1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

333 Commits

Author SHA1 Message Date
Samuel Cabrero
f9eaf4dc71 dns: Always return SOA record for records we should know
Regression introduced by commit 4b54e14b7c,
where the number of returned records is not set by talloc_array_length
when the record is not found.

Found by DELL EMC at SDC SMB3 plugfest trying to perform a secure DNS
update.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Fri Nov  8 12:31:30 UTC 2019 on sn-devel-184
2019-11-08 12:31:29 +00:00
Swen Schillig
5e1c7c084c s4: free popt context in dnsserver
If done with popt context it should be free'd.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
2019-08-22 00:21:51 +00:00
Douglas Bagnall
1d6b472cdc pyldb: rename pyldb_Dn_AsDn() to pyldb_Dn_AS_DN()
Following the python/C convention for checking vs non-checking
convertors.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-10 04:32:13 +00:00
Swen Schillig
3bc973c602 source4: Update all consumers of strtoul_err(), strtoull_err() to new API
Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2019-06-30 11:32:18 +00:00
Stefan Metzmacher
6d958af0b4 dnsp.idl: fix dnsp_ip4_array definition
In future we should use ipv4address, but that would result in a much
larger change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2019-06-21 08:49:19 +00:00
Noel Power
a7d75a1c57 s4: squash 'cast between incompatible function types' warning
To avoid warning above produced by using
 -Wcast-function-type we;

  + ensure PyCFunctions of type METH_NOARGS defined dummy arg
  + ensure PyCFunctions of type METH_KEYWORDS use PY_DISCARD_FUNC_SIG
    macro
  + ensure PyCFunctions of type METH_KEYWORDS really actually use the
    problematic kargs param, if not remove it

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-05-16 17:55:17 +00:00
Douglas Bagnall
cb9fe0360b s4/dnsserver: delay return when trying to log (CID 1444976)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-09 22:39:27 +00:00
Douglas Bagnall
e79c839a38 s4/dnsserver: handle broken zone values in sort (CID 1414763, 1414769)
We sort NULL values to the end of the list. What happens to the after
that is another question.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-09 22:39:27 +00:00
Gary Lockyer
3d42e257a6 s4 dns_server Bind9: Log opertion durations
Add duration debug logging to the samba bind9 dlz driver and the
dnsserver_common routines.  This should aid future diagnosis of
performance issues, and could be used to monitor DNS performance.

The logs are currently Human readable text only, i.e. no JSON formatted
output.

Log lines are of the form:

<function>: DNS timing: result: [<result>] \
duration: (<duration>) zone: [<zone>] name: [<name>] \
data: [<data>]

e.g.

dns_common_wildcard_lookup: DNS timing: result: [WERR_OK] \
duration: (111) zone: [] \
name: [DC=_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones,\
DC=chgdcpassword.samba.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,\
DC=chgdcpassword,DC=samba,DC=example,DC=com] data: []

Enabled by setting log level to "dns:10"

durations are in microseconds.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May  7 05:03:26 UTC 2019 on sn-devel-184
2019-05-07 05:03:26 +00:00
Michael Saxl
526c6d0be5 s4:dlz make b9_has_soa check dc=@ node
the zone node does not hold the dnsRecord values, so for the zone level
the node dc=@,dc=zonename has to be queried

regression introduced with 28e2a518ff, BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13841

Signed-off-by: Michael Saxl <mike@mwsys.mine.bz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-03-26 03:03:23 +00:00
Andrew Bartlett
fdb6305c86 build: Remove bld.gen_python_environments()
This was part of --extra-python support.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2019-03-21 04:06:14 +00:00
Swen Schillig
2b2ff12e70 source4: Use wrapper for string to integer conversion
In order to detect an value overflow error during
the string to integer conversion with strtoul/strtoull,
the errno variable must be set to zero before the execution and
checked after the conversion is performed. This is achieved by
using the wrapper function strtoul_err and strtoull_err.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-03-01 00:32:11 +00:00
Andreas Schneider
121af4c3fc s4:dns_crypto: Remove unused include of hmac_md5.h
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-02-22 21:48:11 +01:00
Noel Power
a8e10a1249 Decrement references to python objects passed to Py_BuildValue
Py_BuildValue when processing format 'O' will
  'Pass a Python object untouched (except for its reference count,
   which is incremented by one'

Basically this means if you are using a new reference to a PyObject
to pass to BuildValue (to be used with the 'O' format) the reference
*isn't* stolen so you really do need to DECREF it in order to ensure
it gets cleaned up.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-02-07 13:44:30 +01:00
Aaron Haslett
ef37988003 dns: changing onelevel search for wildcard to subtree
SCOPE_ONELEVEL is used on wildcard dns searches, but onelevel searches
currently have a performance problem related to GUID indexing, so this
patch changes the search scope to SCOPE_SUBTREE.
In this case, as the onelevel and subtree sets of records are roughly
the same, and the query is matching against the DN itself, we don't
believe there's any benefit in using SCOPE_ONELEVEL over SCOPE_SUBTREE.

The onelevel performance problem will be fixed separately later, but in
the meantime this solves the DNS performance problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13738

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-01-11 02:55:01 +01:00
Volker Lendecke
f1ff407524 dns: Do NULL checks in dns_sign_tsig
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-01-10 02:41:29 +01:00
Stefan Metzmacher
34f4491d79 CVE-2018-14629 dns: fix CNAME loop prevention using counter regression
The loop prevention should only be done for CNAME records!

Otherwise we truncate the answer records for A, AAAA or
SRV queries, which is a bad idea if you have more than 20 DCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec  4 08:52:29 CET 2018 on sn-devel-144
2018-12-04 08:52:29 +01:00
Gary Lockyer
9a12a00146 CVE-2018-16852 dcerpc dnsserver: refactor common properties handling
dnsserver_common.c and dnsutils.c both share similar code to process
zone properties.  This patch extracts the common code and moves it to
dnsserver_common.c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-11-28 08:22:24 +01:00
Aaron Haslett
97b426baba CVE-2018-14629 dns: CNAME loop prevention using counter
Count number of answers generated by internal DNS query routine and stop at
20 to match Microsoft's loop prevention mechanism.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-11-28 08:22:23 +01:00
Andreas Schneider
3e58e83be5 s4:bind_dlz: Only copy the dn once
../source4/dns_server/dlz_bind9.c:1132:4: error: 'dn' may be used uninitialized in this function [-Werror=maybe-uninitialized]
    state->log(ISC_LOG_INFO, "failed to find dnsRecord for %s",
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        ldb_dn_get_linearized(dn));
        ~~~~~~~~~~~~~~~~~~~~~~~~~~

Found by Undefined Sanitizer.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-11-22 22:13:26 +01:00
Gary Lockyer
99aea42520 source4 smdb: Add a post fork hook to the service API
Add a post fork hook to the service API this will be called:

 - standard process model
   immediately after the task_init.

- single process model
  immediately after the task_init

- prefork process model, inhibit_pre_fork = true
  immediately after the task_init

- prefork process model, inhibit_pre_fork = false
  after each service worker has forked. It is not run on the service
  master process.

The post fork hook is not called in the standard model if a new process
is forked on a new connection. It is instead called immediately after
the task_init.

The task_init hook has been changed to return an error code. This ensures
the post_fork code is only run if the task_init code completed successfully.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2018-11-01 23:49:24 +01:00
Gary Lockyer
d6777a66c0 source4 smbd: Make the service_details structure constant.
Make the service_details structure a static const.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2018-11-01 23:49:24 +01:00
Aaron Haslett
3713905f8b dns: dlz_bind9 reference count logging
dlz_bind9 has to count the number of times the plugin is 'created' by bind's
plugin manager so it doesn't repeat setup.  Logging doesn't reflect this
reference counting logic properly and so messages like "samba_dlz: shutdown"
can, confusingly, come up when the database connection has not actually been
severed.  This patch adds the necessary logging.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13655
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-10-17 05:40:06 +02:00
Andrew Bartlett
28e2a518ff dns_server: Avoid ldb_dn_add_child_fmt() on untrusted input
By using the new ldb_dn_add_child_val() we ensure that the user-controlled values are
not parsed as DN seperators.

Additionally, the casefold DN is obtained before the search to trigger
a full parse of the DN before being handled to the LDB search.

This is not normally required but is done here due to the nature
of the untrusted input.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-08-15 07:08:24 +02:00
Andrew Bartlett
aa01203ff5 dns_server: Be strict when constructing a LDB DN from an untrusted DNS name
This changes our DNS server to be much more careful when constructing DNS names
into LDB DN values.

This avoids a segfault deep in the LDB code if the ldb_dn_get_casefold() fails there.

A seperate patch will address that part of the issue, and a later patch
will re-work this code to use single API: ldb_dn_add_child_val().  This
is not squahed with this work because this patch does not rely on a new
LDB release, and so may be helpful for a backport.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-08-15 07:08:24 +02:00
Amitay Isaacs
94ffd4b7ad dlz-bind: Add support for BIND 9.12.x
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-08-10 02:44:36 +02:00
Alexander Bokovoy
2114768a8e s4-dns_server: Only build dns server Python code for AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13542

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2018-07-23 16:24:10 +02:00
Gary Lockyer
cef1b31cd1 dns wildcards: fix BUG 13536
The current position in the dns name was not advanced past the '.'
character

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul 20 04:40:31 CEST 2018 on sn-devel-144
2018-07-20 04:40:31 +02:00
Aaron Haslett
f0210f5d17 dns: static records
Modifies bind9 and internal dns to match windows static records behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-07-12 04:31:56 +02:00
Aaron Haslett
418cd93f4c dns: server side implementation of record aging
Code for retrieving aging properties from a zone and using them for timestamp
setting logic during processing of DNS requests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-07-12 04:31:54 +02:00
Aaron Haslett
350029bdd8 dns: moving name_equal func into common
This function is duplicated in the BIND9 and RPC DNS servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-07-12 04:31:54 +02:00
Gary Lockyer
b841da04e2 dns: Reformat DNS with clang-format
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10812

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-07-12 04:31:52 +02:00
Gary Lockyer
1b07f13372 dsdb: add defines for sessionInfo and networkSessionInfo
Replace uses of the string "sessionInfo" with the constant
DSDB_SESSION_INFO, and "networkSessionInfo" with the constant
DSDB_NETWORK_SESSION_INFO.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-06-09 15:02:11 +02:00
Volker Lendecke
c56cd283f5 dns: Check for talloc_memdup failure
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun  1 14:05:56 CEST 2018 on sn-devel-144
2018-06-01 14:05:56 +02:00
Volker Lendecke
341b470854 dns: TALLOC_FREE already checks for !=NULL
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-06-01 11:28:22 +02:00
Volker Lendecke
d8acbe73d9 dns: Simplify logic a bit
We don't need a separate boolean variable

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-06-01 11:28:22 +02:00
Volker Lendecke
d3c82e686b dns: Simplify logic a bit
We've done an early return if (!found_tsig) a few lines before.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-06-01 11:28:22 +02:00
Gary Lockyer
5c0345ea9b samdb: Add remote address to connect
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-10 20:02:23 +02:00
Gary Lockyer
daa7b60a60 dsdb: pass the remote address to samdb connect
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-10 20:02:23 +02:00
Andreas Schneider
19e621554f s4:dns_server: Fix size types
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:15 +01:00
Lumir Balhar
7ee74f66a1 python: Port dsdb_dns module to Python 3 compatible form.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:28 +01:00
Stefan Metzmacher
a206cf2dc1 s4:dns_server: avoid debug noise on successful updates
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12423

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Volker Lendecke
36ab213ae6 dns_server: Remove "max_payload" from dns_server
This would have to be retrieved from the interface type we have I guess.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan  4 05:08:02 CET 2018 on sn-devel-144
2018-01-04 05:08:02 +01:00
Volker Lendecke
35683a60e7 dns_server: Remove unused "dns_generate_options"
This was part of the previous bugfix for 9632, which has been replaced
by TCP fallback code. We can dig this up from git if needed.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-04 00:37:21 +01:00
Volker Lendecke
cc3f9c26ec dns_server: Remove unused "dns" parameter from ask_forwarder_send
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-04 00:37:21 +01:00
Volker Lendecke
300821b793 dns_server: Use dns_cli_request instead of direct udp
This skips adding the DNS option for a larger UDP packet size than
512. This is a different fix for bug 9632.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-04 00:37:21 +01:00
Andrew Bartlett
3efc879d98 dns_server: Do the exact match query first, then do the wildcard lookup
The wildcard lookup is SCOPE_ONELEVEL combined with an index on the name
attribute.  This is not as efficient as a base DN lookup, so we try for
that first.

A not-found and wildcard response will still fall back to the ONELEVEL
index.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-19 07:19:21 +01:00
Andrew Bartlett
948791aca7 dns_server: Do not look for a wildcard for @
This query is made for every record returned via BIND9 DLZ.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-19 07:19:21 +01:00
Andrew Bartlett
071ad56aef dns_server: Use the indexed "name" attribute in wildcard lookup
(the RDN, being 'dc' in this use case, does not have an index in
the AD schema).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-19 07:19:21 +01:00
Uri Simchoni
5fd04020c2 dns server: fix warning about enum mismatch
Fix picky developer clang warning about assignment
of an enum value to a variable of a different enum type.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-22 10:20:20 +01:00