r15462: replace the use of OpenLDAP's ldap_domain2hostlist() for

locating AD DC's with out own DNS SRV queries.
Testing on Linux and Solaris.

source/Makefile.in

@@ -241,14 +241,14 @@ LIBADS_OBJ = libads/ldap.o libads/ldap_printer.o libads/sasl.o \
 	     libads/krb5_setpw.o libads/ldap_user.o \
 	     libads/ads_struct.o libads/kerberos_keytab.o \
              libads/disp_sec.o libads/ads_utils.o libads/ldap_utils.o \
-	     libads/authdata.o
+	     libads/authdata.o 
 
 LIBADS_SERVER_OBJ = libads/util.o libads/kerberos_verify.o
 
 SECRETS_OBJ = passdb/secrets.o passdb/machine_sid.o 
 
 LIBNMB_OBJ = libsmb/unexpected.o libsmb/namecache.o libsmb/nmblib.o \
-	     libsmb/namequery.o libsmb/conncache.o 
+	     libsmb/namequery.o libsmb/conncache.o libads/dns.o
 
 LIBSAMBA_OBJ = libsmb/nterr.o libsmb/dcerpc_err.o libsmb/smbdes.o \
 	       libsmb/smbencrypt.o libsmb/ntlm_check.o \

source/configure.in

@@ -3227,17 +3227,6 @@ else
 	fi
     fi
 
-    AC_CHECK_FUNC_EXT(ldap_domain2hostlist,$LDAP_LIBS)
-
-    if test x"$ac_cv_func_ext_ldap_domain2hostlist" != x"yes"; then
-	if test x"$with_ads_support" = x"yes"; then
-	    AC_MSG_ERROR(Active Directory support requires ldap_domain2hostlist)
-	elif test x"$with_ads_support" = x"auto"; then
-	    AC_MSG_WARN(Disabling Active Directory support (requires ldap_domain2hostlist))
-	    with_ads_support=no
-	fi
-    fi
-
     AC_CHECK_FUNC_EXT(ldap_add_result_entry,$LDAP_LIBS)
 
     if test x"$ac_cv_func_ext_ldap_add_result_entry" != x"yes"; then

source/include/ads_dns.h

@@ -0,0 +1,54 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  Internal DNS query structures
+ *  Copyright (C) Gerald Carter                2006.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#ifndef _ADS_DNS_H
+#define _ADS_DNS_H
+
+/* DNS query section in replies */
+
+struct dns_query {
+	const char *hostname;
+	uint16 type;
+	uint16 in_class;
+};
+
+/* DNS RR record in reply */
+
+struct dns_rr {
+	const char *hostname;
+	uint16 type;
+	uint16 in_class;
+	uint32 ttl;
+	uint16 rdatalen;
+	uint8 *rdata;	
+};
+
+/* SRV records */
+
+struct dns_rr_srv {
+	const char *hostname;
+	uint16 priority;
+	uint16 weight;
+	uint16 port;
+	struct in_addr ip;
+};
+
+
+#endif	/* _ADS_DNS_H */

source/include/includes.h

@@ -903,6 +903,7 @@ extern int errno;
 
 #include "nt_status.h"
 #include "ads.h"
+#include "ads_dns.h"
 #include "interfaces.h"
 #include "trans2.h"
 #include "nterr.h"

source/libads/dns.c

@@ -0,0 +1,353 @@
+/* 
+   Unix SMB/CIFS implementation.
+   DNS utility library
+   Copyright (C) Gerald (Jerry) Carter           2006.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+/* AIX resolv.h uses 'class' in struct ns_rr */
+
+#if defined(AIX)
+#  if defined(class)
+#    undef class
+#  endif
+#endif	/* AIX */
+
+/* resolver headers */
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <netdb.h>
+
+#define MAX_DNS_PACKET_SIZE 0xffff
+
+/*********************************************************************
+*********************************************************************/
+
+static BOOL ads_dns_parse_query( TALLOC_CTX *ctx, uint8 *start, uint8 *end,
+                          uint8 **ptr, struct dns_query *q )
+{
+	uint8 *p = *ptr;
+	pstring hostname;
+	int namelen;
+
+	ZERO_STRUCTP( q );
+	
+	if ( !start || !end || !q || !*ptr)
+		return False;
+
+	/* See RFC 1035 for details. If this fails, then return. */
+
+	namelen = dn_expand( start, end, p, hostname, sizeof(hostname) );
+	if ( namelen < 0 ) {
+		return False;
+	}
+	p += namelen;
+	q->hostname = talloc_strdup( ctx, hostname );
+
+	/* check that we have space remaining */
+
+	if ( PTR_DIFF(p+4, end) > 0 )
+		return False;
+
+	q->type     = RSVAL( p, 0 );
+	q->in_class = RSVAL( p, 2 );
+	p += 4;
+
+	*ptr = p;
+
+	return True;
+}
+
+/*********************************************************************
+*********************************************************************/
+
+static BOOL ads_dns_parse_rr( TALLOC_CTX *ctx, uint8 *start, uint8 *end,
+                       uint8 **ptr, struct dns_rr *rr )
+{
+	uint8 *p = *ptr;
+	pstring hostname;
+	int namelen;
+
+	if ( !start || !end || !rr || !*ptr)
+		return -1;
+
+	ZERO_STRUCTP( rr );
+	/* pull the name from the answer */
+
+	namelen = dn_expand( start, end, p, hostname, sizeof(hostname) );
+	if ( namelen < 0 ) {
+		return -1;
+	}
+	p += namelen;
+	rr->hostname = talloc_strdup( ctx, hostname );
+
+	/* check that we have space remaining */
+
+	if ( PTR_DIFF(p+10, end) > 0 )
+		return False;
+
+	/* pull some values and then skip onto the string */
+
+	rr->type     = RSVAL(p, 0);
+	rr->in_class = RSVAL(p, 2);
+	rr->ttl      = RIVAL(p, 4);
+	rr->rdatalen = RSVAL(p, 8);
+	
+	p += 10;
+
+	/* sanity check the available space */
+
+	if ( PTR_DIFF(p+rr->rdatalen, end ) > 0 ) {
+		return False;
+
+	}
+
+	/* save a point to the rdata for this section */
+
+	rr->rdata = p;
+	p += rr->rdatalen;
+
+	*ptr = p;
+
+	return True;
+}
+
+/*********************************************************************
+*********************************************************************/
+
+static BOOL ads_dns_parse_rr_srv( TALLOC_CTX *ctx, uint8 *start, uint8 *end,
+                       uint8 **ptr, struct dns_rr_srv *srv )
+{
+	struct dns_rr rr;
+	uint8 *p;
+	pstring dcname;
+	int namelen;
+
+	if ( !start || !end || !srv || !*ptr)
+		return -1;
+
+	/* Parse the RR entry.  Coming out of the this, ptr is at the beginning 
+	   of the next record */
+
+	if ( !ads_dns_parse_rr( ctx, start, end, ptr, &rr ) ) {
+		DEBUG(1,("ads_dns_parse_rr_srv: Failed to parse RR record\n"));
+		return False;
+	}
+
+	if ( rr.type != ns_t_srv ) {
+		DEBUG(1,("ads_dns_parse_rr_srv: Bad answer type (%d)\n", rr.type));
+		return False;
+	}
+
+	p = rr.rdata;
+
+	srv->priority = RSVAL(p, 0);
+	srv->weight   = RSVAL(p, 2);
+	srv->port     = RSVAL(p, 4);
+
+	p += 6;
+
+	namelen = dn_expand( start, end, p, dcname, sizeof(dcname) );
+	if ( namelen < 0 ) {
+		DEBUG(1,("ads_dns_parse_rr_srv: Failed to uncompress name!\n"));
+		return False;
+	}
+	srv->hostname = talloc_strdup( ctx, dcname );
+
+	return True;
+}
+
+
+/*********************************************************************
+ Sort SRV record list based on weight and priority.  See RFC 2782.
+*********************************************************************/
+
+static int dnssrvcmp( struct dns_rr_srv *a, struct dns_rr_srv *b )
+{
+	BOOL init = False;
+
+	if ( !init ) {
+		srand( (uint32)time(NULL) );
+	}
+
+	if ( a->priority == b->priority ) {
+
+		/* randomize entries with an equal weight and priority */
+		if ( a->weight == b->weight ) 
+			return rand() % 2 ? -1 : 1;
+
+		/* higher weights should be sorted lower */ 
+		if ( a->weight > b->weight )
+			return -1;
+		else
+			return 1;
+	}
+		
+	if ( a->priority < b->priority )
+		return -1;
+
+	return 1;
+}
+
+/*********************************************************************
+ Simple wrapper for a DNS SRV query
+*********************************************************************/
+
+NTSTATUS ads_dns_lookup_srv( TALLOC_CTX *ctx, const char *name, struct dns_rr_srv **dclist, int *numdcs )
+{
+	uint8 *buffer = NULL;
+	size_t buf_len;
+	int resp_len = NS_PACKETSZ;
+	struct dns_rr_srv *dcs = NULL;
+	int query_count, answer_count, auth_count, additional_count;
+	uint8 *p = buffer;
+	int rrnum;
+	int idx = 0;
+
+	if ( !ctx || !name || !dclist ) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	
+	/* Send the request.  May have to loop several times in case 
+	   of large replies */
+
+	do {
+		if ( buffer )
+			TALLOC_FREE( buffer );
+		
+		buf_len = resp_len * sizeof(uint8);
+
+		if ( (buffer = TALLOC_ARRAY(ctx, uint8, buf_len)) == NULL ) {
+			DEBUG(0,("ads_dns_lookup_srv: talloc() failed!\n"));
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		if ( (resp_len = res_query(name, ns_c_in, ns_t_srv, buffer, buf_len)) < 0 ) {
+			DEBUG(1,("ads_dns_lookup_srv: Failed to resolve %s (%s)\n", name, strerror(errno)));
+			TALLOC_FREE( buffer );
+			return NT_STATUS_UNSUCCESSFUL;
+		}
+	} while ( buf_len < resp_len && resp_len < MAX_DNS_PACKET_SIZE );
+
+	p = buffer;
+
+	/* For some insane reason, the ns_initparse() et. al. routines are only
+	   available in libresolv.a, and not the shared lib.  Who knows why....
+	   So we have to parse the DNS reply ourselves */
+
+	/* Pull the answer RR's count from the header.  Use the NMB ordering macros */
+
+	query_count      = RSVAL( p, 4 );
+	answer_count     = RSVAL( p, 6 );
+	auth_count       = RSVAL( p, 8 );
+	additional_count = RSVAL( p, 10 );
+
+	DEBUG(4,("ads_dns_lookup_srv: %d records returned in the answer section.\n", 
+		answer_count));
+		
+	if ( (dcs = TALLOC_ARRAY(ctx, struct dns_rr_srv, answer_count)) == NULL ) {
+		DEBUG(0,("ads_dns_lookup_srv: talloc() failure for %d char*'s\n", 
+			answer_count));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	/* now skip the header */
+
+	p += NS_HFIXEDSZ;
+
+	/* parse the query section */
+
+	for ( rrnum=0; rrnum<query_count; rrnum++ ) {
+		struct dns_query q;
+
+		if ( !ads_dns_parse_query( ctx, buffer, buffer+resp_len, &p, &q ) ) {
+			DEBUG(1,("ads_dns_lookup_srv: Failed to parse query record!\n"));
+			return NT_STATUS_UNSUCCESSFUL;
+		}
+	}
+
+	/* now we are at the answer section */
+
+	for ( rrnum=0; rrnum<answer_count; rrnum++ ) {
+		if ( !ads_dns_parse_rr_srv( ctx, buffer, buffer+resp_len, &p, &dcs[rrnum] ) ) {
+			DEBUG(1,("ads_dns_lookup_srv: Failed to parse answer record!\n"));
+			return NT_STATUS_UNSUCCESSFUL;
+		}		
+	}
+	idx = rrnum;
+
+	/* Parse the authority section */
+	/* just skip these for now */
+
+	for ( rrnum=0; rrnum<auth_count; rrnum++ ) {
+		struct dns_rr rr;
+
+		if ( !ads_dns_parse_rr( ctx, buffer, buffer+resp_len, &p, &rr ) ) {
+			DEBUG(1,("ads_dns_lookup_srv: Failed to parse authority record!\n"));
+			return NT_STATUS_UNSUCCESSFUL;
+		}
+	}
+
+	/* Parse the additional records section */
+
+	for ( rrnum=0; rrnum<additional_count; rrnum++ ) {
+		struct dns_rr rr;
+		int i;
+
+		if ( !ads_dns_parse_rr( ctx, buffer, buffer+resp_len, &p, &rr ) ) {
+			DEBUG(1,("ads_dns_lookup_srv: Failed to parse additional records section!\n"));
+			return NT_STATUS_UNSUCCESSFUL;
+		}
+
+		/* only interested in A records as a shortcut for having to come 
+		   back later and lookup the name */
+
+		if ( (rr.type != ns_t_a) || (rr.rdatalen != 4) ) 
+			continue;
+
+		for ( i=0; i<idx; i++ ) {
+			if ( strcmp( rr.hostname, dcs[i].hostname ) == 0 ) {
+				uint8 *buf = (uint8*)&dcs[i].ip.s_addr;
+				memcpy( buf, rr.rdata, 4 );
+			}
+		}
+	}
+
+	qsort( dcs, idx, sizeof(struct dns_rr_srv), QSORT_CAST dnssrvcmp );
+	
+	*dclist = dcs;
+	*numdcs = idx;
+	
+	return NT_STATUS_OK;
+}
+
+/********************************************************************
+********************************************************************/
+
+NTSTATUS ads_dns_query_dcs( TALLOC_CTX *ctx, const char *domain, struct dns_rr_srv **dclist, int *numdcs )
+{
+	pstring name;
+
+	snprintf( name, sizeof(name), "_ldap._tcp.dc._msdcs.%s", domain );
+
+	return ads_dns_lookup_srv( ctx, name, dclist, numdcs );
+}
+

source/libsmb/namequery.c

@@ -1024,13 +1024,13 @@ static BOOL resolve_hosts(const char *name, int name_type,
 static BOOL resolve_ads(const char *name, int name_type,
                          struct ip_service **return_iplist, int *return_count)
 {
-	
 #ifdef HAVE_ADS
 	if ( name_type == 0x1c ) {
 		int 			count, i = 0;
-		char 			*list = NULL;
-		const char		*ptr;
-		pstring			tok;
+		NTSTATUS  		status;
+		TALLOC_CTX		*ctx;
+		struct dns_rr_srv	*dcs = NULL;
+		int			numdcs = 0;
 		
 		/* try to lookup the _ldap._tcp.<domain> if we are using ADS */
 		if ( lp_security() != SEC_ADS )
@@ -1039,25 +1039,31 @@ static BOOL resolve_ads(const char *name, int name_type,
 		DEBUG(5,("resolve_hosts: Attempting to resolve DC's for %s using DNS\n",
 			name));
 			
-		if (ldap_domain2hostlist(name, &list) != LDAP_SUCCESS)
+		if ( (ctx = talloc_init("resolve_ads")) == NULL ) {
+			DEBUG(0,("resolve_ads: talloc_init() failed!\n"));
 			return False;
-				
-		count = count_chars(list, ' ') + 1;
-		if ( (*return_iplist = SMB_MALLOC_ARRAY(struct ip_service, count)) == NULL ) {
-			DEBUG(0,("resolve_hosts: malloc failed for %d entries\n", count ));
+		}
+		
+		status = ads_dns_query_dcs( ctx, name, &dcs, &numdcs );
+		if ( !NT_STATUS_IS_OK( status ) ) {
+			return False;
+		}
+		
+		if ( (*return_iplist = SMB_MALLOC_ARRAY(struct ip_service, numdcs)) == NULL ) {
+			DEBUG(0,("resolve_ads: malloc failed for %d entries\n", count ));
 			return False;
 		}
 
-		ptr = list;
-		while (next_token(&ptr, tok, " ", sizeof(tok))) {
-			unsigned port = LDAP_PORT;	
-			char *p = strchr(tok, ':');
-			if (p) {
-				*p = 0;
-				port = atoi(p+1);
-			}
-			(*return_iplist)[i].ip   = *interpret_addr2(tok);
-			(*return_iplist)[i].port = port;
+		i = 0;
+		while ( i < numdcs ) {
+
+			/* use the IP address from the SRV structure if we have one */
+			if ( is_zero_ip( dcs[i].ip ) )
+				(*return_iplist)[i].ip   = *interpret_addr2(dcs[i].hostname);
+			else
+				(*return_iplist)[i].ip = dcs[i].ip;
+
+			(*return_iplist)[i].port = dcs[i].port;
 			
 			/* make sure it is a valid IP.  I considered checking the negative
 			   connection cache, but this is the wrong place for it.  Maybe only
@@ -1067,11 +1073,12 @@ static BOOL resolve_ads(const char *name, int name_type,
 			   our DNS server doesn't know anything about the DC's   -- jerry */	
 			   
 			if ( is_zero_ip((*return_iplist)[i].ip) )
-				continue;
-		
+				continue;		
+
 			i++;
 		}
-		SAFE_FREE(list);
+		
+		TALLOC_FREE( dcs );
 		
 		*return_count = i;
 				

source/utils/net_ads.c

@@ -72,8 +72,12 @@ static int net_ads_lookup(int argc, const char **argv)
 {
 	ADS_STRUCT *ads;
 	ADS_STATUS status;
+	const char *realm = NULL;
 
-	ads = ads_init(NULL, opt_target_workgroup, opt_host);
+	if ( strequal(lp_workgroup(), opt_target_workgroup ) )
+		realm = lp_realm();
+
+	ads = ads_init(realm, opt_target_workgroup, opt_host);
 	if (ads) {
 		ads->auth.flags |= ADS_AUTH_NO_BIND;
 	}

source/utils/net_lookup.c

@@ -62,71 +62,85 @@ static int net_lookup_host(int argc, const char **argv)
 	return 0;
 }
 
-#ifdef HAVE_LDAP
-static void print_ldap_srvlist(char *srvlist)
+#ifdef HAVE_ADS
+static void print_ldap_srvlist(struct dns_rr_srv *dclist, int numdcs )
 {
-	char *cur, *next;
 	struct in_addr ip;
-	BOOL printit;
+	int i;
 
-	cur = srvlist;
-	do {
-		next = strchr(cur,':');
-		if (next) *next++='\0';
-		printit = resolve_name(cur, &ip, 0x20);
-		cur=next;
-		next=cur ? strchr(cur,' ') :NULL;
-		if (next)
-			*next++='\0';
-		if (printit)
-			d_printf("%s:%s\n", inet_ntoa(ip), cur?cur:"");
-		cur = next;
-	} while (next);
+	for ( i=0; i<numdcs; i++ ) {
+		if ( resolve_name(dclist[i].hostname, &ip, 0x20) ) {
+			d_printf("%s:%d\n", inet_ntoa(ip), dclist[i].port); 
+		}
+	}
 }
 #endif
 
 static int net_lookup_ldap(int argc, const char **argv)
 {
 #ifdef HAVE_ADS
-	char *srvlist;
 	const char *domain;
-	int rc;
 	struct in_addr addr;
 	struct hostent *hostent;
+	struct dns_rr_srv *dcs = NULL;
+	int numdcs = 0;
+	TALLOC_CTX *ctx;
+	NTSTATUS status;
 
 	if (argc > 0)
 		domain = argv[0];
 	else
 		domain = opt_target_workgroup;
 
+	if ( (ctx = talloc_init("net_lookup_ldap")) == NULL ) {
+		d_fprintf(stderr, "net_lookup_ldap: talloc_inti() failed!\n");
+		return -1;
+	}
+
 	DEBUG(9, ("Lookup up ldap for domain %s\n", domain));
-	rc = ldap_domain2hostlist(domain, &srvlist);
-	if ((rc == LDAP_SUCCESS) && srvlist) {
-		print_ldap_srvlist(srvlist);
+
+	status = ads_dns_query_dcs( ctx, domain, &dcs, &numdcs );
+	if ( NT_STATUS_IS_OK(status) && numdcs ) {
+		print_ldap_srvlist(dcs, numdcs);
+		TALLOC_FREE( ctx );
+
 		return 0;
 	}
 
      	DEBUG(9, ("Looking up DC for domain %s\n", domain));
-	if (!get_pdc_ip(domain, &addr))
+	if (!get_pdc_ip(domain, &addr)) {
+		TALLOC_FREE( ctx );
 		return -1;
+	}
 
 	hostent = gethostbyaddr((char *) &addr.s_addr, sizeof(addr.s_addr),
 				AF_INET);
-	if (!hostent)
+	if (!hostent) {
+		TALLOC_FREE( ctx );
 		return -1;
+	}
 
 	DEBUG(9, ("Found DC with DNS name %s\n", hostent->h_name));
 	domain = strchr(hostent->h_name, '.');
-	if (!domain)
+	if (!domain) {
+		TALLOC_FREE( ctx );
 		return -1;
+	}
 	domain++;
 
 	DEBUG(9, ("Looking up ldap for domain %s\n", domain));
-	rc = ldap_domain2hostlist(domain, &srvlist);
-	if ((rc == LDAP_SUCCESS) && srvlist) {
-		print_ldap_srvlist(srvlist);
+
+	status = ads_dns_query_dcs( ctx, domain, &dcs, &numdcs );
+	if ( NT_STATUS_IS_OK(status) && numdcs ) {
+		print_ldap_srvlist(dcs, numdcs);
+		TALLOC_FREE( ctx );
+
 		return 0;
 	}
+
+	TALLOC_FREE( ctx );
+
+
 	return -1;
 #endif
 	DEBUG(1,("No ADS support\n"));