[SCM] Samba Shared Repository - branch master updated
Garming Sam
garming at samba.org
Mon Dec 22 00:22:04 MST 2014
The branch, master has been updated
via ad07479 dns.py: Always remove the test zone in tearDown()
via eabc177 dsdb: Ignore errors from search in dns_notify module
via bb88640 dsdb: Use a fixed set of attributes in search in dns_notify module
via e9f6dc7 dsdb: Use ldb_attr_cmp() for comparing objectclass names
via 336ffb2 dns.py: Test dns server reload zones from DSDB when are created or deleted
via 4fb29e9 s4-dns: Reload DNS zones from dsdb when zones are modified through RPC or DRS
via ee4324d selftest: Run samba.tests.dns in :local environment so it can access credentials
from 7cfe6e9 lib/ldb-samba: Add comment dicouraging use of schemaUpgradeInProgress
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ad074795e33b676595aa7fb1b0129a0b5b8cbf24
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Dec 19 15:14:22 2014 +1300
dns.py: Always remove the test zone in tearDown()
Change-Id: Ic6d6c51579f8859b4e396179123974382c253bf7
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Garming Sam <garming at samba.org>
Autobuild-Date(master): Mon Dec 22 08:21:22 CET 2014 on sn-devel-104
commit eabc177bf674a43f6b9442c8a89af0203befb3f1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Dec 19 14:42:08 2014 +1300
dsdb: Ignore errors from search in dns_notify module
This ensures the error messages are unchanged
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit bb886401e8b1c991684c0b9d855b976728e44f13
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Dec 19 14:41:40 2014 +1300
dsdb: Use a fixed set of attributes in search in dns_notify module
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit e9f6dc730df7c496b743f258b03d6fbcef76211e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Dec 19 14:40:28 2014 +1300
dsdb: Use ldb_attr_cmp() for comparing objectclass names
This is the same as strcasecmp, but it is best to remain consistent.
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 336ffb29b50298a0597c15b9f60416adb745bc3d
Author: Samuel Cabrero <samuelcabrero at kernevil.me>
Date: Tue Dec 16 18:04:13 2014 +0100
dns.py: Test dns server reload zones from DSDB when are created or deleted
Signed-off-by: Samuel Cabrero <samuelcabrero at kernevil.me>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 4fb29e9347271acd66833d471a84e39a525f4f18
Author: Samuel Cabrero <samuelcabrero at kernevil.me>
Date: Tue Dec 16 10:58:50 2014 +0100
s4-dns: Reload DNS zones from dsdb when zones are modified through RPC or DRS
Setup a RPC management call on the internal DNS server triggered a new LDB
module which sniffs dnsZone object add, delete and modify operations. This
way the notification is triggered when zones are modified either from RPC or
replicated by inbound DRS.
Signed-off-by: Samuel Cabrero <samuelcabrero at kernevil.me>
(shadowed variable error corrected by abartlet)
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit ee4324ddc24dc6d92b2fdcf87e8dc63c631e2444
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Dec 19 14:58:01 2014 +1300
selftest: Run samba.tests.dns in :local environment so it can access credentials
This allows it to access the machine account, and use that to modify the DNS zones
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/tests/dns.py | 86 ++++
source4/dns_server/dns_server.c | 133 ++++--
source4/dsdb/samdb/ldb_modules/dns_notify.c | 448 +++++++++++++++++++++
source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 3 +-
.../dsdb/samdb/ldb_modules/wscript_build_server | 9 +
source4/librpc/idl/irpc.idl | 11 +
source4/selftest/tests.py | 2 +-
7 files changed, 652 insertions(+), 40 deletions(-)
create mode 100644 source4/dsdb/samdb/ldb_modules/dns_notify.c
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
index 34edf6b..92ac876 100644
--- a/python/samba/tests/dns.py
+++ b/python/samba/tests/dns.py
@@ -21,7 +21,9 @@ import random
import socket
import samba.ndr as ndr
import samba.dcerpc.dns as dns
+from samba import credentials, param
from samba.tests import TestCase
+from samba.dcerpc import dnsp, dnsserver
FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
@@ -864,6 +866,90 @@ class TestInvalidQueries(DNSTest):
if s is not None:
s.close()
+class TestZones(DNSTest):
+ def get_loadparm(self):
+ lp = param.LoadParm()
+ lp.load(os.getenv("SMB_CONF_PATH"))
+ return lp
+
+ def get_credentials(self, lp):
+ creds = credentials.Credentials()
+ creds.guess(lp)
+ creds.set_machine_account(lp)
+ creds.set_krb_forwardable(credentials.NO_KRB_FORWARDABLE)
+ return creds
+
+ def setUp(self):
+ super(TestZones, self).setUp()
+ self.lp = self.get_loadparm()
+ self.creds = self.get_credentials(self.lp)
+ self.server = os.getenv("SERVER_IP")
+ self.zone = "test.lan"
+ self.rpc_conn = dnsserver.dnsserver("ncacn_ip_tcp:%s" % (self.server),
+ self.lp, self.creds)
+
+ def tearDown(self):
+ super(TestZones, self).tearDown()
+ try:
+ self.delete_zone(self.zone)
+ except RuntimeError, (num, string):
+ if num != 9601: #WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST
+ raise
+
+ def create_zone(self, zone):
+ zone_create = dnsserver.DNS_RPC_ZONE_CREATE_INFO_LONGHORN()
+ zone_create.pszZoneName = zone
+ zone_create.dwZoneType = dnsp.DNS_ZONE_TYPE_PRIMARY
+ zone_create.fAllowUpdate = dnsp.DNS_ZONE_UPDATE_SECURE
+ zone_create.fAging = 0
+ zone_create.dwDpFlags = dnsserver.DNS_DP_DOMAIN_DEFAULT
+ self.rpc_conn.DnssrvOperation2(dnsserver.DNS_CLIENT_VERSION_LONGHORN,
+ 0,
+ self.server,
+ None,
+ 0,
+ 'ZoneCreate',
+ dnsserver.DNSSRV_TYPEID_ZONE_CREATE,
+ zone_create)
+
+ def delete_zone(self, zone):
+ self.rpc_conn.DnssrvOperation2(dnsserver.DNS_CLIENT_VERSION_LONGHORN,
+ 0,
+ self.server,
+ zone,
+ 0,
+ 'DeleteZoneFromDs',
+ dnsserver.DNSSRV_TYPEID_NULL,
+ None)
+
+ def test_soa_query(self):
+ zone = "test.lan"
+ p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
+ questions = []
+
+ q = self.make_name_question(zone, dns.DNS_QTYPE_SOA, dns.DNS_QCLASS_IN)
+ questions.append(q)
+ self.finish_name_packet(p, questions)
+
+ response = self.dns_transaction_udp(p)
+ self.assert_dns_rcode_equals(response, dns.DNS_RCODE_NXDOMAIN)
+ self.assert_dns_opcode_equals(response, dns.DNS_OPCODE_QUERY)
+ self.assertEquals(response.ancount, 0)
+
+ self.create_zone(zone)
+ response = self.dns_transaction_udp(p)
+ self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
+ self.assert_dns_opcode_equals(response, dns.DNS_OPCODE_QUERY)
+ self.assertEquals(response.ancount, 1)
+ self.assertEquals(response.answers[0].rr_type, dns.DNS_QTYPE_SOA)
+
+ self.delete_zone(zone)
+ response = self.dns_transaction_udp(p)
+ self.assert_dns_rcode_equals(response, dns.DNS_RCODE_NXDOMAIN)
+ self.assert_dns_opcode_equals(response, dns.DNS_OPCODE_QUERY)
+ self.assertEquals(response.ancount, 0)
+
+
if __name__ == "__main__":
import unittest
diff --git a/source4/dns_server/dns_server.c b/source4/dns_server/dns_server.c
index f1a4c4c..3e18287 100644
--- a/source4/dns_server/dns_server.c
+++ b/source4/dns_server/dns_server.c
@@ -45,6 +45,8 @@
#include "lib/util/tevent_werror.h"
#include "auth/auth.h"
#include "auth/credentials/credentials.h"
+#include "librpc/gen_ndr/ndr_irpc.h"
+#include "lib/messaging/irpc.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_DNS
@@ -761,16 +763,90 @@ static struct dns_server_tkey_store *tkey_store_init(TALLOC_CTX *mem_ctx,
return buffer;
}
+static NTSTATUS dns_server_reload_zones(struct dns_server *dns)
+{
+ int ret;
+ static const char * const attrs[] = { "name", NULL};
+ struct ldb_result *res;
+ int i;
+ struct dns_server_zone *new_list = NULL;
+ struct dns_server_zone *old_list = NULL;
+ struct dns_server_zone *old_zone;
+
+ // TODO: this search does not work against windows
+ ret = dsdb_search(dns->samdb, dns, &res, NULL, LDB_SCOPE_SUBTREE,
+ attrs, DSDB_SEARCH_SEARCH_ALL_PARTITIONS, "(objectClass=dnsZone)");
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ TYPESAFE_QSORT(res->msgs, res->count, dns_server_sort_zones);
+
+ for (i=0; i < res->count; i++) {
+ struct dns_server_zone *z;
+
+ z = talloc_zero(dns, struct dns_server_zone);
+ if (z == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ z->name = ldb_msg_find_attr_as_string(res->msgs[i], "name", NULL);
+ z->dn = talloc_move(z, &res->msgs[i]->dn);
+ /*
+ * Ignore the RootDNSServers zone and zones that we don't support yet
+ * RootDNSServers should never be returned (Windows DNS server don't)
+ * ..TrustAnchors should never be returned as is, (Windows returns
+ * TrustAnchors) and for the moment we don't support DNSSEC so we'd better
+ * not return this zone.
+ */
+ if ((strcmp(z->name, "RootDNSServers") == 0) ||
+ (strcmp(z->name, "..TrustAnchors") == 0))
+ {
+ DEBUG(10, ("Ignoring zone %s\n", z->name));
+ talloc_free(z);
+ continue;
+ }
+ DLIST_ADD_END(new_list, z, NULL);
+ }
+
+ old_list = dns->zones;
+ dns->zones = new_list;
+ while ((old_zone = DLIST_TAIL(old_list)) != NULL) {
+ DLIST_REMOVE(old_list, old_zone);
+ talloc_free(old_zone);
+ }
+
+ return NT_STATUS_OK;
+}
+
+/**
+ * Called when the internal DNS server should reload the zones from DB, for
+ * example, when zones are added or deleted through RPC or replicated by
+ * inbound DRS.
+ */
+static NTSTATUS dns_reload_zones(struct irpc_message *msg,
+ struct dnssrv_reload_dns_zones *r)
+{
+ struct dns_server *dns;
+
+ dns = talloc_get_type(msg->private_data, struct dns_server);
+ if (dns == NULL) {
+ r->out.result = NT_STATUS_INTERNAL_ERROR;
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ r->out.result = dns_server_reload_zones(dns);
+
+ return NT_STATUS_OK;
+}
+
static void dns_task_init(struct task_server *task)
{
struct dns_server *dns;
NTSTATUS status;
struct interface *ifaces = NULL;
int ret;
- struct ldb_result *res;
- static const char * const attrs[] = { "name", NULL};
static const char * const attrs_none[] = { NULL};
- unsigned int i;
struct ldb_message *dns_acc;
char *hostname_lower;
char *dns_spn;
@@ -866,48 +942,29 @@ static void dns_task_init(struct task_server *task)
return;
}
- // TODO: this search does not work against windows
- ret = dsdb_search(dns->samdb, dns, &res, NULL, LDB_SCOPE_SUBTREE,
- attrs, DSDB_SEARCH_SEARCH_ALL_PARTITIONS, "(objectClass=dnsZone)");
- if (ret != LDB_SUCCESS) {
- task_server_terminate(task,
- "dns: failed to look up root DNS zones",
- true);
+ status = dns_server_reload_zones(dns);
+ if (!NT_STATUS_IS_OK(status)) {
+ task_server_terminate(task, "dns: failed to load DNS zones", true);
return;
}
- TYPESAFE_QSORT(res->msgs, res->count, dns_server_sort_zones);
-
- for (i=0; i < res->count; i++) {
- struct dns_server_zone *z;
-
- z = talloc_zero(dns, struct dns_server_zone);
- if (z == NULL) {
- task_server_terminate(task, "dns failed to allocate memory", true);
- }
+ status = dns_startup_interfaces(dns, ifaces);
+ if (!NT_STATUS_IS_OK(status)) {
+ task_server_terminate(task, "dns failed to setup interfaces", true);
+ return;
+ }
- z->name = ldb_msg_find_attr_as_string(res->msgs[i], "name", NULL);
- z->dn = talloc_move(z, &res->msgs[i]->dn);
- /*
- * Ignore the RootDNSServers zone and zones that we don't support yet
- * RootDNSServers should never be returned (Windows DNS server don't)
- * ..TrustAnchors should never be returned as is, (Windows returns
- * TrustAnchors) and for the moment we don't support DNSSEC so we'd better
- * not return this zone.
- */
- if ((strcmp(z->name, "RootDNSServers") == 0) ||
- (strcmp(z->name, "..TrustAnchors") == 0))
- {
- DEBUG(10, ("Ignoring zone %s\n", z->name));
- talloc_free(z);
- continue;
- }
- DLIST_ADD_END(dns->zones, z, NULL);
+ /* Setup the IRPC interface and register handlers */
+ status = irpc_add_name(task->msg_ctx, "dnssrv");
+ if (!NT_STATUS_IS_OK(status)) {
+ task_server_terminate(task, "dns: failed to register IRPC name", true);
+ return;
}
- status = dns_startup_interfaces(dns, ifaces);
+ status = IRPC_REGISTER(task->msg_ctx, irpc, DNSSRV_RELOAD_DNS_ZONES,
+ dns_reload_zones, dns);
if (!NT_STATUS_IS_OK(status)) {
- task_server_terminate(task, "dns failed to setup interfaces", true);
+ task_server_terminate(task, "dns: failed to setup reload handler", true);
return;
}
}
diff --git a/source4/dsdb/samdb/ldb_modules/dns_notify.c b/source4/dsdb/samdb/ldb_modules/dns_notify.c
new file mode 100644
index 0000000..2481a41
--- /dev/null
+++ b/source4/dsdb/samdb/ldb_modules/dns_notify.c
@@ -0,0 +1,448 @@
+/*
+ ldb database library
+
+ Copyright (C) Samuel Cabrero <samuelcabrero at kernevil.me> 2014
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ * Name: ldb
+ *
+ * Component: ldb dns_notify module
+ *
+ * Description: Notify the DNS server when zones are changed, either by direct
+ * RPC management calls or DRS inbound replication.
+ *
+ * Author: Samuel Cabrero <samuelcabrero at kernevil.me>
+ */
+
+#include "includes.h"
+#include "ldb_module.h"
+#include "dsdb/samdb/ldb_modules/util.h"
+#include "dsdb/samdb/samdb.h"
+#include "dsdb/common/proto.h"
+#include "librpc/gen_ndr/ndr_irpc.h"
+#include "lib/messaging/irpc.h"
+#include "librpc/gen_ndr/ndr_irpc_c.h"
+#include "param/param.h"
+#include "dlinklist.h"
+
+struct dns_notify_watched_dn {
+ struct dns_notify_watched_dn *next, *prev;
+ struct ldb_dn *dn;
+};
+
+struct dns_notify_private {
+ struct dns_notify_watched_dn *watched;
+ bool reload_zones;
+};
+
+struct dns_notify_dnssrv_state {
+ struct imessaging_context *msg_ctx;
+ struct dnssrv_reload_dns_zones r;
+};
+
+static void dns_notify_dnssrv_done(struct tevent_req *req)
+{
+ NTSTATUS status;
+ struct dns_notify_dnssrv_state *state;
+
+ state = tevent_req_callback_data(req, struct dns_notify_dnssrv_state);
+
+ status = dcerpc_dnssrv_reload_dns_zones_r_recv(req, state);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("%s: Error notifiying dns server: %s\n",
+ __func__, nt_errstr(status)));
+ }
+ imessaging_cleanup(state->msg_ctx);
+
+ talloc_free(req);
+ talloc_free(state);
+}
+
+static void dns_notify_dnssrv_send(struct ldb_module *module)
+{
+ struct ldb_context *ldb;
+ struct loadparm_context *lp_ctx;
+ struct dns_notify_dnssrv_state *state;
+ struct dcerpc_binding_handle *handle;
+ struct tevent_req *req;
+
+ ldb = ldb_module_get_ctx(module);
+
+ lp_ctx = ldb_get_opaque(ldb, "loadparm");
+ if (lp_ctx == NULL) {
+ return;
+ }
+
+ state = talloc_zero(module, struct dns_notify_dnssrv_state);
+ if (state == NULL) {
+ return;
+ }
+
+ /* Initialize messaging client */
+ state->msg_ctx = imessaging_client_init(state, lp_ctx,
+ ldb_get_event_context(ldb));
+ if (state->msg_ctx == NULL) {
+ ldb_asprintf_errstring(ldb, "Failed to generate client messaging context in %s",
+ lpcfg_imessaging_path(state, lp_ctx));
+ talloc_free(state);
+ return;
+ }
+
+ /* Get a handle to notify the DNS server */
+ handle = irpc_binding_handle_by_name(state, state->msg_ctx,
+ "dnssrv",
+ &ndr_table_irpc);
+ if (handle == NULL) {
+ imessaging_cleanup(state->msg_ctx);
+ talloc_free(state);
+ return;
+ }
+
+ /* Send the notifications */
+ req = dcerpc_dnssrv_reload_dns_zones_r_send(state,
+ ldb_get_event_context(ldb),
+ handle,
+ &state->r);
+ if (req == NULL) {
+ imessaging_cleanup(state->msg_ctx);
+ talloc_free(state);
+ return;
+ }
+ tevent_req_set_callback(req, dns_notify_dnssrv_done, state);
+}
+
+static int dns_notify_add(struct ldb_module *module, struct ldb_request *req)
+{
+ struct ldb_context *ldb;
+ struct dns_notify_private *data;
+ struct dns_notify_watched_dn *w;
+ struct dsdb_schema *schema;
+ const struct dsdb_class *objectclass;
+
+ if (ldb_dn_is_special(req->op.add.message->dn)) {
+ return ldb_next_request(module, req);
+ }
+
+ if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID)) {
+ return ldb_next_request(module, req);
+ }
+
+ ldb = ldb_module_get_ctx(module);
+ data = talloc_get_type(ldb_module_get_private(module),
+ struct dns_notify_private);
+ if (data == NULL) {
+ return ldb_operr(ldb);
+ }
+
+ for (w = data->watched; w; w = w->next) {
+ if (ldb_dn_compare_base(w->dn, req->op.add.message->dn) == 0) {
+ schema = dsdb_get_schema(ldb, req);
+ if (schema == NULL) {
+ return ldb_operr(ldb);
+ }
+
+ objectclass = dsdb_get_structural_oc_from_msg(schema, req->op.add.message);
+ if (objectclass == NULL) {
+ return ldb_operr(ldb);
+ }
+
+ if (ldb_attr_cmp(objectclass->lDAPDisplayName, "dnsZone") == 0) {
+ data->reload_zones = true;
+ break;
+ }
+ }
+ }
+
+ return ldb_next_request(module, req);
+}
+
+static int dns_notify_modify(struct ldb_module *module, struct ldb_request *req)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_context *ldb;
+ struct dns_notify_private *data;
+ struct dns_notify_watched_dn *w;
+ struct ldb_dn *dn;
+ struct ldb_result *res;
+ struct dsdb_schema *schema;
+ const struct dsdb_class *objectclass;
+ const char * const attrs[] = { "objectClass", NULL };
+ int ret;
+
+ if (ldb_dn_is_special(req->op.mod.message->dn)) {
+ return ldb_next_request(module, req);
+ }
+
+ if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID)) {
+ return ldb_next_request(module, req);
+ }
+
+ ldb = ldb_module_get_ctx(module);
+ data = talloc_get_type(ldb_module_get_private(module),
+ struct dns_notify_private);
+ if (data == NULL) {
+ return ldb_operr(ldb);
+ }
+
+ tmp_ctx = talloc_new(module);
+ if (tmp_ctx == NULL) {
+ return ldb_oom(ldb);
+ }
+
+ for (w = data->watched; w; w = w->next) {
+ if (ldb_dn_compare_base(w->dn, req->op.add.message->dn) == 0) {
+ dn = ldb_dn_copy(tmp_ctx, req->op.mod.message->dn);
+
+ ret = dsdb_module_search_dn(module, tmp_ctx, &res, dn, attrs,
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_SEARCH_SHOW_RECYCLED |
+ DSDB_SEARCH_REVEAL_INTERNALS |
+ DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT, req);
+ if (ret != LDB_SUCCESS) {
+ /*
+ * We want the give the caller the
--
Samba Shared Repository
More information about the samba-cvs
mailing list