mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

261 Commits

Author SHA1 Message Date
Amitay Isaacs
c8c330d5f4 dlz-bind: Add support for BIND 9.11.x
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12366

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-10-27 23:53:13 +02:00
Amitay Isaacs
e63e51a2cf dlz-bind: Set DNS_CLIENTINFO_VERSION based on BIND version
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12366

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-10-27 23:53:13 +02:00
Amitay Isaacs
370d6baaa6 dlz-bind: Fix initialization of DLZ_DLOPEN_AGE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12366

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-10-27 23:53:13 +02:00
Amitay Isaacs
fbafd2699b dlz-bind: Fix preprocessor checks for BIND versions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12366

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-10-27 23:53:13 +02:00
Günther Deschner
8416a97b30 werror: replace WERR_INVALID_PARAM with WERR_INVALID_PARAMETER in source4/dns_server/
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-28 00:04:23 +02:00
Günther Deschner
c1c079cf3d werror: replace WERR_NOMEM with WERR_NOT_ENOUGH_MEMORY in source4/dns_server/
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-28 00:04:19 +02:00
Jeremy Allison
c3dfeb3aa6 s4: dns: Correctly check for talloc failure.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jun 16 16:55:15 CEST 2016 on sn-devel-144
2016-06-16 16:55:15 +02:00
Garming Sam
9394e14626 dns_server: Fix typo in dns_authoritative_for_zone() name.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-16 04:40:14 +02:00
Ralph Boehme
88700e7d89 s4/dns_server: enable sending of TSIG error records
This final patch enables sending TSIG error records by adding
DNS_RCODE_NOTAUTH to the set of error conditions that are allowed to
trigger sending a full generated response.

See RFC 2845 "4.5.1. KEY check and error handling" and "4.5.3. MAC check
and error handling".

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-16 00:06:28 +02:00
Ralph Boehme
ba683d459e s4/dns_server: prepare sending correct error responses for dns_verify_tsig() errors
Call dns_verify_tsig() after updating state.flags and assign and use
out_packet for dns_verify_tsig().

We will need the updated flags when sending TSIG error responses when
TSIG request MAC verification fails and dns_verify_tsig() uses the
passed in packet as response, so we have to make sure we copy in_packet
to out_packet before calling out and pass out_packet.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-16 00:06:28 +02:00
Ralph Boehme
8f46bf2102 s4/dns_server: don't compute TSIG MAC in TSIG error records
See RFC 2845 "4.3. TSIG on TSIG Error returns".

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-16 00:06:28 +02:00
Ralph Boehme
8b4a2dcf38 s4/dns_server: error codes for failing MAC verification in TSIG requests
According to RFC 2845 "4.5.3. MAC check and error handling" we must
return NOTAUTH and DNS_RCODE_BADSIG when MAC verification fails.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-16 00:06:27 +02:00
Ralph Boehme
77c5bfdce4 s4/dns_server: ensure we store the key name in error code paths
We need the TKEY name when adding TSIG records to error responses.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-16 00:06:27 +02:00
Ralph Boehme
c1fca8fa39 s4/dns_server: not finding the key here is a fatal error
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-16 00:06:27 +02:00
Ralph Boehme
830316ce84 s4/dns_server: split out function that does the MAC computation
Split out function that does the MAC computation from the TSIG record
creating function. This will later simplify the code when creating error
responses to TSIG requests with bad MACs where we have to add the TSIG
record with an empty MAC.

No functional behaviour change besides hard coding "gss-tsig" algorithm
name: later when sending a TSIG error response for a TKEY request with a
bad keyname, we won't have a tkey to fetch the algorithm name from.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-16 00:06:27 +02:00
Ralph Boehme
8ed125e8bb s4/dns_server: include request MAC in TSIG response MAC calculation
According to RFC 2845 "4.2 TSIG on Answers", when the request is signed,
the request MAC must be included in the response MAC calculation.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-16 00:06:27 +02:00
Ralph Boehme
bea4aec521 librpc/dns: remove original_id from dns_fake_tsig_rec
Cf RFC2845, 3.4.2. "TSIG Variables", the request id (original_id) is not
used in the MAC calculation. This also explains the mysterious 2 bytes
padding.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-06-16 00:06:27 +02:00
Garming Sam
5caebde11d dns: modify dns forwarder param to be multi-valued
This allows a secondary DNS forwarder for a trivial failover. Requests
which fail/timeout at the primary DNS forwarder will be restarted
entirely with the next forwarder in the list.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-05-03 08:10:09 +02:00
Garming Sam
ac4dd94e3f dnsserver: Remove C++ style comment
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-05-03 08:10:09 +02:00
Garming Sam
7b431eba22 build: mark explicit dependencies on pytalloc-util
All subsystems that include pytalloc.h need to link against
pytalloc-util.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11789

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Tue Mar 15 07:08:16 CET 2016 on sn-devel-144
2016-03-15 07:08:16 +01:00
Stefan Metzmacher
ee8d777bbf CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
From RFC 1035:

    3.3.14. TXT RDATA format

        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
        /                   TXT-DATA                    /
        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

    where:

    TXT-DATA        One or more <character-string>s.

    TXT RRs are used to hold descriptive text.  The semantics of the text
    depends on the domain where it is found.

Each record contains an array of strings instead of just one string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:24 +01:00
Michael Adam
476672b647 dlist: remove unneeded type argument from DLIST_ADD_END()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-02-06 21:48:17 +01:00
Jelmer Vernooij
da8674c72a Rename 'errors' to 'samba-errors' and make it public.
This is necessary because it has public headers.

Signed-off-by: Jelmer Vernooij <jelmer@jelmer.uk>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Wed Jan 13 07:47:04 CET 2016 on sn-devel-144
2016-01-13 07:47:04 +01:00
Jelmer Vernooij
773cfba9af Avoid including libds/common/roles.h in public loadparm.h header.
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Volker Lendecke
fc4c2dcd52 bind_dlz: Fix CID 1347318 Unchecked return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-08 02:37:18 +01:00
Volker Lendecke
5a72a2ed0d dns_server: Remove unused handle_question
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Kai Blin <kai@samba.org>

Autobuild-User(master): Kai Blin <kai@samba.org>
Autobuild-Date(master): Tue Dec 15 17:50:32 CET 2015 on sn-devel-104
2015-12-15 17:50:32 +01:00
Volker Lendecke
6adec9339d dns_server: Add handle_authoritative_send()
An async version of handle_question

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9409
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Kai Blin <kai@samba.org>
2015-12-15 14:43:09 +01:00
Volker Lendecke
3b7f99e6f4 dns_server: Add add_dns_res_rec()
Same as add_response_rr(), but it copies over a dns_res_rec

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Kai Blin <kai@samba.org>
2015-12-15 14:43:09 +01:00
Volker Lendecke
b6aaf77897 dns_server: Convert "ask_forwarder" params
Usually we have mem_ctx and ev first when doing a _send function

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Kai Blin <kai@samba.org>
2015-12-15 14:43:09 +01:00
Volker Lendecke
4b54e14b7c dns_server: Simplify array length handling
talloc objects carry an implicit length

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Kai Blin <kai@samba.org>
2015-12-15 14:43:09 +01:00
Volker Lendecke
3f2cbb616f dns_server: Simplify talloc handling
By making sure that the answers are always allocated, we don't have
to pass an explicit mem_ctx anymore

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Kai Blin <kai@samba.org>
2015-12-15 14:43:09 +01:00
Volker Lendecke
9de59c7e3f dns_server: Consolidate talloc_realloc
This puts the talloc_realloc into add_response_rr instead of before
create_response_rr. It is a bit less efficient, but as we do not expect
hundreds of answers, I think this code is a bit easier to understand.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Kai Blin <kai@samba.org>
2015-12-15 14:43:09 +01:00
Volker Lendecke
dfceb51da8 libdns: Convert dns_udp_request to 0/errno
Replaces 5 calls to unix_to_werror with just one

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-12-08 23:01:27 +01:00
Volker Lendecke
609a92362e dns_server: Fix a clang warning
clang complains that '\0' is converted to a NULL pointer. This seems
to work fine, so make this pointer explicitly NULL. If instead we
need a "" here, we could of course do that too.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Nov 10 10:13:18 CET 2015 on sn-devel-104
2015-11-10 10:13:18 +01:00
Andrew Bartlett
3226077627 pydns: Add replace_by_dn()
This allows us to find a DNS record by searching LDB and unpacking the dnsRecord
but replace the record using the common code that will create a tombstone

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Andrew Bartlett
fff09dae6d dns_server: Give WERR_DNS_ERROR_NAME_DOES_NOT_EXIST on empty records
When not looking for tombstones, a record without a dnsRecord value may as
well not be present, so just return WERR_DNS_ERROR_NAME_DOES_NOT_EXIST

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Andrew Bartlett
2191fcaedc dns_server: Add python method to extract a DNS entry from a ldb.MessageElement
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:21 +01:00
Andrew Bartlett
87cd68c1dc dns_server: Add a python module directly accessing DNS records in sam.ldb
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:21 +01:00
Andrew Bartlett
0504065948 dns_server: Put more code in common
This will allow a python module to be written to modify DNS entries in sam.ldb directly

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:21 +01:00
Volker Lendecke
1fcad53d7c dns_server: Fix a small memleak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Aug  7 12:57:02 CEST 2015 on sn-devel-104
2015-08-07 12:57:02 +02:00
Volker Lendecke
938636886c dns_server: Don't call tevent_req_finish twice
Both tevent_req_werror and tevent_req_done call tevent_req_finish on a request.
This should not be done. We should only call either of both.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2015-08-07 09:52:13 +02:00
Kai Blin
42f38fe8d9 dns: always add authority records
Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Kai Blin <kai@samba.org>
Autobuild-Date(master): Thu Aug  6 14:06:52 CEST 2015 on sn-devel-104
2015-08-06 14:06:52 +02:00
Kai Blin
d9a3f19749 dns: Add a SOA record to error replies
Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-08-06 11:03:14 +02:00
Kai Blin
bda1a7320f dns: Also pass nsrecs to handle_question()
Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-08-06 11:03:14 +02:00
Kai Blin
0e11c08d3e dns: Just pass the name to create_response_rr
Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-08-06 11:03:13 +02:00
Kai Blin
d7a54f33ef dns: Add dns_get_authoritative_zone helper function
Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-08-06 11:03:13 +02:00
Volker Lendecke
9c48dbde06 dns_server: Fix CNAME handling
recs[i].wtype is == DNS_TYPE_CNAME, and my understanding of the union is that
data.cname is filled. We get away with this, because ipv4 and ipv6 have the
same char * representation, but it's confusing.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Aug  4 13:41:17 CEST 2015 on sn-devel-104
2015-08-04 13:41:17 +02:00
Volker Lendecke
3fbcd78a75 dns_server: Add NULL check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
2015-08-04 10:35:17 +02:00
Andreas Schneider
8a5db7d2f4 dlz_bind9: Fix keytab location.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-20 23:25:52 +01:00
Andrew Bartlett
57a80ebee3 Do not use popt_common.h in dlz_bind9
We do not use popt_common structures here

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2015-03-16 06:41:06 +01:00