[PATCH][WIP] Create DC DNS entries at domain join

Andrew Bartlett abartlet at samba.org
Thu Jun 8 09:13:42 UTC 2017


On Mon, 2017-05-29 at 20:38 +1200, Andrew Bartlett via samba-technical
wrote:
> On Mon, 2017-05-29 at 09:51 +0200, Stefan Metzmacher wrote:
> > Am 29.05.2017 um 07:05 schrieb Andrew Bartlett:
> > > 
> > > I plan to add in a couple of tests for the join.py changes and propose
> > > it for review tomorrow, so if you do see something you are still really
> > > unhappy about, please let me know.
> > 
> > Can't we do the dns rpc calls with the machine account and avoid
> > resetting the security descriptors manually?
> 
> The difficulty there is that we then need to race with the KDC, or
> write out a private krb5.conf with our join partner as the KDC (as the
> source3 code does, I think). 
> 
> The challenge is that the KDC we select via the krb5.conf we use for
> the join might not have the new machine account yet.  (And I don't want
> to fall back to NTLMSSP for new code if I can at all avoid it). 

Attached are the current patches, taking the approach as above, but now
with tests to show that the entries are created.

Not here - the patches on my workstation (drat) - are also tests to
assert that subsequent modification using DNS is possible, using the
machine account. 

This also gives us a good framework for improvements here in the
future. 

The only other thing blocking this from being put up for review is that
Garming asked that I test the MNAME over-stamp in an environment where
it would actually do something, and it is taking a little longer to get
the tests and knownfail entries set up.  

Regardless, any further comments most welcome as I would hope to seek a
formal review tomorrow.

http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/dns-at-domain-join

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
-------------- next part --------------
From 4510ac2b0129743e44819fb7998ebbd89daea951 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Thu, 1 Jun 2017 13:26:38 +1200
Subject: [PATCH] strerror_r: provide XSI-compliant strerror_r

Provide an XSI-compliant strerror_r on GNU based systems.
The default GNU strerror_r is not XSI-compliant, this patch wraps the
GNU-specific call in an XSI-compliant wrapper.

This reverts 18ed32ce0821d11c0c06d82c07ba1c27b0c2b886 which tried to
make Heimdal use roken, rather than libreplace for strerror_r.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>

fix freebsd
---
 lib/replace/replace.c                          | 17 ++++++
 lib/replace/replace.h                          |  2 +-
 lib/replace/wscript                            |  7 +++
 source4/dsdb/samdb/ldb_modules/password_hash.c |  6 +-
 source4/heimdal/lib/roken/strerror_r.c         | 84 --------------------------
 source4/heimdal_build/config.h                 |  3 +
 source4/heimdal_build/wscript_build            |  1 -
 source4/heimdal_build/wscript_configure        |  7 ---
 8 files changed, 33 insertions(+), 94 deletions(-)
 delete mode 100644 source4/heimdal/lib/roken/strerror_r.c

diff --git a/lib/replace/replace.c b/lib/replace/replace.c
index b5d7f11..1e9833f 100644
--- a/lib/replace/replace.c
+++ b/lib/replace/replace.c
@@ -820,6 +820,23 @@ int rep_strerror_r(int errnum, char *buf, size_t buflen)
 	strncpy(buf, s, buflen);
 	return 0;
 }
+#elif (!defined(STRERROR_R_XSI_NOT_GNU))
+#undef strerror_r
+int rep_strerror_r(int errnum, char *buf, size_t buflen)
+{
+	char *s = strerror_r(errnum, buf, buflen);
+	if (s == NULL) {
+		/* Shouldn't happen, should always get a string */
+		return EINVAL;
+	} else if (s != buf) {
+		strlcpy(buf, s, buflen);
+		if (strlen(s) > buflen - 1) {
+			return ERANGE;
+		}
+	}
+	return 0;
+
+}
 #endif
 
 #ifndef HAVE_CLOCK_GETTIME
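Review bot: In the new rep_strerror_r, the truncation check `strlen(s) > buflen - 1` wraps around when buflen is 0 (size_t arithmetic), so ERANGE is never returned for an empty buffer. Testing the strlcpy return value instead, `if (strlcpy(buf, s, buflen) >= buflen) return ERANGE;`, as the removed rk_strerror_r did, avoids the subtraction and the second pass over the string. The `s == buf` path returns 0 without checking whether the message was truncated, which deserves a comment, and the blank line before the closing brace can go.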
diff --git a/lib/replace/replace.h b/lib/replace/replace.h
index 1dbeacf..a41e9f8 100644
--- a/lib/replace/replace.h
+++ b/lib/replace/replace.h
@@ -628,7 +628,7 @@ ssize_t rep_pwrite(int __fd, const void *__buf, size_t __nbytes, off_t __offset)
 char *rep_get_current_dir_name(void);
 #endif
 
-#ifndef HAVE_STRERROR_R
+#if (!defined(HAVE_STRERROR_R) || !defined(STRERROR_R_XSI_NOT_GNU))
 #define strerror_r rep_strerror_r
 int rep_strerror_r(int errnum, char *buf, size_t buflen);
 #endif
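Review bot: The guard `!defined(HAVE_STRERROR_R) || !defined(STRERROR_R_XSI_NOT_GNU)` reads as a double negative and has to stay in step with the `#elif (!defined(STRERROR_R_XSI_NOT_GNU))` branch added in replace.c. A one-line comment here saying that rep_strerror_r is used when strerror_r is missing or has the GNU prototype would make that dependency explicit.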
diff --git a/lib/replace/wscript b/lib/replace/wscript
index eeb1b3e..33f49eb 100644
--- a/lib/replace/wscript
+++ b/lib/replace/wscript
@@ -627,6 +627,13 @@ removeea setea
 
     conf.RECURSE('system')
     conf.SAMBA_CONFIG_H()
+    if conf.CHECK_FUNCS('strerror_r'):
+        # Check if strerror_r is XSI-Compatable, the default GNU implementation
+        # is not
+        conf.CHECK_CODE('int strerror_r(int errnum, char *buf, size_t buflen);',
+                        'STRERROR_R_XSI_NOT_GNU',
+                        headers='string.h', addmain=False, link=False,
+                        msg="Checking for XSI (rather than GNU) prototype for strerror_r")
 
 
 REPLACEMENT_FUNCTIONS = {
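Review bot: The new CHECK_CODE call sits after `conf.SAMBA_CONFIG_H()`; please confirm that STRERROR_R_XSI_NOT_GNU still reaches config.h from that position, or move the check above it. The comment also has a typo: "XSI-Compatable" should be "XSI-compatible".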
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 8e8dc2c..1eb39da 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1544,12 +1544,16 @@ static int setup_primary_userPassword_hash(
 #endif
 	if (hash == NULL) {
 		char buf[1024];
+		int err = strerror_r(errno, buf, sizeof(buf));
+		if (err != 0) {
+			strlcpy(buf, "Unknown error", sizeof(buf)-1);
+		}
 		ldb_asprintf_errstring(
 			ldb,
 			"setup_primary_userPassword: generation of a %s "
 			"password hash failed: (%s)",
 			scheme,
-			strerror_r(errno, buf, sizeof(buf)));
+			buf);
 		TALLOC_FREE(frame);
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
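Review bot: In the fallback, `strlcpy(buf, "Unknown error", sizeof(buf)-1)` passes one less than the buffer size, but strlcpy already reserves room for the terminator, so `sizeof(buf)` is the right argument. The fallback also overwrites whatever partial message is in buf when the call returns ERANGE; if only the EINVAL case is meant to be replaced, test for it explicitly.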
diff --git a/source4/heimdal/lib/roken/strerror_r.c b/source4/heimdal/lib/roken/strerror_r.c
deleted file mode 100644
index 85271ec..0000000
--- a/source4/heimdal/lib/roken/strerror_r.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <config.h>
-
-#if (!defined(HAVE_STRERROR_R) && !defined(strerror_r)) || (!defined(STRERROR_R_PROTO_COMPATIBLE) && defined(HAVE_STRERROR_R))
-
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include "roken.h"
-
-#ifdef _MSC_VER
-
-int ROKEN_LIB_FUNCTION
-rk_strerror_r(int eno, char * strerrbuf, size_t buflen)
-{
-    errno_t err;
-
-    err = strerror_s(strerrbuf, buflen, eno);
-    if (err != 0) {
-        int code;
-        code = sprintf_s(strerrbuf, buflen, "Error % occurred.", eno);
-        err = ((code != 0)? errno : 0);
-    }
-
-    return err;
-}
-
-#else  /* _MSC_VER */
-
-int ROKEN_LIB_FUNCTION
-rk_strerror_r(int eno, char *strerrbuf, size_t buflen)
-{
-    /* Assume is the linux broken strerror_r (returns the a buffer (char *) if the input buffer wasn't use */
-#ifdef HAVE_STRERROR_R
-    const char *str;
-    str = strerror_r(eno, strerrbuf, buflen);
-    if (str != strerrbuf)
-	if (strlcpy(strerrbuf, str, buflen) >= buflen)
-	    return ERANGE;
-    return 0;
-#else
-    int ret;
-    ret = strlcpy(strerrbuf, strerror(eno), buflen);
-    if (ret > buflen)
-	return ERANGE;
-    return 0;
-#endif
-}
-
-#endif  /* !_MSC_VER */
-
-#endif
diff --git a/source4/heimdal_build/config.h b/source4/heimdal_build/config.h
index 2d113ae..a766922 100644
--- a/source4/heimdal_build/config.h
+++ b/source4/heimdal_build/config.h
@@ -49,4 +49,7 @@
 /* heimdal now wants some atomic ops - ask for the non-atomic ones for Samba */
 #define HEIM_BASE_NON_ATOMIC 1
 
+/* lib/replace provides an XSI Compatable strerror_r so use that */
+#define STRERROR_R_PROTO_COMPATIBLE
+
 #endif
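Review bot: STRERROR_R_PROTO_COMPATIBLE is now defined unconditionally and without a value, unlike `#define HEIM_BASE_NON_ATOMIC 1` just above; giving it the value 1 keeps the file consistent. The comment should read "XSI-compatible" rather than "XSI Compatable".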
diff --git a/source4/heimdal_build/wscript_build b/source4/heimdal_build/wscript_build
index c733b8f..2072be4 100644
--- a/source4/heimdal_build/wscript_build
+++ b/source4/heimdal_build/wscript_build
@@ -408,7 +408,6 @@ if not bld.CONFIG_SET('USING_SYSTEM_ROKEN'):
         lib/roken/resolve.c
         lib/roken/socket.c
         lib/roken/roken_gethostby.c
-        lib/roken/strerror_r.c
     '''
 
     HEIMDAL_LIBRARY('roken',
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index 67ac34b..354d44f 100644
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -28,13 +28,6 @@ conf.CHECK_FUNCS('''atexit cgetent getprogname setprogname gethostname
             strptime strsep strsep_copy    strtok_r strupr swab umask uname unsetenv
             closefrom err warn errx warnx flock writev''')
 
-if conf.CHECK_FUNCS('strerror_r'):
-    # Check if strerror_r is BSD compatible (default GNU implementation is not what Heimdal expects)
-    conf.CHECK_CODE('int strerror_r(int errnum, char *buf, size_t buflen);',
-                    'STRERROR_R_PROTO_COMPATIBLE',
-                    headers='string.h', addmain=False, link=False,
-                    msg="Checking for XSI (rather than GNU) prototype for strerror_r")
-
 conf.CHECK_FUNCS_IN('hstrerror', 'resolv socket nsl', checklibc=True)
 conf.CHECK_FUNCS_IN('''getnameinfo sendmsg socket getipnodebyname gethostent gethostent_r
                        sethostent endhostent getipnodebyaddr freehostent gethostbyname
-- 
2.9.4
