2 Unix SMB/CIFS implementation.
4 bind9 dlz driver for Samba
6 Copyright (C) 2010 Andrew Tridgell
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "param/param.h"
25 #include "lib/events/events.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "dsdb/common/util.h"
28 #include "auth/auth.h"
29 #include "auth/session.h"
30 #include "auth/gensec/gensec.h"
31 #include "librpc/gen_ndr/security.h"
32 #include "auth/credentials/credentials.h"
33 #include "system/kerberos.h"
34 #include "auth/kerberos/kerberos.h"
35 #include "gen_ndr/ndr_dnsp.h"
36 #include "gen_ndr/server_id.h"
37 #include "messaging/messaging.h"
39 #include "lib/util/dlinklist.h"
40 #include "dlz_minimal.h"
41 #include "dnsserver_common.h"
42 #include "lib/util/smb_strtox.h"
43 #include "lib/util/access.h"
54 struct b9_zone
*prev
, *next
;
57 struct dlz_bind9_data
{
58 struct b9_options options
;
59 struct ldb_context
*samdb
;
60 struct tevent_context
*ev_ctx
;
61 struct loadparm_context
*lp
;
62 int *transaction_token
;
64 struct b9_zone
*zonelist
;
66 /* Used for dynamic update */
67 struct smb_krb5_context
*smb_krb5_ctx
;
68 struct auth4_context
*auth_context
;
69 struct auth_session_info
*session_info
;
72 /* helper functions from the dlz_dlopen driver */
74 dns_sdlz_putrr_t
*putrr
;
75 dns_sdlz_putnamedrr_t
*putnamedrr
;
76 dns_dlz_writeablezone_t
*writeable_zone
;
79 static struct dlz_bind9_data
*dlz_bind9_state
= NULL
;
80 static int dlz_bind9_state_ref_count
= 0;
82 static const char *zone_prefixes
[] = {
83 "CN=MicrosoftDNS,DC=DomainDnsZones",
84 "CN=MicrosoftDNS,DC=ForestDnsZones",
85 "CN=MicrosoftDNS,CN=System",
90 * Get a printable string representation of an isc_result_t
92 static const char *isc_result_str( const isc_result_t result
) {
95 return "ISC_R_SUCCESS";
97 return "ISC_R_NOMEMORY";
99 return "ISC_R_NOPERM";
101 return "ISC_R_NOSPACE";
103 return "ISC_R_NOTFOUND";
105 return "ISC_R_FAILURE";
106 case ISC_R_NOTIMPLEMENTED
:
107 return "ISC_R_NOTIMPLEMENTED";
109 return "ISC_R_NOMORE";
110 case ISC_R_INVALIDFILE
:
111 return "ISC_R_INVALIDFILE";
112 case ISC_R_UNEXPECTED
:
113 return "ISC_R_UNEXPECTED";
114 case ISC_R_FILENOTFOUND
:
115 return "ISC_R_FILENOTFOUND";
122 return the version of the API
124 _PUBLIC_
int dlz_version(unsigned int *flags
)
126 return DLZ_DLOPEN_VERSION
;
130 remember a helper function from the bind9 dlz_dlopen driver
132 static void b9_add_helper(struct dlz_bind9_data
*state
, const char *helper_name
, void *ptr
)
134 if (strcmp(helper_name
, "log") == 0) {
137 if (strcmp(helper_name
, "putrr") == 0) {
140 if (strcmp(helper_name
, "putnamedrr") == 0) {
141 state
->putnamedrr
= ptr
;
143 if (strcmp(helper_name
, "writeable_zone") == 0) {
144 state
->writeable_zone
= ptr
;
149 * Add a trailing '.' if it's missing
151 static const char *b9_format_fqdn(TALLOC_CTX
*mem_ctx
, const char *str
)
156 if (str
== NULL
|| str
[0] == '\0') {
161 if (str
[len
-1] != '.') {
162 tmp
= talloc_asprintf(mem_ctx
, "%s.", str
);
170 format a record for bind9
172 static bool b9_format(struct dlz_bind9_data
*state
,
174 struct dnsp_DnssrvRpcRecord
*rec
,
175 const char **type
, const char **data
)
181 switch (rec
->wType
) {
184 *data
= rec
->data
.ipv4
;
189 *data
= rec
->data
.ipv6
;
194 *data
= b9_format_fqdn(mem_ctx
, rec
->data
.cname
);
199 tmp
= talloc_asprintf(mem_ctx
, "\"%s\"", rec
->data
.txt
.str
[0]);
200 for (i
=1; i
<rec
->data
.txt
.count
; i
++) {
201 tmp
= talloc_asprintf_append(tmp
, " \"%s\"", rec
->data
.txt
.str
[i
]);
208 *data
= b9_format_fqdn(mem_ctx
, rec
->data
.ptr
);
213 fqdn
= b9_format_fqdn(mem_ctx
, rec
->data
.srv
.nameTarget
);
217 *data
= talloc_asprintf(mem_ctx
, "%u %u %u %s",
218 rec
->data
.srv
.wPriority
,
219 rec
->data
.srv
.wWeight
,
226 fqdn
= b9_format_fqdn(mem_ctx
, rec
->data
.mx
.nameTarget
);
230 *data
= talloc_asprintf(mem_ctx
, "%u %s",
231 rec
->data
.mx
.wPriority
, fqdn
);
236 *data
= b9_format_fqdn(mem_ctx
, rec
->data
.ns
);
243 /* we need to fake the authoritative nameserver to
244 * point at ourselves. This is how AD DNS servers
245 * force clients to send updates to the right local DC
247 mname
= talloc_asprintf(mem_ctx
, "%s.%s.",
248 lpcfg_netbios_name(state
->lp
),
249 lpcfg_dnsdomain(state
->lp
));
253 mname
= strlower_talloc(mem_ctx
, mname
);
258 fqdn
= b9_format_fqdn(mem_ctx
, rec
->data
.soa
.rname
);
263 state
->soa_serial
= rec
->data
.soa
.serial
;
265 *data
= talloc_asprintf(mem_ctx
, "%s %s %u %u %u %u %u",
267 rec
->data
.soa
.serial
,
268 rec
->data
.soa
.refresh
,
270 rec
->data
.soa
.expire
,
271 rec
->data
.soa
.minimum
);
276 state
->log(ISC_LOG_ERROR
, "samba_dlz b9_format: unhandled record type %u",
284 static const struct {
285 enum dns_record_type dns_type
;
289 { DNS_TYPE_A
, "A" , false},
290 { DNS_TYPE_AAAA
, "AAAA" , false},
291 { DNS_TYPE_CNAME
, "CNAME" , true},
292 { DNS_TYPE_TXT
, "TXT" , false},
293 { DNS_TYPE_PTR
, "PTR" , false},
294 { DNS_TYPE_SRV
, "SRV" , false},
295 { DNS_TYPE_MX
, "MX" , false},
296 { DNS_TYPE_NS
, "NS" , false},
297 { DNS_TYPE_SOA
, "SOA" , true},
302 see if a DNS type is single valued
304 static bool b9_single_valued(enum dns_record_type dns_type
)
307 for (i
=0; i
<ARRAY_SIZE(dns_typemap
); i
++) {
308 if (dns_typemap
[i
].dns_type
== dns_type
) {
309 return dns_typemap
[i
].single_valued
;
316 get a DNS_TYPE_* value from the corresponding string
318 static bool b9_dns_type(const char *type
, enum dns_record_type
*dtype
)
321 for (i
=0; i
<ARRAY_SIZE(dns_typemap
); i
++) {
322 if (strcasecmp(dns_typemap
[i
].typestr
, type
) == 0) {
323 *dtype
= dns_typemap
[i
].dns_type
;
331 #define DNS_PARSE_STR(ret, str, sep, saveptr) do { \
332 (ret) = strtok_r(str, sep, &saveptr); \
333 if ((ret) == NULL) return false; \
336 #define DNS_PARSE_UINT(ret, str, sep, saveptr) do { \
337 char *istr = strtok_r(str, sep, &saveptr); \
339 if ((istr) == NULL) return false; \
340 (ret) = smb_strtoul(istr, NULL, 10, &error, SMB_STR_STANDARD); \
347 parse a record from bind9
349 static bool b9_parse(struct dlz_bind9_data
*state
,
350 const char *rdatastr
,
351 struct dnsp_DnssrvRpcRecord
*rec
)
353 char *full_name
, *dclass
, *type
;
354 char *str
, *tmp
, *saveptr
=NULL
;
357 str
= talloc_strdup(rec
, rdatastr
);
362 /* parse the SDLZ string form */
363 DNS_PARSE_STR(full_name
, str
, "\t", saveptr
);
364 DNS_PARSE_UINT(rec
->dwTtlSeconds
, NULL
, "\t", saveptr
);
365 DNS_PARSE_STR(dclass
, NULL
, "\t", saveptr
);
366 DNS_PARSE_STR(type
, NULL
, "\t", saveptr
);
368 /* construct the record */
369 for (i
=0; i
<ARRAY_SIZE(dns_typemap
); i
++) {
370 if (strcasecmp(type
, dns_typemap
[i
].typestr
) == 0) {
371 rec
->wType
= dns_typemap
[i
].dns_type
;
375 if (i
== ARRAY_SIZE(dns_typemap
)) {
376 state
->log(ISC_LOG_ERROR
, "samba_dlz: unsupported record type '%s' for '%s'",
381 switch (rec
->wType
) {
383 DNS_PARSE_STR(rec
->data
.ipv4
, NULL
, " ", saveptr
);
387 DNS_PARSE_STR(rec
->data
.ipv6
, NULL
, " ", saveptr
);
391 DNS_PARSE_STR(rec
->data
.cname
, NULL
, " ", saveptr
);
395 rec
->data
.txt
.count
= 0;
396 rec
->data
.txt
.str
= talloc_array(rec
, const char *, rec
->data
.txt
.count
);
397 tmp
= strtok_r(NULL
, "\t", &saveptr
);
399 rec
->data
.txt
.str
= talloc_realloc(rec
, rec
->data
.txt
.str
, const char *,
400 rec
->data
.txt
.count
+1);
403 rec
->data
.txt
.str
[rec
->data
.txt
.count
] = talloc_strndup(rec
, &tmp
[1], strlen(tmp
)-2);
405 rec
->data
.txt
.str
[rec
->data
.txt
.count
] = talloc_strdup(rec
, tmp
);
407 rec
->data
.txt
.count
++;
408 tmp
= strtok_r(NULL
, " ", &saveptr
);
413 DNS_PARSE_STR(rec
->data
.ptr
, NULL
, " ", saveptr
);
417 DNS_PARSE_UINT(rec
->data
.srv
.wPriority
, NULL
, " ", saveptr
);
418 DNS_PARSE_UINT(rec
->data
.srv
.wWeight
, NULL
, " ", saveptr
);
419 DNS_PARSE_UINT(rec
->data
.srv
.wPort
, NULL
, " ", saveptr
);
420 DNS_PARSE_STR(rec
->data
.srv
.nameTarget
, NULL
, " ", saveptr
);
424 DNS_PARSE_UINT(rec
->data
.mx
.wPriority
, NULL
, " ", saveptr
);
425 DNS_PARSE_STR(rec
->data
.mx
.nameTarget
, NULL
, " ", saveptr
);
429 DNS_PARSE_STR(rec
->data
.ns
, NULL
, " ", saveptr
);
433 DNS_PARSE_STR(rec
->data
.soa
.mname
, NULL
, " ", saveptr
);
434 DNS_PARSE_STR(rec
->data
.soa
.rname
, NULL
, " ", saveptr
);
435 DNS_PARSE_UINT(rec
->data
.soa
.serial
, NULL
, " ", saveptr
);
436 DNS_PARSE_UINT(rec
->data
.soa
.refresh
, NULL
, " ", saveptr
);
437 DNS_PARSE_UINT(rec
->data
.soa
.retry
, NULL
, " ", saveptr
);
438 DNS_PARSE_UINT(rec
->data
.soa
.expire
, NULL
, " ", saveptr
);
439 DNS_PARSE_UINT(rec
->data
.soa
.minimum
, NULL
, " ", saveptr
);
443 state
->log(ISC_LOG_ERROR
, "samba_dlz b9_parse: unhandled record type %u",
448 /* we should be at the end of the buffer now */
449 if (strtok_r(NULL
, "\t ", &saveptr
) != NULL
) {
450 state
->log(ISC_LOG_ERROR
, "samba_dlz b9_parse: unexpected data at end of string for '%s'",
459 send a resource record to bind9
461 static isc_result_t
b9_putrr(struct dlz_bind9_data
*state
,
462 void *handle
, struct dnsp_DnssrvRpcRecord
*rec
,
466 const char *type
, *data
;
467 TALLOC_CTX
*tmp_ctx
= talloc_new(state
);
469 if (!b9_format(state
, tmp_ctx
, rec
, &type
, &data
)) {
470 return ISC_R_FAILURE
;
474 talloc_free(tmp_ctx
);
475 return ISC_R_NOMEMORY
;
480 for (i
=0; types
[i
]; i
++) {
481 if (strcmp(types
[i
], type
) == 0) break;
483 if (types
[i
] == NULL
) {
485 return ISC_R_SUCCESS
;
489 result
= state
->putrr(handle
, type
, rec
->dwTtlSeconds
, data
);
490 if (result
!= ISC_R_SUCCESS
) {
491 state
->log(ISC_LOG_ERROR
, "Failed to put rr");
493 talloc_free(tmp_ctx
);
499 send a named resource record to bind9
501 static isc_result_t
b9_putnamedrr(struct dlz_bind9_data
*state
,
502 void *handle
, const char *name
,
503 struct dnsp_DnssrvRpcRecord
*rec
)
506 const char *type
, *data
;
507 TALLOC_CTX
*tmp_ctx
= talloc_new(state
);
509 if (!b9_format(state
, tmp_ctx
, rec
, &type
, &data
)) {
510 return ISC_R_FAILURE
;
514 talloc_free(tmp_ctx
);
515 return ISC_R_NOMEMORY
;
518 result
= state
->putnamedrr(handle
, name
, type
, rec
->dwTtlSeconds
, data
);
519 if (result
!= ISC_R_SUCCESS
) {
520 state
->log(ISC_LOG_ERROR
, "Failed to put named rr '%s'", name
);
522 talloc_free(tmp_ctx
);
529 static isc_result_t
parse_options(struct dlz_bind9_data
*state
,
530 unsigned int argc
, const char **argv
,
531 struct b9_options
*options
)
535 struct poptOption long_options
[] = {
536 { "url", 'H', POPT_ARG_STRING
, &options
->url
, 0, "database URL", "URL" },
537 { "debug", 'd', POPT_ARG_STRING
, &options
->debug
, 0, "debug level", "DEBUG" },
541 pc
= poptGetContext("dlz_bind9", argc
, argv
, long_options
,
542 POPT_CONTEXT_KEEP_FIRST
);
543 while ((opt
= poptGetNextOpt(pc
)) != -1) {
546 state
->log(ISC_LOG_ERROR
, "dlz_bind9: Invalid option %s: %s",
547 poptBadOption(pc
, 0), poptStrerror(opt
));
549 return ISC_R_FAILURE
;
554 return ISC_R_SUCCESS
;
559 * Create session info from PAC
560 * This is called as auth_context->generate_session_info_pac()
562 static NTSTATUS
b9_generate_session_info_pac(struct auth4_context
*auth_context
,
564 struct smb_krb5_context
*smb_krb5_context
,
566 const char *principal_name
,
567 const struct tsocket_address
*remote_addr
,
568 uint32_t session_info_flags
,
569 struct auth_session_info
**session_info
)
572 struct auth_user_info_dc
*user_info_dc
;
575 tmp_ctx
= talloc_new(mem_ctx
);
576 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
578 status
= kerberos_pac_blob_to_user_info_dc(tmp_ctx
,
580 smb_krb5_context
->krb5_context
,
584 if (!NT_STATUS_IS_OK(status
)) {
585 talloc_free(tmp_ctx
);
589 if (user_info_dc
->info
->authenticated
) {
590 session_info_flags
|= AUTH_SESSION_INFO_AUTHENTICATED
;
593 session_info_flags
|= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
;
595 status
= auth_generate_session_info(mem_ctx
, NULL
, NULL
, user_info_dc
,
596 session_info_flags
, session_info
);
597 if (!NT_STATUS_IS_OK(status
)) {
598 talloc_free(tmp_ctx
);
602 talloc_free(tmp_ctx
);
606 /* Callback for the DEBUG() system, to catch the remaining messages */
607 static void b9_debug(void *private_ptr
, int msg_level
, const char *msg
)
609 static const int isc_log_map
[] = {
610 ISC_LOG_CRITICAL
, /* 0 */
611 ISC_LOG_ERROR
, /* 1 */
612 ISC_LOG_WARNING
, /* 2 */
613 ISC_LOG_NOTICE
/* 3 */
615 struct dlz_bind9_data
*state
= private_ptr
;
618 if (msg_level
>= ARRAY_SIZE(isc_log_map
) || msg_level
< 0) {
619 isc_log_level
= ISC_LOG_INFO
;
621 isc_log_level
= isc_log_map
[msg_level
];
623 state
->log(isc_log_level
, "samba_dlz: %s", msg
);
626 static int dlz_state_debug_unregister(struct dlz_bind9_data
*state
)
628 /* Stop logging (to the bind9 logs) */
629 debug_set_callback(NULL
, NULL
);
634 called to initialise the driver
636 _PUBLIC_ isc_result_t
dlz_create(const char *dlzname
,
637 unsigned int argc
, const char **argv
,
640 struct dlz_bind9_data
*state
;
641 const char *helper_name
;
647 char *errstring
= NULL
;
649 if (dlz_bind9_state
!= NULL
) {
650 dlz_bind9_state
->log(ISC_LOG_ERROR
,
651 "samba_dlz: dlz_create ignored, #refs=%d",
652 dlz_bind9_state_ref_count
);
653 *dbdata
= dlz_bind9_state
;
654 dlz_bind9_state_ref_count
++;
655 return ISC_R_SUCCESS
;
658 state
= talloc_zero(NULL
, struct dlz_bind9_data
);
660 return ISC_R_NOMEMORY
;
663 talloc_set_destructor(state
, dlz_state_debug_unregister
);
665 /* fill in the helper functions */
666 va_start(ap
, dbdata
);
667 while ((helper_name
= va_arg(ap
, const char *)) != NULL
) {
668 b9_add_helper(state
, helper_name
, va_arg(ap
, void*));
672 /* Do not install samba signal handlers */
673 fault_setup_disable();
675 /* Start logging (to the bind9 logs) */
676 debug_set_callback(state
, b9_debug
);
678 state
->ev_ctx
= s4_event_context_init(state
);
679 if (state
->ev_ctx
== NULL
) {
680 result
= ISC_R_NOMEMORY
;
684 result
= parse_options(state
, argc
, argv
, &state
->options
);
685 if (result
!= ISC_R_SUCCESS
) {
689 state
->lp
= loadparm_init_global(true);
690 if (state
->lp
== NULL
) {
691 result
= ISC_R_NOMEMORY
;
695 if (state
->options
.debug
) {
696 lpcfg_do_global_parameter(state
->lp
, "log level", state
->options
.debug
);
698 lpcfg_do_global_parameter(state
->lp
, "log level", "0");
701 if (smb_krb5_init_context(state
, state
->lp
, &state
->smb_krb5_ctx
) != 0) {
702 result
= ISC_R_NOMEMORY
;
706 nt_status
= gensec_init();
707 if (!NT_STATUS_IS_OK(nt_status
)) {
708 result
= ISC_R_NOMEMORY
;
712 state
->auth_context
= talloc_zero(state
, struct auth4_context
);
713 if (state
->auth_context
== NULL
) {
714 result
= ISC_R_NOMEMORY
;
718 if (state
->options
.url
== NULL
) {
719 state
->options
.url
= talloc_asprintf(state
,
721 lpcfg_binddns_dir(state
->lp
));
722 if (state
->options
.url
== NULL
) {
723 result
= ISC_R_NOMEMORY
;
727 if (!file_exist(state
->options
.url
)) {
728 state
->options
.url
= talloc_asprintf(state
,
730 lpcfg_private_dir(state
->lp
));
731 if (state
->options
.url
== NULL
) {
732 result
= ISC_R_NOMEMORY
;
738 ret
= samdb_connect_url(state
,
741 system_session(state
->lp
),
747 if (ret
!= LDB_SUCCESS
) {
748 state
->log(ISC_LOG_ERROR
,
749 "samba_dlz: Failed to connect to %s: %s",
750 errstring
, ldb_strerror(ret
));
751 result
= ISC_R_FAILURE
;
755 dn
= ldb_get_default_basedn(state
->samdb
);
757 state
->log(ISC_LOG_ERROR
, "samba_dlz: Unable to get basedn for %s - %s",
758 state
->options
.url
, ldb_errstring(state
->samdb
));
759 result
= ISC_R_FAILURE
;
763 state
->log(ISC_LOG_INFO
, "samba_dlz: started for DN %s",
764 ldb_dn_get_linearized(dn
));
766 state
->auth_context
->event_ctx
= state
->ev_ctx
;
767 state
->auth_context
->lp_ctx
= state
->lp
;
768 state
->auth_context
->sam_ctx
= state
->samdb
;
769 state
->auth_context
->generate_session_info_pac
= b9_generate_session_info_pac
;
772 dlz_bind9_state
= state
;
773 dlz_bind9_state_ref_count
++;
775 return ISC_R_SUCCESS
;
778 state
->log(ISC_LOG_INFO
,
779 "samba_dlz: FAILED dlz_create call result=%d #refs=%d",
781 dlz_bind9_state_ref_count
);
789 _PUBLIC_
void dlz_destroy(void *dbdata
)
791 struct dlz_bind9_data
*state
= talloc_get_type_abort(dbdata
, struct dlz_bind9_data
);
793 dlz_bind9_state_ref_count
--;
794 if (dlz_bind9_state_ref_count
== 0) {
795 state
->log(ISC_LOG_INFO
, "samba_dlz: shutting down");
796 talloc_unlink(state
, state
->samdb
);
798 dlz_bind9_state
= NULL
;
800 state
->log(ISC_LOG_INFO
,
801 "samba_dlz: dlz_destroy called. %d refs remaining.",
802 dlz_bind9_state_ref_count
);
808 return the base DN for a zone
810 static isc_result_t
b9_find_zone_dn(struct dlz_bind9_data
*state
, const char *zone_name
,
811 TALLOC_CTX
*mem_ctx
, struct ldb_dn
**zone_dn
)
814 TALLOC_CTX
*tmp_ctx
= talloc_new(state
);
815 const char *attrs
[] = { NULL
};
818 for (i
=0; zone_prefixes
[i
]; i
++) {
819 const char *casefold
;
821 struct ldb_result
*res
;
822 struct ldb_val zone_name_val
823 = data_blob_string_const(zone_name
);
825 dn
= ldb_dn_copy(tmp_ctx
, ldb_get_default_basedn(state
->samdb
));
827 talloc_free(tmp_ctx
);
828 return ISC_R_NOMEMORY
;
832 * This dance ensures that it is not possible to put
833 * (eg) an extra DC=x, into the DNS name being
837 if (!ldb_dn_add_child_fmt(dn
,
840 talloc_free(tmp_ctx
);
841 return ISC_R_NOMEMORY
;
844 ret
= ldb_dn_set_component(dn
,
848 if (ret
!= LDB_SUCCESS
) {
849 talloc_free(tmp_ctx
);
850 return ISC_R_NOMEMORY
;
854 * Check if this is a plausibly valid DN early
855 * (time spent here will be saved during the
856 * search due to an internal cache)
858 casefold
= ldb_dn_get_casefold(dn
);
860 if (casefold
== NULL
) {
861 talloc_free(tmp_ctx
);
862 return ISC_R_NOTFOUND
;
865 ret
= ldb_search(state
->samdb
, tmp_ctx
, &res
, dn
, LDB_SCOPE_BASE
, attrs
, "objectClass=dnsZone");
866 if (ret
== LDB_SUCCESS
) {
867 if (zone_dn
!= NULL
) {
868 *zone_dn
= talloc_steal(mem_ctx
, dn
);
870 talloc_free(tmp_ctx
);
871 return ISC_R_SUCCESS
;
876 talloc_free(tmp_ctx
);
877 return ISC_R_NOTFOUND
;
882 return the DN for a name. The record does not need to exist, but the
885 static isc_result_t
b9_find_name_dn(struct dlz_bind9_data
*state
, const char *name
,
886 TALLOC_CTX
*mem_ctx
, struct ldb_dn
**dn
)
890 /* work through the name piece by piece, until we find a zone */
893 result
= b9_find_zone_dn(state
, p
, mem_ctx
, dn
);
894 if (result
== ISC_R_SUCCESS
) {
895 const char *casefold
;
897 /* we found a zone, now extend the DN to get
902 ret
= ldb_dn_add_child_fmt(*dn
, "DC=@");
905 return ISC_R_NOMEMORY
;
908 struct ldb_val name_val
909 = data_blob_const(name
,
912 if (!ldb_dn_add_child_val(*dn
,
916 return ISC_R_NOMEMORY
;
921 * Check if this is a plausibly valid DN early
922 * (time spent here will be saved during the
923 * search due to an internal cache)
925 casefold
= ldb_dn_get_casefold(*dn
);
927 if (casefold
== NULL
) {
928 return ISC_R_NOTFOUND
;
931 return ISC_R_SUCCESS
;
939 return ISC_R_NOTFOUND
;
944 see if we handle a given zone
946 _PUBLIC_ isc_result_t
dlz_findzonedb(void *dbdata
, const char *name
,
947 dns_clientinfomethods_t
*methods
,
948 dns_clientinfo_t
*clientinfo
)
950 struct timeval start
= timeval_current();
951 struct dlz_bind9_data
*state
= talloc_get_type_abort(dbdata
, struct dlz_bind9_data
);
952 isc_result_t result
= ISC_R_SUCCESS
;
954 result
= b9_find_zone_dn(state
, name
, NULL
, NULL
);
955 DNS_COMMON_LOG_OPERATION(
956 isc_result_str(result
),
968 static isc_result_t
dlz_lookup_types(struct dlz_bind9_data
*state
,
969 const char *zone
, const char *name
,
970 dns_sdlzlookup_t
*lookup
,
973 TALLOC_CTX
*tmp_ctx
= talloc_new(state
);
975 WERROR werr
= WERR_DNS_ERROR_NAME_DOES_NOT_EXIST
;
976 struct dnsp_DnssrvRpcRecord
*records
= NULL
;
977 uint16_t num_records
= 0, i
;
978 struct ldb_val zone_name_val
979 = data_blob_string_const(zone
);
980 struct ldb_val name_val
981 = data_blob_string_const(name
);
983 for (i
=0; zone_prefixes
[i
]; i
++) {
985 const char *casefold
;
986 dn
= ldb_dn_copy(tmp_ctx
, ldb_get_default_basedn(state
->samdb
));
988 talloc_free(tmp_ctx
);
989 return ISC_R_NOMEMORY
;
993 * This dance ensures that it is not possible to put
994 * (eg) an extra DC=x, into the DNS name being
998 if (!ldb_dn_add_child_fmt(dn
,
1000 zone_prefixes
[i
])) {
1001 talloc_free(tmp_ctx
);
1002 return ISC_R_NOMEMORY
;
1005 ret
= ldb_dn_set_component(dn
,
1009 if (ret
!= LDB_SUCCESS
) {
1010 talloc_free(tmp_ctx
);
1011 return ISC_R_NOMEMORY
;
1014 ret
= ldb_dn_set_component(dn
,
1018 if (ret
!= LDB_SUCCESS
) {
1019 talloc_free(tmp_ctx
);
1020 return ISC_R_NOMEMORY
;
1024 * Check if this is a plausibly valid DN early
1025 * (time spent here will be saved during the
1026 * search due to an internal cache)
1028 casefold
= ldb_dn_get_casefold(dn
);
1030 if (casefold
== NULL
) {
1031 talloc_free(tmp_ctx
);
1032 return ISC_R_NOTFOUND
;
1035 werr
= dns_common_wildcard_lookup(state
->samdb
, tmp_ctx
, dn
,
1036 &records
, &num_records
);
1037 if (W_ERROR_IS_OK(werr
)) {
1041 if (!W_ERROR_IS_OK(werr
)) {
1042 talloc_free(tmp_ctx
);
1043 return ISC_R_NOTFOUND
;
1046 for (i
=0; i
< num_records
; i
++) {
1047 isc_result_t result
;
1049 result
= b9_putrr(state
, lookup
, &records
[i
], types
);
1050 if (result
!= ISC_R_SUCCESS
) {
1051 talloc_free(tmp_ctx
);
1056 talloc_free(tmp_ctx
);
1057 return ISC_R_SUCCESS
;
1063 _PUBLIC_ isc_result_t
dlz_lookup(const char *zone
, const char *name
,
1064 void *dbdata
, dns_sdlzlookup_t
*lookup
,
1065 dns_clientinfomethods_t
*methods
,
1066 dns_clientinfo_t
*clientinfo
)
1068 struct dlz_bind9_data
*state
= talloc_get_type_abort(dbdata
, struct dlz_bind9_data
);
1069 isc_result_t result
= ISC_R_SUCCESS
;
1070 struct timeval start
= timeval_current();
1072 result
= dlz_lookup_types(state
, zone
, name
, lookup
, NULL
);
1073 DNS_COMMON_LOG_OPERATION(
1074 isc_result_str(result
),
1085 see if a zone transfer is allowed
1087 _PUBLIC_ isc_result_t
dlz_allowzonexfr(void *dbdata
, const char *name
, const char *client
)
1089 struct dlz_bind9_data
*state
= talloc_get_type(
1090 dbdata
, struct dlz_bind9_data
);
1092 const char **authorized_clients
, **denied_clients
;
1093 const char *cname
="";
1095 /* check that the zone is known */
1096 ret
= b9_find_zone_dn(state
, name
, NULL
, NULL
);
1097 if (ret
!= ISC_R_SUCCESS
) {
1101 /* default is to deny all transfers */
1103 authorized_clients
= lpcfg_dns_zone_transfer_clients_allow(state
->lp
);
1104 denied_clients
= lpcfg_dns_zone_transfer_clients_deny(state
->lp
);
1106 /* The logic of allow_access() when both allow and deny lists are given
1107 * does not match our expectation here: it would allow clients thar are
1108 * neither allowed nor denied.
1109 * Here, we want to deny clients by default.
1110 * Using the allow_access() function is still useful as it takes care of
1111 * parsing IP adresses and subnets in a consistent way with other options
1114 * We will then check the deny list first, then the allow list, so that
1115 * we accept only clients that are explicitely allowed AND not explicitely
1118 if ((authorized_clients
== NULL
) && (denied_clients
== NULL
)) {
1119 /* No "allow" or "deny" lists given. Deny by default. */
1120 return ISC_R_NOPERM
;
1123 if (denied_clients
!= NULL
) {
1124 bool ok
= allow_access(denied_clients
, NULL
, cname
, client
);
1126 /* client on deny list. Deny. */
1127 return ISC_R_NOPERM
;
1131 if (authorized_clients
!= NULL
) {
1132 bool ok
= allow_access(NULL
, authorized_clients
, cname
, client
);
1135 * client is not on deny list and is on allow list.
1136 * This is the only place we should return "allow".
1138 return ISC_R_SUCCESS
;
1141 /* We shouldn't get here, but deny by default. */
1142 return ISC_R_NOPERM
;
1146 perform a zone transfer
1148 _PUBLIC_ isc_result_t
dlz_allnodes(const char *zone
, void *dbdata
,
1149 dns_sdlzallnodes_t
*allnodes
)
1151 struct timeval start
= timeval_current();
1152 struct dlz_bind9_data
*state
= talloc_get_type_abort(dbdata
, struct dlz_bind9_data
);
1153 const char *attrs
[] = { "dnsRecord", NULL
};
1154 int ret
= LDB_ERR_NO_SUCH_OBJECT
;
1156 struct ldb_dn
*dn
= NULL
;
1157 struct ldb_result
*res
;
1158 TALLOC_CTX
*tmp_ctx
= talloc_new(state
);
1159 struct ldb_val zone_name_val
= data_blob_string_const(zone
);
1160 isc_result_t result
= ISC_R_SUCCESS
;
1162 for (i
=0; zone_prefixes
[i
]; i
++) {
1163 const char *casefold
;
1165 dn
= ldb_dn_copy(tmp_ctx
, ldb_get_default_basedn(state
->samdb
));
1167 talloc_free(tmp_ctx
);
1168 result
= ISC_R_NOMEMORY
;
1173 * This dance ensures that it is not possible to put
1174 * (eg) an extra DC=x, into the DNS name being
1178 if (!ldb_dn_add_child_fmt(dn
,
1180 zone_prefixes
[i
])) {
1181 talloc_free(tmp_ctx
);
1182 result
= ISC_R_NOMEMORY
;
1186 ret
= ldb_dn_set_component(dn
,
1190 if (ret
!= LDB_SUCCESS
) {
1191 talloc_free(tmp_ctx
);
1192 result
= ISC_R_NOMEMORY
;
1197 * Check if this is a plausibly valid DN early
1198 * (time spent here will be saved during the
1199 * search due to an internal cache)
1201 casefold
= ldb_dn_get_casefold(dn
);
1203 if (casefold
== NULL
) {
1204 result
= ISC_R_NOTFOUND
;
1208 ret
= ldb_search(state
->samdb
, tmp_ctx
, &res
, dn
, LDB_SCOPE_SUBTREE
,
1209 attrs
, "objectClass=dnsNode");
1210 if (ret
== LDB_SUCCESS
) {
1214 if (ret
!= LDB_SUCCESS
|| dn
== NULL
) {
1215 talloc_free(tmp_ctx
);
1216 result
= ISC_R_NOTFOUND
;
1220 for (i
=0; i
<res
->count
; i
++) {
1221 struct ldb_message_element
*el
;
1222 TALLOC_CTX
*el_ctx
= talloc_new(tmp_ctx
);
1223 const char *rdn
, *name
;
1224 const struct ldb_val
*v
;
1226 struct dnsp_DnssrvRpcRecord
*recs
= NULL
;
1227 uint16_t num_recs
= 0;
1229 el
= ldb_msg_find_element(res
->msgs
[i
], "dnsRecord");
1230 if (el
== NULL
|| el
->num_values
== 0) {
1231 state
->log(ISC_LOG_INFO
, "failed to find dnsRecord for %s",
1232 ldb_dn_get_linearized(dn
));
1233 talloc_free(el_ctx
);
1237 v
= ldb_dn_get_rdn_val(res
->msgs
[i
]->dn
);
1239 state
->log(ISC_LOG_INFO
, "failed to find RDN for %s",
1240 ldb_dn_get_linearized(dn
));
1241 talloc_free(el_ctx
);
1245 rdn
= talloc_strndup(el_ctx
, (char *)v
->data
, v
->length
);
1247 talloc_free(tmp_ctx
);
1248 result
= ISC_R_NOMEMORY
;
1252 if (strcmp(rdn
, "@") == 0) {
1255 name
= talloc_asprintf(el_ctx
, "%s.%s", rdn
, zone
);
1257 name
= b9_format_fqdn(el_ctx
, name
);
1259 talloc_free(tmp_ctx
);
1260 result
= ISC_R_NOMEMORY
;
1264 werr
= dns_common_extract(state
->samdb
, el
, el_ctx
, &recs
, &num_recs
);
1265 if (!W_ERROR_IS_OK(werr
)) {
1266 state
->log(ISC_LOG_ERROR
, "samba_dlz: failed to parse dnsRecord for %s, %s",
1267 ldb_dn_get_linearized(dn
), win_errstr(werr
));
1268 talloc_free(el_ctx
);
1272 for (j
=0; j
< num_recs
; j
++) {
1275 rc
= b9_putnamedrr(state
, allnodes
, name
, &recs
[j
]);
1276 if (rc
!= ISC_R_SUCCESS
) {
1281 talloc_free(el_ctx
);
1284 talloc_free(tmp_ctx
);
1286 DNS_COMMON_LOG_OPERATION(
1287 isc_result_str(result
),
1299 _PUBLIC_ isc_result_t
dlz_newversion(const char *zone
, void *dbdata
, void **versionp
)
1301 struct timeval start
= timeval_current();
1302 struct dlz_bind9_data
*state
= talloc_get_type_abort(dbdata
, struct dlz_bind9_data
);
1303 isc_result_t result
= ISC_R_SUCCESS
;
1305 state
->log(ISC_LOG_INFO
, "samba_dlz: starting transaction on zone %s", zone
);
1307 if (state
->transaction_token
!= NULL
) {
1308 state
->log(ISC_LOG_INFO
, "samba_dlz: transaction already started for zone %s", zone
);
1309 result
= ISC_R_FAILURE
;
1313 state
->transaction_token
= talloc_zero(state
, int);
1314 if (state
->transaction_token
== NULL
) {
1315 result
= ISC_R_NOMEMORY
;
1319 if (ldb_transaction_start(state
->samdb
) != LDB_SUCCESS
) {
1320 state
->log(ISC_LOG_INFO
, "samba_dlz: failed to start a transaction for zone %s", zone
);
1321 talloc_free(state
->transaction_token
);
1322 state
->transaction_token
= NULL
;
1323 result
= ISC_R_FAILURE
;
1327 *versionp
= (void *)state
->transaction_token
;
1329 DNS_COMMON_LOG_OPERATION(
1330 isc_result_str(result
),
1341 _PUBLIC_
void dlz_closeversion(const char *zone
, isc_boolean_t commit
,
1342 void *dbdata
, void **versionp
)
1344 struct timeval start
= timeval_current();
1345 struct dlz_bind9_data
*state
= talloc_get_type_abort(dbdata
, struct dlz_bind9_data
);
1346 const char *data
= NULL
;
1348 data
= commit
? "commit" : "cancel";
1350 if (state
->transaction_token
!= (int *)*versionp
) {
1351 state
->log(ISC_LOG_INFO
, "samba_dlz: transaction not started for zone %s", zone
);
1356 if (ldb_transaction_commit(state
->samdb
) != LDB_SUCCESS
) {
1357 state
->log(ISC_LOG_INFO
, "samba_dlz: failed to commit a transaction for zone %s", zone
);
1360 state
->log(ISC_LOG_INFO
, "samba_dlz: committed transaction on zone %s", zone
);
1362 if (ldb_transaction_cancel(state
->samdb
) != LDB_SUCCESS
) {
1363 state
->log(ISC_LOG_INFO
, "samba_dlz: failed to cancel a transaction for zone %s", zone
);
1366 state
->log(ISC_LOG_INFO
, "samba_dlz: cancelling transaction on zone %s", zone
);
1369 talloc_free(state
->transaction_token
);
1370 state
->transaction_token
= NULL
;
1374 DNS_COMMON_LOG_OPERATION(
1375 isc_result_str(ISC_R_SUCCESS
),
1384 see if there is a SOA record for a zone
1386 static bool b9_has_soa(struct dlz_bind9_data
*state
, struct ldb_dn
*dn
, const char *zone
)
1388 TALLOC_CTX
*tmp_ctx
= talloc_new(state
);
1390 struct dnsp_DnssrvRpcRecord
*records
= NULL
;
1391 uint16_t num_records
= 0, i
;
1392 struct ldb_val zone_name_val
1393 = data_blob_string_const(zone
);
1396 * This dance ensures that it is not possible to put
1397 * (eg) an extra DC=x, into the DNS name being
1401 if (!ldb_dn_add_child_val(dn
,
1404 talloc_free(tmp_ctx
);
1409 * The SOA record is alwas stored under DC=@,DC=zonename
1410 * This can probably be removed when dns_common_lookup makes a fallback
1411 * lookup on @ pseudo record
1414 if (!ldb_dn_add_child_fmt(dn
,"DC=@")) {
1415 talloc_free(tmp_ctx
);
1419 werr
= dns_common_lookup(state
->samdb
, tmp_ctx
, dn
,
1420 &records
, &num_records
, NULL
);
1421 if (!W_ERROR_IS_OK(werr
)) {
1422 talloc_free(tmp_ctx
);
1426 for (i
=0; i
< num_records
; i
++) {
1427 if (records
[i
].wType
== DNS_TYPE_SOA
) {
1428 talloc_free(tmp_ctx
);
1433 talloc_free(tmp_ctx
);
1437 static bool b9_zone_add(struct dlz_bind9_data
*state
, const char *name
)
1439 struct b9_zone
*zone
;
1441 zone
= talloc_zero(state
, struct b9_zone
);
1446 zone
->name
= talloc_strdup(zone
, name
);
1447 if (zone
->name
== NULL
) {
1452 DLIST_ADD(state
->zonelist
, zone
);
1456 static bool b9_zone_exists(struct dlz_bind9_data
*state
, const char *name
)
1458 struct b9_zone
*zone
= state
->zonelist
;
1461 while (zone
!= NULL
) {
1462 if (strcasecmp(name
, zone
->name
) == 0) {
1474 configure a writeable zone
1476 _PUBLIC_ isc_result_t
dlz_configure(dns_view_t
*view
, dns_dlzdb_t
*dlzdb
,
1479 struct dlz_bind9_data
*state
= talloc_get_type_abort(dbdata
, struct dlz_bind9_data
);
1480 TALLOC_CTX
*tmp_ctx
;
1484 state
->log(ISC_LOG_INFO
, "samba_dlz: starting configure");
1485 if (state
->writeable_zone
== NULL
) {
1486 state
->log(ISC_LOG_INFO
, "samba_dlz: no writeable_zone method available");
1487 return ISC_R_FAILURE
;
1490 tmp_ctx
= talloc_new(state
);
1492 for (i
=0; zone_prefixes
[i
]; i
++) {
1493 const char *attrs
[] = { "name", NULL
};
1495 struct ldb_result
*res
;
1497 dn
= ldb_dn_copy(tmp_ctx
, ldb_get_default_basedn(state
->samdb
));
1499 talloc_free(tmp_ctx
);
1500 return ISC_R_NOMEMORY
;
1503 if (!ldb_dn_add_child_fmt(dn
, "%s", zone_prefixes
[i
])) {
1504 talloc_free(tmp_ctx
);
1505 return ISC_R_NOMEMORY
;
1508 ret
= ldb_search(state
->samdb
, tmp_ctx
, &res
, dn
, LDB_SCOPE_SUBTREE
,
1509 attrs
, "objectClass=dnsZone");
1510 if (ret
!= LDB_SUCCESS
) {
1514 for (j
=0; j
<res
->count
; j
++) {
1515 isc_result_t result
;
1516 const char *zone
= ldb_msg_find_attr_as_string(res
->msgs
[j
], "name", NULL
);
1517 struct ldb_dn
*zone_dn
;
1522 /* Ignore zones that are not handled in BIND */
1523 if ((strcmp(zone
, "RootDNSServers") == 0) ||
1524 (strcmp(zone
, "..TrustAnchors") == 0)) {
1527 zone_dn
= ldb_dn_copy(tmp_ctx
, dn
);
1528 if (zone_dn
== NULL
) {
1529 talloc_free(tmp_ctx
);
1530 return ISC_R_NOMEMORY
;
1533 if (!b9_has_soa(state
, zone_dn
, zone
)) {
1537 if (b9_zone_exists(state
, zone
)) {
1538 state
->log(ISC_LOG_WARNING
, "samba_dlz: Ignoring duplicate zone '%s' from '%s'",
1539 zone
, ldb_dn_get_linearized(zone_dn
));
1543 if (!b9_zone_add(state
, zone
)) {
1544 talloc_free(tmp_ctx
);
1545 return ISC_R_NOMEMORY
;
1548 result
= state
->writeable_zone(view
, dlzdb
, zone
);
1549 if (result
!= ISC_R_SUCCESS
) {
1550 state
->log(ISC_LOG_ERROR
, "samba_dlz: Failed to configure zone '%s'",
1552 talloc_free(tmp_ctx
);
1555 state
->log(ISC_LOG_INFO
, "samba_dlz: configured writeable zone '%s'", zone
);
1559 talloc_free(tmp_ctx
);
1560 return ISC_R_SUCCESS
;
1564 authorize a zone update
1566 _PUBLIC_ isc_boolean_t
dlz_ssumatch(const char *signer
, const char *name
, const char *tcpaddr
,
1567 const char *type
, const char *key
, uint32_t keydatalen
, uint8_t *keydata
,
1570 struct timeval start
= timeval_current();
1571 struct dlz_bind9_data
*state
= talloc_get_type_abort(dbdata
, struct dlz_bind9_data
);
1572 TALLOC_CTX
*tmp_ctx
;
1574 struct cli_credentials
*server_credentials
;
1576 char *keytab_file
= NULL
;
1580 struct gensec_security
*gensec_ctx
;
1581 struct auth_session_info
*session_info
;
1584 struct ldb_result
*res
;
1585 const char * attrs
[] = { NULL
};
1586 uint32_t access_mask
;
1587 struct gensec_settings
*settings
= NULL
;
1588 const struct gensec_security_ops
**backends
= NULL
;
1590 isc_boolean_t result
= ISC_FALSE
;
1594 /* Remove cached credentials, if any */
1595 if (state
->session_info
) {
1596 talloc_free(state
->session_info
);
1597 state
->session_info
= NULL
;
1599 if (state
->update_name
) {
1600 talloc_free(state
->update_name
);
1601 state
->update_name
= NULL
;
1604 tmp_ctx
= talloc_new(state
);
1605 if (tmp_ctx
== NULL
) {
1606 state
->log(ISC_LOG_ERROR
, "samba_dlz: no memory");
1611 ap_req
= data_blob_const(keydata
, keydatalen
);
1612 server_credentials
= cli_credentials_init(tmp_ctx
);
1613 if (!server_credentials
) {
1614 state
->log(ISC_LOG_ERROR
, "samba_dlz: failed to init server credentials");
1615 talloc_free(tmp_ctx
);
1620 status
= cli_credentials_set_krb5_context(server_credentials
,
1621 state
->smb_krb5_ctx
);
1622 if (!NT_STATUS_IS_OK(status
)) {
1623 state
->log(ISC_LOG_ERROR
,
1624 "samba_dlz: failed to set krb5 context");
1625 talloc_free(tmp_ctx
);
1630 ok
= cli_credentials_set_conf(server_credentials
, state
->lp
);
1632 state
->log(ISC_LOG_ERROR
,
1633 "samba_dlz: failed to load smb.conf");
1634 talloc_free(tmp_ctx
);
1639 keytab_file
= talloc_asprintf(tmp_ctx
,
1641 lpcfg_binddns_dir(state
->lp
));
1642 if (keytab_file
== NULL
) {
1643 state
->log(ISC_LOG_ERROR
, "samba_dlz: Out of memory!");
1644 talloc_free(tmp_ctx
);
1649 if (!file_exist(keytab_file
)) {
1650 keytab_file
= talloc_asprintf(tmp_ctx
,
1652 lpcfg_private_dir(state
->lp
));
1653 if (keytab_file
== NULL
) {
1654 state
->log(ISC_LOG_ERROR
, "samba_dlz: Out of memory!");
1655 talloc_free(tmp_ctx
);
1661 keytab_name
= talloc_asprintf(tmp_ctx
, "FILE:%s", keytab_file
);
1662 if (keytab_name
== NULL
) {
1663 state
->log(ISC_LOG_ERROR
, "samba_dlz: Out of memory!");
1664 talloc_free(tmp_ctx
);
1669 ret
= cli_credentials_set_keytab_name(server_credentials
, state
->lp
, keytab_name
,
1672 state
->log(ISC_LOG_ERROR
, "samba_dlz: failed to obtain server credentials from %s",
1674 talloc_free(tmp_ctx
);
1678 talloc_free(keytab_name
);
1680 settings
= lpcfg_gensec_settings(tmp_ctx
, state
->lp
);
1681 if (settings
== NULL
) {
1682 state
->log(ISC_LOG_ERROR
, "samba_dlz: lpcfg_gensec_settings failed");
1683 talloc_free(tmp_ctx
);
1687 backends
= talloc_zero_array(settings
,
1688 const struct gensec_security_ops
*, 3);
1689 if (backends
== NULL
) {
1690 state
->log(ISC_LOG_ERROR
, "samba_dlz: talloc_zero_array gensec_security_ops failed");
1691 talloc_free(tmp_ctx
);
1695 settings
->backends
= backends
;
1699 backends
[idx
++] = gensec_security_by_oid(NULL
, GENSEC_OID_KERBEROS5
);
1700 backends
[idx
++] = gensec_security_by_oid(NULL
, GENSEC_OID_SPNEGO
);
1702 nt_status
= gensec_server_start(tmp_ctx
, settings
,
1703 state
->auth_context
, &gensec_ctx
);
1704 if (!NT_STATUS_IS_OK(nt_status
)) {
1705 state
->log(ISC_LOG_ERROR
, "samba_dlz: failed to start gensec server");
1706 talloc_free(tmp_ctx
);
1711 gensec_set_credentials(gensec_ctx
, server_credentials
);
1713 nt_status
= gensec_start_mech_by_oid(gensec_ctx
, GENSEC_OID_SPNEGO
);
1714 if (!NT_STATUS_IS_OK(nt_status
)) {
1715 state
->log(ISC_LOG_ERROR
, "samba_dlz: failed to start spnego");
1716 talloc_free(tmp_ctx
);
1722 * We only allow SPNEGO/KRB5 and make sure the backend
1723 * to is RPC/IPC free.
1725 * See gensec_gssapi_update_internal() as
1728 * It allows gensec_update() not to block.
1730 * If that changes in future we need to use
1731 * gensec_update_send/recv here!
1733 nt_status
= gensec_update(gensec_ctx
, tmp_ctx
, ap_req
, &ap_req
);
1734 if (!NT_STATUS_IS_OK(nt_status
)) {
1735 state
->log(ISC_LOG_ERROR
, "samba_dlz: spnego update failed");
1736 talloc_free(tmp_ctx
);
1741 nt_status
= gensec_session_info(gensec_ctx
, tmp_ctx
, &session_info
);
1742 if (!NT_STATUS_IS_OK(nt_status
)) {
1743 state
->log(ISC_LOG_ERROR
, "samba_dlz: failed to create session info");
1744 talloc_free(tmp_ctx
);
1749 /* Get the DN from name */
1750 rc
= b9_find_name_dn(state
, name
, tmp_ctx
, &dn
);
1751 if (rc
!= ISC_R_SUCCESS
) {
1752 state
->log(ISC_LOG_ERROR
, "samba_dlz: failed to find name %s", name
);
1753 talloc_free(tmp_ctx
);
1758 /* make sure the dn exists, or find parent dn in case new object is being added */
1759 ldb_ret
= ldb_search(state
->samdb
, tmp_ctx
, &res
, dn
, LDB_SCOPE_BASE
,
1760 attrs
, "objectClass=dnsNode");
1761 if (ldb_ret
== LDB_ERR_NO_SUCH_OBJECT
) {
1762 ldb_dn_remove_child_components(dn
, 1);
1763 access_mask
= SEC_ADS_CREATE_CHILD
;
1765 } else if (ldb_ret
== LDB_SUCCESS
) {
1766 access_mask
= SEC_STD_REQUIRED
| SEC_ADS_SELF_WRITE
;
1769 talloc_free(tmp_ctx
);
1775 ldb_ret
= dsdb_check_access_on_dn(state
->samdb
, tmp_ctx
, dn
,
1776 session_info
->security_token
,
1778 if (ldb_ret
!= LDB_SUCCESS
) {
1779 state
->log(ISC_LOG_INFO
,
1780 "samba_dlz: disallowing update of signer=%s name=%s type=%s error=%s",
1781 signer
, name
, type
, ldb_strerror(ldb_ret
));
1782 talloc_free(tmp_ctx
);
1787 /* Cache session_info, so it can be used in the actual add/delete operation */
1788 state
->update_name
= talloc_strdup(state
, name
);
1789 if (state
->update_name
== NULL
) {
1790 state
->log(ISC_LOG_ERROR
, "samba_dlz: memory allocation error");
1791 talloc_free(tmp_ctx
);
1795 state
->session_info
= talloc_steal(state
, session_info
);
1797 state
->log(ISC_LOG_INFO
, "samba_dlz: allowing update of signer=%s name=%s tcpaddr=%s type=%s key=%s",
1798 signer
, name
, tcpaddr
, type
, key
);
1800 talloc_free(tmp_ctx
);
1803 DNS_COMMON_LOG_OPERATION(
1804 isc_result_str(result
),
1814 see if two dns records match
1816 static bool b9_record_match(struct dnsp_DnssrvRpcRecord
*rec1
,
1817 struct dnsp_DnssrvRpcRecord
*rec2
)
1819 if (rec1
->wType
!= rec2
->wType
) {
1822 /* see if this type is single valued */
1823 if (b9_single_valued(rec1
->wType
)) {
1827 return dns_record_match(rec1
, rec2
);
1831 * Update session_info on samdb using the cached credentials
1833 static bool b9_set_session_info(struct dlz_bind9_data
*state
, const char *name
)
1837 if (state
->update_name
== NULL
|| state
->session_info
== NULL
) {
1838 state
->log(ISC_LOG_ERROR
, "samba_dlz: invalid credentials");
1842 /* Do not use client credentials, if we're not updating the client specified name */
1843 if (strcmp(state
->update_name
, name
) != 0) {
1847 ret
= ldb_set_opaque(
1850 state
->session_info
);
1851 if (ret
!= LDB_SUCCESS
) {
1852 state
->log(ISC_LOG_ERROR
, "samba_dlz: unable to set session info");
1860 * Reset session_info on samdb as system session
1862 static void b9_reset_session_info(struct dlz_bind9_data
*state
)
1867 system_session(state
->lp
));
1871 add or modify a rdataset
1873 _PUBLIC_ isc_result_t
dlz_addrdataset(const char *name
, const char *rdatastr
, void *dbdata
, void *version
)
1875 struct timeval start
= timeval_current();
1876 struct dlz_bind9_data
*state
= talloc_get_type_abort(dbdata
, struct dlz_bind9_data
);
1877 struct dnsp_DnssrvRpcRecord
*rec
;
1879 isc_result_t result
= ISC_R_SUCCESS
;
1880 bool tombstoned
= false;
1881 bool needs_add
= false;
1882 struct dnsp_DnssrvRpcRecord
*recs
= NULL
;
1883 uint16_t num_recs
= 0;
1888 if (state
->transaction_token
!= (void*)version
) {
1889 state
->log(ISC_LOG_INFO
, "samba_dlz: bad transaction version");
1890 result
= ISC_R_FAILURE
;
1894 rec
= talloc_zero(state
, struct dnsp_DnssrvRpcRecord
);
1896 result
= ISC_R_NOMEMORY
;
1900 rec
->rank
= DNS_RANK_ZONE
;
1902 if (!b9_parse(state
, rdatastr
, rec
)) {
1903 state
->log(ISC_LOG_INFO
, "samba_dlz: failed to parse rdataset '%s'", rdatastr
);
1905 result
= ISC_R_FAILURE
;
1909 /* find the DN of the record */
1910 result
= b9_find_name_dn(state
, name
, rec
, &dn
);
1911 if (result
!= ISC_R_SUCCESS
) {
1916 /* get any existing records */
1917 werr
= dns_common_lookup(state
->samdb
, rec
, dn
,
1918 &recs
, &num_recs
, &tombstoned
);
1919 if (W_ERROR_EQUAL(werr
, WERR_DNS_ERROR_NAME_DOES_NOT_EXIST
)) {
1923 if (!W_ERROR_IS_OK(werr
)) {
1924 state
->log(ISC_LOG_ERROR
, "samba_dlz: failed to parse dnsRecord for %s, %s",
1925 ldb_dn_get_linearized(dn
), win_errstr(werr
));
1927 result
= ISC_R_FAILURE
;
1933 * we need to keep the existing tombstone record
1939 /* there may be existing records. We need to see if this will
1940 * replace a record or add to it
1942 for (i
=first
; i
< num_recs
; i
++) {
1943 if (b9_record_match(rec
, &recs
[i
])) {
1947 if (i
== UINT16_MAX
) {
1948 state
->log(ISC_LOG_ERROR
,
1949 "samba_dlz: failed to find record to modify, and "
1950 "there are already %u dnsRecord values for %s",
1951 i
, ldb_dn_get_linearized(dn
));
1953 result
= ISC_R_FAILURE
;
1957 if (i
== num_recs
) {
1958 /* adding a new value */
1959 recs
= talloc_realloc(rec
, recs
,
1960 struct dnsp_DnssrvRpcRecord
,
1964 result
= ISC_R_NOMEMORY
;
1969 if (dns_name_is_static(recs
, num_recs
)) {
1970 rec
->dwTimeStamp
= 0;
1972 rec
->dwTimeStamp
= unix_to_dns_timestamp(time(NULL
));
1978 if (!b9_set_session_info(state
, name
)) {
1980 result
= ISC_R_FAILURE
;
1984 /* modify the record */
1985 werr
= dns_common_replace(state
->samdb
, rec
, dn
,
1989 b9_reset_session_info(state
);
1990 if (!W_ERROR_IS_OK(werr
)) {
1991 state
->log(ISC_LOG_ERROR
, "samba_dlz: failed to %s %s - %s",
1992 needs_add
? "add" : "modify",
1993 ldb_dn_get_linearized(dn
), win_errstr(werr
));
1995 result
= ISC_R_FAILURE
;
1999 state
->log(ISC_LOG_INFO
, "samba_dlz: added rdataset %s '%s'", name
, rdatastr
);
2003 DNS_COMMON_LOG_OPERATION(
2004 isc_result_str(result
),
2015 _PUBLIC_ isc_result_t
dlz_subrdataset(const char *name
, const char *rdatastr
, void *dbdata
, void *version
)
2017 struct timeval start
= timeval_current();
2018 struct dlz_bind9_data
*state
= talloc_get_type_abort(dbdata
, struct dlz_bind9_data
);
2019 struct dnsp_DnssrvRpcRecord
*rec
;
2021 isc_result_t result
= ISC_R_SUCCESS
;
2022 struct dnsp_DnssrvRpcRecord
*recs
= NULL
;
2023 uint16_t num_recs
= 0;
2027 if (state
->transaction_token
!= (void*)version
) {
2028 state
->log(ISC_LOG_ERROR
, "samba_dlz: bad transaction version");
2029 result
= ISC_R_FAILURE
;
2033 rec
= talloc_zero(state
, struct dnsp_DnssrvRpcRecord
);
2035 result
= ISC_R_NOMEMORY
;
2039 if (!b9_parse(state
, rdatastr
, rec
)) {
2040 state
->log(ISC_LOG_ERROR
, "samba_dlz: failed to parse rdataset '%s'", rdatastr
);
2042 result
= ISC_R_FAILURE
;
2046 /* find the DN of the record */
2047 result
= b9_find_name_dn(state
, name
, rec
, &dn
);
2048 if (result
!= ISC_R_SUCCESS
) {
2053 /* get the existing records */
2054 werr
= dns_common_lookup(state
->samdb
, rec
, dn
,
2055 &recs
, &num_recs
, NULL
);
2056 if (!W_ERROR_IS_OK(werr
)) {
2058 result
= ISC_R_NOTFOUND
;
2062 for (i
=0; i
< num_recs
; i
++) {
2063 if (b9_record_match(rec
, &recs
[i
])) {
2064 recs
[i
] = (struct dnsp_DnssrvRpcRecord
) {
2065 .wType
= DNS_TYPE_TOMBSTONE
,
2070 if (i
== num_recs
) {
2072 result
= ISC_R_NOTFOUND
;
2076 if (!b9_set_session_info(state
, name
)) {
2078 result
= ISC_R_FAILURE
;
2082 /* modify the record */
2083 werr
= dns_common_replace(state
->samdb
, rec
, dn
,
2084 false,/* needs_add */
2087 b9_reset_session_info(state
);
2088 if (!W_ERROR_IS_OK(werr
)) {
2089 state
->log(ISC_LOG_ERROR
, "samba_dlz: failed to modify %s - %s",
2090 ldb_dn_get_linearized(dn
), win_errstr(werr
));
2092 result
= ISC_R_FAILURE
;
2096 state
->log(ISC_LOG_INFO
, "samba_dlz: subtracted rdataset %s '%s'", name
, rdatastr
);
2100 DNS_COMMON_LOG_OPERATION(
2101 isc_result_str(result
),
2111 delete all records of the given type
2113 _PUBLIC_ isc_result_t
dlz_delrdataset(const char *name
, const char *type
, void *dbdata
, void *version
)
2115 struct timeval start
= timeval_current();
2116 struct dlz_bind9_data
*state
= talloc_get_type_abort(dbdata
, struct dlz_bind9_data
);
2117 TALLOC_CTX
*tmp_ctx
;
2119 isc_result_t result
= ISC_R_SUCCESS
;
2120 enum dns_record_type dns_type
;
2122 struct dnsp_DnssrvRpcRecord
*recs
= NULL
;
2123 uint16_t num_recs
= 0;
2127 if (state
->transaction_token
!= (void*)version
) {
2128 state
->log(ISC_LOG_ERROR
, "samba_dlz: bad transaction version");
2129 result
= ISC_R_FAILURE
;
2133 if (!b9_dns_type(type
, &dns_type
)) {
2134 state
->log(ISC_LOG_ERROR
, "samba_dlz: bad dns type %s in delete", type
);
2135 result
= ISC_R_FAILURE
;
2139 tmp_ctx
= talloc_new(state
);
2141 /* find the DN of the record */
2142 result
= b9_find_name_dn(state
, name
, tmp_ctx
, &dn
);
2143 if (result
!= ISC_R_SUCCESS
) {
2144 talloc_free(tmp_ctx
);
2148 /* get the existing records */
2149 werr
= dns_common_lookup(state
->samdb
, tmp_ctx
, dn
,
2150 &recs
, &num_recs
, NULL
);
2151 if (!W_ERROR_IS_OK(werr
)) {
2152 talloc_free(tmp_ctx
);
2153 result
= ISC_R_NOTFOUND
;
2157 for (ri
=0; ri
< num_recs
; ri
++) {
2158 if (dns_type
!= recs
[ri
].wType
) {
2163 recs
[ri
] = (struct dnsp_DnssrvRpcRecord
) {
2164 .wType
= DNS_TYPE_TOMBSTONE
,
2169 talloc_free(tmp_ctx
);
2170 result
= ISC_R_FAILURE
;
2174 if (!b9_set_session_info(state
, name
)) {
2175 talloc_free(tmp_ctx
);
2176 result
= ISC_R_FAILURE
;
2180 /* modify the record */
2181 werr
= dns_common_replace(state
->samdb
, tmp_ctx
, dn
,
2182 false,/* needs_add */
2185 b9_reset_session_info(state
);
2186 if (!W_ERROR_IS_OK(werr
)) {
2187 state
->log(ISC_LOG_ERROR
, "samba_dlz: failed to modify %s - %s",
2188 ldb_dn_get_linearized(dn
), win_errstr(werr
));
2189 talloc_free(tmp_ctx
);
2190 result
= ISC_R_FAILURE
;
2194 state
->log(ISC_LOG_INFO
, "samba_dlz: deleted rdataset %s of type %s", name
, type
);
2196 talloc_free(tmp_ctx
);
2198 DNS_COMMON_LOG_OPERATION(
2199 isc_result_str(result
),