[SCM] Samba Shared Repository - branch master updated
Alexander Bokovoy
ab at samba.org
Wed May 23 10:47:02 MDT 2012
The branch, master has been updated
via dcfb34f blackbox: fix samba4.blackbox.kinit test
via 2b14453 gse: Use the smb_gss_oid_equal wrapper.
via 0a6e568 krb5samba: Add smb_gss_oid_equal wrapper.
via c1444c3 s3-autoconf: fix typo after migrating DNS resolver code to lib/addns
via 77a6c81 wafsamba: ensure TO_LIST does not fail with empty string
via 744f991 libcli/dns: make 'clidns' private library out of DNS code in WAF build
via 2ddf89a Introduce system MIT krb5 build with --with-system-mitkrb5 option. System MIT krb5 build also enabled by specifying --without-ad-dc
via 2fc96e6 s4: samba-tool is usable without export-keytab command, make sure it does not break
via ec989e7 auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials
via 2d9a0d8 s3-passdb: add unixid_from_uid/unixid_from_gid/unixid_from_both API
via f32d437 dns: fix comments and make s4/libcli/resolve dns resolver working
via 1feb312 lib/krb5_wrap: implement krb5_cc_get_lifetime for MIT Kerberos
via ad945bc gensec_gssapi: Make it possible to build with MIT krb5
via 302abe6 auth and s4-rpc_server: Do not use features we currently can't implement with MIT Kerberos build
via c54fe86 s4-resolve: Remove dependency on libroken
via a8ee6f2 addns: Make ads_dns_lookup_srv public
via 34a6573 Move source3/libads/dns.c to lib/addns
via cc3321c s3-ads-dns: Avoid unnecessary dependencies
via a7e94fc s3-ads-dns: Break dependency on lp_parm
via 4a335e9 s3-ad-dns: Use more standard uint and booleans defs
via 9c5aa0b addns: Fix talloc hierarchy
from 37866df s3:smbd: use reply_force_doserror(req, ERRSRV, ERRbaduid) on SMBulogoff
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit dcfb34fbb4b7484bdaa70fbe9ae9fd84738ab469
Author: Alexander Bokovoy <ab at samba.org>
Date: Wed May 23 17:34:24 2012 +0300
blackbox: fix samba4.blackbox.kinit test
This deserves some explanation.
With commit 518232d4578d700f5f5ea1609275a6cd1de3a1e7 samba4.blackbox.kinit test set
was wrapped with password settings reset before and after the tests with an idea to
maintain reliable state for the tests. As a result, the resetting of the password
settings was done after the test that tried to use smbclient with a Kerberos ticket
obtained with machine account credentials.
However, the code in credentials_krb5.c, function cli_credentials_get_client_gss_creds(),
never worked correctly when credentials were already in ccache. Instead, gensec_gssapi module
always re-kinited even if existing credentials were available in the ccache. This had an effect
on 'samba4.blackbox.kinit(dc:local).reset password policies(dc:local)' test equal to
never having initialized ccache at all, as if 'rm -f $KRB5CCNAME' was run before the test.
When the issue of not using already initialized credentials from ccache was fixed with
d0aae88f1290e6a7a6d4bfc24aa62795e4892a31 'auth-credentials: Support using pre-fetched ccache
when obtaining kerberos credentials' commit, Samba 4 credentials library started to correctly
re-use already obtained credentials from ccaches. This caused failure of the test
'samba4.blackbox.kinit(dc:local).reset password policies(dc:local)' because machine account
has no permissions to modify password settings.
Thus, the correct fix is to reset ccache state before performing the test.
Autobuild-User: Alexander Bokovoy <ab at samba.org>
Autobuild-Date: Wed May 23 18:46:12 CEST 2012 on sn-devel-104
commit 2b144531f1a760514f217012e9dab01359b7a0d7
Author: Andreas Schneider <asn at samba.org>
Date: Mon May 21 18:25:28 2012 +0200
gse: Use the smb_gss_oid_equal wrapper.
Signed-off-by: Andreas Schneider <asn at samba.org>
commit 0a6e568344adb66e5f20ce61f106d791886fcb35
Author: Andreas Schneider <asn at samba.org>
Date: Mon May 21 18:24:31 2012 +0200
krb5samba: Add smb_gss_oid_equal wrapper.
Signed-off-by: Andreas Schneider <asn at samba.org>
commit c1444c3839573793c24244da8572e6c8468c927f
Author: Alexander Bokovoy <ab at samba.org>
Date: Tue May 22 13:52:48 2012 +0300
s3-autoconf: fix typo after migrating DNS resolver code to lib/addns
commit 77a6c8134763dc0b50ad33e1b4419441220c47a9
Author: Alexander Bokovoy <ab at samba.org>
Date: Mon May 21 18:38:56 2012 +0300
wafsamba: ensure TO_LIST does not fail with empty string
commit 744f9910c81cee13228165db4e46200c41c69221
Author: Alexander Bokovoy <ab at samba.org>
Date: Mon May 21 17:54:13 2012 +0300
libcli/dns: make 'clidns' private library out of DNS code in WAF build
After consolidating DNS resolver code to lib/addns, there is one piece
that still needs to be moved into a common DNS resolver library: DNS_HOSTS_FILE
subsystem. Unfortunately, direct move would require lib/addns to depend on
libcli/util/{ntstatus.h,werror.h} (provided by errors subsystem).
In addition, moving libcli/dns/* code to lib/addns/ would cause a conflict on
the dns_tkey_record struct. The conflict comes from source4/dns_server/ and is due
to use of IDL to define the struct. lib/addns/ library also provides its own definition
so we either need to keep them in sync (rewrite code in lib/addns/ a bit) or
depend on generated IDL headers.
Thus, making a private library and subsystem clidns is an intermediate step
that allows us to buy some time for refactoring.
commit 2ddf89a2bc3c00b71dec230f071416e594f89113
Author: Alexander Bokovoy <ab at samba.org>
Date: Mon May 21 12:45:12 2012 +0300
Introduce system MIT krb5 build with --with-system-mitkrb5 option.
System MIT krb5 build also enabled by specifying --without-ad-dc
When the --with-system-mitkrb5 (or --without-ad-dc) option is passed to top level
configure in WAF build we are trying to detect and use system-wide MIT krb5
libraries. As a result, Samba 4 DC functionality will be disabled due to the fact
that it is currently impossible to implement embedded KDC server with MIT krb5.
Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
* Samba 4 client libraries and their Python bindings
* Samba 3 server (smbd, nmbd, winbindd from source3/)
* Samba 3 client libraries
In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture.
This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.
commit 2fc96e695599312c26576b5d0a0f6a86852131c4
Author: Alexander Bokovoy <ab at samba.org>
Date: Fri May 18 15:24:38 2012 +0300
s4: samba-tool is usable without export-keytab command, make sure it does not break
When export_keytab is not compiled in (pure client-side Samba 4 build as with
system MIT krb5), export-keytab command of samba-tool will not be available.
Make sure it is not provided but its absence does not break the Python tool.
commit ec989e7c402e9868d45d7764175f2b44d85bb244
Author: Alexander Bokovoy <ab at samba.org>
Date: Fri May 18 10:05:38 2012 +0300
auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials
When the credentials API is used by a client-side program that has already fetched the required
tickets into a ccache, we need to skip re-initializing the ccache. This is used in FreeIPA
when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets
already.
commit 2d9a0d8d0c2587fcfdbab83c0a241830d2fcaafb
Author: Alexander Bokovoy <ab at samba.org>
Date: Fri May 18 10:00:58 2012 +0300
s3-passdb: add unixid_from_uid/unixid_from_gid/unixid_from_both API
struct unixid is defined in idmap.idl and therefore to use it one
would need generated headers from librpc/gen_ndr. Not all of these
files are installed and available as public headers. Also, they
pull in some support headers which requires them to be available
via specific locations like <librpc/gen_ndr/*> or <libcli/util>.
Instead of pulling the headers to get structure and enum definitions,
introduce three simple helpers to fill in 'struct unixid' based on
the type of id. This is sufficient for PASSDB users and does not
require exposing generated headers or code.
commit f32d43763d35fe386bfa1e9f7997b7eb1014b20c
Author: Alexander Bokovoy <ab at samba.org>
Date: Tue May 15 16:28:44 2012 +0300
dns: fix comments and make s4/libcli/resolve dns resolver working
After migrating to use libaddns, reply_to_addrs() needed to change the
way answers are iterated through. Originally libroken implementation
gave all answers as separate records with last one being explicitly NULL.
libaddns unmarshalling code gives all non-NULL answers and should be
iterated with explicit reply->num_answers in use.
commit 1feb31246d00cdadf7624925a324f7f591c26b82
Author: Alexander Bokovoy <ab at samba.org>
Date: Thu May 10 00:00:03 2012 +0300
lib/krb5_wrap: implement krb5_cc_get_lifetime for MIT Kerberos
In case krb5_cc_get_lifetime is not available, iterate over
existing tickets in the keytab, find the one marked as TKT_FLAG_INITIAL,
and use its lifetime. This is how it is implemented in Heimdal and
how it was suggested to be done by MIT Kerberos developers.
commit ad945bc68f6b1e73a47bc0a33b35fcbf182f8137
Author: Simo Sorce <idra at samba.org>
Date: Tue May 8 12:38:20 2012 -0400
gensec_gssapi: Make it possible to build with MIT krb5
We need to ifdef out some minor things here because there is no available API
to set these options in MIT.
The realm and canonicalize options should not be interesting in the client
case. Same for the send_to_kdc hacks.
Also the OLD DES3 enctype is not at all interesting. I am not aware that
Windows will ever use DES3 and no modern implementation relies on that enctype
anymore as it has been fully deprecated long ago, so we can simply ignore it.
commit 302abe61900af3bd9b4fffe1b9e9d7e39cac599a
Author: Simo Sorce <idra at samba.org>
Date: Wed May 2 12:53:34 2012 -0400
auth and s4-rpc_server: Do not use features we currently can't implement with MIT Kerberos build
commit c54fe86a63f73543eaf9b031e146d5f647c05830
Author: Simo Sorce <idra at samba.org>
Date: Fri May 4 23:11:19 2012 -0400
s4-resolve: Remove dependency on libroken
Use available native samba resolver functions
commit a8ee6f2ca588aae1220f8b6a257e6dd43eacd46b
Author: Simo Sorce <idra at samba.org>
Date: Fri May 4 23:07:14 2012 -0400
addns: Make ads_dns_lookup_srv public
commit 34a65739d32d7e895e71b2b81298fab82dfd11fe
Author: Simo Sorce <idra at samba.org>
Date: Fri May 4 16:47:27 2012 -0400
Move source3/libads/dns.c to lib/addns
commit cc3321c9ffee9e1688af724b7286fe548ff28793
Author: Simo Sorce <idra at samba.org>
Date: Fri May 4 22:32:47 2012 -0400
s3-ads-dns: Avoid unnecessary dependencies
commit a7e94fce3f86b99c328669d45dd685fc70026378
Author: Simo Sorce <idra at samba.org>
Date: Fri May 4 17:27:36 2012 -0400
s3-ads-dns: Break dependency on lp_parm
In preparation for making this code common to s3 and s4
commit 4a335e9632282d92c8d9c5fdae59114540ed0803
Author: Simo Sorce <idra at samba.org>
Date: Fri May 4 16:49:05 2012 -0400
s3-ad-dns: Use more standard uint and booleans defs
In preparation for making this code common to s3 and s4
commit 9c5aa0bef43e1b8db1c322e578b861eae486bd95
Author: Simo Sorce <idra at samba.org>
Date: Mon May 7 16:14:07 2012 -0400
addns: Fix talloc hierarchy
Attach request to local memory context not to potentially long lived connection
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials_krb5.c | 19 +-
auth/kerberos/pac_utils.h | 2 +-
buildtools/wafsamba/samba_utils.py | 13 +-
buildtools/wafsamba/wafsamba.py | 7 +
lib/addns/dns.h | 4 +-
lib/addns/dnsgss.c | 4 +-
lib/addns/dnsquery.c | 910 ++++++++++++++++++++
lib/addns/dnsquery.h | 66 ++
lib/addns/dnssock.c | 2 +-
lib/addns/wscript_build | 4 +-
lib/krb5_wrap/gss_samba.c | 51 ++
lib/krb5_wrap/gss_samba.h | 36 +
lib/krb5_wrap/krb5_samba.c | 41 +-
lib/krb5_wrap/krb5_samba.h | 3 +
lib/krb5_wrap/wscript_build | 12 +-
lib/replace/system/gssapi.h | 2 +-
libcli/dns/wscript_build | 8 +-
libcli/nbt/wscript_build | 4 +-
source3/Makefile.in | 3 +-
source3/auth/wscript_build | 4 +-
source3/configure.in | 2 +-
source3/include/passdb.h | 5 +
source3/include/smb_krb5.h | 1 +
source3/libads/dns.c | 909 -------------------
source3/libads/dns.h | 55 --
source3/libads/ldap.c | 7 +-
source3/librpc/crypto/gse.c | 23 +-
source3/librpc/wscript_build | 2 +-
source3/libsmb/dsgetdcname.c | 32 +-
source3/libsmb/namequery.c | 13 +-
source3/modules/getdate.h | 2 +-
source3/modules/wscript_build | 8 +-
source3/passdb/pdb_unixid.c | 47 +
source3/passdb/wscript_build | 4 +-
source3/utils/net_ads.c | 10 +-
source3/utils/net_lookup.c | 10 +-
source3/winbindd/wscript_build | 4 +-
source3/wscript | 4 +-
source3/wscript_build | 18 +-
source4/auth/gensec/gensec_gssapi.c | 36 +-
source4/auth/gensec/wscript_build | 1 +
source4/auth/kerberos/kerberos.h | 1 +
source4/auth/kerberos/wscript_build | 2 +-
source4/dns_server/wscript_build | 9 +-
source4/dsdb/samdb/cracknames.c | 1 -
source4/dsdb/samdb/ldb_modules/wscript_build | 357 +--------
.../dsdb/samdb/ldb_modules/wscript_build_server | 357 ++++++++
source4/dsdb/wscript_build | 6 +-
source4/echo_server/wscript_build | 3 +-
source4/heimdal_build/wscript_configure | 4 +-
source4/ldap_server/wscript_build | 1 +
source4/libcli/resolve/dns_ex.c | 349 ++++-----
source4/libcli/wscript_build | 2 +-
source4/libnet/wscript_build | 3 +-
source4/nbt_server/wscript_build | 14 +-
source4/ntp_signd/wscript_build | 1 +
source4/ntptr/wscript_build | 6 +-
source4/ntvfs/posix/wscript_build | 2 +-
source4/ntvfs/wscript_build | 24 +-
source4/param/loadparm.c | 13 -
source4/rpc_server/common/loadparm.c | 45 +
source4/rpc_server/lsa/dcesrv_lsa.c | 6 +
source4/rpc_server/wscript_build | 27 +-
source4/scripting/bin/wscript_build | 9 +-
source4/scripting/python/samba/netcmd/domain.py | 41 +-
source4/scripting/wscript_build | 15 +-
source4/smb_server/smb/wscript_build | 3 +-
source4/smb_server/smb2/wscript_build | 3 +-
source4/smb_server/wscript_build | 4 +-
source4/smbd/wscript_build | 23 +-
source4/torture/rpc/remote_pac.c | 5 +
source4/torture/rpc/rpc.c | 2 +
source4/torture/wscript_build | 7 +-
source4/web_server/wscript_build | 2 +
testprogs/blackbox/test_kinit.sh | 1 +
utils/wscript_build | 2 +-
wscript | 15 +-
wscript_build | 3 +-
wscript_configure_krb5 | 192 ----
wscript_configure_system_mitkrb5 | 224 +++++
80 files changed, 2242 insertions(+), 1930 deletions(-)
create mode 100644 lib/addns/dnsquery.c
create mode 100644 lib/addns/dnsquery.h
mode change 100644 => 100755 lib/addns/wscript_build
create mode 100644 lib/krb5_wrap/gss_samba.c
create mode 100644 lib/krb5_wrap/gss_samba.h
mode change 100644 => 100755 libcli/dns/wscript_build
mode change 100644 => 100755 libcli/nbt/wscript_build
delete mode 100644 source3/libads/dns.c
delete mode 100644 source3/libads/dns.h
create mode 100644 source3/passdb/pdb_unixid.c
create mode 100755 source4/dsdb/samdb/ldb_modules/wscript_build_server
mode change 100644 => 100755 source4/libcli/wscript_build
create mode 100644 source4/rpc_server/common/loadparm.c
delete mode 100644 wscript_configure_krb5
create mode 100644 wscript_configure_system_mitkrb5
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 684f244..2c93a8f 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -486,8 +486,18 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
}
}
- ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
- &ccache, error_string);
+
+ if (cred->ccache_obtained == CRED_UNINITIALISED) {
+ /* Only attempt to re-acquire ccache if it is not already in place.
+ * this is important for client-side use within frameworks with already acquired tickets
+ * like Apache+mod_auth_kerb+Python
+ */
+ ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
+ &ccache, error_string);
+ } else {
+ ccache = cred->ccache;
+ }
+
if (ret) {
if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string));
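Review bot: In the new else branch (`ccache = cred->ccache;`) `ret` is left untouched, so the `if (ret)` that follows depends on `ret` having been initialised to 0 earlier in the function, which this hunk does not show; an explicit `ret = 0;` in the else branch would make the reused-ccache path independent of that. The comment could also say which `ccache_obtained` states other than CRED_UNINITIALISED are expected here, since the else branch hands back `cred->ccache` without any re-validation of what the caller placed in it.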
@@ -533,6 +543,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
return ret;
}
+#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks krb5_get_default_in_tkt_etypes */
/*
* transfer the enctypes from the smb_krb5_context to the gssapi layer
*
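Review bot: The `#ifdef SAMBA4_USES_HEIMDAL` opened here removes the transfer of configured enctypes to the GSSAPI layer on MIT builds; that behavioural difference deserves a sentence in the commit message (or a DEBUG message in an `#else` branch), so that an MIT build negotiating enctypes outside the configured set is not later mistaken for a bug.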
@@ -567,6 +578,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
return ret;
}
}
+#endif
+#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks GSS_KRB5_CRED_NO_CI_FLAGS_X */
/* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */
maj_stat = gss_set_cred_option(&min_stat, &gcc->creds,
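Review bot: `#endif` immediately followed by a second `#ifdef SAMBA4_USES_HEIMDAL` could be collapsed into one conditional region; if they stay separate, the second one needs a comment stating that on MIT builds `gss_set_cred_option` is skipped and GSS_C_CONF_FLAG/GSS_C_INTEG_FLAG will therefore be requested by default, a client-side change the commit message ("no available API to set these options in MIT") only touches on.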
@@ -582,7 +595,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
(*error_string) = talloc_asprintf(cred, "gss_set_cred_option failed: %s", error_message(ret));
return ret;
}
-
+#endif
cred->client_gss_creds_obtained = cred->ccache_obtained;
talloc_set_destructor(gcc, free_gssapi_creds);
cred->client_gss_creds = gcc;
diff --git a/auth/kerberos/pac_utils.h b/auth/kerberos/pac_utils.h
index 7726f52..d654bec 100644
--- a/auth/kerberos/pac_utils.h
+++ b/auth/kerberos/pac_utils.h
@@ -22,7 +22,7 @@
#define _PAC_UTILS_H
#include "lib/krb5_wrap/krb5_samba.h"
-#include "system/gssapi.h"
+#include "lib/krb5_wrap/gss_samba.h"
struct PAC_SIGNATURE_DATA;
struct PAC_DATA;
diff --git a/buildtools/wafsamba/samba_utils.py b/buildtools/wafsamba/samba_utils.py
index 477e0b4..c252663 100644
--- a/buildtools/wafsamba/samba_utils.py
+++ b/buildtools/wafsamba/samba_utils.py
@@ -215,6 +215,8 @@ def TO_LIST(str, delimiter=None):
return []
if isinstance(str, list):
return str
+ if len(str) == 0:
+ return []
lst = str.split(delimiter)
# the string may have had quotes in it, now we
# check if we did have quotes, and use the slower shlex
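Review bot: `if len(str) == 0: return []` reads more idiomatically as `if not str: return []` and could be folded into the existing early `return []` just above it; while here, the parameter name `str` shadows the builtin and would be worth renaming.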
@@ -642,8 +644,17 @@ def PROCESS_SEPARATE_RULE(self, rule):
if txt:
dc = {'ctx': self}
if getattr(self.__class__, 'pre_recurse', None):
- dc = self.pre_recurse(txt, file_path, [])
+ dc = self.pre_recurse(txt, file_path, self.curdir)
exec(compile(txt, file_path, 'exec'), dc)
+ if getattr(self.__class__, 'post_recurse', None):
+ dc = self.post_recurse(txt, file_path, self.curdir)
Build.BuildContext.PROCESS_SEPARATE_RULE = PROCESS_SEPARATE_RULE
ConfigurationContext.PROCESS_SEPARATE_RULE = PROCESS_SEPARATE_RULE
+
+def AD_DC_BUILD_IS_ENABLED(self):
+ if self.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'):
+ return True
+ return False
+
+Build.BuildContext.AD_DC_BUILD_IS_ENABLED = AD_DC_BUILD_IS_ENABLED
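Review bot: The value assigned from `self.post_recurse(...)` to `dc` is never used after that line, so either drop the assignment or note that post_recurse's return value is intentionally discarded. `AD_DC_BUILD_IS_ENABLED` is attached only to `Build.BuildContext`, whereas `PROCESS_SEPARATE_RULE` directly above it is attached to both `Build.BuildContext` and `ConfigurationContext`; if any configure-time script needs the check, it should be registered there as well. Its body can simply be `return bool(self.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'))`.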
diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index 534bace..f1e7aff 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -413,6 +413,9 @@ def SAMBA_MODULE(bld, modname, source,
source = bld.SUBDIR(subdir, source)
if internal_module or BUILTIN_LIBRARY(bld, modname):
+ # Do not create modules for disabled subsystems
+ if subsystem and GET_TARGET_TYPE(bld, subsystem) == 'DISABLED':
+ return
bld.SAMBA_SUBSYSTEM(modname, source,
deps=deps,
includes=includes,
@@ -430,6 +433,10 @@ def SAMBA_MODULE(bld, modname, source,
SET_TARGET_TYPE(bld, modname, 'DISABLED')
return
+ # Do not create modules for disabled subsystems
+ if subsystem and GET_TARGET_TYPE(bld, subsystem) == 'DISABLED':
+ return
+
obj_target = modname + '.objlist'
realname = modname
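Review bot: The disabled-subsystem check (`if subsystem and GET_TARGET_TYPE(bld, subsystem) == 'DISABLED': return`) is now duplicated in the internal-module branch and in the loadable-module path; hoisting it once above `if internal_module or BUILTIN_LIBRARY(bld, modname):` keeps the two copies from drifting apart. Both copies also return without recording a type for `modname`, unlike the explicit `SET_TARGET_TYPE(bld, modname, 'DISABLED')` path just above; marking the module DISABLED before returning would let later dependency resolution distinguish "disabled" from "unknown target".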
diff --git a/lib/addns/dns.h b/lib/addns/dns.h
index 2e80577..2864bdf 100644
--- a/lib/addns/dns.h
+++ b/lib/addns/dns.h
@@ -436,7 +436,7 @@ const char *dns_errstr(DNS_ERROR err);
/* from dnsgss.c */
-#ifdef HAVE_KRB5
+#ifdef HAVE_GSSAPI
void display_status( const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat );
DNS_ERROR dns_negotiate_sec_ctx( const char *target_realm,
@@ -450,6 +450,6 @@ DNS_ERROR dns_sign_update(struct dns_update_request *req,
const char *algorithmname,
time_t time_signed, uint16 fudge);
-#endif /* HAVE_KRB5 */
+#endif /* HAVE_GSSAPI */
#endif /* _DNS_H */
diff --git a/lib/addns/dnsgss.c b/lib/addns/dnsgss.c
index 4fef832..4f7571f 100644
--- a/lib/addns/dnsgss.c
+++ b/lib/addns/dnsgss.c
@@ -26,7 +26,7 @@
#include <ctype.h>
-#ifdef HAVE_KRB5
+#ifdef HAVE_GSSAPI
/*********************************************************************
*********************************************************************/
@@ -331,4 +331,4 @@ DNS_ERROR dns_sign_update(struct dns_update_request *req,
return err;
}
-#endif /* HAVE_KRB5 */
+#endif /* HAVE_GSSAPI */
diff --git a/lib/addns/dnsquery.c b/lib/addns/dnsquery.c
new file mode 100644
index 0000000..57ef8d9
--- /dev/null
+++ b/lib/addns/dnsquery.c
@@ -0,0 +1,910 @@
+/*
+ Unix SMB/CIFS implementation.
+ DNS utility library
+ Copyright (C) Gerald (Jerry) Carter 2006.
+ Copyright (C) Jeremy Allison 2007.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "lib/util/util_net.h"
+#include "lib/util/tsort.h"
+#include "dnsquery.h"
+
+/* AIX resolv.h uses 'class' in struct ns_rr */
+
+#if defined(AIX)
+# if defined(class)
+# undef class
+# endif
+#endif /* AIX */
+
+/* resolver headers */
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <netdb.h>
+
+#define MAX_DNS_PACKET_SIZE 0xffff
+
+#ifdef NS_HFIXEDSZ /* Bind 8/9 interface */
+#if !defined(C_IN) /* AIX 5.3 already defines C_IN */
+# define C_IN ns_c_in
+#endif
+#if !defined(T_A) /* AIX 5.3 already defines T_A */
+# define T_A ns_t_a
+#endif
+
+#if defined(HAVE_IPV6)
+#if !defined(T_AAAA)
+# define T_AAAA ns_t_aaaa
+#endif
+#endif
+
+# define T_SRV ns_t_srv
+#if !defined(T_NS) /* AIX 5.3 already defines T_NS */
+# define T_NS ns_t_ns
+#endif
+#else
+# ifdef HFIXEDSZ
+# define NS_HFIXEDSZ HFIXEDSZ
+# else
+# define NS_HFIXEDSZ sizeof(HEADER)
+# endif /* HFIXEDSZ */
+# ifdef PACKETSZ
+# define NS_PACKETSZ PACKETSZ
+# else /* 512 is usually the default */
+# define NS_PACKETSZ 512
+# endif /* PACKETSZ */
+# define T_SRV 33
+#endif
+
+/*********************************************************************
+*********************************************************************/
+
+static bool ads_dns_parse_query( TALLOC_CTX *ctx, uint8_t *start, uint8_t *end,
+ uint8_t **ptr, struct dns_query *q )
+{
+ uint8_t *p = *ptr;
+ char hostname[MAX_DNS_NAME_LENGTH];
+ int namelen;
+
+ ZERO_STRUCTP( q );
+
+ if ( !start || !end || !q || !*ptr)
+ return false;
+
+ /* See RFC 1035 for details. If this fails, then return. */
+
+ namelen = dn_expand( start, end, p, hostname, sizeof(hostname) );
+ if ( namelen < 0 ) {
+ return false;
+ }
+ p += namelen;
+ q->hostname = talloc_strdup( ctx, hostname );
+
+ /* check that we have space remaining */
+
+ if ( PTR_DIFF(p+4, end) > 0 )
+ return false;
+
+ q->type = RSVAL( p, 0 );
+ q->in_class = RSVAL( p, 2 );
+ p += 4;
+
+ *ptr = p;
+
+ return true;
+}
+
+/*********************************************************************
+*********************************************************************/
+
+static bool ads_dns_parse_rr( TALLOC_CTX *ctx, uint8_t *start, uint8_t *end,
+ uint8_t **ptr, struct dns_rr *rr )
+{
+ uint8_t *p = *ptr;
+ char hostname[MAX_DNS_NAME_LENGTH];
+ int namelen;
+
+ if ( !start || !end || !rr || !*ptr)
+ return -1;
+
+ ZERO_STRUCTP( rr );
+ /* pull the name from the answer */
+
+ namelen = dn_expand( start, end, p, hostname, sizeof(hostname) );
+ if ( namelen < 0 ) {
+ return -1;
+ }
+ p += namelen;
+ rr->hostname = talloc_strdup( ctx, hostname );
+
+ /* check that we have space remaining */
+
+ if ( PTR_DIFF(p+10, end) > 0 )
+ return false;
+
+ /* pull some values and then skip onto the string */
+
+ rr->type = RSVAL(p, 0);
+ rr->in_class = RSVAL(p, 2);
+ rr->ttl = RIVAL(p, 4);
+ rr->rdatalen = RSVAL(p, 8);
+
+ p += 10;
+
+ /* sanity check the available space */
+
+ if ( PTR_DIFF(p+rr->rdatalen, end ) > 0 ) {
+ return false;
+
+ }
+
+ /* save a point to the rdata for this section */
+
+ rr->rdata = p;
+ p += rr->rdatalen;
+
+ *ptr = p;
+
+ return true;
+}
+
+/*********************************************************************
+*********************************************************************/
+
+static bool ads_dns_parse_rr_srv( TALLOC_CTX *ctx, uint8_t *start, uint8_t *end,
+ uint8_t **ptr, struct dns_rr_srv *srv )
+{
+ struct dns_rr rr;
+ uint8_t *p;
+ char dcname[MAX_DNS_NAME_LENGTH];
+ int namelen;
+
+ if ( !start || !end || !srv || !*ptr)
+ return -1;
+
+ /* Parse the RR entry. Coming out of the this, ptr is at the beginning
+ of the next record */
+
+ if ( !ads_dns_parse_rr( ctx, start, end, ptr, &rr ) ) {
+ DEBUG(1,("ads_dns_parse_rr_srv: Failed to parse RR record\n"));
+ return false;
+ }
+
+ if ( rr.type != T_SRV ) {
+ DEBUG(1,("ads_dns_parse_rr_srv: Bad answer type (%d)\n",
+ rr.type));
+ return false;
+ }
+
+ p = rr.rdata;
+
+ srv->priority = RSVAL(p, 0);
+ srv->weight = RSVAL(p, 2);
+ srv->port = RSVAL(p, 4);
+
+ p += 6;
+
+ namelen = dn_expand( start, end, p, dcname, sizeof(dcname) );
+ if ( namelen < 0 ) {
+ DEBUG(1,("ads_dns_parse_rr_srv: Failed to uncompress name!\n"));
+ return false;
+ }
+
+ srv->hostname = talloc_strdup( ctx, dcname );
+
+ DEBUG(10,("ads_dns_parse_rr_srv: Parsed %s [%u, %u, %u]\n",
+ srv->hostname,
+ srv->priority,
+ srv->weight,
+ srv->port));
+
+ return true;
+}
+
+/*********************************************************************
+*********************************************************************/
+
+static bool ads_dns_parse_rr_ns( TALLOC_CTX *ctx, uint8_t *start, uint8_t *end,
+ uint8_t **ptr, struct dns_rr_ns *nsrec )
+{
+ struct dns_rr rr;
+ uint8_t *p;
+ char nsname[MAX_DNS_NAME_LENGTH];
+ int namelen;
+
+ if ( !start || !end || !nsrec || !*ptr)
+ return -1;
+
+ /* Parse the RR entry. Coming out of the this, ptr is at the beginning
+ of the next record */
+
+ if ( !ads_dns_parse_rr( ctx, start, end, ptr, &rr ) ) {
+ DEBUG(1,("ads_dns_parse_rr_ns: Failed to parse RR record\n"));
+ return false;
+ }
+
+ if ( rr.type != T_NS ) {
+ DEBUG(1,("ads_dns_parse_rr_ns: Bad answer type (%d)\n",
+ rr.type));
+ return false;
+ }
+
+ p = rr.rdata;
+
+ /* ame server hostname */
+
+ namelen = dn_expand( start, end, p, nsname, sizeof(nsname) );
+ if ( namelen < 0 ) {
+ DEBUG(1,("ads_dns_parse_rr_ns: Failed to uncompress name!\n"));
+ return false;
+ }
+ nsrec->hostname = talloc_strdup( ctx, nsname );
+
+ return true;
+}
+
+/*********************************************************************
+ Sort SRV record list based on weight and priority. See RFC 2782.
+*********************************************************************/
+
+static int dnssrvcmp( struct dns_rr_srv *a, struct dns_rr_srv *b )
+{
+ if ( a->priority == b->priority ) {
+
+ /* randomize entries with an equal weight and priority */
+ if ( a->weight == b->weight )
+ return 0;
+
+ /* higher weights should be sorted lower */
+ if ( a->weight > b->weight )
+ return -1;
+ else
+ return 1;
+ }
+
+ if ( a->priority < b->priority )
+ return -1;
+
+ return 1;
+}
+
+/*********************************************************************
+ Simple wrapper for a DNS query
+*********************************************************************/
+
+#define DNS_FAILED_WAITTIME 30
+
+static NTSTATUS dns_send_req( TALLOC_CTX *ctx, const char *name, int q_type,
+ uint8_t **buf, int *resp_length )
+{
+ uint8_t *buffer = NULL;
+ size_t buf_len = 0;
+ int resp_len = NS_PACKETSZ;
+ static time_t last_dns_check = 0;
+ static NTSTATUS last_dns_status = NT_STATUS_OK;
+ time_t now = time_mono(NULL);
+
+ /* Try to prevent bursts of DNS lookups if the server is down */
+
+ /* Protect against large clock changes */
+
+ if ( last_dns_check > now )
+ last_dns_check = 0;
+
+ /* IF we had a DNS timeout or a bad server and we are still
+ in the 30 second cache window, just return the previous
+ status and save the network timeout. */
+
+ if ( (NT_STATUS_EQUAL(last_dns_status,NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(last_dns_status,NT_STATUS_CONNECTION_REFUSED)) &&
+ (last_dns_check+DNS_FAILED_WAITTIME) > now )
+ {
+ DEBUG(10,("dns_send_req: last dns check returning cached status (%s)\n",
+ nt_errstr(last_dns_status) ));
+ return last_dns_status;
+ }
+
+ /* Send the Query */
+ do {
+ if ( buffer )
+ TALLOC_FREE( buffer );
+
+ buf_len = resp_len * sizeof(uint8_t);
+
+ if (buf_len) {
+ if ((buffer = talloc_array(ctx, uint8_t, buf_len))
+ == NULL ) {
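Review bot: `ads_dns_parse_rr`, `ads_dns_parse_rr_srv` and `ads_dns_parse_rr_ns` are declared `bool` but `return -1` on NULL arguments (and, in `ads_dns_parse_rr`, on a failed `dn_expand`); -1 converts to `true`, so a caller sees success while `struct dns_rr`/`srv`/`nsrec` is uninitialised. These paths should `return false` like the other error returns. Two further checks are missing in the same code: `ads_dns_parse_rr_srv` reads six bytes at `rr.rdata` (priority, weight, port) without verifying `rr.rdatalen >= 6`, while `ads_dns_parse_rr` only guaranteed that `rdata + rdatalen` stays within `end`; and `ads_dns_parse_query` runs `ZERO_STRUCTP(q)` before testing `!q`, so the NULL check comes too late to help. As this file is a move from source3/libads/dns.c the fixes can land as a follow-up, but a parser for replies from the network is where they matter most.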
--