signed-off-by: Matthieu Patou <mat at matws.net>

commit e38d97e0424f7e5b21c8b7ac0b1f1bac33f19d69
Author: Matthieu Patou <mat at matws.net>
Date:   Fri Oct 21 16:05:53 2011 +0200

    s4-resolv: fix resolution of SRV records pointing to A and AAAA records

-----------------------------------------------------------------------

Summary of changes:
 libcli/cldap/cldap.c            |   34 +++-
 source4/libcli/finddcs_cldap.c  |   35 ++--
 source4/libcli/resolve/dns_ex.c |  399 +++++++++++++++++++++++----------------
 3 files changed, 285 insertions(+), 183 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/cldap/cldap.c b/libcli/cldap/cldap.c
index 219b343..b7df9d2 100644
--- a/libcli/cldap/cldap.c
+++ b/libcli/cldap/cldap.c
@@ -312,6 +312,27 @@ NTSTATUS cldap_socket_init(TALLOC_CTX *mem_ctx,
 	struct tsocket_address *any = NULL;
 	NTSTATUS status;
 	int ret;
+	const char *fam = NULL;
+
+	if (local_addr == NULL && remote_addr == NULL) {
+		return NT_STATUS_INVALID_PARAMETER_MIX;
+	}
+
+	if (remote_addr) {
+		bool is_ipv4;
+		bool is_ipv6;
+
+		is_ipv4 = tsocket_address_is_inet(remote_addr, "ipv4");
+		is_ipv6 = tsocket_address_is_inet(remote_addr, "ipv6");
+
+		if (is_ipv4) {
+			fam = "ipv4";
+		} else if (is_ipv6) {
+			fam = "ipv6";
+		} else {
+			return NT_STATUS_INVALID_ADDRESS;
+		}
+	}
 
 	c = talloc_zero(mem_ctx, struct cldap_socket);
 	if (!c) {
@@ -319,11 +340,14 @@ NTSTATUS cldap_socket_init(TALLOC_CTX *mem_ctx,
 	}
 
 	if (!local_addr) {
-		/* we use ipv4 here instead of ip, as otherwise we end
-		   up with a PF_INET6 socket, and sendto() for ipv4
-		   addresses will fail. That breaks cldap name
-		   resolution for winbind to IPv4 hosts. */
-		ret = tsocket_address_inet_from_strings(c, "ipv4",
+		/*
+		 * Here we know the address family of the remote address.
+		 */
+		if (fam == NULL) {
+			return NT_STATUS_INVALID_PARAMETER_MIX;
+		}
+
+		ret = tsocket_address_inet_from_strings(c, fam,
 							NULL, 0,
 							&any);
 		if (ret != 0) {
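Review bot: The `fam == NULL` test added before the `tsocket_address_inet_from_strings` call cannot fire: the earlier check already rejects the case where both addresses are NULL, so `local_addr == NULL` implies a remote address and therefore a set `fam` or an earlier return. If it is kept as a defensive guard it returns after `c` has been allocated on mem_ctx, so it should `talloc_free(c);` first; otherwise it can be dropped. The removed comment was the only record of why a concrete family is used instead of "ip"; I would keep that reason alongside the new comment, e.g. `/* a concrete family is needed: an "ip" socket may be PF_INET6 and sendto() to IPv4 addresses then fails */`. The rest of cldap_socket_init is outside the hunk.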
diff --git a/source4/libcli/finddcs_cldap.c b/source4/libcli/finddcs_cldap.c
index 0643135..6df15a9 100644
--- a/source4/libcli/finddcs_cldap.c
+++ b/source4/libcli/finddcs_cldap.c
@@ -27,6 +27,7 @@
 #include "libcli/finddc.h"
 #include "libcli/security/security.h"
 #include "lib/util/tevent_ntstatus.h"
+#include "lib/tsocket/tsocket.h"
 #include "libcli/composite/composite.h"
 
 struct finddcs_cldap_state {
@@ -131,10 +132,6 @@ static bool finddcs_cldap_ipaddress(struct finddcs_cldap_state *state, struct fi
 	}
 	state->srv_addresses[1] = NULL;
 	state->srv_address_index = 0;
-	status = cldap_socket_init(state, NULL, NULL, &state->cldap);
-	if (tevent_req_nterror(state->req, status)) {
-		return false;
-	}
 
 	finddcs_cldap_next_server(state);
 	return tevent_req_is_nterror(state->req, &status);
@@ -201,6 +198,9 @@ static bool finddcs_cldap_nbt_lookup(struct finddcs_cldap_state *state,
 static void finddcs_cldap_next_server(struct finddcs_cldap_state *state)
 {
 	struct tevent_req *subreq;
+	struct tsocket_address *dest;
+	int ret;
+	NTSTATUS status;
 
 	if (state->srv_addresses[state->srv_address_index] == NULL) {
 		tevent_req_nterror(state->req, NT_STATUS_OBJECT_NAME_NOT_FOUND);
@@ -208,14 +208,25 @@ static void finddcs_cldap_next_server(struct finddcs_cldap_state *state)
 		return;
 	}
 
+	/* we should get the port from the SRV response */
+	ret = tsocket_address_inet_from_strings(state, "ip",
+						state->srv_addresses[state->srv_address_index],
+						389,
+						&dest);
+	if (tevent_req_error(state->req, ret)) {
+		return;
+	}
+
+	status = cldap_socket_init(state, NULL, dest, &state->cldap);
+	if (tevent_req_nterror(state->req, status)) {
+		return;
+	}
+
 	state->netlogon = talloc_zero(state, struct cldap_netlogon);
 	if (tevent_req_nomem(state->netlogon, state->req)) {
 		return;
 	}
 
-	state->netlogon->in.dest_address = state->srv_addresses[state->srv_address_index];
-	/* we should get the port from the SRV response */
-	state->netlogon->in.dest_port = 389;
 	if (strchr(state->domain_name, '.')) {
 		state->netlogon->in.realm = state->domain_name;
 	}
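Review bot: `tevent_req_error(state->req, ret)` stores the raw -1 returned by tsocket_address_inet_from_strings as the request's error, while every other failure in this request is reported as an NTSTATUS (`tevent_req_nterror` a few lines below, `tevent_req_is_nterror` in finddcs_cldap_ipaddress), so a caller reading the result as NTSTATUS gets a meaningless value and errno is lost. I would convert it: `if (ret != 0) { tevent_req_nterror(state->req, map_nt_error_from_unix(errno)); return; }`. Since finddcs_cldap_next_server now runs once per candidate server, `state->cldap` and `dest` are re-created on `state` on every attempt; if cldap_socket_init allocates on its mem_ctx as the cldap.c hunk suggests, the previous socket stays alive until state is freed, so a `TALLOC_FREE(state->cldap);` before the call looks warranted — worth confirming against the retry path, which is outside this hunk.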
@@ -307,11 +318,6 @@ static void finddcs_cldap_name_resolved(struct composite_context *ctx)
 
 	state->srv_address_index = 0;
 
-	status = cldap_socket_init(state, NULL, NULL, &state->cldap);
-	if (tevent_req_nterror(state->req, status)) {
-		return;
-	}
-
 	finddcs_cldap_next_server(state);
 }
 
@@ -338,11 +344,6 @@ static void finddcs_cldap_srv_resolved(struct composite_context *ctx)
 
 	state->srv_address_index = 0;
 
-	status = cldap_socket_init(state, NULL, NULL, &state->cldap);
-	if (tevent_req_nterror(state->req, status)) {
-		return;
-	}
-
 	finddcs_cldap_next_server(state);
 }
 
diff --git a/source4/libcli/resolve/dns_ex.c b/source4/libcli/resolve/dns_ex.c
index 8f21b7f..60e9afd 100644
--- a/source4/libcli/resolve/dns_ex.c
+++ b/source4/libcli/resolve/dns_ex.c
@@ -5,6 +5,7 @@
 
    Copyright (C) Andrew Tridgell 2005
    Copyright (C) Stefan Metzmacher 2008
+   Copyright (C) Matthieu Patou 2011
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -76,68 +77,153 @@ static int dns_ex_destructor(struct dns_ex_state *state)
 	return 0;
 }
 
-/*
-  the blocking child
-*/
-static void run_child_dns_lookup(struct dns_ex_state *state, int fd)
+static uint32_t count_dns_rr(struct rk_resource_record *head, unsigned record_type)
 {
-	struct rk_dns_reply *reply;
-	struct rk_resource_record *rr;
 	uint32_t count = 0;
-	uint32_t srv_valid = 0;
-	struct rk_resource_record **srv_rr;
-	uint32_t addrs_valid = 0;
-	struct rk_resource_record **addrs_rr;
-	struct rk_dns_reply **srv_replies = NULL;
-	char *addrs;
-	bool first;
-	uint32_t i;
-	bool do_srv = (state->flags & RESOLVE_NAME_FLAG_DNS_SRV);
+	struct rk_resource_record *rr;
 
-	if (strchr(state->name.name, '.') && state->name.name[strlen(state->name.name)-1] != '.') {
-		/* we are asking for a fully qualified name, but the
-		   name doesn't end in a '.'. We need to prevent the
-		   DNS library trying the search domains configured in
-		   resolv.conf */
-		state->name.name = talloc_strdup_append(discard_const_p(char, state->name.name),
-							".");
+	for (rr=head; rr; rr=rr->next) {
+
+		/* we are only interested in the IN class */
+		if (rr->class != rk_ns_c_in) {
+			continue;
+		}
+
+		/* we are only interested by requested record */
+		if (rr->type != record_type) {
+			continue;
+		}
+
+		switch(record_type) {
+			case rk_ns_t_srv:
+
+				/* verify we actually have a SRV record here */
+				if (!rr->u.srv) {
+					continue;
+				}
+
+				/* Verify we got a port */
+				if (rr->u.srv->port == 0) {
+					continue;
+				}
+				count++;
+				break;
+			case rk_ns_t_a:
+			case rk_ns_t_aaaa:
+				/* verify we actually have a record here */
+				if (!rr->u.data) {
+					continue;
+				}
+				count++;
+				break;
+			default:
+				count++;
+				break;
+		}
+	}
+
+	return count;
+}
+
+struct dns_records_container {
+	char **list;
+	uint32_t count;
+};
+
+static char* rr_to_string(TALLOC_CTX *mem_ctx,
+					struct rk_resource_record *rr,
+					uint16_t port)
+{
+	char addrstr[INET6_ADDRSTRLEN];
+	char *addr;
+
+	switch (rr->type) {
+		case rk_ns_t_a:
+			if (inet_ntop(AF_INET, rr->u.a,
+				      addrstr, sizeof(addrstr)) == NULL) {
+				return NULL;
+			}
+			break;
+#ifdef HAVE_IPV6
+		case rk_ns_t_aaaa:
+			if (inet_ntop(AF_INET6, (struct in6_addr *)rr->u.data,
+				      addrstr, sizeof(addrstr)) == NULL) {
+				return NULL;
+			}
+			break;
+#endif
+		default:
+			return NULL;
 	}
 
+	addr = talloc_asprintf(mem_ctx, "%s@%u/%s", addrstr,
+					 port, rr->domain);
+
+	return addr;
+}
+
+static struct dns_records_container get_a_aaaa_records(TALLOC_CTX *mem_ctx,
+							const char* name,
+							int port)
+{
+	struct rk_dns_reply *reply, *reply2, *rep, *tmp[3];
+	struct rk_resource_record *rr;
+	struct dns_records_container ret;
+	char **addrs = NULL;
+	uint32_t count, count2, total;
+	uint32_t i;
+
+	memset(&ret, 0, sizeof(struct dns_records_container));
 	/* this is the blocking call we are going to lots of trouble
-	   to avoid in the parent */
-	reply = rk_dns_lookup(state->name.name, do_srv?"SRV":"A");
+	   to avoid them in the parent */
+	reply = rk_dns_lookup(name, "AAAA");
+
 	if (!reply) {
-		goto done;
+		return ret;
 	}
 
-	if (do_srv) {
-		rk_dns_srv_order(reply);
-	}
+	count = count_dns_rr(reply->head, rk_ns_t_aaaa);
+	count2 = count_dns_rr(reply->head, rk_ns_t_a);
 
-	/* Loop over all returned records and pick the "srv" records */
-	for (rr=reply->head; rr; rr=rr->next) {
-		/* we are only interested in the IN class */
-		if (rr->class != rk_ns_c_in) {
-			continue;
+	if (!count2) {
+		/*
+		 * DNS server didn't returned A when asked for AAAA records.
+		 * Most of the server do it, let's ask for A specificaly.
+		 */
+		reply2 = rk_dns_lookup(name, "A");
+
+		if (!reply2) {
+			return ret;
 		}
 
-		if (do_srv) {
-			/* we are only interested in SRV records */
-			if (rr->type != rk_ns_t_srv) {
-				continue;
-			}
+		count2 = count_dns_rr(reply2->head, rk_ns_t_a);
+	} else {
+		reply2 = NULL;
+	}
 
-			/* verify we actually have a SRV record here */
-			if (!rr->u.srv) {
-				continue;
-			}
+	count += count2;
 
-			/* Verify we got a port */
-			if (rr->u.srv->port == 0) {
+	if (count == 0) {
+		goto done;
+	}
+
+	addrs = talloc_zero_array(mem_ctx, char*, count);
+	total = 0;
+
+	tmp[0] = reply;
+	tmp[1] = reply2;
+	tmp[2] = NULL;
+
+	/* Loop over all returned records and pick the records */
+	for (i=0; tmp[i] != NULL; i++) {
+		rep = tmp[i];
+		for (rr=rep->head; rr; rr=rr->next) {
+			/* we are only interested in the IN class */
+			if (rr->class != rk_ns_c_in) {
 				continue;
 			}
-		} else {
-			/* we are only interested in A or AAAA records */
+
+			/* we are only interested in A and AAAA records */
 			if (rr->type != rk_ns_t_a && rr->type != rk_ns_t_aaaa) {
 				continue;
 			}
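Review bot: get_a_aaaa_records can overrun `addrs`: when the AAAA reply carried no A records, `count2` is taken from the separate A-query reply but counts only its A records (`count_dns_rr(reply2->head, rk_ns_t_a)`), while the fill loop accepts both A and AAAA records from every reply in `tmp`, so any AAAA record present in reply2 makes `total` exceed the `count` passed to `talloc_zero_array`. Counting both types for that reply, e.g. `count2 = count_dns_rr(reply2->head, rk_ns_t_a) + count_dns_rr(reply2->head, rk_ns_t_aaaa);`, keeps the sizes consistent; the first reply is unaffected because its A and AAAA records are both counted. The `talloc_zero_array` result is also used unchecked; add `if (addrs == NULL) { goto done; }` after it. The function's body, including the loop that writes `addrs[total]`, continues past the end of this hunk.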
@@ -146,105 +232,138 @@ static void run_child_dns_lookup(struct dns_ex_state *state, int fd)
 			if (!rr->u.data) {
 				continue;
 			}
+			rr_to_string(mem_ctx, rr, port);
+			addrs[total] = rr_to_string(mem_ctx, rr, port);
+			if (addrs[total]) {
+				total++;
+			}
 		}
-		count++;
 	}
-
-	if (count == 0) {
-		goto done;
+	if (total) {
+		ret.count = total;
+		ret.list = addrs;
 	}
 
-	srv_rr = talloc_zero_array(state,
-				   struct rk_resource_record *,
-				   count);
-	if (!srv_rr) {
-		goto done;
-	}
+done:
+	if (reply != NULL)
+		rk_dns_free_data(reply);
 
-	addrs_rr = talloc_zero_array(state,
-				     struct rk_resource_record *,
-				     count);
-	if (!addrs_rr) {
-		goto done;
+	if (reply2 != NULL)
+		rk_dns_free_data(reply2);
+
+	return ret;
+}
+
+static struct dns_records_container get_srv_records(TALLOC_CTX *mem_ctx,
+							const char* name)
+{
+	struct rk_dns_reply *reply;
+	struct rk_resource_record *rr;
+	struct dns_records_container ret;
+	char **addrs = NULL;
+	uint32_t count, total;
+
+	memset(&ret, 0, sizeof(struct dns_records_container));
+	/* this is the blocking call we are going to lots of trouble
+	   to avoid them in the parent */
+	reply = rk_dns_lookup(name, "SRV");
+
+	if (!reply) {
+		return ret;
 	}
 
-	srv_replies = talloc_zero_array(state,
-					struct rk_dns_reply *,
-				     	count);
-	if (!srv_replies) {
+	rk_dns_srv_order(reply);
+	count = count_dns_rr(reply->head, rk_ns_t_srv);
+
+	total = 0;
+	if (count == 0) {
 		goto done;
 	}
 
 	/* Loop over all returned records and pick the records */
-	for (rr=reply->head;rr;rr=rr->next) {
+	for (rr=reply->head; rr; rr=rr->next) {
+		struct dns_records_container c;
+		char* tmp_str;
 		/* we are only interested in the IN class */
 		if (rr->class != rk_ns_c_in) {
 			continue;
 		}
 
-		if (do_srv) {
-			/* we are only interested in SRV records */
-			if (rr->type != rk_ns_t_srv) {
-				continue;
-			}
+		/* we are only interested in SRV records */
+		if (rr->type != rk_ns_t_srv) {
+			continue;
+		}
 
-			/* verify we actually have a srv record here */
-			if (!rr->u.srv) {
-				continue;
-			}
+		/* verify we actually have a srv record here */
+		if (!rr->u.srv) {
+			continue;
+		}
 
-			/* Verify we got a port */
-			if (rr->u.srv->port == 0) {
-				continue;
-			}
+		/* Verify we got a port */
+		if (rr->u.srv->port == 0) {
+			continue;
+		}
+
+		tmp_str = rr->u.srv->target;
+		if (strchr(tmp_str, '.') && tmp_str[strlen(tmp_str)-1] != '.') {
+			/* we are asking for a fully qualified name, but the
+			name doesn't end in a '.'. We need to prevent the
+			DNS library trying the search domains configured in
+			resolv.conf */
+			tmp_str = talloc_asprintf(mem_ctx, "%s.", tmp_str);
+		}
 
-			srv_rr[srv_valid] = rr;
-			srv_valid++;
+		c = get_a_aaaa_records(mem_ctx, tmp_str, rr->u.srv->port);
+		total += c.count;
+		if (addrs == NULL) {
+			addrs = c.list;
 		} else {
-			/* we are only interested in A or AAAA records */
-			if (rr->type != rk_ns_t_a && rr->type != rk_ns_t_aaaa) {
-				continue;
-			}
+			unsigned j;
 
-			/* verify we actually have a record record here */
-			if (!rr->u.data) {
-				continue;
+			addrs = talloc_realloc(mem_ctx, addrs, char*, total);
+			for (j=0; j < c.count; j++) {
+				addrs[total - j] = talloc_steal(addrs, c.list[j]);
 			}
-
-			addrs_rr[addrs_valid] = rr;
-			addrs_valid++;
 		}
 	}
 
-	for (i=0; i < srv_valid; i++) {
-		srv_replies[i] = rk_dns_lookup(srv_rr[i]->u.srv->target, "A");
-		if (srv_replies[i] == NULL)
-			continue;
+	if (total) {
+		ret.count = total;

