From 0eded14f19806e87b2205677064d1413bcb86d38 Mon Sep 17 00:00:00 2001
From: =?utf8?q?G=C3=BCnther=20Deschner?=
Date: Tue, 25 Sep 2012 11:09:45 +0200
Subject: [PATCH] s3-net: give more control how to update/register DNS entries.

Guenther
---
 source3/utils/net_ads.c | 13 ++++++++-
 source3/utils/net_dns.c | 78 ++++++++++++++++++++++++++++++++++---------------
 source3/utils/net_dns.h | 9 ++++++
 3 files changed, 76 insertions(+), 24 deletions(-)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index ffb79991ded..7648dc77977 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1206,6 +1206,17 @@ static NTSTATUS net_update_dns_internal(struct net_context *c,
 for (i=0; i < ns_count; i++) {
+ uint32_t flags = DNS_UPDATE_SIGNED |
+ DNS_UPDATE_UNSIGNED |
+ DNS_UPDATE_UNSIGNED_SUFFICIENT |
+ DNS_UPDATE_PROBE |
+ DNS_UPDATE_PROBE_SUFFICIENT;
+
+ if (c->opt_force) {
+ flags &= ~DNS_UPDATE_PROBE_SUFFICIENT;
+ flags &= ~DNS_UPDATE_UNSIGNED_SUFFICIENT;
+ }
+
 status = NT_STATUS_UNSUCCESSFUL;
 /* Now perform the dns update - we'll try non-secure and if we fail,
@@ -1213,7 +1224,7 @@ static NTSTATUS net_update_dns_internal(struct net_context *c,
 fstrcpy( dns_server, nameservers[i].hostname );
- dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs);
+ dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name, addrs, num_addrs, flags);
 if (ERR_DNS_IS_OK(dns_err)) {
 status = NT_STATUS_OK;
 goto done;
diff --git a/source3/utils/net_dns.c b/source3/utils/net_dns.c
index 437b4c1b96e..9bbefdb8b1c 100644
--- a/source3/utils/net_dns.c
+++ b/source3/utils/net_dns.c
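Review bot: The `flags` mask built at the top of the loop body in the first hunk does not depend on `i`, so it is recomputed for every nameserver; compute it once before `for (i=0; i < ns_count; i++) {` (the loop body continues into the second hunk, whose only change is passing `flags` through). The chosen default also encodes a policy that the old comment below it only hinted at and that deserves to be stated next to the mask: `/* Without --force, a probe showing the records already present, or an unsigned update the server accepts, is treated as sufficient and the GSS-signed update is only attempted after those fail; --force drops both shortcuts so the signed update always runs. */`. Note that DNS_UPDATE_SIGNED_SUFFICIENT is never set here, and whether DoDNSUpdate honours it cannot be seen from this hunk.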
@@ -40,6 +40,14 @@ DNS_ERROR DoDNSUpdate(char *pszServerName,
 OM_uint32 minor;
 struct dns_update_request *req, *resp;
+ DEBUG(10,("DoDNSUpdate called with flags: 0x%08x\n", flags));
+
+ if (!(flags & DNS_UPDATE_SIGNED) &&
+ !(flags & DNS_UPDATE_UNSIGNED) &&
+ !(flags & DNS_UPDATE_PROBE)) {
+ return ERROR_DNS_INVALID_PARAMETER;
+ }
+
 if ( (num_addrs <= 0) || !sslist ) {
 return ERROR_DNS_INVALID_PARAMETER;
 }
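Review bot: The new parameter check only rejects a mask with none of DNS_UPDATE_SIGNED, DNS_UPDATE_UNSIGNED or DNS_UPDATE_PROBE set; a mask that carries a *_SUFFICIENT bit without its base bit (for example DNS_UPDATE_UNSIGNED_SUFFICIENT alone) passes and the modifier is then silently ignored by the later blocks. Either extend the check to reject such masks or state the rule in a comment above it: `/* At least one of PROBE/UNSIGNED/SIGNED must be requested; the *_SUFFICIENT bits are modifiers of the matching base bit and have no effect on their own. */`. DoDNSUpdate begins before this hunk and its body continues in the following hunks.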
@@ -53,45 +61,65 @@ DNS_ERROR DoDNSUpdate(char *pszServerName,
 goto error;
 }
- /*
- * Probe if everything's fine
- */
+ if (flags & DNS_UPDATE_PROBE) {
- err = dns_create_probe(mem_ctx, pszDomainName, pszHostName,
- num_addrs, sslist, &req);
- if (!ERR_DNS_IS_OK(err)) goto error;
+ /*
+ * Probe if everything's fine
+ */
- err = dns_update_transaction(mem_ctx, conn, req, &resp);
- if (!ERR_DNS_IS_OK(err)) goto error;
+ err = dns_create_probe(mem_ctx, pszDomainName, pszHostName,
+ num_addrs, sslist, &req);
+ if (!ERR_DNS_IS_OK(err)) goto error;
- if (dns_response_code(resp->flags) == DNS_NO_ERROR) {
- TALLOC_FREE(mem_ctx);
- return ERROR_DNS_SUCCESS;
+ err = dns_update_transaction(mem_ctx, conn, req, &resp);
+ if (!ERR_DNS_IS_OK(err)) goto error;
+
+ if (!ERR_DNS_IS_OK(err)) {
+ DEBUG(3,("DoDNSUpdate: failed to probe DNS\n"));
+ }
+
+ if ((dns_response_code(resp->flags) == DNS_NO_ERROR) &&
+ (flags & DNS_UPDATE_PROBE_SUFFICIENT)) {
+ TALLOC_FREE(mem_ctx);
+ return ERROR_DNS_SUCCESS;
+ }
 }
- /*
- * First try without signing
- */
+ if (flags & DNS_UPDATE_UNSIGNED) {
- err = dns_create_update_request(mem_ctx, pszDomainName, pszHostName,
- sslist, num_addrs, &req);
- if (!ERR_DNS_IS_OK(err)) goto error;
+ /*
+ * First try without signing
+ */
- err = dns_update_transaction(mem_ctx, conn, req, &resp);
- if (!ERR_DNS_IS_OK(err)) goto error;
+ err = dns_create_update_request(mem_ctx, pszDomainName, pszHostName,
+ sslist, num_addrs, &req);
+ if (!ERR_DNS_IS_OK(err)) goto error;
+
+ err = dns_update_transaction(mem_ctx, conn, req, &resp);
+ if (!ERR_DNS_IS_OK(err)) goto error;
+
+ if (!ERR_DNS_IS_OK(err)) {
+ DEBUG(3,("DoDNSUpdate: unsigned update failed\n"));
+ }
- if (dns_response_code(resp->flags) == DNS_NO_ERROR) {
- TALLOC_FREE(mem_ctx);
- return ERROR_DNS_SUCCESS;
+ if ((dns_response_code(resp->flags) == DNS_NO_ERROR) &&
+ (flags & DNS_UPDATE_UNSIGNED_SUFFICIENT)) {
+ TALLOC_FREE(mem_ctx);
+ return ERROR_DNS_SUCCESS;
+ }
 }
 /*
 * Okay, we have to try with signing
 */
- {
+ if (flags & DNS_UPDATE_SIGNED) {
 gss_ctx_id_t gss_context;
 char *keyname;
+ err = dns_create_update_request(mem_ctx, pszDomainName, pszHostName,
+ sslist, num_addrs, &req);
+ if (!ERR_DNS_IS_OK(err)) goto error;
+
 if (!(keyname = dns_generate_keyname( mem_ctx ))) {
 err = ERROR_DNS_NO_MEMORY;
 goto error;
@@ -122,6 +150,10 @@ DNS_ERROR DoDNSUpdate(char *pszServerName,
 err = (dns_response_code(resp->flags) == DNS_NO_ERROR) ? ERROR_DNS_SUCCESS : ERROR_DNS_UPDATE_FAILED;
+
+ if (!ERR_DNS_IS_OK(err)) {
+ DEBUG(3,("DoDNSUpdate: signed update failed\n"));
+ }
 }
diff --git a/source3/utils/net_dns.h b/source3/utils/net_dns.h
index 19bf86683e2..31e541be997 100644
--- a/source3/utils/net_dns.h
+++ b/source3/utils/net_dns.h
@@ -19,6 +19,15 @@ along with this program. If not, see . */
+/* flags for DoDNSUpdate */
+
+#define DNS_UPDATE_SIGNED 0x01
+#define DNS_UPDATE_SIGNED_SUFFICIENT 0x02
+#define DNS_UPDATE_UNSIGNED 0x04
+#define DNS_UPDATE_UNSIGNED_SUFFICIENT 0x08
+#define DNS_UPDATE_PROBE 0x10
+#define DNS_UPDATE_PROBE_SUFFICIENT 0x20
+
 #if defined(WITH_DNS_UPDATES)
 #include "../lib/addns/dns.h"
-- 
2.11.4.GIT
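Review bot: In the probe block the new `if (!ERR_DNS_IS_OK(err)) { DEBUG(3,("DoDNSUpdate: failed to probe DNS\n")); }` can never execute, because the line directly above it, `if (!ERR_DNS_IS_OK(err)) goto error;`, has already left the function on the same condition; the unsigned block repeats the pattern with its "unsigned update failed" message. Fold each pair into one statement, `if (!ERR_DNS_IS_OK(err)) { DEBUG(3,("DoDNSUpdate: failed to probe DNS\n")); goto error; }`, so the diagnostic is actually emitted on the path it describes. Separately, a probe or unsigned update that the server rejects (response code other than DNS_NO_ERROR) leaves `err` at the transport-level success returned by dns_update_transaction, and when the caller did not set DNS_UPDATE_SIGNED the function's tail, which lies outside this hunk, appears to return that `err`; if so, a refused unsigned update would be reported as ERROR_DNS_SUCCESS, and setting `err = ERROR_DNS_UPDATE_FAILED` in the non-sufficient path would close that gap. The net_ads.c caller always sets DNS_UPDATE_SIGNED, so only other users of the new mask would hit this; DoDNSUpdate starts and ends outside this hunk.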
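Review bot: The six new macros in net_dns.h are now the public contract of DoDNSUpdate but carry only the one-line group comment `/* flags for DoDNSUpdate */`, and DNS_UPDATE_SIGNED_SUFFICIENT is defined here yet never tested in any of the net_dns.c hunks, so it should either be honoured in the signed block or be marked as reserved. I would replace the group comment with a short block describing DNS_UPDATE_PROBE, DNS_UPDATE_UNSIGNED and DNS_UPDATE_SIGNED as the attempts DoDNSUpdate makes, in that order, and the *_SUFFICIENT bits as "return success as soon as the matching attempt succeeds instead of continuing to the next", noting that at least one base bit is required because DoDNSUpdate rejects an empty selection with ERROR_DNS_INVALID_PARAMETER. A related-constant `enum` would give the debugger-visible names that `#define` does not, though the file's existing style may argue for keeping the macros.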