[SCM] Samba Shared Repository - branch master updated

Alexander Bokovoy ab at samba.org
Wed May 23 10:47:02 MDT 2012


The branch, master has been updated
       via  dcfb34f blackbox: fix samba4.blackbox.kinit test
       via  2b14453 gse: Use the smb_gss_oid_equal wrapper.
       via  0a6e568 krb5samba: Add smb_gss_oid_equal wrapper.
       via  c1444c3 s3-autoconf: fix typo after migrating DNS resolver code to lib/addns
       via  77a6c81 wafsamba: ensure TO_LIST does not fail with empty string
       via  744f991 libcli/dns: make 'clidns' private library out of DNS code in WAF build
       via  2ddf89a Introduce system MIT krb5 build with --with-system-mitkrb5 option. System MIT krb5 build also enabled by specifying --without-ad-dc
       via  2fc96e6 s4: samba-tool is usable without export-keytab command, make sure it does not break
       via  ec989e7 auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials
       via  2d9a0d8 s3-passdb: add unixid_from_uid/unixid_from_gid/unixid_from_both API
       via  f32d437 dns: fix comments and make s4/libcli/resolve dns resolver working
       via  1feb312 lib/krb5_wrap: implement krb5_cc_get_lifetime for MIT Kerberos
       via  ad945bc gensec_gssapi: Make it possible to build with MIT krb5
       via  302abe6 auth and s4-rpc_server: Do not use features we currently can't implement with MIT Kerberos build
       via  c54fe86 s4-resolve: Remove dependency on libroken
       via  a8ee6f2 addns: Make ads_dns_lookup_srv public
       via  34a6573 Move source3/libads/dns.c to lib/addns
       via  cc3321c s3-ads-dns: Avoid unnecessary dependencies
       via  a7e94fc s3-ads-dns: Break dependency on lp_parm
       via  4a335e9 s3-ad-dns: Use more standard uint and booleans defs
       via  9c5aa0b addns: Fix talloc hierarchy
      from  37866df s3:smbd: use reply_force_doserror(req, ERRSRV, ERRbaduid) on SMBulogoff

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit dcfb34fbb4b7484bdaa70fbe9ae9fd84738ab469
Author: Alexander Bokovoy <ab at samba.org>
Date:   Wed May 23 17:34:24 2012 +0300

    blackbox: fix samba4.blackbox.kinit test
    
    This deserves some explanation.
    
    With commit 518232d4578d700f5f5ea1609275a6cd1de3a1e7 samba4.blackbox.kinit test set
    was wrapped with password settings reset before and after the tests with an idea to
    maintain reliable state for the tests. As result, the resetting of the password
    settings was done after the test that tried to use smbclient with a Kerberos ticket
    obtained with machine account credentials.
    
    However, the code in credentials_krb5.c, function cli_credentials_get_client_gss_creds(),
    never worked correctly when credentials were already in ccache. Instead, gensec_gssapi module
    always re-kinited even if existing credentials were available in the ccache. This had an effect
    on 'samba4.blackbox.kinit(dc:local).reset password policies(dc:local)' test equal to
    never having initialized ccache at all, as if 'rm -f $KRB5CCNAME' was run before the test.
    
    When the issue of not using already initialized credentials from ccache was fixed with
    d0aae88f1290e6a7a6d4bfc24aa62795e4892a31 'auth-credentials: Support using pre-fetched ccache
    when obtaining kerberos credentials' commit, Samba 4 credentials library started to correctly
    re-use already obtained credentials from ccaches. This caused failure of the test
    'samba4.blackbox.kinit(dc:local).reset password policies(dc:local)' because machine account
    has no permissions to modify password settings.
    
    Thus, the correct fix is to reset ccache state before performing the test.
    
    Autobuild-User: Alexander Bokovoy <ab at samba.org>
    Autobuild-Date: Wed May 23 18:46:12 CEST 2012 on sn-devel-104

commit 2b144531f1a760514f217012e9dab01359b7a0d7
Author: Andreas Schneider <asn at samba.org>
Date:   Mon May 21 18:25:28 2012 +0200

    gse: Use the smb_gss_oid_equal wrapper.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 0a6e568344adb66e5f20ce61f106d791886fcb35
Author: Andreas Schneider <asn at samba.org>
Date:   Mon May 21 18:24:31 2012 +0200

    krb5samba: Add smb_gss_oid_equal wrapper.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit c1444c3839573793c24244da8572e6c8468c927f
Author: Alexander Bokovoy <ab at samba.org>
Date:   Tue May 22 13:52:48 2012 +0300

    s3-autoconf: fix typo after migrating DNS resolver code to lib/addns

commit 77a6c8134763dc0b50ad33e1b4419441220c47a9
Author: Alexander Bokovoy <ab at samba.org>
Date:   Mon May 21 18:38:56 2012 +0300

    wafsamba: ensure TO_LIST does not fail with empty string

commit 744f9910c81cee13228165db4e46200c41c69221
Author: Alexander Bokovoy <ab at samba.org>
Date:   Mon May 21 17:54:13 2012 +0300

    libcli/dns: make 'clidns' private library out of DNS code in WAF build
    
    After consolidating DNS resolver code to lib/addns, there is one piece
    that still needs to be moved into a common DNS resolver library: DNS_HOSTS_FILE
    subsystem. Unfortunately, direct move would require lib/addns to depend on
    libcli/util/{ntstatus.h,werror.h} (provided by errors subsystem).
    
    In addition, moving libcli/dns/* code to lib/addns/ would make conflicting
    the dns_tkey_record struct. The conflict comes from source4/dns_server/ and is due
    to use of IDL to define the struct. lib/addns/ library also provides its own definition
    so we either need to keep them in sync (rewrite code in lib/addns/ a bit) or
    depend on generated IDL headers.
    
    Thus, making a private library and subsystem clidns is an intermediate step
    that allows to buy some time for refactoring.

commit 2ddf89a2bc3c00b71dec230f071416e594f89113
Author: Alexander Bokovoy <ab at samba.org>
Date:   Mon May 21 12:45:12 2012 +0300

    Introduce system MIT krb5 build with --with-system-mitkrb5 option.
    System MIT krb5 build also enabled by specifying --without-ad-dc
    
    When --with-system-mitkrb5 (or --without-ad-dc) option is passed to top level
    configure in WAF build we are trying to detect and use system-wide MIT krb5
    libraries. As result, Samba 4 DC functionality will be disabled due to the fact
    that it is currently impossible to implement embedded KDC server with MIT krb5.
    
    Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
      * Samba 4 client libraries and their Python bindings
      * Samba 3 server (smbd, nmbd, winbindd from source3/)
      * Samba 3 client libraries
    
    In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture.
    This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.

commit 2fc96e695599312c26576b5d0a0f6a86852131c4
Author: Alexander Bokovoy <ab at samba.org>
Date:   Fri May 18 15:24:38 2012 +0300

    s4: samba-tool is usable without export-keytab command, make sure it does not break
    
    When export_keytab is not compiled in (pure client-side Samba 4 build as with
    system MIT krb5), export-keytab command of samba-tool will not be available.
    Make sure it is not provided but its absence does not break the Python tool.

commit ec989e7c402e9868d45d7764175f2b44d85bb244
Author: Alexander Bokovoy <ab at samba.org>
Date:   Fri May 18 10:05:38 2012 +0300

    auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials
    
    When credentials API is used by a client-side program that has already fetched required
    tickets into a ccache, we need to skip re-initializing ccache. This is used in FreeIPA
    when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets
    already.

commit 2d9a0d8d0c2587fcfdbab83c0a241830d2fcaafb
Author: Alexander Bokovoy <ab at samba.org>
Date:   Fri May 18 10:00:58 2012 +0300

    s3-passdb: add unixid_from_uid/unixid_from_gid/unixid_from_both API
    
    struct unixid is defined in idmap.idl and therefore to use it one
    would need generated headers from librpc/gen_ndr. Not all of these
    files are installed and available as public headers. Also, they
    pull in some support headers which requires them to be available
    via specific locations like <librpc/gen_ndr/*> or <libcli/util>.
    
    Instead of pulling the headers to get structure and enum definitions,
    introduce three simple helpers to fill in 'struct unixid' based on
    the type of id. This is sufficient for PASSDB users and does not
    require exposing generated headers or code.

commit f32d43763d35fe386bfa1e9f7997b7eb1014b20c
Author: Alexander Bokovoy <ab at samba.org>
Date:   Tue May 15 16:28:44 2012 +0300

    dns: fix comments and make s4/libcli/resolve dns resolver working
    
    After migrating to use libaddns, reply_to_addrs() needed to change the
    way answers are iterated through. Originally libroken implementation
    gave all answers as separate records with last one being explicitly NULL.
    libaddns unmarshalling code gives all non-NULL answers and should be
    iterated with explicit reply->num_answers in use.

commit 1feb31246d00cdadf7624925a324f7f591c26b82
Author: Alexander Bokovoy <ab at samba.org>
Date:   Thu May 10 00:00:03 2012 +0300

    lib/krb5_wrap: implement krb5_cc_get_lifetime for MIT Kerberos
    
    In case krb5_cc_get_lifetime is not available, iterate over
    existing tickets in the keytab, find the one marked as TKT_FLAG_INITIAL,
    and use its lifetime. This is how it is implemented in Heimdal and
    how it was suggested to be done by MIT Kerberos developers.

commit ad945bc68f6b1e73a47bc0a33b35fcbf182f8137
Author: Simo Sorce <idra at samba.org>
Date:   Tue May 8 12:38:20 2012 -0400

    gensec_gssapi: Make it possible to build with MIT krb5
    
    We need to ifdef out some minor things here because there is no available API
    to set these options in MIT.
    The realm and canonicalize options should be not interesting in the client
    case. Same for the send_to_kdc hacks.
    Also the OLD DES3 enctype is not at all interesting. I am not aware that
    Windows will ever use DES3 and no modern implementation relies on that enctype
    anymore as it has been fully deprecated long ago, so we can simply ignore it.

commit 302abe61900af3bd9b4fffe1b9e9d7e39cac599a
Author: Simo Sorce <idra at samba.org>
Date:   Wed May 2 12:53:34 2012 -0400

    auth and s4-rpc_server: Do not use features we currently can't implement with MIT Kerberos build

commit c54fe86a63f73543eaf9b031e146d5f647c05830
Author: Simo Sorce <idra at samba.org>
Date:   Fri May 4 23:11:19 2012 -0400

    s4-resolve: Remove dependency on libroken
    
    Use available native samba resolver functions

commit a8ee6f2ca588aae1220f8b6a257e6dd43eacd46b
Author: Simo Sorce <idra at samba.org>
Date:   Fri May 4 23:07:14 2012 -0400

    addns: Make ads_dns_lookup_srv public

commit 34a65739d32d7e895e71b2b81298fab82dfd11fe
Author: Simo Sorce <idra at samba.org>
Date:   Fri May 4 16:47:27 2012 -0400

    Move source3/libads/dns.c to lib/addns

commit cc3321c9ffee9e1688af724b7286fe548ff28793
Author: Simo Sorce <idra at samba.org>
Date:   Fri May 4 22:32:47 2012 -0400

    s3-ads-dns: Avoid unnecessary dependencies

commit a7e94fce3f86b99c328669d45dd685fc70026378
Author: Simo Sorce <idra at samba.org>
Date:   Fri May 4 17:27:36 2012 -0400

    s3-ads-dns: Break dependency on lp_parm
    
    In preparation of making this code common to s3 and s4

commit 4a335e9632282d92c8d9c5fdae59114540ed0803
Author: Simo Sorce <idra at samba.org>
Date:   Fri May 4 16:49:05 2012 -0400

    s3-ad-dns: Use more standard uint and booleans defs
    
    In preparation of making this code common to s3 and s4

commit 9c5aa0bef43e1b8db1c322e578b861eae486bd95
Author: Simo Sorce <idra at samba.org>
Date:   Mon May 7 16:14:07 2012 -0400

    addns: Fix talloc hierarchy
    
    Attach request to local memory context not to potentially long lived connection

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials_krb5.c                |   19 +-
 auth/kerberos/pac_utils.h                          |    2 +-
 buildtools/wafsamba/samba_utils.py                 |   13 +-
 buildtools/wafsamba/wafsamba.py                    |    7 +
 lib/addns/dns.h                                    |    4 +-
 lib/addns/dnsgss.c                                 |    4 +-
 lib/addns/dnsquery.c                               |  910 ++++++++++++++++++++
 lib/addns/dnsquery.h                               |   66 ++
 lib/addns/dnssock.c                                |    2 +-
 lib/addns/wscript_build                            |    4 +-
 lib/krb5_wrap/gss_samba.c                          |   51 ++
 lib/krb5_wrap/gss_samba.h                          |   36 +
 lib/krb5_wrap/krb5_samba.c                         |   41 +-
 lib/krb5_wrap/krb5_samba.h                         |    3 +
 lib/krb5_wrap/wscript_build                        |   12 +-
 lib/replace/system/gssapi.h                        |    2 +-
 libcli/dns/wscript_build                           |    8 +-
 libcli/nbt/wscript_build                           |    4 +-
 source3/Makefile.in                                |    3 +-
 source3/auth/wscript_build                         |    4 +-
 source3/configure.in                               |    2 +-
 source3/include/passdb.h                           |    5 +
 source3/include/smb_krb5.h                         |    1 +
 source3/libads/dns.c                               |  909 -------------------
 source3/libads/dns.h                               |   55 --
 source3/libads/ldap.c                              |    7 +-
 source3/librpc/crypto/gse.c                        |   23 +-
 source3/librpc/wscript_build                       |    2 +-
 source3/libsmb/dsgetdcname.c                       |   32 +-
 source3/libsmb/namequery.c                         |   13 +-
 source3/modules/getdate.h                          |    2 +-
 source3/modules/wscript_build                      |    8 +-
 source3/passdb/pdb_unixid.c                        |   47 +
 source3/passdb/wscript_build                       |    4 +-
 source3/utils/net_ads.c                            |   10 +-
 source3/utils/net_lookup.c                         |   10 +-
 source3/winbindd/wscript_build                     |    4 +-
 source3/wscript                                    |    4 +-
 source3/wscript_build                              |   18 +-
 source4/auth/gensec/gensec_gssapi.c                |   36 +-
 source4/auth/gensec/wscript_build                  |    1 +
 source4/auth/kerberos/kerberos.h                   |    1 +
 source4/auth/kerberos/wscript_build                |    2 +-
 source4/dns_server/wscript_build                   |    9 +-
 source4/dsdb/samdb/cracknames.c                    |    1 -
 source4/dsdb/samdb/ldb_modules/wscript_build       |  357 +--------
 .../dsdb/samdb/ldb_modules/wscript_build_server    |  357 ++++++++
 source4/dsdb/wscript_build                         |    6 +-
 source4/echo_server/wscript_build                  |    3 +-
 source4/heimdal_build/wscript_configure            |    4 +-
 source4/ldap_server/wscript_build                  |    1 +
 source4/libcli/resolve/dns_ex.c                    |  349 ++++-----
 source4/libcli/wscript_build                       |    2 +-
 source4/libnet/wscript_build                       |    3 +-
 source4/nbt_server/wscript_build                   |   14 +-
 source4/ntp_signd/wscript_build                    |    1 +
 source4/ntptr/wscript_build                        |    6 +-
 source4/ntvfs/posix/wscript_build                  |    2 +-
 source4/ntvfs/wscript_build                        |   24 +-
 source4/param/loadparm.c                           |   13 -
 source4/rpc_server/common/loadparm.c               |   45 +
 source4/rpc_server/lsa/dcesrv_lsa.c                |    6 +
 source4/rpc_server/wscript_build                   |   27 +-
 source4/scripting/bin/wscript_build                |    9 +-
 source4/scripting/python/samba/netcmd/domain.py    |   41 +-
 source4/scripting/wscript_build                    |   15 +-
 source4/smb_server/smb/wscript_build               |    3 +-
 source4/smb_server/smb2/wscript_build              |    3 +-
 source4/smb_server/wscript_build                   |    4 +-
 source4/smbd/wscript_build                         |   23 +-
 source4/torture/rpc/remote_pac.c                   |    5 +
 source4/torture/rpc/rpc.c                          |    2 +
 source4/torture/wscript_build                      |    7 +-
 source4/web_server/wscript_build                   |    2 +
 testprogs/blackbox/test_kinit.sh                   |    1 +
 utils/wscript_build                                |    2 +-
 wscript                                            |   15 +-
 wscript_build                                      |    3 +-
 wscript_configure_krb5                             |  192 ----
 wscript_configure_system_mitkrb5                   |  224 +++++
 80 files changed, 2242 insertions(+), 1930 deletions(-)
 create mode 100644 lib/addns/dnsquery.c
 create mode 100644 lib/addns/dnsquery.h
 mode change 100644 => 100755 lib/addns/wscript_build
 create mode 100644 lib/krb5_wrap/gss_samba.c
 create mode 100644 lib/krb5_wrap/gss_samba.h
 mode change 100644 => 100755 libcli/dns/wscript_build
 mode change 100644 => 100755 libcli/nbt/wscript_build
 delete mode 100644 source3/libads/dns.c
 delete mode 100644 source3/libads/dns.h
 create mode 100644 source3/passdb/pdb_unixid.c
 create mode 100755 source4/dsdb/samdb/ldb_modules/wscript_build_server
 mode change 100644 => 100755 source4/libcli/wscript_build
 create mode 100644 source4/rpc_server/common/loadparm.c
 delete mode 100644 wscript_configure_krb5
 create mode 100644 wscript_configure_system_mitkrb5


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 684f244..2c93a8f 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -486,8 +486,18 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 		}
 	}
 
-	ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
-					 &ccache, error_string);
+
+	if (cred->ccache_obtained == CRED_UNINITIALISED) {
+		/* Only attempt to re-acquire ccache if it is not already in place.
+		 * this is important for client-side use within frameworks with already acquired tickets
+		 * like Apache+mod_auth_kerb+Python
+		 */
+		ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
+						 &ccache, error_string);
+	} else {
+		ccache = cred->ccache;
+	}
+
 	if (ret) {
 		if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
 			DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string));
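Review bot: In the new else branch, `ccache = cred->ccache;` is assigned but `ret` is left untouched, so the `if (ret)` that follows tests whatever value `ret` held from earlier in the function, which these lines do not show being reset. Set `ret = 0` in the else branch so the reuse path cannot fall into the error handling by accident. The reuse path also takes `cred->ccache` as-is whenever `ccache_obtained` is anything other than `CRED_UNINITIALISED`; nothing in these lines checks that the cached tickets are still valid or belong to the expected principal, so the comment should say that the caller is responsible for that. Style: the hunk adds a second blank line before the `if`, and the comment lines run well past 80 columns.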
@@ -533,6 +543,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 		return ret;
 	}
 
+#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks krb5_get_default_in_tkt_etypes */
 	/*
 	 * transfer the enctypes from the smb_krb5_context to the gssapi layer
 	 *
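Review bot: The `#ifdef SAMBA4_USES_HEIMDAL` placed above the "transfer the enctypes from the smb_krb5_context to the gssapi layer" block means an MIT build skips that transfer silently, so the enctypes held in the smb_krb5_context are not applied to the GSSAPI credentials there. Please document that difference next to the guard or log it at a debug level, and consider guarding on a configure check for `krb5_get_default_in_tkt_etypes` rather than on the Kerberos implementation, so the code is enabled again as soon as the function is available.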
@@ -567,6 +578,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 			return ret;
 		}
 	}
+#endif
+#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks GSS_KRB5_CRED_NO_CI_FLAGS_X */
 
 	/* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */
 	maj_stat = gss_set_cred_option(&min_stat, &gcc->creds,
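Review bot: `#endif` is followed directly by another `#ifdef SAMBA4_USES_HEIMDAL`, so the two guards test the same macro back to back. Either merge them into one block or switch each to its own feature test, which is what the two comments (missing `krb5_get_default_in_tkt_etypes`, missing `GSS_KRB5_CRED_NO_CI_FLAGS_X`) suggest was intended. A trailing `/* SAMBA4_USES_HEIMDAL */` on each `#endif` would make the pairing easier to follow. With the second guard in place, the "don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG" option is not set on MIT builds, which deserves a comment for anyone comparing the behaviour of the two builds.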
@@ -582,7 +595,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 		(*error_string) = talloc_asprintf(cred, "gss_set_cred_option failed: %s", error_message(ret));
 		return ret;
 	}
-
+#endif
 	cred->client_gss_creds_obtained = cred->ccache_obtained;
 	talloc_set_destructor(gcc, free_gssapi_creds);
 	cred->client_gss_creds = gcc;
diff --git a/auth/kerberos/pac_utils.h b/auth/kerberos/pac_utils.h
index 7726f52..d654bec 100644
--- a/auth/kerberos/pac_utils.h
+++ b/auth/kerberos/pac_utils.h
@@ -22,7 +22,7 @@
 #define _PAC_UTILS_H
 
 #include "lib/krb5_wrap/krb5_samba.h"
-#include "system/gssapi.h"
+#include "lib/krb5_wrap/gss_samba.h"
 
 struct PAC_SIGNATURE_DATA;
 struct PAC_DATA;
diff --git a/buildtools/wafsamba/samba_utils.py b/buildtools/wafsamba/samba_utils.py
index 477e0b4..c252663 100644
--- a/buildtools/wafsamba/samba_utils.py
+++ b/buildtools/wafsamba/samba_utils.py
@@ -215,6 +215,8 @@ def TO_LIST(str, delimiter=None):
         return []
     if isinstance(str, list):
         return str
+    if len(str) == 0:
+        return []
     lst = str.split(delimiter)
     # the string may have had quotes in it, now we
     # check if we did have quotes, and use the slower shlex
@@ -642,8 +644,17 @@ def PROCESS_SEPARATE_RULE(self, rule):
     if txt:
         dc = {'ctx': self}
         if getattr(self.__class__, 'pre_recurse', None):
-            dc = self.pre_recurse(txt, file_path, [])
+            dc = self.pre_recurse(txt, file_path, self.curdir)
         exec(compile(txt, file_path, 'exec'), dc)
+        if getattr(self.__class__, 'post_recurse', None):
+            dc = self.post_recurse(txt, file_path, self.curdir)
 
 Build.BuildContext.PROCESS_SEPARATE_RULE = PROCESS_SEPARATE_RULE
 ConfigurationContext.PROCESS_SEPARATE_RULE = PROCESS_SEPARATE_RULE
+
+def AD_DC_BUILD_IS_ENABLED(self):
+    if self.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'):
+        return True
+    return False
+
+Build.BuildContext.AD_DC_BUILD_IS_ENABLED = AD_DC_BUILD_IS_ENABLED
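Review bot: In `PROCESS_SEPARATE_RULE`, the result of `self.post_recurse(txt, file_path, self.curdir)` is assigned to `dc`, but `dc` is not used again after the `exec`, so the assignment is dead; call the hook without assigning, or document what its return value is for. The third argument to `pre_recurse` also changes from `[]` to `self.curdir` with no comment explaining the new contract, and since `dc` is the namespace passed to `exec(compile(txt, file_path, 'exec'), dc)`, the expected return value of each hook should be stated. `AD_DC_BUILD_IS_ENABLED` can be reduced to `return bool(self.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'))`, and it is attached only to `Build.BuildContext`, unlike `PROCESS_SEPARATE_RULE` just above, which is also set on `ConfigurationContext`.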
diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index 534bace..f1e7aff 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -413,6 +413,9 @@ def SAMBA_MODULE(bld, modname, source,
         source = bld.SUBDIR(subdir, source)
 
     if internal_module or BUILTIN_LIBRARY(bld, modname):
+        # Do not create modules for disabled subsystems
+        if subsystem and GET_TARGET_TYPE(bld, subsystem) == 'DISABLED':
+            return
         bld.SAMBA_SUBSYSTEM(modname, source,
                     deps=deps,
                     includes=includes,
@@ -430,6 +433,10 @@ def SAMBA_MODULE(bld, modname, source,
         SET_TARGET_TYPE(bld, modname, 'DISABLED')
         return
 
+    # Do not create modules for disabled subsystems
+    if subsystem and GET_TARGET_TYPE(bld, subsystem) == 'DISABLED':
+        return
+
     obj_target = modname + '.objlist'
 
     realname = modname
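Review bot: The new early return for a disabled subsystem does not call `SET_TARGET_TYPE(bld, modname, 'DISABLED')`, unlike the branch immediately above it, so the module is skipped without being recorded as disabled. Mark the module as DISABLED before returning. The same three-line check is also pasted into the `internal_module` branch in the previous hunk; doing it once near the top of `SAMBA_MODULE` would keep the two paths from drifting apart.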
diff --git a/lib/addns/dns.h b/lib/addns/dns.h
index 2e80577..2864bdf 100644
--- a/lib/addns/dns.h
+++ b/lib/addns/dns.h
@@ -436,7 +436,7 @@ const char *dns_errstr(DNS_ERROR err);
 
 /* from dnsgss.c */
 
-#ifdef HAVE_KRB5
+#ifdef HAVE_GSSAPI
 
 void display_status( const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat ); 
 DNS_ERROR dns_negotiate_sec_ctx( const char *target_realm,
@@ -450,6 +450,6 @@ DNS_ERROR dns_sign_update(struct dns_update_request *req,
 			  const char *algorithmname,
 			  time_t time_signed, uint16 fudge);
 
-#endif	/* HAVE_KRB5 */
+#endif	/* HAVE_GSSAPI */
 
 #endif	/* _DNS_H */
diff --git a/lib/addns/dnsgss.c b/lib/addns/dnsgss.c
index 4fef832..4f7571f 100644
--- a/lib/addns/dnsgss.c
+++ b/lib/addns/dnsgss.c
@@ -26,7 +26,7 @@
 #include <ctype.h>
 
 
-#ifdef HAVE_KRB5
+#ifdef HAVE_GSSAPI
 
 /*********************************************************************
 *********************************************************************/
@@ -331,4 +331,4 @@ DNS_ERROR dns_sign_update(struct dns_update_request *req,
 	return err;
 }
 
-#endif	/* HAVE_KRB5 */
+#endif	/* HAVE_GSSAPI */
diff --git a/lib/addns/dnsquery.c b/lib/addns/dnsquery.c
new file mode 100644
index 0000000..57ef8d9
--- /dev/null
+++ b/lib/addns/dnsquery.c
@@ -0,0 +1,910 @@
+/*
+   Unix SMB/CIFS implementation.
+   DNS utility library
+   Copyright (C) Gerald (Jerry) Carter           2006.
+   Copyright (C) Jeremy Allison                  2007.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "lib/util/util_net.h"
+#include "lib/util/tsort.h"
+#include "dnsquery.h"
+
+/* AIX resolv.h uses 'class' in struct ns_rr */
+
+#if defined(AIX)
+#  if defined(class)
+#    undef class
+#  endif
+#endif	/* AIX */
+
+/* resolver headers */
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <netdb.h>
+
+#define MAX_DNS_PACKET_SIZE 0xffff
+
+#ifdef NS_HFIXEDSZ	/* Bind 8/9 interface */
+#if !defined(C_IN)	/* AIX 5.3 already defines C_IN */
+#  define C_IN		ns_c_in
+#endif
+#if !defined(T_A)	/* AIX 5.3 already defines T_A */
+#  define T_A   	ns_t_a
+#endif
+
+#if defined(HAVE_IPV6)
+#if !defined(T_AAAA)
+#  define T_AAAA	ns_t_aaaa
+#endif
+#endif
+
+#  define T_SRV 	ns_t_srv
+#if !defined(T_NS)	/* AIX 5.3 already defines T_NS */
+#  define T_NS 		ns_t_ns
+#endif
+#else
+#  ifdef HFIXEDSZ
+#    define NS_HFIXEDSZ HFIXEDSZ
+#  else
+#    define NS_HFIXEDSZ sizeof(HEADER)
+#  endif	/* HFIXEDSZ */
+#  ifdef PACKETSZ
+#    define NS_PACKETSZ	PACKETSZ
+#  else	/* 512 is usually the default */
+#    define NS_PACKETSZ	512
+#  endif	/* PACKETSZ */
+#  define T_SRV 	33
+#endif
+
+/*********************************************************************
+*********************************************************************/
+
+static bool ads_dns_parse_query( TALLOC_CTX *ctx, uint8_t *start, uint8_t *end,
+                          uint8_t **ptr, struct dns_query *q )
+{
+	uint8_t *p = *ptr;
+	char hostname[MAX_DNS_NAME_LENGTH];
+	int namelen;
+
+	ZERO_STRUCTP( q );
+
+	if ( !start || !end || !q || !*ptr)
+		return false;
+
+	/* See RFC 1035 for details. If this fails, then return. */
+
+	namelen = dn_expand( start, end, p, hostname, sizeof(hostname) );
+	if ( namelen < 0 ) {
+		return false;
+	}
+	p += namelen;
+	q->hostname = talloc_strdup( ctx, hostname );
+
+	/* check that we have space remaining */
+
+	if ( PTR_DIFF(p+4, end) > 0 )
+		return false;
+
+	q->type     = RSVAL( p, 0 );
+	q->in_class = RSVAL( p, 2 );
+	p += 4;
+
+	*ptr = p;
+
+	return true;
+}
+
+/*********************************************************************
+*********************************************************************/
+
+static bool ads_dns_parse_rr( TALLOC_CTX *ctx, uint8_t *start, uint8_t *end,
+                       uint8_t **ptr, struct dns_rr *rr )
+{
+	uint8_t *p = *ptr;
+	char hostname[MAX_DNS_NAME_LENGTH];
+	int namelen;
+
+	if ( !start || !end || !rr || !*ptr)
+		return -1;
+
+	ZERO_STRUCTP( rr );
+	/* pull the name from the answer */
+
+	namelen = dn_expand( start, end, p, hostname, sizeof(hostname) );
+	if ( namelen < 0 ) {
+		return -1;
+	}
+	p += namelen;
+	rr->hostname = talloc_strdup( ctx, hostname );
+
+	/* check that we have space remaining */
+
+	if ( PTR_DIFF(p+10, end) > 0 )
+		return false;
+
+	/* pull some values and then skip onto the string */
+
+	rr->type     = RSVAL(p, 0);
+	rr->in_class = RSVAL(p, 2);
+	rr->ttl      = RIVAL(p, 4);
+	rr->rdatalen = RSVAL(p, 8);
+
+	p += 10;
+
+	/* sanity check the available space */
+
+	if ( PTR_DIFF(p+rr->rdatalen, end ) > 0 ) {
+		return false;
+
+	}
+
+	/* save a point to the rdata for this section */
+
+	rr->rdata = p;
+	p += rr->rdatalen;
+
+	*ptr = p;
+
+	return true;
+}
+
+/*********************************************************************
+*********************************************************************/
+
+static bool ads_dns_parse_rr_srv( TALLOC_CTX *ctx, uint8_t *start, uint8_t *end,
+                       uint8_t **ptr, struct dns_rr_srv *srv )
+{
+	struct dns_rr rr;
+	uint8_t *p;
+	char dcname[MAX_DNS_NAME_LENGTH];
+	int namelen;
+
+	if ( !start || !end || !srv || !*ptr)
+		return -1;
+
+	/* Parse the RR entry.  Coming out of the this, ptr is at the beginning
+	   of the next record */
+
+	if ( !ads_dns_parse_rr( ctx, start, end, ptr, &rr ) ) {
+		DEBUG(1,("ads_dns_parse_rr_srv: Failed to parse RR record\n"));
+		return false;
+	}
+
+	if ( rr.type != T_SRV ) {
+		DEBUG(1,("ads_dns_parse_rr_srv: Bad answer type (%d)\n",
+					rr.type));
+		return false;
+	}
+
+	p = rr.rdata;
+
+	srv->priority = RSVAL(p, 0);
+	srv->weight   = RSVAL(p, 2);
+	srv->port     = RSVAL(p, 4);
+
+	p += 6;
+
+	namelen = dn_expand( start, end, p, dcname, sizeof(dcname) );
+	if ( namelen < 0 ) {
+		DEBUG(1,("ads_dns_parse_rr_srv: Failed to uncompress name!\n"));
+		return false;
+	}
+
+	srv->hostname = talloc_strdup( ctx, dcname );
+
+	DEBUG(10,("ads_dns_parse_rr_srv: Parsed %s [%u, %u, %u]\n",
+		  srv->hostname,
+		  srv->priority,
+		  srv->weight,
+		  srv->port));
+
+	return true;
+}
+
+/*********************************************************************
+*********************************************************************/
+
+static bool ads_dns_parse_rr_ns( TALLOC_CTX *ctx, uint8_t *start, uint8_t *end,
+                       uint8_t **ptr, struct dns_rr_ns *nsrec )
+{
+	struct dns_rr rr;
+	uint8_t *p;
+	char nsname[MAX_DNS_NAME_LENGTH];
+	int namelen;
+
+	if ( !start || !end || !nsrec || !*ptr)
+		return -1;
+
+	/* Parse the RR entry.  Coming out of the this, ptr is at the beginning
+	   of the next record */
+
+	if ( !ads_dns_parse_rr( ctx, start, end, ptr, &rr ) ) {
+		DEBUG(1,("ads_dns_parse_rr_ns: Failed to parse RR record\n"));
+		return false;
+	}
+
+	if ( rr.type != T_NS ) {
+		DEBUG(1,("ads_dns_parse_rr_ns: Bad answer type (%d)\n",
+					rr.type));
+		return false;
+	}
+
+	p = rr.rdata;
+
+	/* ame server hostname */
+
+	namelen = dn_expand( start, end, p, nsname, sizeof(nsname) );
+	if ( namelen < 0 ) {
+		DEBUG(1,("ads_dns_parse_rr_ns: Failed to uncompress name!\n"));
+		return false;
+	}
+	nsrec->hostname = talloc_strdup( ctx, nsname );
+
+	return true;
+}
+
+/*********************************************************************
+ Sort SRV record list based on weight and priority.  See RFC 2782.
+*********************************************************************/
+
+static int dnssrvcmp( struct dns_rr_srv *a, struct dns_rr_srv *b )
+{
+	if ( a->priority == b->priority ) {
+
+		/* randomize entries with an equal weight and priority */
+		if ( a->weight == b->weight )
+			return 0;
+
+		/* higher weights should be sorted lower */
+		if ( a->weight > b->weight )
+			return -1;
+		else
+			return 1;
+	}
+
+	if ( a->priority < b->priority )
+		return -1;
+
+	return 1;
+}
+
+/*********************************************************************
+ Simple wrapper for a DNS query
+*********************************************************************/
+
+#define DNS_FAILED_WAITTIME          30
+
+static NTSTATUS dns_send_req( TALLOC_CTX *ctx, const char *name, int q_type,
+                              uint8_t **buf, int *resp_length )
+{
+	uint8_t *buffer = NULL;
+	size_t buf_len = 0;
+	int resp_len = NS_PACKETSZ;
+	static time_t last_dns_check = 0;
+	static NTSTATUS last_dns_status = NT_STATUS_OK;
+	time_t now = time_mono(NULL);
+
+	/* Try to prevent bursts of DNS lookups if the server is down */
+
+	/* Protect against large clock changes */
+
+	if ( last_dns_check > now )
+		last_dns_check = 0;
+
+	/* IF we had a DNS timeout or a bad server and we are still
+	   in the 30 second cache window, just return the previous
+	   status and save the network timeout. */
+
+	if ( (NT_STATUS_EQUAL(last_dns_status,NT_STATUS_IO_TIMEOUT) ||
+	      NT_STATUS_EQUAL(last_dns_status,NT_STATUS_CONNECTION_REFUSED)) &&
+	     (last_dns_check+DNS_FAILED_WAITTIME) > now )
+	{
+		DEBUG(10,("dns_send_req: last dns check returning cached status (%s)\n",
+			  nt_errstr(last_dns_status) ));
+		return last_dns_status;
+	}
+
+	/* Send the Query */
+	do {
+		if ( buffer )
+			TALLOC_FREE( buffer );
+
+		buf_len = resp_len * sizeof(uint8_t);
+
+		if (buf_len) {
+			if ((buffer = talloc_array(ctx, uint8_t, buf_len))
+					== NULL ) {
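Review bot: `ads_dns_parse_rr`, `ads_dns_parse_rr_srv` and `ads_dns_parse_rr_ns` are declared `static bool` but return `-1` on their argument checks, and `ads_dns_parse_rr` also returns `-1` when `dn_expand` fails; `-1` converts to `true`, so a caller written as `if ( !ads_dns_parse_rr(...) )` treats a name that failed to expand as a parsed record. Return `false` on those paths. In `ads_dns_parse_rr_srv`, the three `RSVAL` reads and `p += 6` operate on `rr.rdata` without checking `rr.rdatalen >= 6`; the only bound established earlier is that `p + rr->rdatalen` does not pass `end`, so a short SRV record at the end of the packet is read past `end`. Add the length check before touching the rdata. Smaller points: `ads_dns_parse_query` runs `ZERO_STRUCTP( q )` before the `!q` test, none of the `talloc_strdup` results are checked for NULL, the comment in `dnssrvcmp` says "randomize" where the code returns 0, and `/* ame server hostname */` has lost a letter.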


-- 
Samba Shared Repository

