diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
commit | 4f5791ebd03eaec1c7da0865a383175b05102712 (patch) | |
tree | 8ce7b00f7a76baa386372422adebbe64510812d4 /source4/dns_server | |
parent | Initial commit. (diff) | |
download | samba-upstream.tar.xz samba-upstream.zip |
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | source4/dns_server/TODO | 12 | ||||
-rw-r--r-- | source4/dns_server/dlz_bind9.c | 2219 | ||||
-rw-r--r-- | source4/dns_server/dlz_minimal.h | 317 | ||||
-rw-r--r-- | source4/dns_server/dns_crypto.c | 434 | ||||
-rw-r--r-- | source4/dns_server/dns_query.c | 1176 | ||||
-rw-r--r-- | source4/dns_server/dns_server.c | 941 | ||||
-rw-r--r-- | source4/dns_server/dns_server.h | 124 | ||||
-rw-r--r-- | source4/dns_server/dns_update.c | 867 | ||||
-rw-r--r-- | source4/dns_server/dns_utils.c | 130 | ||||
-rw-r--r-- | source4/dns_server/dnsserver_common.c | 1589 | ||||
-rw-r--r-- | source4/dns_server/dnsserver_common.h | 139 | ||||
-rw-r--r-- | source4/dns_server/pydns.c | 445 | ||||
-rw-r--r-- | source4/dns_server/wscript_build | 98 |
13 files changed, 8491 insertions, 0 deletions
diff --git a/source4/dns_server/TODO b/source4/dns_server/TODO new file mode 100644 index 0000000..1949650 --- /dev/null +++ b/source4/dns_server/TODO @@ -0,0 +1,12 @@ +DNS server todo list +-------------------- + +Just so we don't forget the required features for an AD-compatible DNS server: + +- Symmetric Bind-style TKEY handling (not strictly needed for AD, but needed for + integration to other name servers / tools) +(- Command line tools that unix admins are used to) +- Zone transfer support (XFER, IFER) (look at AD for permission settings) +- Caching +- dynamic zone reloading +- Tests, tests, tests diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c new file mode 100644 index 0000000..7b73abd --- /dev/null +++ b/source4/dns_server/dlz_bind9.c @@ -0,0 +1,2219 @@ +/* + Unix SMB/CIFS implementation. + + bind9 dlz driver for Samba + + Copyright (C) 2010 Andrew Tridgell + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "talloc.h" +#include "param/param.h" +#include "lib/events/events.h" +#include "dsdb/samdb/samdb.h" +#include "dsdb/common/util.h" +#include "auth/auth.h" +#include "auth/session.h" +#include "auth/gensec/gensec.h" +#include "librpc/gen_ndr/security.h" +#include "auth/credentials/credentials.h" +#include "system/kerberos.h" +#include "auth/kerberos/kerberos.h" +#include "gen_ndr/ndr_dnsp.h" +#include "gen_ndr/server_id.h" +#include "messaging/messaging.h" +#include <popt.h> +#include "lib/util/dlinklist.h" +#include "dlz_minimal.h" +#include "dnsserver_common.h" +#include "lib/util/smb_strtox.h" +#include "lib/util/access.h" + +#undef strcasecmp + +struct b9_options { + const char *url; + const char *debug; +}; + +struct b9_zone { + char *name; + struct b9_zone *prev, *next; +}; + +struct dlz_bind9_data { + struct b9_options options; + struct ldb_context *samdb; + struct tevent_context *ev_ctx; + struct loadparm_context *lp; + int *transaction_token; + uint32_t soa_serial; + struct b9_zone *zonelist; + + /* Used for dynamic update */ + struct smb_krb5_context *smb_krb5_ctx; + struct auth4_context *auth_context; + struct auth_session_info *session_info; + char *update_name; + + /* helper functions from the dlz_dlopen driver */ + log_t *log; + dns_sdlz_putrr_t *putrr; + dns_sdlz_putnamedrr_t *putnamedrr; + dns_dlz_writeablezone_t *writeable_zone; +}; + +static struct dlz_bind9_data *dlz_bind9_state = NULL; +static int dlz_bind9_state_ref_count = 0; + +static const char *zone_prefixes[] = { + "CN=MicrosoftDNS,DC=DomainDnsZones", + "CN=MicrosoftDNS,DC=ForestDnsZones", + "CN=MicrosoftDNS,CN=System", + NULL +}; + +/* + * Get a printable string representation of an isc_result_t + */ +static const char *isc_result_str( const isc_result_t result) { + switch (result) { + case ISC_R_SUCCESS: + return "ISC_R_SUCCESS"; + case ISC_R_NOMEMORY: + return "ISC_R_NOMEMORY"; + case ISC_R_NOPERM: + return "ISC_R_NOPERM"; + case ISC_R_NOSPACE: + return "ISC_R_NOSPACE"; + case ISC_R_NOTFOUND: + return "ISC_R_NOTFOUND"; + case ISC_R_FAILURE: + return "ISC_R_FAILURE"; + case ISC_R_NOTIMPLEMENTED: + return "ISC_R_NOTIMPLEMENTED"; + case ISC_R_NOMORE: + return "ISC_R_NOMORE"; + case ISC_R_INVALIDFILE: + return "ISC_R_INVALIDFILE"; + case ISC_R_UNEXPECTED: + return "ISC_R_UNEXPECTED"; + case ISC_R_FILENOTFOUND: + return "ISC_R_FILENOTFOUND"; + default: + return "UNKNOWN"; + } +} + +/* + return the version of the API + */ +_PUBLIC_ int dlz_version(unsigned int *flags) +{ + return DLZ_DLOPEN_VERSION; +} + +/* + remember a helper function from the bind9 dlz_dlopen driver + */ +static void b9_add_helper(struct dlz_bind9_data *state, const char *helper_name, void *ptr) +{ + if (strcmp(helper_name, "log") == 0) { + state->log = ptr; + } + if (strcmp(helper_name, "putrr") == 0) { + state->putrr = ptr; + } + if (strcmp(helper_name, "putnamedrr") == 0) { + state->putnamedrr = ptr; + } + if (strcmp(helper_name, "writeable_zone") == 0) { + state->writeable_zone = ptr; + } +} + +/* + * Add a trailing '.' if it's missing + */ +static const char *b9_format_fqdn(TALLOC_CTX *mem_ctx, const char *str) +{ + size_t len; + const char *tmp; + + if (str == NULL || str[0] == '\0') { + return str; + } + + len = strlen(str); + if (str[len-1] != '.') { + tmp = talloc_asprintf(mem_ctx, "%s.", str); + } else { + tmp = str; + } + return tmp; +} + +/* + * Format a record for bind9. + * + * On failure/error returns false, OR sets *data to NULL. + * Callers should check for both! + */ +static bool b9_format(struct dlz_bind9_data *state, + TALLOC_CTX *mem_ctx, + struct dnsp_DnssrvRpcRecord *rec, + const char **type, const char **data) +{ + uint32_t i; + char *tmp; + const char *fqdn; + + switch (rec->wType) { + case DNS_TYPE_A: + *type = "a"; + *data = rec->data.ipv4; + break; + + case DNS_TYPE_AAAA: + *type = "aaaa"; + *data = rec->data.ipv6; + break; + + case DNS_TYPE_CNAME: + *type = "cname"; + *data = b9_format_fqdn(mem_ctx, rec->data.cname); + break; + + case DNS_TYPE_TXT: + *type = "txt"; + tmp = talloc_asprintf(mem_ctx, "\"%s\"", rec->data.txt.str[0]); + for (i=1; i<rec->data.txt.count; i++) { + tmp = talloc_asprintf_append(tmp, " \"%s\"", rec->data.txt.str[i]); + } + *data = tmp; + break; + + case DNS_TYPE_PTR: + *type = "ptr"; + *data = b9_format_fqdn(mem_ctx, rec->data.ptr); + break; + + case DNS_TYPE_SRV: + *type = "srv"; + fqdn = b9_format_fqdn(mem_ctx, rec->data.srv.nameTarget); + if (fqdn == NULL) { + return false; + } + *data = talloc_asprintf(mem_ctx, "%u %u %u %s", + rec->data.srv.wPriority, + rec->data.srv.wWeight, + rec->data.srv.wPort, + fqdn); + break; + + case DNS_TYPE_MX: + *type = "mx"; + fqdn = b9_format_fqdn(mem_ctx, rec->data.mx.nameTarget); + if (fqdn == NULL) { + return false; + } + *data = talloc_asprintf(mem_ctx, "%u %s", + rec->data.mx.wPriority, fqdn); + break; + + case DNS_TYPE_NS: + *type = "ns"; + *data = b9_format_fqdn(mem_ctx, rec->data.ns); + break; + + case DNS_TYPE_SOA: { + const char *mname; + *type = "soa"; + + /* we need to fake the authoritative nameserver to + * point at ourselves. This is how AD DNS servers + * force clients to send updates to the right local DC + */ + mname = talloc_asprintf(mem_ctx, "%s.%s.", + lpcfg_netbios_name(state->lp), + lpcfg_dnsdomain(state->lp)); + if (mname == NULL) { + return false; + } + mname = strlower_talloc(mem_ctx, mname); + if (mname == NULL) { + return false; + } + + fqdn = b9_format_fqdn(mem_ctx, rec->data.soa.rname); + if (fqdn == NULL) { + return false; + } + + state->soa_serial = rec->data.soa.serial; + + *data = talloc_asprintf(mem_ctx, "%s %s %u %u %u %u %u", + mname, fqdn, + rec->data.soa.serial, + rec->data.soa.refresh, + rec->data.soa.retry, + rec->data.soa.expire, + rec->data.soa.minimum); + break; + } + + default: + state->log(ISC_LOG_ERROR, "samba_dlz b9_format: unhandled record type %u", + rec->wType); + return false; + } + + return true; +} + +static const struct { + enum dns_record_type dns_type; + const char *typestr; + bool single_valued; +} dns_typemap[] = { + { DNS_TYPE_A, "A" , false}, + { DNS_TYPE_AAAA, "AAAA" , false}, + { DNS_TYPE_CNAME, "CNAME" , true}, + { DNS_TYPE_TXT, "TXT" , false}, + { DNS_TYPE_PTR, "PTR" , false}, + { DNS_TYPE_SRV, "SRV" , false}, + { DNS_TYPE_MX, "MX" , false}, + { DNS_TYPE_NS, "NS" , false}, + { DNS_TYPE_SOA, "SOA" , true}, +}; + + +/* + see if a DNS type is single valued + */ +static bool b9_single_valued(enum dns_record_type dns_type) +{ + int i; + for (i=0; i<ARRAY_SIZE(dns_typemap); i++) { + if (dns_typemap[i].dns_type == dns_type) { + return dns_typemap[i].single_valued; + } + } + return false; +} + +/* + get a DNS_TYPE_* value from the corresponding string + */ +static bool b9_dns_type(const char *type, enum dns_record_type *dtype) +{ + int i; + for (i=0; i<ARRAY_SIZE(dns_typemap); i++) { + if (strcasecmp(dns_typemap[i].typestr, type) == 0) { + *dtype = dns_typemap[i].dns_type; + return true; + } + } + return false; +} + + +#define DNS_PARSE_STR(ret, str, sep, saveptr) do { \ + (ret) = strtok_r(str, sep, &saveptr); \ + if ((ret) == NULL) return false; \ + } while (0) + +#define DNS_PARSE_UINT(ret, str, sep, saveptr) do { \ + char *istr = strtok_r(str, sep, &saveptr); \ + int error = 0;\ + if ((istr) == NULL) return false; \ + (ret) = smb_strtoul(istr, NULL, 10, &error, SMB_STR_STANDARD); \ + if (error != 0) {\ + return false;\ + }\ + } while (0) + +/* + parse a record from bind9 + */ +static bool b9_parse(struct dlz_bind9_data *state, + const char *rdatastr, + struct dnsp_DnssrvRpcRecord *rec) +{ + char *full_name, *dclass, *type; + char *str, *tmp, *saveptr=NULL; + int i; + + str = talloc_strdup(rec, rdatastr); + if (str == NULL) { + return false; + } + + /* parse the SDLZ string form */ + DNS_PARSE_STR(full_name, str, "\t", saveptr); + DNS_PARSE_UINT(rec->dwTtlSeconds, NULL, "\t", saveptr); + DNS_PARSE_STR(dclass, NULL, "\t", saveptr); + DNS_PARSE_STR(type, NULL, "\t", saveptr); + + /* construct the record */ + for (i=0; i<ARRAY_SIZE(dns_typemap); i++) { + if (strcasecmp(type, dns_typemap[i].typestr) == 0) { + rec->wType = dns_typemap[i].dns_type; + break; + } + } + if (i == ARRAY_SIZE(dns_typemap)) { + state->log(ISC_LOG_ERROR, "samba_dlz: unsupported record type '%s' for '%s'", + type, full_name); + return false; + } + + switch (rec->wType) { + case DNS_TYPE_A: + DNS_PARSE_STR(rec->data.ipv4, NULL, " ", saveptr); + break; + + case DNS_TYPE_AAAA: + DNS_PARSE_STR(rec->data.ipv6, NULL, " ", saveptr); + break; + + case DNS_TYPE_CNAME: + DNS_PARSE_STR(rec->data.cname, NULL, " ", saveptr); + break; + + case DNS_TYPE_TXT: + rec->data.txt.count = 0; + rec->data.txt.str = talloc_array(rec, const char *, rec->data.txt.count); + tmp = strtok_r(NULL, "\t", &saveptr); + while (tmp) { + rec->data.txt.str = talloc_realloc(rec, rec->data.txt.str, const char *, + rec->data.txt.count+1); + if (tmp[0] == '"') { + /* Strip quotes */ + rec->data.txt.str[rec->data.txt.count] = talloc_strndup(rec, &tmp[1], strlen(tmp)-2); + } else { + rec->data.txt.str[rec->data.txt.count] = talloc_strdup(rec, tmp); + } + rec->data.txt.count++; + tmp = strtok_r(NULL, " ", &saveptr); + } + break; + + case DNS_TYPE_PTR: + DNS_PARSE_STR(rec->data.ptr, NULL, " ", saveptr); + break; + + case DNS_TYPE_SRV: + DNS_PARSE_UINT(rec->data.srv.wPriority, NULL, " ", saveptr); + DNS_PARSE_UINT(rec->data.srv.wWeight, NULL, " ", saveptr); + DNS_PARSE_UINT(rec->data.srv.wPort, NULL, " ", saveptr); + DNS_PARSE_STR(rec->data.srv.nameTarget, NULL, " ", saveptr); + break; + + case DNS_TYPE_MX: + DNS_PARSE_UINT(rec->data.mx.wPriority, NULL, " ", saveptr); + DNS_PARSE_STR(rec->data.mx.nameTarget, NULL, " ", saveptr); + break; + + case DNS_TYPE_NS: + DNS_PARSE_STR(rec->data.ns, NULL, " ", saveptr); + break; + + case DNS_TYPE_SOA: + DNS_PARSE_STR(rec->data.soa.mname, NULL, " ", saveptr); + DNS_PARSE_STR(rec->data.soa.rname, NULL, " ", saveptr); + DNS_PARSE_UINT(rec->data.soa.serial, NULL, " ", saveptr); + DNS_PARSE_UINT(rec->data.soa.refresh, NULL, " ", saveptr); + DNS_PARSE_UINT(rec->data.soa.retry, NULL, " ", saveptr); + DNS_PARSE_UINT(rec->data.soa.expire, NULL, " ", saveptr); + DNS_PARSE_UINT(rec->data.soa.minimum, NULL, " ", saveptr); + break; + + default: + state->log(ISC_LOG_ERROR, "samba_dlz b9_parse: unhandled record type %u", + rec->wType); + return false; + } + + /* we should be at the end of the buffer now */ + if (strtok_r(NULL, "\t ", &saveptr) != NULL) { + state->log(ISC_LOG_ERROR, "samba_dlz b9_parse: unexpected data at end of string for '%s'", + rdatastr); + return false; + } + + return true; +} + +/* + send a resource record to bind9 + */ +static isc_result_t b9_putrr(struct dlz_bind9_data *state, + void *handle, struct dnsp_DnssrvRpcRecord *rec, + const char **types) +{ + isc_result_t result; + const char *type, *data; + TALLOC_CTX *tmp_ctx = talloc_new(state); + + if (!b9_format(state, tmp_ctx, rec, &type, &data)) { + return ISC_R_FAILURE; + } + + if (data == NULL) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + if (types) { + int i; + for (i=0; types[i]; i++) { + if (strcmp(types[i], type) == 0) break; + } + if (types[i] == NULL) { + /* skip it */ + return ISC_R_SUCCESS; + } + } + + result = state->putrr(handle, type, rec->dwTtlSeconds, data); + if (result != ISC_R_SUCCESS) { + state->log(ISC_LOG_ERROR, "Failed to put rr"); + } + talloc_free(tmp_ctx); + return result; +} + + +/* + send a named resource record to bind9 + */ +static isc_result_t b9_putnamedrr(struct dlz_bind9_data *state, + void *handle, const char *name, + struct dnsp_DnssrvRpcRecord *rec) +{ + isc_result_t result; + const char *type, *data; + TALLOC_CTX *tmp_ctx = talloc_new(state); + + if (!b9_format(state, tmp_ctx, rec, &type, &data)) { + return ISC_R_FAILURE; + } + + if (data == NULL) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + result = state->putnamedrr(handle, name, type, rec->dwTtlSeconds, data); + if (result != ISC_R_SUCCESS) { + state->log(ISC_LOG_ERROR, "Failed to put named rr '%s'", name); + } + talloc_free(tmp_ctx); + return result; +} + +/* + parse options + */ +static isc_result_t parse_options(struct dlz_bind9_data *state, + unsigned int argc, const char **argv, + struct b9_options *options) +{ + int opt; + poptContext pc; + struct poptOption long_options[] = { + { "url", 'H', POPT_ARG_STRING, &options->url, 0, "database URL", "URL" }, + { "debug", 'd', POPT_ARG_STRING, &options->debug, 0, "debug level", "DEBUG" }, + {0} + }; + + pc = poptGetContext("dlz_bind9", argc, argv, long_options, + POPT_CONTEXT_KEEP_FIRST); + while ((opt = poptGetNextOpt(pc)) != -1) { + switch (opt) { + default: + state->log(ISC_LOG_ERROR, "dlz_bind9: Invalid option %s: %s", + poptBadOption(pc, 0), poptStrerror(opt)); + poptFreeContext(pc); + return ISC_R_FAILURE; + } + } + + poptFreeContext(pc); + return ISC_R_SUCCESS; +} + + +/* + * Create session info from PAC + * This is called as auth_context->generate_session_info_pac() + */ +static NTSTATUS b9_generate_session_info_pac(struct auth4_context *auth_context, + TALLOC_CTX *mem_ctx, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *principal_name, + const struct tsocket_address *remote_addr, + uint32_t session_info_flags, + struct auth_session_info **session_info) +{ + NTSTATUS status; + struct auth_user_info_dc *user_info_dc; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(mem_ctx); + NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); + + status = kerberos_pac_blob_to_user_info_dc(tmp_ctx, + *pac_blob, + smb_krb5_context->krb5_context, + &user_info_dc, + NULL, + NULL); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(tmp_ctx); + return status; + } + + if (user_info_dc->info->authenticated) { + session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; + } + + session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + + status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc, + session_info_flags, session_info); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(tmp_ctx); + return status; + } + + talloc_free(tmp_ctx); + return status; +} + +/* Callback for the DEBUG() system, to catch the remaining messages */ +static void b9_debug(void *private_ptr, int msg_level, const char *msg) +{ + static const int isc_log_map[] = { + ISC_LOG_CRITICAL, /* 0 */ + ISC_LOG_ERROR, /* 1 */ + ISC_LOG_WARNING, /* 2 */ + ISC_LOG_NOTICE /* 3 */ + }; + struct dlz_bind9_data *state = private_ptr; + int isc_log_level; + + if (msg_level >= ARRAY_SIZE(isc_log_map) || msg_level < 0) { + isc_log_level = ISC_LOG_INFO; + } else { + isc_log_level = isc_log_map[msg_level]; + } + state->log(isc_log_level, "samba_dlz: %s", msg); +} + +static int dlz_state_debug_unregister(struct dlz_bind9_data *state) +{ + /* Stop logging (to the bind9 logs) */ + debug_set_callback(NULL, NULL); + return 0; +} + +/* + called to initialise the driver + */ +_PUBLIC_ isc_result_t dlz_create(const char *dlzname, + unsigned int argc, const char **argv, + void **dbdata, ...) +{ + struct dlz_bind9_data *state; + const char *helper_name; + va_list ap; + isc_result_t result; + struct ldb_dn *dn; + NTSTATUS nt_status; + int ret; + char *errstring = NULL; + + if (dlz_bind9_state != NULL) { + dlz_bind9_state->log(ISC_LOG_ERROR, + "samba_dlz: dlz_create ignored, #refs=%d", + dlz_bind9_state_ref_count); + *dbdata = dlz_bind9_state; + dlz_bind9_state_ref_count++; + return ISC_R_SUCCESS; + } + + state = talloc_zero(NULL, struct dlz_bind9_data); + if (state == NULL) { + return ISC_R_NOMEMORY; + } + + talloc_set_destructor(state, dlz_state_debug_unregister); + + /* fill in the helper functions */ + va_start(ap, dbdata); + while ((helper_name = va_arg(ap, const char *)) != NULL) { + b9_add_helper(state, helper_name, va_arg(ap, void*)); + } + va_end(ap); + + /* Do not install samba signal handlers */ + fault_setup_disable(); + + /* Start logging (to the bind9 logs) */ + debug_set_callback(state, b9_debug); + + state->ev_ctx = s4_event_context_init(state); + if (state->ev_ctx == NULL) { + result = ISC_R_NOMEMORY; + goto failed; + } + + result = parse_options(state, argc, argv, &state->options); + if (result != ISC_R_SUCCESS) { + goto failed; + } + + state->lp = loadparm_init_global(true); + if (state->lp == NULL) { + result = ISC_R_NOMEMORY; + goto failed; + } + + if (state->options.debug) { + lpcfg_do_global_parameter(state->lp, "log level", state->options.debug); + } else { + lpcfg_do_global_parameter(state->lp, "log level", "0"); + } + + if (smb_krb5_init_context(state, state->lp, &state->smb_krb5_ctx) != 0) { + result = ISC_R_NOMEMORY; + goto failed; + } + + nt_status = gensec_init(); + if (!NT_STATUS_IS_OK(nt_status)) { + result = ISC_R_NOMEMORY; + goto failed; + } + + state->auth_context = talloc_zero(state, struct auth4_context); + if (state->auth_context == NULL) { + result = ISC_R_NOMEMORY; + goto failed; + } + + if (state->options.url == NULL) { + state->options.url = talloc_asprintf(state, + "%s/dns/sam.ldb", + lpcfg_binddns_dir(state->lp)); + if (state->options.url == NULL) { + result = ISC_R_NOMEMORY; + goto failed; + } + + if (!file_exist(state->options.url)) { + state->options.url = talloc_asprintf(state, + "%s/dns/sam.ldb", + lpcfg_private_dir(state->lp)); + if (state->options.url == NULL) { + result = ISC_R_NOMEMORY; + goto failed; + } + } + } + + ret = samdb_connect_url(state, + state->ev_ctx, + state->lp, + system_session(state->lp), + 0, + state->options.url, + NULL, + &state->samdb, + &errstring); + if (ret != LDB_SUCCESS) { + state->log(ISC_LOG_ERROR, + "samba_dlz: Failed to connect to %s: %s", + errstring, ldb_strerror(ret)); + result = ISC_R_FAILURE; + goto failed; + } + + dn = ldb_get_default_basedn(state->samdb); + if (dn == NULL) { + state->log(ISC_LOG_ERROR, "samba_dlz: Unable to get basedn for %s - %s", + state->options.url, ldb_errstring(state->samdb)); + result = ISC_R_FAILURE; + goto failed; + } + + state->log(ISC_LOG_INFO, "samba_dlz: started for DN %s", + ldb_dn_get_linearized(dn)); + + state->auth_context->event_ctx = state->ev_ctx; + state->auth_context->lp_ctx = state->lp; + state->auth_context->sam_ctx = state->samdb; + state->auth_context->generate_session_info_pac = b9_generate_session_info_pac; + + *dbdata = state; + dlz_bind9_state = state; + dlz_bind9_state_ref_count++; + + return ISC_R_SUCCESS; + +failed: + state->log(ISC_LOG_INFO, + "samba_dlz: FAILED dlz_create call result=%d #refs=%d", + result, + dlz_bind9_state_ref_count); + talloc_free(state); + return result; +} + +/* + shutdown the backend + */ +_PUBLIC_ void dlz_destroy(void *dbdata) +{ + struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data); + + dlz_bind9_state_ref_count--; + if (dlz_bind9_state_ref_count == 0) { + state->log(ISC_LOG_INFO, "samba_dlz: shutting down"); + talloc_unlink(state, state->samdb); + talloc_free(state); + dlz_bind9_state = NULL; + } else { + state->log(ISC_LOG_INFO, + "samba_dlz: dlz_destroy called. %d refs remaining.", + dlz_bind9_state_ref_count); + } +} + + +/* + return the base DN for a zone + */ +static isc_result_t b9_find_zone_dn(struct dlz_bind9_data *state, const char *zone_name, + TALLOC_CTX *mem_ctx, struct ldb_dn **zone_dn) +{ + int ret; + TALLOC_CTX *tmp_ctx = talloc_new(state); + const char *attrs[] = { NULL }; + int i; + + for (i=0; zone_prefixes[i]; i++) { + const char *casefold; + struct ldb_dn *dn; + struct ldb_result *res; + struct ldb_val zone_name_val + = data_blob_string_const(zone_name); + + dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb)); + if (dn == NULL) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + /* + * This dance ensures that it is not possible to put + * (eg) an extra DC=x, into the DNS name being + * queried + */ + + if (!ldb_dn_add_child_fmt(dn, + "DC=X,%s", + zone_prefixes[i])) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + ret = ldb_dn_set_component(dn, + 0, + "DC", + zone_name_val); + if (ret != LDB_SUCCESS) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + /* + * Check if this is a plausibly valid DN early + * (time spent here will be saved during the + * search due to an internal cache) + */ + casefold = ldb_dn_get_casefold(dn); + + if (casefold == NULL) { + talloc_free(tmp_ctx); + return ISC_R_NOTFOUND; + } + + ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, "objectClass=dnsZone"); + if (ret == LDB_SUCCESS) { + if (zone_dn != NULL) { + *zone_dn = talloc_steal(mem_ctx, dn); + } + talloc_free(tmp_ctx); + return ISC_R_SUCCESS; + } + talloc_free(dn); + } + + talloc_free(tmp_ctx); + return ISC_R_NOTFOUND; +} + + +/* + return the DN for a name. The record does not need to exist, but the + zone must exist + */ +static isc_result_t b9_find_name_dn(struct dlz_bind9_data *state, const char *name, + TALLOC_CTX *mem_ctx, struct ldb_dn **dn) +{ + const char *p; + + /* work through the name piece by piece, until we find a zone */ + for (p=name; p; ) { + isc_result_t result; + result = b9_find_zone_dn(state, p, mem_ctx, dn); + if (result == ISC_R_SUCCESS) { + const char *casefold; + + /* we found a zone, now extend the DN to get + * the full DN + */ + bool ret; + if (p == name) { + ret = ldb_dn_add_child_fmt(*dn, "DC=@"); + if (ret == false) { + talloc_free(*dn); + return ISC_R_NOMEMORY; + } + } else { + struct ldb_val name_val + = data_blob_const(name, + (int)(p-name)-1); + + if (!ldb_dn_add_child_val(*dn, + "DC", + name_val)) { + talloc_free(*dn); + return ISC_R_NOMEMORY; + } + } + + /* + * Check if this is a plausibly valid DN early + * (time spent here will be saved during the + * search due to an internal cache) + */ + casefold = ldb_dn_get_casefold(*dn); + + if (casefold == NULL) { + return ISC_R_NOTFOUND; + } + + return ISC_R_SUCCESS; + } + p = strchr(p, '.'); + if (p == NULL) { + break; + } + p++; + } + return ISC_R_NOTFOUND; +} + + +/* + see if we handle a given zone + */ +_PUBLIC_ isc_result_t dlz_findzonedb(void *dbdata, const char *name, + dns_clientinfomethods_t *methods, + dns_clientinfo_t *clientinfo) +{ + struct timeval start = timeval_current(); + struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data); + isc_result_t result = ISC_R_SUCCESS; + + result = b9_find_zone_dn(state, name, NULL, NULL); + DNS_COMMON_LOG_OPERATION( + isc_result_str(result), + &start, + NULL, + name, + NULL); + return result; +} + + +/* + lookup one record + */ +static isc_result_t dlz_lookup_types(struct dlz_bind9_data *state, + const char *zone, const char *name, + dns_sdlzlookup_t *lookup, + const char **types) +{ + TALLOC_CTX *tmp_ctx = talloc_new(state); + struct ldb_dn *dn; + WERROR werr = WERR_DNS_ERROR_NAME_DOES_NOT_EXIST; + struct dnsp_DnssrvRpcRecord *records = NULL; + uint16_t num_records = 0, i; + struct ldb_val zone_name_val + = data_blob_string_const(zone); + struct ldb_val name_val + = data_blob_string_const(name); + + for (i=0; zone_prefixes[i]; i++) { + int ret; + const char *casefold; + dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb)); + if (dn == NULL) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + /* + * This dance ensures that it is not possible to put + * (eg) an extra DC=x, into the DNS name being + * queried + */ + + if (!ldb_dn_add_child_fmt(dn, + "DC=X,DC=X,%s", + zone_prefixes[i])) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + ret = ldb_dn_set_component(dn, + 1, + "DC", + zone_name_val); + if (ret != LDB_SUCCESS) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + ret = ldb_dn_set_component(dn, + 0, + "DC", + name_val); + if (ret != LDB_SUCCESS) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + /* + * Check if this is a plausibly valid DN early + * (time spent here will be saved during the + * search due to an internal cache) + */ + casefold = ldb_dn_get_casefold(dn); + + if (casefold == NULL) { + talloc_free(tmp_ctx); + return ISC_R_NOTFOUND; + } + + werr = dns_common_wildcard_lookup(state->samdb, tmp_ctx, dn, + &records, &num_records); + if (W_ERROR_IS_OK(werr)) { + break; + } + } + if (!W_ERROR_IS_OK(werr)) { + talloc_free(tmp_ctx); + return ISC_R_NOTFOUND; + } + + for (i=0; i < num_records; i++) { + isc_result_t result; + + result = b9_putrr(state, lookup, &records[i], types); + if (result != ISC_R_SUCCESS) { + talloc_free(tmp_ctx); + return result; + } + } + + talloc_free(tmp_ctx); + return ISC_R_SUCCESS; +} + +/* + lookup one record + */ +_PUBLIC_ isc_result_t dlz_lookup(const char *zone, const char *name, + void *dbdata, dns_sdlzlookup_t *lookup, + dns_clientinfomethods_t *methods, + dns_clientinfo_t *clientinfo) +{ + struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data); + isc_result_t result = ISC_R_SUCCESS; + struct timeval start = timeval_current(); + + result = dlz_lookup_types(state, zone, name, lookup, NULL); + DNS_COMMON_LOG_OPERATION( + isc_result_str(result), + &start, + zone, + name, + NULL); + + return result; +} + + +/* + see if a zone transfer is allowed + */ +_PUBLIC_ isc_result_t dlz_allowzonexfr(void *dbdata, const char *name, const char *client) +{ + struct dlz_bind9_data *state = talloc_get_type( + dbdata, struct dlz_bind9_data); + isc_result_t ret; + const char **authorized_clients, **denied_clients; + const char *cname=""; + + /* check that the zone is known */ + ret = b9_find_zone_dn(state, name, NULL, NULL); + if (ret != ISC_R_SUCCESS) { + return ret; + } + + /* default is to deny all transfers */ + + authorized_clients = lpcfg_dns_zone_transfer_clients_allow(state->lp); + denied_clients = lpcfg_dns_zone_transfer_clients_deny(state->lp); + + /* The logic of allow_access() when both allow and deny lists are given + * does not match our expectation here: it would allow clients thar are + * neither allowed nor denied. + * Here, we want to deny clients by default. + * Using the allow_access() function is still useful as it takes care of + * parsing IP adresses and subnets in a consistent way with other options + * from smb.conf. + * + * We will then check the deny list first, then the allow list, so that + * we accept only clients that are explicitely allowed AND not explicitely + * denied. + */ + if ((authorized_clients == NULL) && (denied_clients == NULL)) { + /* No "allow" or "deny" lists given. Deny by default. */ + return ISC_R_NOPERM; + } + + if (denied_clients != NULL) { + bool ok = allow_access(denied_clients, NULL, cname, client); + if (!ok) { + /* client on deny list. Deny. */ + return ISC_R_NOPERM; + } + } + + if (authorized_clients != NULL) { + bool ok = allow_access(NULL, authorized_clients, cname, client); + if (ok) { + /* + * client is not on deny list and is on allow list. + * This is the only place we should return "allow". + */ + return ISC_R_SUCCESS; + } + } + /* We shouldn't get here, but deny by default. */ + return ISC_R_NOPERM; +} + +/* + perform a zone transfer + */ +_PUBLIC_ isc_result_t dlz_allnodes(const char *zone, void *dbdata, + dns_sdlzallnodes_t *allnodes) +{ + struct timeval start = timeval_current(); + struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data); + const char *attrs[] = { "dnsRecord", NULL }; + int ret = LDB_ERR_NO_SUCH_OBJECT; + size_t i, j; + struct ldb_dn *dn = NULL; + struct ldb_result *res; + TALLOC_CTX *tmp_ctx = talloc_new(state); + struct ldb_val zone_name_val = data_blob_string_const(zone); + isc_result_t result = ISC_R_SUCCESS; + + for (i=0; zone_prefixes[i]; i++) { + const char *casefold; + + dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb)); + if (dn == NULL) { + talloc_free(tmp_ctx); + result = ISC_R_NOMEMORY; + goto exit; + } + + /* + * This dance ensures that it is not possible to put + * (eg) an extra DC=x, into the DNS name being + * queried + */ + + if (!ldb_dn_add_child_fmt(dn, + "DC=X,%s", + zone_prefixes[i])) { + talloc_free(tmp_ctx); + result = ISC_R_NOMEMORY; + goto exit; + } + + ret = ldb_dn_set_component(dn, + 0, + "DC", + zone_name_val); + if (ret != LDB_SUCCESS) { + talloc_free(tmp_ctx); + result = ISC_R_NOMEMORY; + goto exit; + } + + /* + * Check if this is a plausibly valid DN early + * (time spent here will be saved during the + * search due to an internal cache) + */ + casefold = ldb_dn_get_casefold(dn); + + if (casefold == NULL) { + result = ISC_R_NOTFOUND; + goto exit; + } + + ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE, + attrs, "objectClass=dnsNode"); + if (ret == LDB_SUCCESS) { + break; + } + } + if (ret != LDB_SUCCESS || dn == NULL) { + talloc_free(tmp_ctx); + result = ISC_R_NOTFOUND; + goto exit; + } + + for (i=0; i<res->count; i++) { + struct ldb_message_element *el; + TALLOC_CTX *el_ctx = talloc_new(tmp_ctx); + const char *rdn, *name; + const struct ldb_val *v; + WERROR werr; + struct dnsp_DnssrvRpcRecord *recs = NULL; + uint16_t num_recs = 0; + + el = ldb_msg_find_element(res->msgs[i], "dnsRecord"); + if (el == NULL || el->num_values == 0) { + state->log(ISC_LOG_INFO, "failed to find dnsRecord for %s", + ldb_dn_get_linearized(dn)); + talloc_free(el_ctx); + continue; + } + + v = ldb_dn_get_rdn_val(res->msgs[i]->dn); + if (v == NULL) { + state->log(ISC_LOG_INFO, "failed to find RDN for %s", + ldb_dn_get_linearized(dn)); + talloc_free(el_ctx); + continue; + } + + rdn = talloc_strndup(el_ctx, (char *)v->data, v->length); + if (rdn == NULL) { + talloc_free(tmp_ctx); + result = ISC_R_NOMEMORY; + goto exit; + } + + if (strcmp(rdn, "@") == 0) { + name = zone; + } else { + name = talloc_asprintf(el_ctx, "%s.%s", rdn, zone); + } + name = b9_format_fqdn(el_ctx, name); + if (name == NULL) { + talloc_free(tmp_ctx); + result = ISC_R_NOMEMORY; + goto exit; + } + + werr = dns_common_extract(state->samdb, el, el_ctx, &recs, &num_recs); + if (!W_ERROR_IS_OK(werr)) { + state->log(ISC_LOG_ERROR, "samba_dlz: failed to parse dnsRecord for %s, %s", + ldb_dn_get_linearized(dn), win_errstr(werr)); + talloc_free(el_ctx); + continue; + } + + for (j=0; j < num_recs; j++) { + isc_result_t rc; + + rc = b9_putnamedrr(state, allnodes, name, &recs[j]); + if (rc != ISC_R_SUCCESS) { + continue; + } + } + + talloc_free(el_ctx); + } + + talloc_free(tmp_ctx); +exit: + DNS_COMMON_LOG_OPERATION( + isc_result_str(result), + &start, + zone, + NULL, + NULL); + return result; +} + + +/* + start a transaction + */ +_PUBLIC_ isc_result_t dlz_newversion(const char *zone, void *dbdata, void **versionp) +{ + struct timeval start = timeval_current(); + struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data); + isc_result_t result = ISC_R_SUCCESS; + + state->log(ISC_LOG_INFO, "samba_dlz: starting transaction on zone %s", zone); + + if (state->transaction_token != NULL) { + state->log(ISC_LOG_INFO, "samba_dlz: transaction already started for zone %s", zone); + result = ISC_R_FAILURE; + goto exit; + } + + state->transaction_token = talloc_zero(state, int); + if (state->transaction_token == NULL) { + result = ISC_R_NOMEMORY; + goto exit; + } + + if (ldb_transaction_start(state->samdb) != LDB_SUCCESS) { + state->log(ISC_LOG_INFO, "samba_dlz: failed to start a transaction for zone %s", zone); + talloc_free(state->transaction_token); + state->transaction_token = NULL; + result = ISC_R_FAILURE; + goto exit; + } + + *versionp = (void *)state->transaction_token; +exit: + DNS_COMMON_LOG_OPERATION( + isc_result_str(result), + &start, + zone, + NULL, + NULL); + return result; +} + +/* + end a transaction + */ +_PUBLIC_ void dlz_closeversion(const char *zone, isc_boolean_t commit, + void *dbdata, void **versionp) +{ + struct timeval start = timeval_current(); + struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data); + const char *data = NULL; + + data = commit ? "commit" : "cancel"; + + if (state->transaction_token != (int *)*versionp) { + state->log(ISC_LOG_INFO, "samba_dlz: transaction not started for zone %s", zone); + goto exit; + } + + if (commit) { + if (ldb_transaction_commit(state->samdb) != LDB_SUCCESS) { + state->log(ISC_LOG_INFO, "samba_dlz: failed to commit a transaction for zone %s", zone); + goto exit; + } + state->log(ISC_LOG_INFO, "samba_dlz: committed transaction on zone %s", zone); + } else { + if (ldb_transaction_cancel(state->samdb) != LDB_SUCCESS) { + state->log(ISC_LOG_INFO, "samba_dlz: failed to cancel a transaction for zone %s", zone); + goto exit; + } + state->log(ISC_LOG_INFO, "samba_dlz: cancelling transaction on zone %s", zone); + } + + talloc_free(state->transaction_token); + state->transaction_token = NULL; + *versionp = NULL; + +exit: + DNS_COMMON_LOG_OPERATION( + isc_result_str(ISC_R_SUCCESS), + &start, + zone, + NULL, + data); +} + + +/* + see if there is a SOA record for a zone + */ +static bool b9_has_soa(struct dlz_bind9_data *state, struct ldb_dn *dn, const char *zone) +{ + TALLOC_CTX *tmp_ctx = talloc_new(state); + WERROR werr; + struct dnsp_DnssrvRpcRecord *records = NULL; + uint16_t num_records = 0, i; + struct ldb_val zone_name_val + = data_blob_string_const(zone); + + /* + * This dance ensures that it is not possible to put + * (eg) an extra DC=x, into the DNS name being + * queried + */ + + if (!ldb_dn_add_child_val(dn, + "DC", + zone_name_val)) { + talloc_free(tmp_ctx); + return false; + } + + /* + * The SOA record is alwas stored under DC=@,DC=zonename + * This can probably be removed when dns_common_lookup makes a fallback + * lookup on @ pseudo record + */ + + if (!ldb_dn_add_child_fmt(dn,"DC=@")) { + talloc_free(tmp_ctx); + return false; + } + + werr = dns_common_lookup(state->samdb, tmp_ctx, dn, + &records, &num_records, NULL); + if (!W_ERROR_IS_OK(werr)) { + talloc_free(tmp_ctx); + return false; + } + + for (i=0; i < num_records; i++) { + if (records[i].wType == DNS_TYPE_SOA) { + talloc_free(tmp_ctx); + return true; + } + } + + talloc_free(tmp_ctx); + return false; +} + +static bool b9_zone_add(struct dlz_bind9_data *state, const char *name) +{ + struct b9_zone *zone; + + zone = talloc_zero(state, struct b9_zone); + if (zone == NULL) { + return false; + } + + zone->name = talloc_strdup(zone, name); + if (zone->name == NULL) { + talloc_free(zone); + return false; + } + + DLIST_ADD(state->zonelist, zone); + return true; +} + +static bool b9_zone_exists(struct dlz_bind9_data *state, const char *name) +{ + struct b9_zone *zone = state->zonelist; + bool found = false; + + while (zone != NULL) { + if (strcasecmp(name, zone->name) == 0) { + found = true; + break; + } + zone = zone->next; + } + + return found; +} + + +/* + configure a writeable zone + */ +_PUBLIC_ isc_result_t dlz_configure(dns_view_t *view, dns_dlzdb_t *dlzdb, + void *dbdata) +{ + struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data); + TALLOC_CTX *tmp_ctx; + struct ldb_dn *dn; + int i; + + state->log(ISC_LOG_INFO, "samba_dlz: starting configure"); + if (state->writeable_zone == NULL) { + state->log(ISC_LOG_INFO, "samba_dlz: no writeable_zone method available"); + return ISC_R_FAILURE; + } + + tmp_ctx = talloc_new(state); + + for (i=0; zone_prefixes[i]; i++) { + const char *attrs[] = { "name", NULL }; + int j, ret; + struct ldb_result *res; + + dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb)); + if (dn == NULL) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + if (!ldb_dn_add_child_fmt(dn, "%s", zone_prefixes[i])) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE, + attrs, "objectClass=dnsZone"); + if (ret != LDB_SUCCESS) { + continue; + } + + for (j=0; j<res->count; j++) { + isc_result_t result; + const char *zone = ldb_msg_find_attr_as_string(res->msgs[j], "name", NULL); + struct ldb_dn *zone_dn; + + if (zone == NULL) { + continue; + } + /* Ignore zones that are not handled in BIND */ + if ((strcmp(zone, "RootDNSServers") == 0) || + (strcmp(zone, "..TrustAnchors") == 0)) { + continue; + } + zone_dn = ldb_dn_copy(tmp_ctx, dn); + if (zone_dn == NULL) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + if (!b9_has_soa(state, zone_dn, zone)) { + continue; + } + + if (b9_zone_exists(state, zone)) { + state->log(ISC_LOG_WARNING, "samba_dlz: Ignoring duplicate zone '%s' from '%s'", + zone, ldb_dn_get_linearized(zone_dn)); + continue; + } + + if (!b9_zone_add(state, zone)) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + result = state->writeable_zone(view, dlzdb, zone); + if (result != ISC_R_SUCCESS) { + state->log(ISC_LOG_ERROR, "samba_dlz: Failed to configure zone '%s'", + zone); + talloc_free(tmp_ctx); + return result; + } + state->log(ISC_LOG_INFO, "samba_dlz: configured writeable zone '%s'", zone); + } + } + + talloc_free(tmp_ctx); + return ISC_R_SUCCESS; +} + +/* + authorize a zone update + */ +_PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr, + const char *type, const char *key, uint32_t keydatalen, uint8_t *keydata, + void *dbdata) +{ + struct timeval start = timeval_current(); + struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data); + TALLOC_CTX *tmp_ctx; + DATA_BLOB ap_req; + struct cli_credentials *server_credentials; + char *keytab_name; + char *keytab_file = NULL; + int ret; + int ldb_ret; + NTSTATUS nt_status; + struct gensec_security *gensec_ctx; + struct auth_session_info *session_info; + struct ldb_dn *dn; + isc_result_t rc; + struct ldb_result *res; + const char * attrs[] = { NULL }; + uint32_t access_mask; + struct gensec_settings *settings = NULL; + const struct gensec_security_ops **backends = NULL; + size_t idx = 0; + isc_boolean_t result = ISC_FALSE; + NTSTATUS status; + bool ok; + + /* Remove cached credentials, if any */ + if (state->session_info) { + talloc_free(state->session_info); + state->session_info = NULL; + } + if (state->update_name) { + talloc_free(state->update_name); + state->update_name = NULL; + } + + tmp_ctx = talloc_new(state); + if (tmp_ctx == NULL) { + state->log(ISC_LOG_ERROR, "samba_dlz: no memory"); + result = ISC_FALSE; + goto exit; + } + + ap_req = data_blob_const(keydata, keydatalen); + server_credentials = cli_credentials_init(tmp_ctx); + if (!server_credentials) { + state->log(ISC_LOG_ERROR, "samba_dlz: failed to init server credentials"); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + + status = cli_credentials_set_krb5_context(server_credentials, + state->smb_krb5_ctx); + if (!NT_STATUS_IS_OK(status)) { + state->log(ISC_LOG_ERROR, + "samba_dlz: failed to set krb5 context"); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + + ok = cli_credentials_set_conf(server_credentials, state->lp); + if (!ok) { + state->log(ISC_LOG_ERROR, + "samba_dlz: failed to load smb.conf"); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + + keytab_file = talloc_asprintf(tmp_ctx, + "%s/dns.keytab", + lpcfg_binddns_dir(state->lp)); + if (keytab_file == NULL) { + state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!"); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + + if (!file_exist(keytab_file)) { + keytab_file = talloc_asprintf(tmp_ctx, + "%s/dns.keytab", + lpcfg_private_dir(state->lp)); + if (keytab_file == NULL) { + state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!"); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + } + + keytab_name = talloc_asprintf(tmp_ctx, "FILE:%s", keytab_file); + if (keytab_name == NULL) { + state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!"); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + + ret = cli_credentials_set_keytab_name(server_credentials, state->lp, keytab_name, + CRED_SPECIFIED); + if (ret != 0) { + state->log(ISC_LOG_ERROR, "samba_dlz: failed to obtain server credentials from %s", + keytab_name); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + talloc_free(keytab_name); + + settings = lpcfg_gensec_settings(tmp_ctx, state->lp); + if (settings == NULL) { + state->log(ISC_LOG_ERROR, "samba_dlz: lpcfg_gensec_settings failed"); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + backends = talloc_zero_array(settings, + const struct gensec_security_ops *, 3); + if (backends == NULL) { + state->log(ISC_LOG_ERROR, "samba_dlz: talloc_zero_array gensec_security_ops failed"); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + settings->backends = backends; + + gensec_init(); + + backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_KERBEROS5); + backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO); + + nt_status = gensec_server_start(tmp_ctx, settings, + state->auth_context, &gensec_ctx); + if (!NT_STATUS_IS_OK(nt_status)) { + state->log(ISC_LOG_ERROR, "samba_dlz: failed to start gensec server"); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + + gensec_set_credentials(gensec_ctx, server_credentials); + + nt_status = gensec_start_mech_by_oid(gensec_ctx, GENSEC_OID_SPNEGO); + if (!NT_STATUS_IS_OK(nt_status)) { + state->log(ISC_LOG_ERROR, "samba_dlz: failed to start spnego"); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + + /* + * We only allow SPNEGO/KRB5 and make sure the backend + * to is RPC/IPC free. + * + * See gensec_gssapi_update_internal() as + * GENSEC_SERVER. + * + * It allows gensec_update() not to block. + * + * If that changes in future we need to use + * gensec_update_send/recv here! + */ + nt_status = gensec_update(gensec_ctx, tmp_ctx, ap_req, &ap_req); + if (!NT_STATUS_IS_OK(nt_status)) { + state->log(ISC_LOG_ERROR, "samba_dlz: spnego update failed"); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + + nt_status = gensec_session_info(gensec_ctx, tmp_ctx, &session_info); + if (!NT_STATUS_IS_OK(nt_status)) { + state->log(ISC_LOG_ERROR, "samba_dlz: failed to create session info"); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + + /* Get the DN from name */ + rc = b9_find_name_dn(state, name, tmp_ctx, &dn); + if (rc != ISC_R_SUCCESS) { + state->log(ISC_LOG_ERROR, "samba_dlz: failed to find name %s", name); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + + /* make sure the dn exists, or find parent dn in case new object is being added */ + ldb_ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_BASE, + attrs, "objectClass=dnsNode"); + if (ldb_ret == LDB_ERR_NO_SUCH_OBJECT) { + ldb_dn_remove_child_components(dn, 1); + access_mask = SEC_ADS_CREATE_CHILD; + talloc_free(res); + } else if (ldb_ret == LDB_SUCCESS) { + access_mask = SEC_STD_REQUIRED | SEC_ADS_SELF_WRITE; + talloc_free(res); + } else { + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + + /* Do ACL check */ + ldb_ret = dsdb_check_access_on_dn(state->samdb, tmp_ctx, dn, + session_info->security_token, + access_mask, NULL); + if (ldb_ret != LDB_SUCCESS) { + state->log(ISC_LOG_INFO, + "samba_dlz: disallowing update of signer=%s name=%s type=%s error=%s", + signer, name, type, ldb_strerror(ldb_ret)); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + + /* Cache session_info, so it can be used in the actual add/delete operation */ + state->update_name = talloc_strdup(state, name); + if (state->update_name == NULL) { + state->log(ISC_LOG_ERROR, "samba_dlz: memory allocation error"); + talloc_free(tmp_ctx); + result = ISC_FALSE; + goto exit; + } + state->session_info = talloc_steal(state, session_info); + + state->log(ISC_LOG_INFO, "samba_dlz: allowing update of signer=%s name=%s tcpaddr=%s type=%s key=%s", + signer, name, tcpaddr, type, key); + + talloc_free(tmp_ctx); + result = ISC_TRUE; +exit: + DNS_COMMON_LOG_OPERATION( + isc_result_str(result), + &start, + NULL, + name, + NULL); + return result; +} + + +/* + see if two dns records match + */ +static bool b9_record_match(struct dnsp_DnssrvRpcRecord *rec1, + struct dnsp_DnssrvRpcRecord *rec2) +{ + if (rec1->wType != rec2->wType) { + return false; + } + /* see if this type is single valued */ + if (b9_single_valued(rec1->wType)) { + return true; + } + + return dns_record_match(rec1, rec2); +} + +/* + * Update session_info on samdb using the cached credentials + */ +static bool b9_set_session_info(struct dlz_bind9_data *state, const char *name) +{ + int ret; + + if (state->update_name == NULL || state->session_info == NULL) { + state->log(ISC_LOG_ERROR, "samba_dlz: invalid credentials"); + return false; + } + + /* Do not use client credentials, if we're not updating the client specified name */ + if (strcmp(state->update_name, name) != 0) { + return true; + } + + ret = ldb_set_opaque( + state->samdb, + DSDB_SESSION_INFO, + state->session_info); + if (ret != LDB_SUCCESS) { + state->log(ISC_LOG_ERROR, "samba_dlz: unable to set session info"); + return false; + } + + return true; +} + +/* + * Reset session_info on samdb as system session + */ +static void b9_reset_session_info(struct dlz_bind9_data *state) +{ + ldb_set_opaque( + state->samdb, + DSDB_SESSION_INFO, + system_session(state->lp)); +} + +/* + add or modify a rdataset + */ +_PUBLIC_ isc_result_t dlz_addrdataset(const char *name, const char *rdatastr, void *dbdata, void *version) +{ + struct timeval start = timeval_current(); + struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data); + struct dnsp_DnssrvRpcRecord *rec; + struct ldb_dn *dn; + isc_result_t result = ISC_R_SUCCESS; + bool tombstoned = false; + bool needs_add = false; + struct dnsp_DnssrvRpcRecord *recs = NULL; + uint16_t num_recs = 0; + uint16_t first = 0; + uint16_t i; + WERROR werr; + + if (state->transaction_token != (void*)version) { + state->log(ISC_LOG_INFO, "samba_dlz: bad transaction version"); + result = ISC_R_FAILURE; + goto exit; + } + + rec = talloc_zero(state, struct dnsp_DnssrvRpcRecord); + if (rec == NULL) { + result = ISC_R_NOMEMORY; + goto exit; + } + + rec->rank = DNS_RANK_ZONE; + + if (!b9_parse(state, rdatastr, rec)) { + state->log(ISC_LOG_INFO, "samba_dlz: failed to parse rdataset '%s'", rdatastr); + talloc_free(rec); + result = ISC_R_FAILURE; + goto exit; + } + + /* find the DN of the record */ + result = b9_find_name_dn(state, name, rec, &dn); + if (result != ISC_R_SUCCESS) { + talloc_free(rec); + goto exit; + } + + /* get any existing records */ + werr = dns_common_lookup(state->samdb, rec, dn, + &recs, &num_recs, &tombstoned); + if (W_ERROR_EQUAL(werr, WERR_DNS_ERROR_NAME_DOES_NOT_EXIST)) { + needs_add = true; + werr = WERR_OK; + } + if (!W_ERROR_IS_OK(werr)) { + state->log(ISC_LOG_ERROR, "samba_dlz: failed to parse dnsRecord for %s, %s", + ldb_dn_get_linearized(dn), win_errstr(werr)); + talloc_free(rec); + result = ISC_R_FAILURE; + goto exit; + } + + if (tombstoned) { + /* + * we need to keep the existing tombstone record + * and ignore it + */ + first = num_recs; + } + + /* there may be existing records. We need to see if this will + * replace a record or add to it + */ + for (i=first; i < num_recs; i++) { + if (b9_record_match(rec, &recs[i])) { + break; + } + } + if (i == UINT16_MAX) { + state->log(ISC_LOG_ERROR, + "samba_dlz: failed to find record to modify, and " + "there are already %u dnsRecord values for %s", + i, ldb_dn_get_linearized(dn)); + talloc_free(rec); + result = ISC_R_FAILURE; + goto exit; + } + + if (i == num_recs) { + /* set dwTimeStamp before increasing num_recs */ + if (dns_name_is_static(recs, num_recs)) { + rec->dwTimeStamp = 0; + } else { + rec->dwTimeStamp = unix_to_dns_timestamp(time(NULL)); + } + /* adding space for a new value */ + recs = talloc_realloc(rec, recs, + struct dnsp_DnssrvRpcRecord, + num_recs + 1); + if (recs == NULL) { + talloc_free(rec); + result = ISC_R_NOMEMORY; + goto exit; + } + num_recs++; + } else { + /* + * We are updating a record. Depending on whether aging is + * enabled, and how old the old timestamp is, + * dns_common_replace() will work out whether to bump the + * timestamp or not. But to do that, we need to tell it the + * old timestamp. + */ + if (! dns_name_is_static(recs, num_recs)) { + rec->dwTimeStamp = recs[i].dwTimeStamp; + } + } + + recs[i] = *rec; + + if (!b9_set_session_info(state, name)) { + talloc_free(rec); + result = ISC_R_FAILURE; + goto exit; + } + + /* modify the record */ + werr = dns_common_replace(state->samdb, rec, dn, + needs_add, + state->soa_serial, + recs, num_recs); + b9_reset_session_info(state); + if (!W_ERROR_IS_OK(werr)) { + state->log(ISC_LOG_ERROR, "samba_dlz: failed to %s %s - %s", + needs_add ? "add" : "modify", + ldb_dn_get_linearized(dn), win_errstr(werr)); + talloc_free(rec); + result = ISC_R_FAILURE; + goto exit; + } + + state->log(ISC_LOG_INFO, "samba_dlz: added rdataset %s '%s'", name, rdatastr); + + talloc_free(rec); +exit: + DNS_COMMON_LOG_OPERATION( + isc_result_str(result), + &start, + NULL, + name, + rdatastr); + return result; +} + +/* + remove a rdataset + */ +_PUBLIC_ isc_result_t dlz_subrdataset(const char *name, const char *rdatastr, void *dbdata, void *version) +{ + struct timeval start = timeval_current(); + struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data); + struct dnsp_DnssrvRpcRecord *rec; + struct ldb_dn *dn; + isc_result_t result = ISC_R_SUCCESS; + struct dnsp_DnssrvRpcRecord *recs = NULL; + uint16_t num_recs = 0; + uint16_t i; + WERROR werr; + + if (state->transaction_token != (void*)version) { + state->log(ISC_LOG_ERROR, "samba_dlz: bad transaction version"); + result = ISC_R_FAILURE; + goto exit; + } + + rec = talloc_zero(state, struct dnsp_DnssrvRpcRecord); + if (rec == NULL) { + result = ISC_R_NOMEMORY; + goto exit; + } + + if (!b9_parse(state, rdatastr, rec)) { + state->log(ISC_LOG_ERROR, "samba_dlz: failed to parse rdataset '%s'", rdatastr); + talloc_free(rec); + result = ISC_R_FAILURE; + goto exit; + } + + /* find the DN of the record */ + result = b9_find_name_dn(state, name, rec, &dn); + if (result != ISC_R_SUCCESS) { + talloc_free(rec); + goto exit; + } + + /* get the existing records */ + werr = dns_common_lookup(state->samdb, rec, dn, + &recs, &num_recs, NULL); + if (!W_ERROR_IS_OK(werr)) { + talloc_free(rec); + result = ISC_R_NOTFOUND; + goto exit; + } + + for (i=0; i < num_recs; i++) { + if (b9_record_match(rec, &recs[i])) { + recs[i] = (struct dnsp_DnssrvRpcRecord) { + .wType = DNS_TYPE_TOMBSTONE, + }; + break; + } + } + if (i == num_recs) { + talloc_free(rec); + result = ISC_R_NOTFOUND; + goto exit; + } + + if (!b9_set_session_info(state, name)) { + talloc_free(rec); + result = ISC_R_FAILURE; + goto exit; + } + + /* modify the record */ + werr = dns_common_replace(state->samdb, rec, dn, + false,/* needs_add */ + state->soa_serial, + recs, num_recs); + b9_reset_session_info(state); + if (!W_ERROR_IS_OK(werr)) { + state->log(ISC_LOG_ERROR, "samba_dlz: failed to modify %s - %s", + ldb_dn_get_linearized(dn), win_errstr(werr)); + talloc_free(rec); + result = ISC_R_FAILURE; + goto exit; + } + + state->log(ISC_LOG_INFO, "samba_dlz: subtracted rdataset %s '%s'", name, rdatastr); + + talloc_free(rec); +exit: + DNS_COMMON_LOG_OPERATION( + isc_result_str(result), + &start, + NULL, + name, + rdatastr); + return result; +} + + +/* + delete all records of the given type + */ +_PUBLIC_ isc_result_t dlz_delrdataset(const char *name, const char *type, void *dbdata, void *version) +{ + struct timeval start = timeval_current(); + struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data); + TALLOC_CTX *tmp_ctx; + struct ldb_dn *dn; + isc_result_t result = ISC_R_SUCCESS; + enum dns_record_type dns_type; + bool found = false; + struct dnsp_DnssrvRpcRecord *recs = NULL; + uint16_t num_recs = 0; + uint16_t ri = 0; + WERROR werr; + + if (state->transaction_token != (void*)version) { + state->log(ISC_LOG_ERROR, "samba_dlz: bad transaction version"); + result = ISC_R_FAILURE; + goto exit; + } + + if (!b9_dns_type(type, &dns_type)) { + state->log(ISC_LOG_ERROR, "samba_dlz: bad dns type %s in delete", type); + result = ISC_R_FAILURE; + goto exit; + } + + tmp_ctx = talloc_new(state); + + /* find the DN of the record */ + result = b9_find_name_dn(state, name, tmp_ctx, &dn); + if (result != ISC_R_SUCCESS) { + talloc_free(tmp_ctx); + goto exit; + } + + /* get the existing records */ + werr = dns_common_lookup(state->samdb, tmp_ctx, dn, + &recs, &num_recs, NULL); + if (!W_ERROR_IS_OK(werr)) { + talloc_free(tmp_ctx); + result = ISC_R_NOTFOUND; + goto exit; + } + + for (ri=0; ri < num_recs; ri++) { + if (dns_type != recs[ri].wType) { + continue; + } + + found = true; + recs[ri] = (struct dnsp_DnssrvRpcRecord) { + .wType = DNS_TYPE_TOMBSTONE, + }; + } + + if (!found) { + talloc_free(tmp_ctx); + result = ISC_R_FAILURE; + goto exit; + } + + if (!b9_set_session_info(state, name)) { + talloc_free(tmp_ctx); + result = ISC_R_FAILURE; + goto exit; + } + + /* modify the record */ + werr = dns_common_replace(state->samdb, tmp_ctx, dn, + false,/* needs_add */ + state->soa_serial, + recs, num_recs); + b9_reset_session_info(state); + if (!W_ERROR_IS_OK(werr)) { + state->log(ISC_LOG_ERROR, "samba_dlz: failed to modify %s - %s", + ldb_dn_get_linearized(dn), win_errstr(werr)); + talloc_free(tmp_ctx); + result = ISC_R_FAILURE; + goto exit; + } + + state->log(ISC_LOG_INFO, "samba_dlz: deleted rdataset %s of type %s", name, type); + + talloc_free(tmp_ctx); +exit: + DNS_COMMON_LOG_OPERATION( + isc_result_str(result), + &start, + NULL, + name, + type); + return result; +} diff --git a/source4/dns_server/dlz_minimal.h b/source4/dns_server/dlz_minimal.h new file mode 100644 index 0000000..b7e36e7 --- /dev/null +++ b/source4/dns_server/dlz_minimal.h @@ -0,0 +1,317 @@ +/* + * Copyright (C) 2010 Andrew Tridgell + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the + * above copyright notice and this permission notice appear in all + * copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR + * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + * THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR + * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS + * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE + * USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* This header is updated based on BIND 9.10.1 source. + * contrib/dlz/modules/include/dlz_minimal.h + */ + +#ifndef DLZ_MINIMAL_H +#define DLZ_MINIMAL_H 1 + +#include <stdint.h> +#include <stdbool.h> + +#if defined (BIND_VERSION_9_8) +# error Bind 9.8 is not supported! +#elif defined (BIND_VERSION_9_9) +# error Bind 9.9 is not supported! +#elif defined (BIND_VERSION_9_10) +# define DLZ_DLOPEN_VERSION 3 +# define DNS_CLIENTINFO_VERSION 1 +# define ISC_BOOLEAN_AS_BOOL 0 +#elif defined (BIND_VERSION_9_11) +# define DLZ_DLOPEN_VERSION 3 +# define DNS_CLIENTINFO_VERSION 2 +# define ISC_BOOLEAN_AS_BOOL 0 +#elif defined (BIND_VERSION_9_12) +# define DLZ_DLOPEN_VERSION 3 +# define DNS_CLIENTINFO_VERSION 2 +# define ISC_BOOLEAN_AS_BOOL 0 +#elif defined (BIND_VERSION_9_14) +# define DLZ_DLOPEN_VERSION 3 +# define DNS_CLIENTINFO_VERSION 2 +#elif defined (BIND_VERSION_9_16) +# define DLZ_DLOPEN_VERSION 3 +# define DNS_CLIENTINFO_VERSION 2 +#elif defined (BIND_VERSION_9_18) +# define DLZ_DLOPEN_VERSION 3 +# define DNS_CLIENTINFO_VERSION 2 +#else +# error Unsupported BIND version +#endif + +#ifndef ISC_BOOLEAN_AS_BOOL +#define ISC_BOOLEAN_AS_BOOL 1 +#endif + +# define DLZ_DLOPEN_AGE 0 + +typedef unsigned int isc_result_t; +#if ISC_BOOLEAN_AS_BOOL == 1 +typedef bool isc_boolean_t; +#else +typedef int isc_boolean_t; +#endif +typedef uint32_t dns_ttl_t; + +/* return these in flags from dlz_version() */ +#define DNS_SDLZFLAG_THREADSAFE 0x00000001U +#define DNS_SDLZFLAG_RELATIVEOWNER 0x00000002U +#define DNS_SDLZFLAG_RELATIVERDATA 0x00000004U + +/* result codes */ +#define ISC_R_SUCCESS 0 +#define ISC_R_NOMEMORY 1 +#define ISC_R_NOPERM 6 +#define ISC_R_NOSPACE 19 +#define ISC_R_NOTFOUND 23 +#define ISC_R_FAILURE 25 +#define ISC_R_NOTIMPLEMENTED 27 +#define ISC_R_NOMORE 29 +#define ISC_R_INVALIDFILE 30 +#define ISC_R_UNEXPECTED 34 +#define ISC_R_FILENOTFOUND 38 + +/* boolean values */ +#if ISC_BOOLEAN_AS_BOOL == 1 +#define ISC_TRUE true +#define ISC_FALSE false +#else +#define ISC_TRUE 1 +#define ISC_FALSE 0 +#endif + +/* log levels */ +#define ISC_LOG_INFO (-1) +#define ISC_LOG_NOTICE (-2) +#define ISC_LOG_WARNING (-3) +#define ISC_LOG_ERROR (-4) +#define ISC_LOG_CRITICAL (-5) +#define ISC_LOG_DEBUG(level) (level) + +/* opaque structures */ +typedef void *dns_sdlzlookup_t; +typedef void *dns_sdlzallnodes_t; +typedef void *dns_view_t; +typedef void *dns_dlzdb_t; + +/* + * Method and type definitions needed for retrieval of client info + * from the caller. + */ +typedef struct isc_sockaddr { + union { + struct sockaddr sa; + struct sockaddr_in sin; + struct sockaddr_in6 sin6; + struct sockaddr_un sunix; + } type; + unsigned int length; + void * link; +} isc_sockaddr_t; + +#if DNS_CLIENTINFO_VERSION == 1 + +typedef struct dns_clientinfo { + uint16_t version; + void *data; +} dns_clientinfo_t; + +typedef isc_result_t (*dns_clientinfo_sourceip_t)(dns_clientinfo_t *client, + isc_sockaddr_t **addrp); + +#define DNS_CLIENTINFOMETHODS_VERSION 1 +#define DNS_CLIENTINFOMETHODS_AGE 0 + +typedef struct dns_clientinfomethods { + uint16_t version; + uint16_t age; + dns_clientinfo_sourceip_t sourceip; +} dns_clientinfomethods_t; + +#elif DNS_CLIENTINFO_VERSION == 2 + +typedef struct dns_clientinfo { + uint16_t version; + void *data; + void *dbversion; +} dns_clientinfo_t; + +typedef isc_result_t (*dns_clientinfo_sourceip_t)(dns_clientinfo_t *client, + isc_sockaddr_t **addrp); + +typedef isc_result_t (*dns_clientinfo_version_t)(dns_clientinfo_t *client, + void **addrp); + +#define DNS_CLIENTINFOMETHODS_VERSION 2 +#define DNS_CLIENTINFOMETHODS_AGE 1 + +typedef struct dns_clientinfomethods { + uint16_t version; + uint16_t age; + dns_clientinfo_sourceip_t sourceip; + dns_clientinfo_version_t dbversion; +} dns_clientinfomethods_t; + +#endif /* DNS_CLIENTINFO_VERSION */ + + +/* + * Method definitions for callbacks provided by the dlopen driver + */ + +typedef void log_t(int level, const char *fmt, ...); + +typedef isc_result_t dns_sdlz_putrr_t(dns_sdlzlookup_t *lookup, + const char *type, + dns_ttl_t ttl, + const char *data); + +typedef isc_result_t dns_sdlz_putnamedrr_t(dns_sdlzallnodes_t *allnodes, + const char *name, + const char *type, + dns_ttl_t ttl, + const char *data); + +typedef isc_result_t dns_dlz_writeablezone_t(dns_view_t *view, + dns_dlzdb_t *dlzdb, + const char *zone_name); + + +/* + * prototypes for the functions you can include in your module + */ + +/* + * dlz_version() is required for all DLZ external drivers. It should + * return DLZ_DLOPEN_VERSION. 'flags' is updated to indicate capabilities + * of the module. In particular, if the module is thread-safe then it + * sets 'flags' to include DNS_SDLZFLAG_THREADSAFE. Other capability + * flags may be added in the future. + */ +int +dlz_version(unsigned int *flags); + +/* + * dlz_create() is required for all DLZ external drivers. + */ +isc_result_t +dlz_create(const char *dlzname, unsigned int argc, const char *argv[], + void **dbdata, ...); + +/* + * dlz_destroy() is optional, and will be called when the driver is + * unloaded if supplied + */ +void +dlz_destroy(void *dbdata); + +/* + * dlz_findzonedb is required for all DLZ external drivers + */ +isc_result_t +dlz_findzonedb(void *dbdata, const char *name, + dns_clientinfomethods_t *methods, + dns_clientinfo_t *clientinfo); + +/* + * dlz_lookup is required for all DLZ external drivers + */ +isc_result_t +dlz_lookup(const char *zone, const char *name, void *dbdata, + dns_sdlzlookup_t *lookup, + dns_clientinfomethods_t *methods, + dns_clientinfo_t *clientinfo); + +/* + * dlz_authority() is optional if dlz_lookup() supplies + * authority information (i.e., SOA, NS) for the dns record + */ +isc_result_t +dlz_authority(const char *zone, void *dbdata, dns_sdlzlookup_t *lookup); + +/* + * dlz_allowzonexfr() is optional, and should be supplied if you want to + * support zone transfers + */ +isc_result_t +dlz_allowzonexfr(void *dbdata, const char *name, const char *client); + +/* + * dlz_allnodes() is optional, but must be supplied if supply a + * dlz_allowzonexfr() function + */ +isc_result_t +dlz_allnodes(const char *zone, void *dbdata, dns_sdlzallnodes_t *allnodes); + +/* + * dlz_newversion() is optional. It should be supplied if you want to + * support dynamic updates. + */ +isc_result_t +dlz_newversion(const char *zone, void *dbdata, void **versionp); + +/* + * dlz_closeversion() is optional, but must be supplied if you supply a + * dlz_newversion() function + */ +void +dlz_closeversion(const char *zone, isc_boolean_t commit, void *dbdata, + void **versionp); + +/* + * dlz_configure() is optional, but must be supplied if you want to support + * dynamic updates + */ +isc_result_t +dlz_configure(dns_view_t *view, dns_dlzdb_t *dlzdb, void *dbdata); + +/* + * dlz_ssumatch() is optional, but must be supplied if you want to support + * dynamic updates + */ +isc_boolean_t +dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr, + const char *type, const char *key, uint32_t keydatalen, + uint8_t *keydata, void *dbdata); + +/* + * dlz_addrdataset() is optional, but must be supplied if you want to + * support dynamic updates + */ +isc_result_t +dlz_addrdataset(const char *name, const char *rdatastr, void *dbdata, + void *version); + +/* + * dlz_subrdataset() is optional, but must be supplied if you want to + * support dynamic updates + */ +isc_result_t +dlz_subrdataset(const char *name, const char *rdatastr, void *dbdata, + void *version); + +/* + * dlz_delrdataset() is optional, but must be supplied if you want to + * support dynamic updates + */ +isc_result_t +dlz_delrdataset(const char *name, const char *type, void *dbdata, + void *version); + +#endif /* DLZ_MINIMAL_H */ diff --git a/source4/dns_server/dns_crypto.c b/source4/dns_server/dns_crypto.c new file mode 100644 index 0000000..b38eb8b --- /dev/null +++ b/source4/dns_server/dns_crypto.c @@ -0,0 +1,434 @@ +/* + Unix SMB/CIFS implementation. + + DNS server handler for signed packets + + Copyright (C) 2012 Kai Blin <kai@samba.org> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "system/network.h" +#include "librpc/ndr/libndr.h" +#include "librpc/gen_ndr/ndr_dns.h" +#include "dns_server/dns_server.h" +#include "libcli/util/ntstatus.h" +#include "auth/auth.h" +#include "auth/gensec/gensec.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_DNS + +static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx, + struct dns_res_rec *old, + struct dns_res_rec *new_rec) +{ + new_rec->name = talloc_strdup(mem_ctx, old->name); + W_ERROR_HAVE_NO_MEMORY(new_rec->name); + + new_rec->rr_type = old->rr_type; + new_rec->rr_class = old->rr_class; + new_rec->ttl = old->ttl; + new_rec->length = old->length; + new_rec->rdata.tsig_record.algorithm_name = talloc_strdup(mem_ctx, + old->rdata.tsig_record.algorithm_name); + W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.algorithm_name); + + new_rec->rdata.tsig_record.time_prefix = old->rdata.tsig_record.time_prefix; + new_rec->rdata.tsig_record.time = old->rdata.tsig_record.time; + new_rec->rdata.tsig_record.fudge = old->rdata.tsig_record.fudge; + new_rec->rdata.tsig_record.mac_size = old->rdata.tsig_record.mac_size; + new_rec->rdata.tsig_record.mac = talloc_memdup(mem_ctx, + old->rdata.tsig_record.mac, + old->rdata.tsig_record.mac_size); + W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.mac); + + new_rec->rdata.tsig_record.original_id = old->rdata.tsig_record.original_id; + new_rec->rdata.tsig_record.error = old->rdata.tsig_record.error; + new_rec->rdata.tsig_record.other_size = old->rdata.tsig_record.other_size; + new_rec->rdata.tsig_record.other_data = talloc_memdup(mem_ctx, + old->rdata.tsig_record.other_data, + old->rdata.tsig_record.other_size); + W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.other_data); + + return WERR_OK; +} + +struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store, + const char *name) +{ + struct dns_server_tkey *tkey = NULL; + uint16_t i = 0; + + do { + struct dns_server_tkey *tmp_key = store->tkeys[i]; + + i++; + i %= TKEY_BUFFER_SIZE; + + if (tmp_key == NULL) { + continue; + } + if (samba_dns_name_equal(name, tmp_key->name)) { + tkey = tmp_key; + break; + } + } while (i != 0); + + return tkey; +} + +WERROR dns_verify_tsig(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + struct dns_request_state *state, + struct dns_name_packet *packet, + DATA_BLOB *in) +{ + WERROR werror; + NTSTATUS status; + enum ndr_err_code ndr_err; + uint16_t i, arcount = 0; + DATA_BLOB tsig_blob, fake_tsig_blob, sig; + uint8_t *buffer = NULL; + size_t buffer_len = 0, packet_len = 0; + struct dns_server_tkey *tkey = NULL; + struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx, + struct dns_fake_tsig_rec); + + + /* Find the first TSIG record in the additional records */ + for (i=0; i < packet->arcount; i++) { + if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) { + break; + } + } + + if (i == packet->arcount) { + /* no TSIG around */ + return WERR_OK; + } + + /* The TSIG record needs to be the last additional record */ + if (i + 1 != packet->arcount) { + DEBUG(1, ("TSIG record not the last additional record!\n")); + return DNS_ERR(FORMAT_ERROR); + } + + /* We got a TSIG, so we need to sign our reply */ + state->sign = true; + + state->tsig = talloc_zero(state->mem_ctx, struct dns_res_rec); + if (state->tsig == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + + werror = dns_copy_tsig(state->tsig, &packet->additional[i], + state->tsig); + if (!W_ERROR_IS_OK(werror)) { + return werror; + } + + packet->arcount--; + + tkey = dns_find_tkey(dns->tkeys, state->tsig->name); + if (tkey == NULL) { + /* + * We must save the name for use in the TSIG error + * response and have no choice here but to save the + * keyname from the TSIG request. + */ + state->key_name = talloc_strdup(state->mem_ctx, + state->tsig->name); + if (state->key_name == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + state->tsig_error = DNS_RCODE_BADKEY; + return DNS_ERR(NOTAUTH); + } + + /* + * Remember the keyname that found an existing tkey, used + * later to fetch the key with dns_find_tkey() when signing + * and adding a TSIG record with MAC. + */ + state->key_name = talloc_strdup(state->mem_ctx, tkey->name); + if (state->key_name == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + + /* FIXME: check TSIG here */ + if (check_rec == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + + /* first build and verify check packet */ + check_rec->name = talloc_strdup(check_rec, tkey->name); + if (check_rec->name == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + check_rec->rr_class = DNS_QCLASS_ANY; + check_rec->ttl = 0; + check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm); + if (check_rec->algorithm_name == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + check_rec->time_prefix = 0; + check_rec->time = state->tsig->rdata.tsig_record.time; + check_rec->fudge = state->tsig->rdata.tsig_record.fudge; + check_rec->error = 0; + check_rec->other_size = 0; + check_rec->other_data = NULL; + + ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, state->tsig, + (ndr_push_flags_fn_t)ndr_push_dns_res_rec); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(1, ("Failed to push packet: %s!\n", + ndr_errstr(ndr_err))); + return DNS_ERR(SERVER_FAILURE); + } + + ndr_err = ndr_push_struct_blob(&fake_tsig_blob, mem_ctx, check_rec, + (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(1, ("Failed to push packet: %s!\n", + ndr_errstr(ndr_err))); + return DNS_ERR(SERVER_FAILURE); + } + + /* we need to work some magic here. we need to keep the input packet + * exactly like we got it, but we need to cut off the tsig record */ + packet_len = in->length - tsig_blob.length; + buffer_len = packet_len + fake_tsig_blob.length; + buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len); + if (buffer == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + + memcpy(buffer, in->data, packet_len); + memcpy(buffer + packet_len, fake_tsig_blob.data, fake_tsig_blob.length); + + sig.length = state->tsig->rdata.tsig_record.mac_size; + sig.data = talloc_memdup(mem_ctx, state->tsig->rdata.tsig_record.mac, sig.length); + if (sig.data == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + + /* Now we also need to count down the additional record counter */ + arcount = RSVAL(buffer, 10); + RSSVAL(buffer, 10, arcount-1); + + status = gensec_check_packet(tkey->gensec, buffer, buffer_len, + buffer, buffer_len, &sig); + if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) { + state->tsig_error = DNS_RCODE_BADSIG; + return DNS_ERR(NOTAUTH); + } + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Verifying tsig failed: %s\n", nt_errstr(status))); + return ntstatus_to_werror(status); + } + + state->authenticated = true; + + return WERR_OK; +} + +static WERROR dns_tsig_compute_mac(TALLOC_CTX *mem_ctx, + struct dns_request_state *state, + struct dns_name_packet *packet, + struct dns_server_tkey *tkey, + time_t current_time, + DATA_BLOB *_psig) +{ + NTSTATUS status; + enum ndr_err_code ndr_err; + DATA_BLOB packet_blob, tsig_blob, sig; + uint8_t *buffer = NULL; + uint8_t *p = NULL; + size_t buffer_len = 0; + struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx, + struct dns_fake_tsig_rec); + size_t mac_size = 0; + + if (check_rec == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + + /* first build and verify check packet */ + check_rec->name = talloc_strdup(check_rec, tkey->name); + if (check_rec->name == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + check_rec->rr_class = DNS_QCLASS_ANY; + check_rec->ttl = 0; + check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm); + if (check_rec->algorithm_name == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + check_rec->time_prefix = 0; + check_rec->time = current_time; + check_rec->fudge = 300; + check_rec->error = state->tsig_error; + check_rec->other_size = 0; + check_rec->other_data = NULL; + + ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet, + (ndr_push_flags_fn_t)ndr_push_dns_name_packet); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(1, ("Failed to push packet: %s!\n", + ndr_errstr(ndr_err))); + return DNS_ERR(SERVER_FAILURE); + } + + ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec, + (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(1, ("Failed to push packet: %s!\n", + ndr_errstr(ndr_err))); + return DNS_ERR(SERVER_FAILURE); + } + + if (state->tsig != NULL) { + mac_size = state->tsig->rdata.tsig_record.mac_size; + } + + buffer_len = mac_size; + + buffer_len += packet_blob.length; + if (buffer_len < packet_blob.length) { + return WERR_INVALID_PARAMETER; + } + buffer_len += tsig_blob.length; + if (buffer_len < tsig_blob.length) { + return WERR_INVALID_PARAMETER; + } + + buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len); + if (buffer == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + + p = buffer; + + /* + * RFC 2845 "4.2 TSIG on Answers", how to lay out the buffer + * that we're going to sign: + * 1. MAC of request (if present) + * 2. Outgoing packet + * 3. TSIG record + */ + if (mac_size > 0) { + memcpy(p, state->tsig->rdata.tsig_record.mac, mac_size); + p += mac_size; + } + + memcpy(p, packet_blob.data, packet_blob.length); + p += packet_blob.length; + + memcpy(p, tsig_blob.data, tsig_blob.length); + + status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len, + buffer, buffer_len, &sig); + if (!NT_STATUS_IS_OK(status)) { + return ntstatus_to_werror(status); + } + + *_psig = sig; + return WERR_OK; +} + +WERROR dns_sign_tsig(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + struct dns_request_state *state, + struct dns_name_packet *packet, + uint16_t error) +{ + WERROR werror; + time_t current_time = time(NULL); + struct dns_res_rec *tsig = NULL; + DATA_BLOB sig = (DATA_BLOB) { + .data = NULL, + .length = 0 + }; + + tsig = talloc_zero(mem_ctx, struct dns_res_rec); + if (tsig == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + + if (state->tsig_error == DNS_RCODE_OK) { + struct dns_server_tkey *tkey = dns_find_tkey( + dns->tkeys, state->key_name); + if (tkey == NULL) { + return DNS_ERR(SERVER_FAILURE); + } + + werror = dns_tsig_compute_mac(mem_ctx, state, packet, + tkey, current_time, &sig); + if (!W_ERROR_IS_OK(werror)) { + return werror; + } + } + + tsig->name = talloc_strdup(tsig, state->key_name); + if (tsig->name == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + tsig->rr_class = DNS_QCLASS_ANY; + tsig->rr_type = DNS_QTYPE_TSIG; + tsig->ttl = 0; + tsig->length = UINT16_MAX; + tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig, "gss-tsig"); + if (tsig->rdata.tsig_record.algorithm_name == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + tsig->rdata.tsig_record.time_prefix = 0; + tsig->rdata.tsig_record.time = current_time; + tsig->rdata.tsig_record.fudge = 300; + tsig->rdata.tsig_record.error = state->tsig_error; + tsig->rdata.tsig_record.original_id = packet->id; + tsig->rdata.tsig_record.other_size = 0; + tsig->rdata.tsig_record.other_data = NULL; + if (sig.length > 0) { + tsig->rdata.tsig_record.mac_size = sig.length; + tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length); + if (tsig->rdata.tsig_record.mac == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + } + + if (packet->arcount == 0) { + packet->additional = talloc_zero(mem_ctx, struct dns_res_rec); + if (packet->additional == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + } + packet->additional = talloc_realloc(mem_ctx, packet->additional, + struct dns_res_rec, + packet->arcount + 1); + if (packet->additional == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + + werror = dns_copy_tsig(mem_ctx, tsig, + &packet->additional[packet->arcount]); + if (!W_ERROR_IS_OK(werror)) { + return werror; + } + packet->arcount++; + + return WERR_OK; +} diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c new file mode 100644 index 0000000..181beda --- /dev/null +++ b/source4/dns_server/dns_query.c @@ -0,0 +1,1176 @@ +/* + Unix SMB/CIFS implementation. + + DNS server handler for queries + + Copyright (C) 2010 Kai Blin <kai@samba.org> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "samba/service_task.h" +#include "libcli/util/werror.h" +#include "librpc/ndr/libndr.h" +#include "librpc/gen_ndr/ndr_dns.h" +#include "librpc/gen_ndr/ndr_dnsp.h" +#include <ldb.h> +#include "param/param.h" +#include "dsdb/samdb/samdb.h" +#include "dsdb/common/util.h" +#include "dns_server/dns_server.h" +#include "libcli/dns/libdns.h" +#include "lib/util/dlinklist.h" +#include "lib/util/util_net.h" +#include "lib/util/tevent_werror.h" +#include "auth/auth.h" +#include "auth/credentials/credentials.h" +#include "auth/gensec/gensec.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_DNS +#define MAX_Q_RECURSION_DEPTH 20 + +struct forwarder_string { + const char *forwarder; + struct forwarder_string *prev, *next; +}; + +static WERROR add_response_rr(const char *name, + const struct dnsp_DnssrvRpcRecord *rec, + struct dns_res_rec **answers) +{ + struct dns_res_rec *ans = *answers; + uint16_t ai = talloc_array_length(ans); + enum ndr_err_code ndr_err; + + if (ai == UINT16_MAX) { + return WERR_BUFFER_OVERFLOW; + } + + /* + * "ans" is always non-NULL and thus its own talloc context + */ + ans = talloc_realloc(ans, ans, struct dns_res_rec, ai+1); + if (ans == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + + ZERO_STRUCT(ans[ai]); + + switch (rec->wType) { + case DNS_QTYPE_CNAME: + ans[ai].rdata.cname_record = talloc_strdup(ans, rec->data.cname); + W_ERROR_HAVE_NO_MEMORY(ans[ai].rdata.cname_record); + break; + case DNS_QTYPE_A: + ans[ai].rdata.ipv4_record = talloc_strdup(ans, rec->data.ipv4); + W_ERROR_HAVE_NO_MEMORY(ans[ai].rdata.ipv4_record); + break; + case DNS_QTYPE_AAAA: + ans[ai].rdata.ipv6_record = talloc_strdup(ans, rec->data.ipv6); + W_ERROR_HAVE_NO_MEMORY(ans[ai].rdata.ipv6_record); + break; + case DNS_TYPE_NS: + ans[ai].rdata.ns_record = talloc_strdup(ans, rec->data.ns); + W_ERROR_HAVE_NO_MEMORY(ans[ai].rdata.ns_record); + break; + case DNS_QTYPE_SRV: + ans[ai].rdata.srv_record.priority = rec->data.srv.wPriority; + ans[ai].rdata.srv_record.weight = rec->data.srv.wWeight; + ans[ai].rdata.srv_record.port = rec->data.srv.wPort; + ans[ai].rdata.srv_record.target = talloc_strdup( + ans, rec->data.srv.nameTarget); + W_ERROR_HAVE_NO_MEMORY(ans[ai].rdata.srv_record.target); + break; + case DNS_QTYPE_SOA: + ans[ai].rdata.soa_record.mname = talloc_strdup( + ans, rec->data.soa.mname); + W_ERROR_HAVE_NO_MEMORY(ans[ai].rdata.soa_record.mname); + ans[ai].rdata.soa_record.rname = talloc_strdup( + ans, rec->data.soa.rname); + W_ERROR_HAVE_NO_MEMORY(ans[ai].rdata.soa_record.rname); + ans[ai].rdata.soa_record.serial = rec->data.soa.serial; + ans[ai].rdata.soa_record.refresh = rec->data.soa.refresh; + ans[ai].rdata.soa_record.retry = rec->data.soa.retry; + ans[ai].rdata.soa_record.expire = rec->data.soa.expire; + ans[ai].rdata.soa_record.minimum = rec->data.soa.minimum; + break; + case DNS_QTYPE_PTR: + ans[ai].rdata.ptr_record = talloc_strdup(ans, rec->data.ptr); + W_ERROR_HAVE_NO_MEMORY(ans[ai].rdata.ptr_record); + break; + case DNS_QTYPE_MX: + ans[ai].rdata.mx_record.preference = rec->data.mx.wPriority; + ans[ai].rdata.mx_record.exchange = talloc_strdup( + ans, rec->data.mx.nameTarget); + if (ans[ai].rdata.mx_record.exchange == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + break; + case DNS_QTYPE_TXT: + ndr_err = ndr_dnsp_string_list_copy(ans, + &rec->data.txt, + &ans[ai].rdata.txt_record.txt); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return WERR_NOT_ENOUGH_MEMORY; + } + break; + default: + DEBUG(0, ("Got unhandled type %u query.\n", rec->wType)); + return DNS_ERR(NOT_IMPLEMENTED); + } + + ans[ai].name = talloc_strdup(ans, name); + W_ERROR_HAVE_NO_MEMORY(ans[ai].name); + ans[ai].rr_type = (enum dns_qtype)rec->wType; + ans[ai].rr_class = DNS_QCLASS_IN; + ans[ai].ttl = rec->dwTtlSeconds; + ans[ai].length = UINT16_MAX; + + *answers = ans; + + return WERR_OK; +} + +static WERROR add_dns_res_rec(struct dns_res_rec **pdst, + const struct dns_res_rec *src) +{ + struct dns_res_rec *dst = *pdst; + uint16_t di = talloc_array_length(dst); + enum ndr_err_code ndr_err; + + if (di == UINT16_MAX) { + return WERR_BUFFER_OVERFLOW; + } + + dst = talloc_realloc(dst, dst, struct dns_res_rec, di+1); + if (dst == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + + ZERO_STRUCT(dst[di]); + + dst[di] = (struct dns_res_rec) { + .name = talloc_strdup(dst, src->name), + .rr_type = src->rr_type, + .rr_class = src->rr_class, + .ttl = src->ttl, + .length = src->length + }; + + if (dst[di].name == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + + switch (src->rr_type) { + case DNS_QTYPE_CNAME: + dst[di].rdata.cname_record = talloc_strdup( + dst, src->rdata.cname_record); + if (dst[di].rdata.cname_record == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + break; + case DNS_QTYPE_A: + dst[di].rdata.ipv4_record = talloc_strdup( + dst, src->rdata.ipv4_record); + if (dst[di].rdata.ipv4_record == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + break; + case DNS_QTYPE_AAAA: + dst[di].rdata.ipv6_record = talloc_strdup( + dst, src->rdata.ipv6_record); + if (dst[di].rdata.ipv6_record == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + break; + case DNS_TYPE_NS: + dst[di].rdata.ns_record = talloc_strdup( + dst, src->rdata.ns_record); + if (dst[di].rdata.ns_record == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + break; + case DNS_QTYPE_SRV: + dst[di].rdata.srv_record = (struct dns_srv_record) { + .priority = src->rdata.srv_record.priority, + .weight = src->rdata.srv_record.weight, + .port = src->rdata.srv_record.port, + .target = talloc_strdup( + dst, src->rdata.srv_record.target) + }; + if (dst[di].rdata.srv_record.target == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + break; + case DNS_QTYPE_SOA: + dst[di].rdata.soa_record = (struct dns_soa_record) { + .mname = talloc_strdup( + dst, src->rdata.soa_record.mname), + .rname = talloc_strdup( + dst, src->rdata.soa_record.rname), + .serial = src->rdata.soa_record.serial, + .refresh = src->rdata.soa_record.refresh, + .retry = src->rdata.soa_record.retry, + .expire = src->rdata.soa_record.expire, + .minimum = src->rdata.soa_record.minimum + }; + + if ((dst[di].rdata.soa_record.mname == NULL) || + (dst[di].rdata.soa_record.rname == NULL)) { + return WERR_NOT_ENOUGH_MEMORY; + } + + break; + case DNS_QTYPE_PTR: + dst[di].rdata.ptr_record = talloc_strdup( + dst, src->rdata.ptr_record); + if (dst[di].rdata.ptr_record == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + break; + case DNS_QTYPE_MX: + dst[di].rdata.mx_record = (struct dns_mx_record) { + .preference = src->rdata.mx_record.preference, + .exchange = talloc_strdup( + src, src->rdata.mx_record.exchange) + }; + + if (dst[di].rdata.mx_record.exchange == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + break; + case DNS_QTYPE_TXT: + ndr_err = ndr_dnsp_string_list_copy(dst, + &src->rdata.txt_record.txt, + &dst[di].rdata.txt_record.txt); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return WERR_NOT_ENOUGH_MEMORY; + } + break; + default: + DBG_WARNING("Got unhandled type %u query.\n", src->rr_type); + return DNS_ERR(NOT_IMPLEMENTED); + } + + *pdst = dst; + + return WERR_OK; +} + +struct ask_forwarder_state { + struct dns_name_packet *reply; +}; + +static void ask_forwarder_done(struct tevent_req *subreq); + +static struct tevent_req *ask_forwarder_send( + TALLOC_CTX *mem_ctx, struct tevent_context *ev, + const char *forwarder, struct dns_name_question *question) +{ + struct tevent_req *req, *subreq; + struct ask_forwarder_state *state; + + req = tevent_req_create(mem_ctx, &state, struct ask_forwarder_state); + if (req == NULL) { + return NULL; + } + + subreq = dns_cli_request_send(state, ev, forwarder, + question->name, question->question_class, + question->question_type); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, ask_forwarder_done, req); + return req; +} + +static void ask_forwarder_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct ask_forwarder_state *state = tevent_req_data( + req, struct ask_forwarder_state); + int ret; + + ret = dns_cli_request_recv(subreq, state, &state->reply); + TALLOC_FREE(subreq); + + if (ret != 0) { + tevent_req_werror(req, unix_to_werror(ret)); + return; + } + + tevent_req_done(req); +} + +static WERROR ask_forwarder_recv( + struct tevent_req *req, TALLOC_CTX *mem_ctx, + struct dns_res_rec **answers, uint16_t *ancount, + struct dns_res_rec **nsrecs, uint16_t *nscount, + struct dns_res_rec **additional, uint16_t *arcount) +{ + struct ask_forwarder_state *state = tevent_req_data( + req, struct ask_forwarder_state); + struct dns_name_packet *in_packet = state->reply; + WERROR err; + + if (tevent_req_is_werror(req, &err)) { + return err; + } + + *ancount = in_packet->ancount; + *answers = talloc_move(mem_ctx, &in_packet->answers); + + *nscount = in_packet->nscount; + *nsrecs = talloc_move(mem_ctx, &in_packet->nsrecs); + + *arcount = in_packet->arcount; + *additional = talloc_move(mem_ctx, &in_packet->additional); + + return WERR_OK; +} + +static WERROR add_zone_authority_record(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + const struct dns_name_question *question, + struct dns_res_rec **nsrecs) +{ + const char *zone = NULL; + struct dnsp_DnssrvRpcRecord *recs; + struct dns_res_rec *ns = *nsrecs; + uint16_t rec_count; + struct ldb_dn *dn = NULL; + unsigned int ri; + WERROR werror; + + zone = dns_get_authoritative_zone(dns, question->name); + DEBUG(10, ("Creating zone authority record for '%s'\n", zone)); + + werror = dns_name2dn(dns, mem_ctx, zone, &dn); + if (!W_ERROR_IS_OK(werror)) { + return werror; + } + + werror = dns_lookup_records(dns, mem_ctx, dn, &recs, &rec_count); + if (!W_ERROR_IS_OK(werror)) { + return werror; + } + + for (ri = 0; ri < rec_count; ri++) { + if (recs[ri].wType == DNS_TYPE_SOA) { + werror = add_response_rr(zone, &recs[ri], &ns); + if (!W_ERROR_IS_OK(werror)) { + return werror; + } + } + } + + *nsrecs = ns; + + return WERR_OK; +} + +static struct tevent_req *handle_authoritative_send( + TALLOC_CTX *mem_ctx, struct tevent_context *ev, + struct dns_server *dns, const char *forwarder, + struct dns_name_question *question, + struct dns_res_rec **answers, struct dns_res_rec **nsrecs, + size_t cname_depth); +static WERROR handle_authoritative_recv(struct tevent_req *req); + +struct handle_dnsrpcrec_state { + struct dns_res_rec **answers; + struct dns_res_rec **nsrecs; +}; + +static void handle_dnsrpcrec_gotauth(struct tevent_req *subreq); +static void handle_dnsrpcrec_gotforwarded(struct tevent_req *subreq); + +static struct tevent_req *handle_dnsrpcrec_send( + TALLOC_CTX *mem_ctx, struct tevent_context *ev, + struct dns_server *dns, const char *forwarder, + const struct dns_name_question *question, + struct dnsp_DnssrvRpcRecord *rec, + struct dns_res_rec **answers, struct dns_res_rec **nsrecs, + size_t cname_depth) +{ + struct tevent_req *req, *subreq; + struct handle_dnsrpcrec_state *state; + struct dns_name_question *new_q; + bool resolve_cname; + WERROR werr; + + req = tevent_req_create(mem_ctx, &state, + struct handle_dnsrpcrec_state); + if (req == NULL) { + return NULL; + } + state->answers = answers; + state->nsrecs = nsrecs; + + if (cname_depth >= MAX_Q_RECURSION_DEPTH) { + tevent_req_done(req); + return tevent_req_post(req, ev); + } + + resolve_cname = ((rec->wType == DNS_TYPE_CNAME) && + ((question->question_type == DNS_QTYPE_A) || + (question->question_type == DNS_QTYPE_AAAA))); + + if (!resolve_cname) { + if ((question->question_type != DNS_QTYPE_ALL) && + (rec->wType != + (enum dns_record_type) question->question_type)) { + tevent_req_done(req); + return tevent_req_post(req, ev); + } + + werr = add_response_rr(question->name, rec, state->answers); + if (tevent_req_werror(req, werr)) { + return tevent_req_post(req, ev); + } + + tevent_req_done(req); + return tevent_req_post(req, ev); + } + + werr = add_response_rr(question->name, rec, state->answers); + if (tevent_req_werror(req, werr)) { + return tevent_req_post(req, ev); + } + + new_q = talloc(state, struct dns_name_question); + if (tevent_req_nomem(new_q, req)) { + return tevent_req_post(req, ev); + } + + *new_q = (struct dns_name_question) { + .question_type = question->question_type, + .question_class = question->question_class, + .name = rec->data.cname + }; + + if (dns_authoritative_for_zone(dns, new_q->name)) { + subreq = handle_authoritative_send( + state, ev, dns, forwarder, new_q, + state->answers, state->nsrecs, + cname_depth + 1); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, handle_dnsrpcrec_gotauth, req); + return req; + } + + subreq = ask_forwarder_send(state, ev, forwarder, new_q); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, handle_dnsrpcrec_gotforwarded, req); + + return req; +} + +static void handle_dnsrpcrec_gotauth(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + WERROR werr; + + werr = handle_authoritative_recv(subreq); + TALLOC_FREE(subreq); + if (tevent_req_werror(req, werr)) { + return; + } + tevent_req_done(req); +} + +static void handle_dnsrpcrec_gotforwarded(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct handle_dnsrpcrec_state *state = tevent_req_data( + req, struct handle_dnsrpcrec_state); + struct dns_res_rec *answers, *nsrecs, *additional; + uint16_t ancount = 0; + uint16_t nscount = 0; + uint16_t arcount = 0; + uint16_t i; + WERROR werr; + + werr = ask_forwarder_recv(subreq, state, &answers, &ancount, + &nsrecs, &nscount, &additional, &arcount); + if (tevent_req_werror(req, werr)) { + return; + } + + for (i=0; i<ancount; i++) { + werr = add_dns_res_rec(state->answers, &answers[i]); + if (tevent_req_werror(req, werr)) { + return; + } + } + + for (i=0; i<nscount; i++) { + werr = add_dns_res_rec(state->nsrecs, &nsrecs[i]); + if (tevent_req_werror(req, werr)) { + return; + } + } + + tevent_req_done(req); +} + +static WERROR handle_dnsrpcrec_recv(struct tevent_req *req) +{ + return tevent_req_simple_recv_werror(req); +} + +struct handle_authoritative_state { + struct tevent_context *ev; + struct dns_server *dns; + struct dns_name_question *question; + const char *forwarder; + + struct dnsp_DnssrvRpcRecord *recs; + uint16_t rec_count; + uint16_t recs_done; + + struct dns_res_rec **answers; + struct dns_res_rec **nsrecs; + + size_t cname_depth; +}; + +static void handle_authoritative_done(struct tevent_req *subreq); + +static struct tevent_req *handle_authoritative_send( + TALLOC_CTX *mem_ctx, struct tevent_context *ev, + struct dns_server *dns, const char *forwarder, + struct dns_name_question *question, + struct dns_res_rec **answers, struct dns_res_rec **nsrecs, + size_t cname_depth) +{ + struct tevent_req *req, *subreq; + struct handle_authoritative_state *state; + struct ldb_dn *dn = NULL; + WERROR werr; + + req = tevent_req_create(mem_ctx, &state, + struct handle_authoritative_state); + if (req == NULL) { + return NULL; + } + state->ev = ev; + state->dns = dns; + state->question = question; + state->forwarder = forwarder; + state->answers = answers; + state->nsrecs = nsrecs; + state->cname_depth = cname_depth; + + werr = dns_name2dn(dns, state, question->name, &dn); + if (tevent_req_werror(req, werr)) { + return tevent_req_post(req, ev); + } + werr = dns_lookup_records_wildcard(dns, state, dn, &state->recs, + &state->rec_count); + TALLOC_FREE(dn); + if (tevent_req_werror(req, werr)) { + return tevent_req_post(req, ev); + } + + if (state->rec_count == 0) { + tevent_req_werror(req, DNS_ERR(NAME_ERROR)); + return tevent_req_post(req, ev); + } + + subreq = handle_dnsrpcrec_send( + state, state->ev, state->dns, state->forwarder, + state->question, &state->recs[state->recs_done], + state->answers, state->nsrecs, + state->cname_depth); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, handle_authoritative_done, req); + return req; +} + +static void handle_authoritative_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct handle_authoritative_state *state = tevent_req_data( + req, struct handle_authoritative_state); + WERROR werr; + + werr = handle_dnsrpcrec_recv(subreq); + TALLOC_FREE(subreq); + if (tevent_req_werror(req, werr)) { + return; + } + + state->recs_done += 1; + + if (state->recs_done == state->rec_count) { + tevent_req_done(req); + return; + } + + subreq = handle_dnsrpcrec_send( + state, state->ev, state->dns, state->forwarder, + state->question, &state->recs[state->recs_done], + state->answers, state->nsrecs, + state->cname_depth); + if (tevent_req_nomem(subreq, req)) { + return; + } + tevent_req_set_callback(subreq, handle_authoritative_done, req); +} + +static WERROR handle_authoritative_recv(struct tevent_req *req) +{ + WERROR werr; + + if (tevent_req_is_werror(req, &werr)) { + return werr; + } + + return WERR_OK; +} + +static NTSTATUS create_tkey(struct dns_server *dns, + const char* name, + const char* algorithm, + const struct tsocket_address *remote_address, + const struct tsocket_address *local_address, + struct dns_server_tkey **tkey) +{ + NTSTATUS status; + struct dns_server_tkey_store *store = dns->tkeys; + struct dns_server_tkey *k = talloc_zero(store, struct dns_server_tkey); + + if (k == NULL) { + return NT_STATUS_NO_MEMORY; + } + + k->name = talloc_strdup(k, name); + + if (k->name == NULL) { + return NT_STATUS_NO_MEMORY; + } + + k->algorithm = talloc_strdup(k, algorithm); + if (k->algorithm == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* + * We only allow SPNEGO/KRB5 currently + * and rely on the backend to be RPC/IPC free. + * + * It allows gensec_update() not to block. + */ + status = samba_server_gensec_krb5_start(k, + dns->task->event_ctx, + dns->task->msg_ctx, + dns->task->lp_ctx, + dns->server_credentials, + "dns", + &k->gensec); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); + *tkey = NULL; + return status; + } + + gensec_want_feature(k->gensec, GENSEC_FEATURE_SIGN); + + status = gensec_set_remote_address(k->gensec, + remote_address); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to set remote address into GENSEC: %s\n", + nt_errstr(status))); + *tkey = NULL; + return status; + } + + status = gensec_set_local_address(k->gensec, + local_address); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to set local address into GENSEC: %s\n", + nt_errstr(status))); + *tkey = NULL; + return status; + } + + status = gensec_start_mech_by_oid(k->gensec, GENSEC_OID_SPNEGO); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC server code: %s\n", + nt_errstr(status))); + *tkey = NULL; + return status; + } + + TALLOC_FREE(store->tkeys[store->next_idx]); + + store->tkeys[store->next_idx] = k; + (store->next_idx)++; + store->next_idx %= store->size; + + *tkey = k; + return NT_STATUS_OK; +} + +static NTSTATUS accept_gss_ticket(TALLOC_CTX *mem_ctx, + struct dns_server *dns, + struct dns_server_tkey *tkey, + const DATA_BLOB *key, + DATA_BLOB *reply, + uint16_t *dns_auth_error) +{ + NTSTATUS status; + + /* + * We use samba_server_gensec_krb5_start(), + * which only allows SPNEGO/KRB5 currently + * and makes sure the backend to be RPC/IPC free. + * + * See gensec_gssapi_update_internal() as + * GENSEC_SERVER. + * + * It allows gensec_update() not to block. + * + * If that changes in future we need to use + * gensec_update_send/recv here! + */ + status = gensec_update(tkey->gensec, mem_ctx, + *key, reply); + + if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) { + *dns_auth_error = DNS_RCODE_OK; + return status; + } + + if (NT_STATUS_IS_OK(status)) { + + status = gensec_session_info(tkey->gensec, tkey, &tkey->session_info); + if (!NT_STATUS_IS_OK(status)) { + *dns_auth_error = DNS_RCODE_BADKEY; + return status; + } + *dns_auth_error = DNS_RCODE_OK; + } + + return status; +} + +static WERROR handle_tkey(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + const struct dns_name_packet *in, + struct dns_request_state *state, + struct dns_res_rec **answers, + uint16_t *ancount) +{ + struct dns_res_rec *in_tkey = NULL; + struct dns_res_rec *ret_tkey; + uint16_t i; + + for (i = 0; i < in->arcount; i++) { + if (in->additional[i].rr_type == DNS_QTYPE_TKEY) { + in_tkey = &in->additional[i]; + break; + } + } + + /* If this is a TKEY query, it should have a TKEY RR. + * Behaviour is not really specified in RFC 2930 or RFC 3645, but + * FORMAT_ERROR seems to be what BIND uses .*/ + if (in_tkey == NULL) { + return DNS_ERR(FORMAT_ERROR); + } + + ret_tkey = talloc_zero(mem_ctx, struct dns_res_rec); + if (ret_tkey == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + + ret_tkey->name = talloc_strdup(ret_tkey, in_tkey->name); + if (ret_tkey->name == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + + ret_tkey->rr_type = DNS_QTYPE_TKEY; + ret_tkey->rr_class = DNS_QCLASS_ANY; + ret_tkey->length = UINT16_MAX; + + ret_tkey->rdata.tkey_record.algorithm = talloc_strdup(ret_tkey, + in_tkey->rdata.tkey_record.algorithm); + if (ret_tkey->rdata.tkey_record.algorithm == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + + ret_tkey->rdata.tkey_record.inception = in_tkey->rdata.tkey_record.inception; + ret_tkey->rdata.tkey_record.expiration = in_tkey->rdata.tkey_record.expiration; + ret_tkey->rdata.tkey_record.mode = in_tkey->rdata.tkey_record.mode; + + switch (in_tkey->rdata.tkey_record.mode) { + case DNS_TKEY_MODE_DH: + /* FIXME: According to RFC 2930, we MUST support this, but we don't. + * Still, claim it's a bad key instead of a bad mode */ + ret_tkey->rdata.tkey_record.error = DNS_RCODE_BADKEY; + break; + case DNS_TKEY_MODE_GSSAPI: { + NTSTATUS status; + struct dns_server_tkey *tkey; + DATA_BLOB key; + DATA_BLOB reply; + + tkey = dns_find_tkey(dns->tkeys, in->questions[0].name); + if (tkey != NULL && tkey->complete) { + /* TODO: check if the key is still valid */ + DEBUG(1, ("Rejecting tkey negotiation for already established key\n")); + ret_tkey->rdata.tkey_record.error = DNS_RCODE_BADNAME; + break; + } + + if (tkey == NULL) { + status = create_tkey(dns, in->questions[0].name, + in_tkey->rdata.tkey_record.algorithm, + state->remote_address, + state->local_address, + &tkey); + if (!NT_STATUS_IS_OK(status)) { + ret_tkey->rdata.tkey_record.error = DNS_RCODE_BADKEY; + return ntstatus_to_werror(status); + } + } + + key.data = in_tkey->rdata.tkey_record.key_data; + key.length = in_tkey->rdata.tkey_record.key_size; + + status = accept_gss_ticket(ret_tkey, dns, tkey, &key, &reply, + &ret_tkey->rdata.tkey_record.error); + if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + DEBUG(1, ("More processing required\n")); + ret_tkey->rdata.tkey_record.error = DNS_RCODE_BADKEY; + } else if (NT_STATUS_IS_OK(status)) { + DBG_DEBUG("Tkey handshake completed\n"); + ret_tkey->rdata.tkey_record.key_size = reply.length; + ret_tkey->rdata.tkey_record.key_data = talloc_memdup(ret_tkey, + reply.data, + reply.length); + if (ret_tkey->rdata.tkey_record.key_data == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + state->sign = true; + state->key_name = talloc_strdup(state->mem_ctx, tkey->name); + if (state->key_name == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + } else { + DEBUG(1, ("GSS key negotiation returned %s\n", nt_errstr(status))); + ret_tkey->rdata.tkey_record.error = DNS_RCODE_BADKEY; + } + + break; + } + case DNS_TKEY_MODE_DELETE: + /* TODO: implement me */ + DEBUG(1, ("Should delete tkey here\n")); + ret_tkey->rdata.tkey_record.error = DNS_RCODE_OK; + break; + case DNS_TKEY_MODE_NULL: + case DNS_TKEY_MODE_SERVER: + case DNS_TKEY_MODE_CLIENT: + case DNS_TKEY_MODE_LAST: + /* We don't have to implement these, return a mode error */ + ret_tkey->rdata.tkey_record.error = DNS_RCODE_BADMODE; + break; + default: + DEBUG(1, ("Unsupported TKEY mode %d\n", + in_tkey->rdata.tkey_record.mode)); + } + + *answers = ret_tkey; + *ancount = 1; + + return WERR_OK; +} + +struct dns_server_process_query_state { + struct tevent_context *ev; + struct dns_server *dns; + struct dns_name_question *question; + + struct dns_res_rec *answers; + uint16_t ancount; + struct dns_res_rec *nsrecs; + uint16_t nscount; + struct dns_res_rec *additional; + uint16_t arcount; + struct forwarder_string *forwarders; +}; + +static void dns_server_process_query_got_auth(struct tevent_req *subreq); +static void dns_server_process_query_got_response(struct tevent_req *subreq); + +struct tevent_req *dns_server_process_query_send( + TALLOC_CTX *mem_ctx, struct tevent_context *ev, + struct dns_server *dns, struct dns_request_state *req_state, + const struct dns_name_packet *in) +{ + struct tevent_req *req, *subreq; + struct dns_server_process_query_state *state; + const char **forwarders = NULL; + unsigned int i; + + req = tevent_req_create(mem_ctx, &state, + struct dns_server_process_query_state); + if (req == NULL) { + return NULL; + } + if (in->qdcount != 1) { + tevent_req_werror(req, DNS_ERR(FORMAT_ERROR)); + return tevent_req_post(req, ev); + } + + /* Windows returns NOT_IMPLEMENTED on this as well */ + if (in->questions[0].question_class == DNS_QCLASS_NONE) { + tevent_req_werror(req, DNS_ERR(NOT_IMPLEMENTED)); + return tevent_req_post(req, ev); + } + + if (in->questions[0].question_type == DNS_QTYPE_TKEY) { + WERROR err; + + err = handle_tkey(dns, state, in, req_state, + &state->answers, &state->ancount); + if (tevent_req_werror(req, err)) { + return tevent_req_post(req, ev); + } + tevent_req_done(req); + return tevent_req_post(req, ev); + } + + state->dns = dns; + state->ev = ev; + state->question = &in->questions[0]; + + forwarders = lpcfg_dns_forwarder(dns->task->lp_ctx); + for (i = 0; forwarders != NULL && forwarders[i] != NULL; i++) { + struct forwarder_string *f = talloc_zero(state, + struct forwarder_string); + f->forwarder = forwarders[i]; + DLIST_ADD_END(state->forwarders, f); + } + + if (dns_authoritative_for_zone(dns, in->questions[0].name)) { + + req_state->flags |= DNS_FLAG_AUTHORITATIVE; + + /* + * Initialize the response arrays, so that we can use + * them as their own talloc contexts when doing the + * realloc + */ + state->answers = talloc_array(state, struct dns_res_rec, 0); + if (tevent_req_nomem(state->answers, req)) { + return tevent_req_post(req, ev); + } + state->nsrecs = talloc_array(state, struct dns_res_rec, 0); + if (tevent_req_nomem(state->nsrecs, req)) { + return tevent_req_post(req, ev); + } + + subreq = handle_authoritative_send( + state, ev, dns, (forwarders == NULL ? NULL : forwarders[0]), + &in->questions[0], &state->answers, &state->nsrecs, + 0); /* cname_depth */ + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback( + subreq, dns_server_process_query_got_auth, req); + return req; + } + + if ((req_state->flags & DNS_FLAG_RECURSION_DESIRED) && + (req_state->flags & DNS_FLAG_RECURSION_AVAIL)) { + DEBUG(5, ("Not authoritative for '%s', forwarding\n", + in->questions[0].name)); + + subreq = ask_forwarder_send(state, ev, + (forwarders == NULL ? NULL : forwarders[0]), + &in->questions[0]); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback( + subreq, dns_server_process_query_got_response, req); + return req; + } + + tevent_req_werror(req, DNS_ERR(NAME_ERROR)); + return tevent_req_post(req, ev); +} + +static void dns_server_process_query_got_response(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct dns_server_process_query_state *state = tevent_req_data( + req, struct dns_server_process_query_state); + WERROR werr; + + werr = ask_forwarder_recv(subreq, state, + &state->answers, &state->ancount, + &state->nsrecs, &state->nscount, + &state->additional, &state->arcount); + TALLOC_FREE(subreq); + + /* If you get an error, attempt a different forwarder */ + if (!W_ERROR_IS_OK(werr)) { + if (state->forwarders != NULL) { + DLIST_REMOVE(state->forwarders, state->forwarders); + } + + /* If you have run out of forwarders, simply finish */ + if (state->forwarders == NULL) { + tevent_req_werror(req, werr); + return; + } + + DEBUG(5, ("DNS query returned %s, trying another forwarder.\n", + win_errstr(werr))); + subreq = ask_forwarder_send(state, state->ev, + state->forwarders->forwarder, + state->question); + + if (tevent_req_nomem(subreq, req)) { + return; + } + + tevent_req_set_callback(subreq, + dns_server_process_query_got_response, + req); + return; + } + + tevent_req_done(req); +} + +static void dns_server_process_query_got_auth(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct dns_server_process_query_state *state = tevent_req_data( + req, struct dns_server_process_query_state); + WERROR werr; + WERROR werr2; + + werr = handle_authoritative_recv(subreq); + TALLOC_FREE(subreq); + + /* If you get an error, attempt a different forwarder */ + if (!W_ERROR_IS_OK(werr)) { + if (state->forwarders != NULL) { + DLIST_REMOVE(state->forwarders, state->forwarders); + } + + /* If you have run out of forwarders, simply finish */ + if (state->forwarders == NULL) { + werr2 = add_zone_authority_record(state->dns, + state, + state->question, + &state->nsrecs); + if (tevent_req_werror(req, werr2)) { + DBG_WARNING("Failed to add SOA record: %s\n", + win_errstr(werr2)); + return; + } + + state->ancount = talloc_array_length(state->answers); + state->nscount = talloc_array_length(state->nsrecs); + state->arcount = talloc_array_length(state->additional); + + tevent_req_werror(req, werr); + return; + } + + DEBUG(5, ("Error: %s, trying a different forwarder.\n", + win_errstr(werr))); + subreq = handle_authoritative_send(state, state->ev, state->dns, + state->forwarders->forwarder, + state->question, &state->answers, + &state->nsrecs, + 0); /* cname_depth */ + + if (tevent_req_nomem(subreq, req)) { + return; + } + + tevent_req_set_callback(subreq, + dns_server_process_query_got_auth, + req); + return; + } + + werr2 = add_zone_authority_record(state->dns, + state, + state->question, + &state->nsrecs); + if (tevent_req_werror(req, werr2)) { + DBG_WARNING("Failed to add SOA record: %s\n", + win_errstr(werr2)); + return; + } + + state->ancount = talloc_array_length(state->answers); + state->nscount = talloc_array_length(state->nsrecs); + state->arcount = talloc_array_length(state->additional); + + tevent_req_done(req); +} + +WERROR dns_server_process_query_recv( + struct tevent_req *req, TALLOC_CTX *mem_ctx, + struct dns_res_rec **answers, uint16_t *ancount, + struct dns_res_rec **nsrecs, uint16_t *nscount, + struct dns_res_rec **additional, uint16_t *arcount) +{ + struct dns_server_process_query_state *state = tevent_req_data( + req, struct dns_server_process_query_state); + WERROR err = WERR_OK; + + if (tevent_req_is_werror(req, &err)) { + + if ((!W_ERROR_EQUAL(err, DNS_ERR(NAME_ERROR))) && + (!W_ERROR_EQUAL(err, WERR_DNS_ERROR_NAME_DOES_NOT_EXIST))) { + return err; + } + } + *answers = talloc_move(mem_ctx, &state->answers); + *ancount = state->ancount; + *nsrecs = talloc_move(mem_ctx, &state->nsrecs); + *nscount = state->nscount; + *additional = talloc_move(mem_ctx, &state->additional); + *arcount = state->arcount; + return err; +} diff --git a/source4/dns_server/dns_server.c b/source4/dns_server/dns_server.c new file mode 100644 index 0000000..7d0c086 --- /dev/null +++ b/source4/dns_server/dns_server.c @@ -0,0 +1,941 @@ +/* + Unix SMB/CIFS implementation. + + DNS server startup + + Copyright (C) 2010 Kai Blin <kai@samba.org> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "samba/service_task.h" +#include "samba/service.h" +#include "samba/service_stream.h" +#include "samba/process_model.h" +#include "lib/events/events.h" +#include "lib/socket/socket.h" +#include "lib/tsocket/tsocket.h" +#include "libcli/util/tstream.h" +#include "libcli/util/ntstatus.h" +#include "system/network.h" +#include "lib/stream/packet.h" +#include "lib/socket/netif.h" +#include "dns_server/dns_server.h" +#include "param/param.h" +#include "librpc/ndr/libndr.h" +#include "librpc/gen_ndr/ndr_dns.h" +#include "librpc/gen_ndr/ndr_dnsp.h" +#include <ldb.h> +#include "dsdb/samdb/samdb.h" +#include "dsdb/common/util.h" +#include "auth/session.h" +#include "lib/util/dlinklist.h" +#include "lib/util/tevent_werror.h" +#include "auth/auth.h" +#include "auth/credentials/credentials.h" +#include "librpc/gen_ndr/ndr_irpc.h" +#include "lib/messaging/irpc.h" +#include "libds/common/roles.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_DNS + +NTSTATUS server_service_dns_init(TALLOC_CTX *); + +/* hold information about one dns socket */ +struct dns_socket { + struct dns_server *dns; + struct tsocket_address *local_address; +}; + +struct dns_udp_socket { + struct dns_socket *dns_socket; + struct tdgram_context *dgram; + struct tevent_queue *send_queue; +}; + +/* + state of an open tcp connection +*/ +struct dns_tcp_connection { + /* stream connection we belong to */ + struct stream_connection *conn; + + /* the dns_server the connection belongs to */ + struct dns_socket *dns_socket; + + struct tstream_context *tstream; + + struct tevent_queue *send_queue; +}; + +static void dns_tcp_terminate_connection(struct dns_tcp_connection *dnsconn, const char *reason) +{ + stream_terminate_connection(dnsconn->conn, reason); +} + +static void dns_tcp_recv(struct stream_connection *conn, uint16_t flags) +{ + struct dns_tcp_connection *dnsconn = talloc_get_type(conn->private_data, + struct dns_tcp_connection); + /* this should never be triggered! */ + dns_tcp_terminate_connection(dnsconn, "dns_tcp_recv: called"); +} + +static void dns_tcp_send(struct stream_connection *conn, uint16_t flags) +{ + struct dns_tcp_connection *dnsconn = talloc_get_type(conn->private_data, + struct dns_tcp_connection); + /* this should never be triggered! */ + dns_tcp_terminate_connection(dnsconn, "dns_tcp_send: called"); +} + +struct dns_process_state { + DATA_BLOB *in; + struct dns_server *dns; + struct dns_name_packet in_packet; + struct dns_request_state state; + uint16_t dns_err; + struct dns_name_packet out_packet; + DATA_BLOB out; +}; + +static void dns_process_done(struct tevent_req *subreq); + +static struct tevent_req *dns_process_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct dns_server *dns, + const struct tsocket_address *remote_address, + const struct tsocket_address *local_address, + DATA_BLOB *in) +{ + struct tevent_req *req, *subreq; + struct dns_process_state *state; + enum ndr_err_code ndr_err; + WERROR ret; + const char **forwarder = lpcfg_dns_forwarder(dns->task->lp_ctx); + req = tevent_req_create(mem_ctx, &state, struct dns_process_state); + if (req == NULL) { + return NULL; + } + state->state.mem_ctx = state; + state->in = in; + + state->dns = dns; + + if (in->length < 12) { + tevent_req_werror(req, WERR_INVALID_PARAMETER); + return tevent_req_post(req, ev); + } + dump_data_dbgc(DBGC_DNS, 8, in->data, in->length); + + ndr_err = ndr_pull_struct_blob( + in, state, &state->in_packet, + (ndr_pull_flags_fn_t)ndr_pull_dns_name_packet); + + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + state->dns_err = DNS_RCODE_FORMERR; + tevent_req_done(req); + return tevent_req_post(req, ev); + } + if (DEBUGLVLC(DBGC_DNS, 8)) { + NDR_PRINT_DEBUGC(DBGC_DNS, dns_name_packet, &state->in_packet); + } + + if (state->in_packet.operation & DNS_FLAG_REPLY) { + DEBUG(1, ("Won't reply to replies.\n")); + tevent_req_werror(req, WERR_INVALID_PARAMETER); + return tevent_req_post(req, ev); + } + + state->state.flags = state->in_packet.operation; + state->state.flags |= DNS_FLAG_REPLY; + + state->state.local_address = local_address; + state->state.remote_address = remote_address; + + if (forwarder && *forwarder && **forwarder) { + state->state.flags |= DNS_FLAG_RECURSION_AVAIL; + } + + state->out_packet = state->in_packet; + + ret = dns_verify_tsig(dns, state, &state->state, + &state->out_packet, in); + if (!W_ERROR_IS_OK(ret)) { + state->dns_err = werr_to_dns_err(ret); + tevent_req_done(req); + return tevent_req_post(req, ev); + } + + switch (state->in_packet.operation & DNS_OPCODE) { + case DNS_OPCODE_QUERY: + subreq = dns_server_process_query_send( + state, ev, dns, + &state->state, &state->in_packet); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, dns_process_done, req); + return req; + case DNS_OPCODE_UPDATE: + ret = dns_server_process_update( + dns, &state->state, state, &state->in_packet, + &state->out_packet.answers, &state->out_packet.ancount, + &state->out_packet.nsrecs, &state->out_packet.nscount, + &state->out_packet.additional, + &state->out_packet.arcount); + break; + default: + ret = WERR_DNS_ERROR_RCODE_NOT_IMPLEMENTED; + } + if (!W_ERROR_IS_OK(ret)) { + state->dns_err = werr_to_dns_err(ret); + } + tevent_req_done(req); + return tevent_req_post(req, ev); +} + +static void dns_process_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct dns_process_state *state = tevent_req_data( + req, struct dns_process_state); + WERROR ret; + + ret = dns_server_process_query_recv( + subreq, state, + &state->out_packet.answers, &state->out_packet.ancount, + &state->out_packet.nsrecs, &state->out_packet.nscount, + &state->out_packet.additional, &state->out_packet.arcount); + TALLOC_FREE(subreq); + + if (!W_ERROR_IS_OK(ret)) { + state->dns_err = werr_to_dns_err(ret); + } + tevent_req_done(req); +} + +static WERROR dns_process_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + DATA_BLOB *out) +{ + struct dns_process_state *state = tevent_req_data( + req, struct dns_process_state); + enum ndr_err_code ndr_err; + WERROR ret; + + if (tevent_req_is_werror(req, &ret)) { + return ret; + } + if ((state->dns_err != DNS_RCODE_OK) && + (state->dns_err != DNS_RCODE_NXDOMAIN) && + (state->dns_err != DNS_RCODE_NOTAUTH)) + { + goto drop; + } + if (state->dns_err != DNS_RCODE_OK) { + state->out_packet.operation |= state->dns_err; + } + state->out_packet.operation |= state->state.flags; + + if (state->state.sign) { + ret = dns_sign_tsig(state->dns, mem_ctx, &state->state, + &state->out_packet, 0); + if (!W_ERROR_IS_OK(ret)) { + state->dns_err = DNS_RCODE_SERVFAIL; + goto drop; + } + } + + if (DEBUGLVLC(DBGC_DNS, 8)) { + NDR_PRINT_DEBUGC(DBGC_DNS, dns_name_packet, &state->out_packet); + } + + ndr_err = ndr_push_struct_blob( + out, mem_ctx, &state->out_packet, + (ndr_push_flags_fn_t)ndr_push_dns_name_packet); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(1, ("Failed to push packet: %s!\n", + ndr_errstr(ndr_err))); + state->dns_err = DNS_RCODE_SERVFAIL; + goto drop; + } + return WERR_OK; + +drop: + *out = data_blob_talloc(mem_ctx, state->in->data, state->in->length); + if (out->data == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + out->data[2] |= 0x80; /* Toggle DNS_FLAG_REPLY */ + out->data[3] |= state->dns_err; + return WERR_OK; +} + +struct dns_tcp_call { + struct dns_tcp_connection *dns_conn; + DATA_BLOB in; + DATA_BLOB out; + uint8_t out_hdr[4]; + struct iovec out_iov[2]; +}; + +static void dns_tcp_call_process_done(struct tevent_req *subreq); +static void dns_tcp_call_writev_done(struct tevent_req *subreq); + +static void dns_tcp_call_loop(struct tevent_req *subreq) +{ + struct dns_tcp_connection *dns_conn = tevent_req_callback_data(subreq, + struct dns_tcp_connection); + struct dns_server *dns = dns_conn->dns_socket->dns; + struct dns_tcp_call *call; + NTSTATUS status; + + call = talloc(dns_conn, struct dns_tcp_call); + if (call == NULL) { + dns_tcp_terminate_connection(dns_conn, "dns_tcp_call_loop: " + "no memory for dns_tcp_call"); + return; + } + call->dns_conn = dns_conn; + + status = tstream_read_pdu_blob_recv(subreq, + call, + &call->in); + TALLOC_FREE(subreq); + if (!NT_STATUS_IS_OK(status)) { + const char *reason; + + reason = talloc_asprintf(call, "dns_tcp_call_loop: " + "tstream_read_pdu_blob_recv() - %s", + nt_errstr(status)); + if (!reason) { + reason = nt_errstr(status); + } + + dns_tcp_terminate_connection(dns_conn, reason); + return; + } + + DEBUG(10,("Received DNS TCP packet of length %lu from %s\n", + (long) call->in.length, + tsocket_address_string(dns_conn->conn->remote_address, call))); + + /* skip length header */ + call->in.data += 2; + call->in.length -= 2; + + subreq = dns_process_send(call, dns->task->event_ctx, dns, + dns_conn->conn->remote_address, + dns_conn->conn->local_address, + &call->in); + if (subreq == NULL) { + dns_tcp_terminate_connection( + dns_conn, "dns_tcp_call_loop: dns_process_send " + "failed\n"); + return; + } + tevent_req_set_callback(subreq, dns_tcp_call_process_done, call); + + /* + * The dns tcp pdu's has the length as 2 byte (initial_read_size), + * packet_full_request_u16 provides the pdu length then. + */ + subreq = tstream_read_pdu_blob_send(dns_conn, + dns_conn->conn->event.ctx, + dns_conn->tstream, + 2, /* initial_read_size */ + packet_full_request_u16, + dns_conn); + if (subreq == NULL) { + dns_tcp_terminate_connection(dns_conn, "dns_tcp_call_loop: " + "no memory for tstream_read_pdu_blob_send"); + return; + } + tevent_req_set_callback(subreq, dns_tcp_call_loop, dns_conn); +} + +static void dns_tcp_call_process_done(struct tevent_req *subreq) +{ + struct dns_tcp_call *call = tevent_req_callback_data(subreq, + struct dns_tcp_call); + struct dns_tcp_connection *dns_conn = call->dns_conn; + WERROR err; + + err = dns_process_recv(subreq, call, &call->out); + TALLOC_FREE(subreq); + if (!W_ERROR_IS_OK(err)) { + DEBUG(1, ("dns_process returned %s\n", win_errstr(err))); + dns_tcp_terminate_connection(dns_conn, + "dns_tcp_call_loop: process function failed"); + return; + } + + /* First add the length of the out buffer */ + RSSVAL(call->out_hdr, 0, call->out.length); + call->out_iov[0].iov_base = (char *) call->out_hdr; + call->out_iov[0].iov_len = 2; + + call->out_iov[1].iov_base = (char *) call->out.data; + call->out_iov[1].iov_len = call->out.length; + + subreq = tstream_writev_queue_send(call, + dns_conn->conn->event.ctx, + dns_conn->tstream, + dns_conn->send_queue, + call->out_iov, 2); + if (subreq == NULL) { + dns_tcp_terminate_connection(dns_conn, "dns_tcp_call_loop: " + "no memory for tstream_writev_queue_send"); + return; + } + tevent_req_set_callback(subreq, dns_tcp_call_writev_done, call); +} + +static void dns_tcp_call_writev_done(struct tevent_req *subreq) +{ + struct dns_tcp_call *call = tevent_req_callback_data(subreq, + struct dns_tcp_call); + int sys_errno; + int rc; + + rc = tstream_writev_queue_recv(subreq, &sys_errno); + TALLOC_FREE(subreq); + if (rc == -1) { + const char *reason; + + reason = talloc_asprintf(call, "dns_tcp_call_writev_done: " + "tstream_writev_queue_recv() - %d:%s", + sys_errno, strerror(sys_errno)); + if (!reason) { + reason = "dns_tcp_call_writev_done: tstream_writev_queue_recv() failed"; + } + + dns_tcp_terminate_connection(call->dns_conn, reason); + return; + } + + /* We don't care about errors */ + + talloc_free(call); +} + +/* + called when we get a new connection +*/ +static void dns_tcp_accept(struct stream_connection *conn) +{ + struct dns_socket *dns_socket; + struct dns_tcp_connection *dns_conn; + struct tevent_req *subreq; + int rc; + + dns_conn = talloc_zero(conn, struct dns_tcp_connection); + if (dns_conn == NULL) { + stream_terminate_connection(conn, + "dns_tcp_accept: out of memory"); + return; + } + + dns_conn->send_queue = tevent_queue_create(conn, "dns_tcp_accept"); + if (dns_conn->send_queue == NULL) { + stream_terminate_connection(conn, + "dns_tcp_accept: out of memory"); + return; + } + + dns_socket = talloc_get_type(conn->private_data, struct dns_socket); + + TALLOC_FREE(conn->event.fde); + + rc = tstream_bsd_existing_socket(dns_conn, + socket_get_fd(conn->socket), + &dns_conn->tstream); + if (rc < 0) { + stream_terminate_connection(conn, + "dns_tcp_accept: out of memory"); + return; + } + + dns_conn->conn = conn; + dns_conn->dns_socket = dns_socket; + conn->private_data = dns_conn; + + /* + * The dns tcp pdu's has the length as 2 byte (initial_read_size), + * packet_full_request_u16 provides the pdu length then. + */ + subreq = tstream_read_pdu_blob_send(dns_conn, + dns_conn->conn->event.ctx, + dns_conn->tstream, + 2, /* initial_read_size */ + packet_full_request_u16, + dns_conn); + if (subreq == NULL) { + dns_tcp_terminate_connection(dns_conn, "dns_tcp_accept: " + "no memory for tstream_read_pdu_blob_send"); + return; + } + tevent_req_set_callback(subreq, dns_tcp_call_loop, dns_conn); +} + +static const struct stream_server_ops dns_tcp_stream_ops = { + .name = "dns_tcp", + .accept_connection = dns_tcp_accept, + .recv_handler = dns_tcp_recv, + .send_handler = dns_tcp_send +}; + +struct dns_udp_call { + struct dns_udp_socket *sock; + struct tsocket_address *src; + DATA_BLOB in; + DATA_BLOB out; +}; + +static void dns_udp_call_process_done(struct tevent_req *subreq); +static void dns_udp_call_sendto_done(struct tevent_req *subreq); + +static void dns_udp_call_loop(struct tevent_req *subreq) +{ + struct dns_udp_socket *sock = tevent_req_callback_data(subreq, + struct dns_udp_socket); + struct dns_server *dns = sock->dns_socket->dns; + struct dns_udp_call *call; + uint8_t *buf; + ssize_t len; + int sys_errno; + + call = talloc(sock, struct dns_udp_call); + if (call == NULL) { + talloc_free(call); + goto done; + } + call->sock = sock; + + len = tdgram_recvfrom_recv(subreq, &sys_errno, + call, &buf, &call->src); + TALLOC_FREE(subreq); + if (len == -1) { + talloc_free(call); + goto done; + } + + call->in.data = buf; + call->in.length = len; + + DEBUG(10,("Received DNS UDP packet of length %lu from %s\n", + (long)call->in.length, + tsocket_address_string(call->src, call))); + + subreq = dns_process_send(call, dns->task->event_ctx, dns, + call->src, + sock->dns_socket->local_address, + &call->in); + if (subreq == NULL) { + TALLOC_FREE(call); + goto done; + } + tevent_req_set_callback(subreq, dns_udp_call_process_done, call); + +done: + subreq = tdgram_recvfrom_send(sock, + sock->dns_socket->dns->task->event_ctx, + sock->dgram); + if (subreq == NULL) { + task_server_terminate(sock->dns_socket->dns->task, + "no memory for tdgram_recvfrom_send", + true); + return; + } + tevent_req_set_callback(subreq, dns_udp_call_loop, sock); +} + +static void dns_udp_call_process_done(struct tevent_req *subreq) +{ + struct dns_udp_call *call = tevent_req_callback_data( + subreq, struct dns_udp_call); + struct dns_udp_socket *sock = call->sock; + struct dns_server *dns = sock->dns_socket->dns; + WERROR err; + + err = dns_process_recv(subreq, call, &call->out); + TALLOC_FREE(subreq); + if (!W_ERROR_IS_OK(err)) { + DEBUG(1, ("dns_process returned %s\n", win_errstr(err))); + TALLOC_FREE(call); + return; + } + + subreq = tdgram_sendto_queue_send(call, + dns->task->event_ctx, + sock->dgram, + sock->send_queue, + call->out.data, + call->out.length, + call->src); + if (subreq == NULL) { + talloc_free(call); + return; + } + tevent_req_set_callback(subreq, dns_udp_call_sendto_done, call); + +} +static void dns_udp_call_sendto_done(struct tevent_req *subreq) +{ + struct dns_udp_call *call = tevent_req_callback_data(subreq, + struct dns_udp_call); + int sys_errno; + + tdgram_sendto_queue_recv(subreq, &sys_errno); + + /* We don't care about errors */ + + talloc_free(call); +} + +/* + start listening on the given address +*/ +static NTSTATUS dns_add_socket(struct dns_server *dns, + const struct model_ops *model_ops, + const char *name, + const char *address, + uint16_t port) +{ + struct dns_socket *dns_socket; + struct dns_udp_socket *dns_udp_socket; + struct tevent_req *udpsubreq; + NTSTATUS status; + int ret; + + dns_socket = talloc(dns, struct dns_socket); + NT_STATUS_HAVE_NO_MEMORY(dns_socket); + + dns_socket->dns = dns; + + ret = tsocket_address_inet_from_strings(dns_socket, "ip", + address, port, + &dns_socket->local_address); + if (ret != 0) { + status = map_nt_error_from_unix_common(errno); + return status; + } + + status = stream_setup_socket(dns->task, + dns->task->event_ctx, + dns->task->lp_ctx, + model_ops, + &dns_tcp_stream_ops, + "ip", address, &port, + lpcfg_socket_options(dns->task->lp_ctx), + dns_socket, + dns->task->process_context); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0,("Failed to bind to %s:%u TCP - %s\n", + address, port, nt_errstr(status))); + talloc_free(dns_socket); + return status; + } + + dns_udp_socket = talloc(dns_socket, struct dns_udp_socket); + NT_STATUS_HAVE_NO_MEMORY(dns_udp_socket); + + dns_udp_socket->dns_socket = dns_socket; + + ret = tdgram_inet_udp_socket(dns_socket->local_address, + NULL, + dns_udp_socket, + &dns_udp_socket->dgram); + if (ret != 0) { + status = map_nt_error_from_unix_common(errno); + DEBUG(0,("Failed to bind to %s:%u UDP - %s\n", + address, port, nt_errstr(status))); + return status; + } + + dns_udp_socket->send_queue = tevent_queue_create(dns_udp_socket, + "dns_udp_send_queue"); + NT_STATUS_HAVE_NO_MEMORY(dns_udp_socket->send_queue); + + udpsubreq = tdgram_recvfrom_send(dns_udp_socket, + dns->task->event_ctx, + dns_udp_socket->dgram); + NT_STATUS_HAVE_NO_MEMORY(udpsubreq); + tevent_req_set_callback(udpsubreq, dns_udp_call_loop, dns_udp_socket); + + return NT_STATUS_OK; +} + +/* + setup our listening sockets on the configured network interfaces +*/ +static NTSTATUS dns_startup_interfaces(struct dns_server *dns, + struct interface *ifaces, + const struct model_ops *model_ops) +{ + size_t num_interfaces; + TALLOC_CTX *tmp_ctx = talloc_new(dns); + NTSTATUS status; + int i; + + if (ifaces != NULL) { + num_interfaces = iface_list_count(ifaces); + + for (i=0; i<num_interfaces; i++) { + const char *address = talloc_strdup(tmp_ctx, + iface_list_n_ip(ifaces, i)); + + status = dns_add_socket(dns, model_ops, "dns", address, + lpcfg_dns_port(dns->task->lp_ctx)); + NT_STATUS_NOT_OK_RETURN(status); + } + } else { + size_t num_binds = 0; + char **wcard; + wcard = iface_list_wildcard(tmp_ctx); + if (wcard == NULL) { + DEBUG(0, ("No wildcard address available\n")); + return NT_STATUS_INTERNAL_ERROR; + } + for (i = 0; wcard[i] != NULL; i++) { + status = dns_add_socket(dns, model_ops, "dns", wcard[i], + lpcfg_dns_port(dns->task->lp_ctx)); + if (NT_STATUS_IS_OK(status)) { + num_binds++; + } + } + if (num_binds == 0) { + talloc_free(tmp_ctx); + return NT_STATUS_INVALID_PARAMETER_MIX; + } + } + + talloc_free(tmp_ctx); + + return NT_STATUS_OK; +} + +static struct dns_server_tkey_store *tkey_store_init(TALLOC_CTX *mem_ctx, + uint16_t size) +{ + struct dns_server_tkey_store *buffer = talloc_zero(mem_ctx, + struct dns_server_tkey_store); + + if (buffer == NULL) { + return NULL; + } + + buffer->size = size; + buffer->next_idx = 0; + + buffer->tkeys = talloc_zero_array(buffer, struct dns_server_tkey *, size); + if (buffer->tkeys == NULL) { + TALLOC_FREE(buffer); + } + + return buffer; +} + +static NTSTATUS dns_server_reload_zones(struct dns_server *dns) +{ + NTSTATUS status; + struct dns_server_zone *new_list = NULL; + struct dns_server_zone *old_list = dns->zones; + struct dns_server_zone *old_zone; + status = dns_common_zones(dns->samdb, dns, NULL, &new_list); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + dns->zones = new_list; + while ((old_zone = DLIST_TAIL(old_list)) != NULL) { + DLIST_REMOVE(old_list, old_zone); + talloc_free(old_zone); + } + + return NT_STATUS_OK; +} + +/** + * Called when the internal DNS server should reload the zones from DB, for + * example, when zones are added or deleted through RPC or replicated by + * inbound DRS. + */ +static NTSTATUS dns_reload_zones(struct irpc_message *msg, + struct dnssrv_reload_dns_zones *r) +{ + struct dns_server *dns; + + dns = talloc_get_type(msg->private_data, struct dns_server); + if (dns == NULL) { + r->out.result = NT_STATUS_INTERNAL_ERROR; + return NT_STATUS_INTERNAL_ERROR; + } + + r->out.result = dns_server_reload_zones(dns); + + return NT_STATUS_OK; +} + +static NTSTATUS dns_task_init(struct task_server *task) +{ + struct dns_server *dns; + NTSTATUS status; + struct interface *ifaces = NULL; + int ret; + static const char * const attrs_none[] = { NULL}; + struct ldb_message *dns_acc; + char *hostname_lower; + char *dns_spn; + bool ok; + + switch (lpcfg_server_role(task->lp_ctx)) { + case ROLE_STANDALONE: + task_server_terminate(task, "dns: no DNS required in standalone configuration", false); + return NT_STATUS_INVALID_DOMAIN_ROLE; + case ROLE_DOMAIN_MEMBER: + task_server_terminate(task, "dns: no DNS required in member server configuration", false); + return NT_STATUS_INVALID_DOMAIN_ROLE; + case ROLE_ACTIVE_DIRECTORY_DC: + /* Yes, we want a DNS */ + break; + } + + if (lpcfg_interfaces(task->lp_ctx) && lpcfg_bind_interfaces_only(task->lp_ctx)) { + load_interface_list(task, task->lp_ctx, &ifaces); + + if (iface_list_count(ifaces) == 0) { + task_server_terminate(task, "dns: no network interfaces configured", false); + return NT_STATUS_UNSUCCESSFUL; + } + } + + task_server_set_title(task, "task[dns]"); + + dns = talloc_zero(task, struct dns_server); + if (dns == NULL) { + task_server_terminate(task, "dns: out of memory", true); + return NT_STATUS_NO_MEMORY; + } + + dns->task = task; + + dns->server_credentials = cli_credentials_init(dns); + if (!dns->server_credentials) { + task_server_terminate(task, "Failed to init server credentials\n", true); + return NT_STATUS_UNSUCCESSFUL; + } + + dns->samdb = samdb_connect(dns, + dns->task->event_ctx, + dns->task->lp_ctx, + system_session(dns->task->lp_ctx), + NULL, + 0); + if (!dns->samdb) { + task_server_terminate(task, "dns: samdb_connect failed", true); + return NT_STATUS_UNSUCCESSFUL; + } + + ok = cli_credentials_set_conf(dns->server_credentials, task->lp_ctx); + if (!ok) { + task_server_terminate(task, + "dns: failed to load smb.conf", + true); + return NT_STATUS_UNSUCCESSFUL; + } + + hostname_lower = strlower_talloc(dns, lpcfg_netbios_name(task->lp_ctx)); + dns_spn = talloc_asprintf(dns, "DNS/%s.%s", + hostname_lower, + lpcfg_dnsdomain(task->lp_ctx)); + TALLOC_FREE(hostname_lower); + + ret = dsdb_search_one(dns->samdb, dns, &dns_acc, + ldb_get_default_basedn(dns->samdb), LDB_SCOPE_SUBTREE, + attrs_none, 0, "(servicePrincipalName=%s)", + dns_spn); + if (ret == LDB_SUCCESS) { + TALLOC_FREE(dns_acc); + if (!dns_spn) { + task_server_terminate(task, "dns: talloc_asprintf failed", true); + return NT_STATUS_UNSUCCESSFUL; + } + status = cli_credentials_set_stored_principal(dns->server_credentials, task->lp_ctx, dns_spn); + if (!NT_STATUS_IS_OK(status)) { + task_server_terminate(task, + talloc_asprintf(task, "Failed to obtain server credentials for DNS, " + "despite finding it in the samdb! %s\n", + nt_errstr(status)), + true); + return status; + } + } else { + TALLOC_FREE(dns_spn); + status = cli_credentials_set_machine_account(dns->server_credentials, task->lp_ctx); + if (!NT_STATUS_IS_OK(status)) { + task_server_terminate(task, + talloc_asprintf(task, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", + nt_errstr(status)), + true); + return status; + } + } + + dns->tkeys = tkey_store_init(dns, TKEY_BUFFER_SIZE); + if (!dns->tkeys) { + task_server_terminate(task, "Failed to allocate tkey storage\n", true); + return NT_STATUS_NO_MEMORY; + } + + status = dns_server_reload_zones(dns); + if (!NT_STATUS_IS_OK(status)) { + task_server_terminate(task, "dns: failed to load DNS zones", true); + return status; + } + + status = dns_startup_interfaces(dns, ifaces, task->model_ops); + if (!NT_STATUS_IS_OK(status)) { + task_server_terminate(task, "dns failed to setup interfaces", true); + return status; + } + + /* Setup the IRPC interface and register handlers */ + status = irpc_add_name(task->msg_ctx, "dnssrv"); + if (!NT_STATUS_IS_OK(status)) { + task_server_terminate(task, "dns: failed to register IRPC name", true); + return status; + } + + status = IRPC_REGISTER(task->msg_ctx, irpc, DNSSRV_RELOAD_DNS_ZONES, + dns_reload_zones, dns); + if (!NT_STATUS_IS_OK(status)) { + task_server_terminate(task, "dns: failed to setup reload handler", true); + return status; + } + return NT_STATUS_OK; +} + +NTSTATUS server_service_dns_init(TALLOC_CTX *ctx) +{ + static const struct service_details details = { + .inhibit_fork_on_accept = true, + .inhibit_pre_fork = true, + .task_init = dns_task_init, + .post_fork = NULL + }; + return register_server_service(ctx, "dns", &details); +} diff --git a/source4/dns_server/dns_server.h b/source4/dns_server/dns_server.h new file mode 100644 index 0000000..f4e5a61 --- /dev/null +++ b/source4/dns_server/dns_server.h @@ -0,0 +1,124 @@ +/* + Unix SMB/CIFS implementation. + + DNS structures + + Copyright (C) 2010 Kai Blin <kai@samba.org> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef __DNS_SERVER_H__ +#define __DNS_SERVER_H__ + +#include "librpc/gen_ndr/dns.h" +#include "librpc/gen_ndr/ndr_dnsp.h" +#include "dnsserver_common.h" + +struct tsocket_address; +struct dns_server_tkey { + const char *name; + enum dns_tkey_mode mode; + const char *algorithm; + struct auth_session_info *session_info; + struct gensec_security *gensec; + bool complete; +}; + +#define TKEY_BUFFER_SIZE 128 + +struct dns_server_tkey_store { + struct dns_server_tkey **tkeys; + uint16_t next_idx; + uint16_t size; +}; + +struct dns_server { + struct task_server *task; + struct ldb_context *samdb; + struct dns_server_zone *zones; + struct dns_server_tkey_store *tkeys; + struct cli_credentials *server_credentials; +}; + +struct dns_request_state { + TALLOC_CTX *mem_ctx; + uint16_t flags; + bool authenticated; + bool sign; + char *key_name; + struct dns_res_rec *tsig; + uint16_t tsig_error; + const struct tsocket_address *local_address; + const struct tsocket_address *remote_address; +}; + +struct tevent_req *dns_server_process_query_send( + TALLOC_CTX *mem_ctx, struct tevent_context *ev, + struct dns_server *dns, struct dns_request_state *req_state, + const struct dns_name_packet *in); +WERROR dns_server_process_query_recv( + struct tevent_req *req, TALLOC_CTX *mem_ctx, + struct dns_res_rec **answers, uint16_t *ancount, + struct dns_res_rec **nsrecs, uint16_t *nscount, + struct dns_res_rec **additional, uint16_t *arcount); + +WERROR dns_server_process_update(struct dns_server *dns, + const struct dns_request_state *state, + TALLOC_CTX *mem_ctx, + const struct dns_name_packet *in, + struct dns_res_rec **prereqs, uint16_t *prereq_count, + struct dns_res_rec **updates, uint16_t *update_count, + struct dns_res_rec **additional, uint16_t *arcount); + +bool dns_authoritative_for_zone(struct dns_server *dns, + const char *name); +const char *dns_get_authoritative_zone(struct dns_server *dns, + const char *name); +WERROR dns_lookup_records(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + struct dnsp_DnssrvRpcRecord **records, + uint16_t *rec_count); +WERROR dns_lookup_records_wildcard(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + struct dnsp_DnssrvRpcRecord **records, + uint16_t *rec_count); +WERROR dns_replace_records(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + bool needs_add, + struct dnsp_DnssrvRpcRecord *records, + uint16_t rec_count); +WERROR dns_name2dn(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + const char *name, + struct ldb_dn **_dn); +struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store, + const char *name); +WERROR dns_verify_tsig(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + struct dns_request_state *state, + struct dns_name_packet *packet, + DATA_BLOB *in); +WERROR dns_sign_tsig(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + struct dns_request_state *state, + struct dns_name_packet *packet, + uint16_t error); + +#include "source4/dns_server/dnsserver_common.h" + +#endif /* __DNS_SERVER_H__ */ diff --git a/source4/dns_server/dns_update.c b/source4/dns_server/dns_update.c new file mode 100644 index 0000000..7b87dc6 --- /dev/null +++ b/source4/dns_server/dns_update.c @@ -0,0 +1,867 @@ +/* + Unix SMB/CIFS implementation. + + DNS server handler for update requests + + Copyright (C) 2010 Kai Blin <kai@samba.org> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "libcli/util/ntstatus.h" +#include "librpc/ndr/libndr.h" +#include "librpc/gen_ndr/ndr_dns.h" +#include "librpc/gen_ndr/ndr_dnsp.h" +#include <ldb.h> +#include "param/param.h" +#include "param/loadparm.h" +#include "dsdb/samdb/samdb.h" +#include "dsdb/common/util.h" +#include "samba/service_task.h" +#include "dns_server/dns_server.h" +#include "auth/auth.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_DNS + +static WERROR dns_rr_to_dnsp(TALLOC_CTX *mem_ctx, + const struct dns_res_rec *rrec, + struct dnsp_DnssrvRpcRecord *r, + bool name_is_static); + +static WERROR check_one_prerequisite(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + const struct dns_name_question *zone, + const struct dns_res_rec *pr, + bool *final_result) +{ + bool match; + WERROR werror; + struct ldb_dn *dn; + uint16_t i; + bool found = false; + struct dnsp_DnssrvRpcRecord *rec = NULL; + struct dnsp_DnssrvRpcRecord *ans; + uint16_t acount; + + size_t host_part_len = 0; + + *final_result = true; + + if (pr->ttl != 0) { + return DNS_ERR(FORMAT_ERROR); + } + + match = dns_name_match(zone->name, pr->name, &host_part_len); + if (!match) { + return DNS_ERR(NOTZONE); + } + + werror = dns_name2dn(dns, mem_ctx, pr->name, &dn); + W_ERROR_NOT_OK_RETURN(werror); + + if (pr->rr_class == DNS_QCLASS_ANY) { + + if (pr->length != 0) { + return DNS_ERR(FORMAT_ERROR); + } + + + if (pr->rr_type == DNS_QTYPE_ALL) { + /* + */ + werror = dns_lookup_records(dns, mem_ctx, dn, &ans, &acount); + if (W_ERROR_EQUAL(werror, WERR_DNS_ERROR_NAME_DOES_NOT_EXIST)) { + return DNS_ERR(NAME_ERROR); + } + W_ERROR_NOT_OK_RETURN(werror); + + if (acount == 0) { + return DNS_ERR(NAME_ERROR); + } + } else { + /* + */ + werror = dns_lookup_records(dns, mem_ctx, dn, &ans, &acount); + if (W_ERROR_EQUAL(werror, WERR_DNS_ERROR_NAME_DOES_NOT_EXIST)) { + return DNS_ERR(NXRRSET); + } + if (W_ERROR_EQUAL(werror, DNS_ERR(NAME_ERROR))) { + return DNS_ERR(NXRRSET); + } + W_ERROR_NOT_OK_RETURN(werror); + + for (i = 0; i < acount; i++) { + if (ans[i].wType == (enum dns_record_type) pr->rr_type) { + found = true; + break; + } + } + if (!found) { + return DNS_ERR(NXRRSET); + } + } + + /* + * RFC2136 3.2.5 doesn't actually mention the need to return + * OK here, but otherwise we'd always return a FORMAT_ERROR + * later on. This also matches Microsoft DNS behavior. + */ + return WERR_OK; + } + + if (pr->rr_class == DNS_QCLASS_NONE) { + if (pr->length != 0) { + return DNS_ERR(FORMAT_ERROR); + } + + if (pr->rr_type == DNS_QTYPE_ALL) { + /* + */ + werror = dns_lookup_records(dns, mem_ctx, dn, &ans, &acount); + if (W_ERROR_EQUAL(werror, WERR_OK)) { + return DNS_ERR(YXDOMAIN); + } + } else { + /* + */ + werror = dns_lookup_records(dns, mem_ctx, dn, &ans, &acount); + if (W_ERROR_EQUAL(werror, WERR_DNS_ERROR_NAME_DOES_NOT_EXIST)) { + werror = WERR_OK; + } + if (W_ERROR_EQUAL(werror, DNS_ERR(NAME_ERROR))) { + werror = WERR_OK; + } + + for (i = 0; i < acount; i++) { + if (ans[i].wType == (enum dns_record_type) pr->rr_type) { + found = true; + break; + } + } + if (found) { + return DNS_ERR(YXRRSET); + } + } + + /* + * RFC2136 3.2.5 doesn't actually mention the need to return + * OK here, but otherwise we'd always return a FORMAT_ERROR + * later on. This also matches Microsoft DNS behavior. + */ + return WERR_OK; + } + + if (pr->rr_class != zone->question_class) { + return DNS_ERR(FORMAT_ERROR); + } + + *final_result = false; + + werror = dns_lookup_records(dns, mem_ctx, dn, &ans, &acount); + if (W_ERROR_EQUAL(werror, WERR_DNS_ERROR_NAME_DOES_NOT_EXIST)) { + return DNS_ERR(NXRRSET); + } + if (W_ERROR_EQUAL(werror, DNS_ERR(NAME_ERROR))) { + return DNS_ERR(NXRRSET); + } + W_ERROR_NOT_OK_RETURN(werror); + + rec = talloc_zero(mem_ctx, struct dnsp_DnssrvRpcRecord); + W_ERROR_HAVE_NO_MEMORY(rec); + + werror = dns_rr_to_dnsp(rec, pr, rec, dns_name_is_static(ans, acount)); + W_ERROR_NOT_OK_RETURN(werror); + + for (i = 0; i < acount; i++) { + if (dns_record_match(rec, &ans[i])) { + found = true; + break; + } + } + + if (!found) { + return DNS_ERR(NXRRSET); + } + + return WERR_OK; +} + +static WERROR check_prerequisites(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + const struct dns_name_question *zone, + const struct dns_res_rec *prereqs, uint16_t count) +{ + uint16_t i; + WERROR final_error = WERR_OK; + + for (i = 0; i < count; i++) { + bool final; + WERROR werror; + + werror = check_one_prerequisite(dns, mem_ctx, zone, + &prereqs[i], &final); + if (!W_ERROR_IS_OK(werror)) { + if (final) { + return werror; + } + if (W_ERROR_IS_OK(final_error)) { + final_error = werror; + } + } + } + + if (!W_ERROR_IS_OK(final_error)) { + return final_error; + } + + return WERR_OK; +} + +static WERROR update_prescan(const struct dns_name_question *zone, + const struct dns_res_rec *updates, uint16_t count) +{ + const struct dns_res_rec *r; + uint16_t i; + size_t host_part_len; + bool match; + + for (i = 0; i < count; i++) { + r = &updates[i]; + match = dns_name_match(zone->name, r->name, &host_part_len); + if (!match) { + return DNS_ERR(NOTZONE); + } + if (zone->question_class == r->rr_class) { + if (r->rr_type == DNS_QTYPE_ALL) { + return DNS_ERR(FORMAT_ERROR); + } + if (r->rr_type == DNS_QTYPE_AXFR) { + return DNS_ERR(FORMAT_ERROR); + } + if (r->rr_type == DNS_QTYPE_MAILB) { + return DNS_ERR(FORMAT_ERROR); + } + if (r->rr_type == DNS_QTYPE_MAILA) { + return DNS_ERR(FORMAT_ERROR); + } + } else if (r->rr_class == DNS_QCLASS_ANY) { + if (r->ttl != 0) { + return DNS_ERR(FORMAT_ERROR); + } + if (r->length != 0) { + return DNS_ERR(FORMAT_ERROR); + } + if (r->rr_type == DNS_QTYPE_AXFR) { + return DNS_ERR(FORMAT_ERROR); + } + if (r->rr_type == DNS_QTYPE_MAILB) { + return DNS_ERR(FORMAT_ERROR); + } + if (r->rr_type == DNS_QTYPE_MAILA) { + return DNS_ERR(FORMAT_ERROR); + } + } else if (r->rr_class == DNS_QCLASS_NONE) { + if (r->ttl != 0) { + return DNS_ERR(FORMAT_ERROR); + } + if (r->rr_type == DNS_QTYPE_ALL) { + return DNS_ERR(FORMAT_ERROR); + } + if (r->rr_type == DNS_QTYPE_AXFR) { + return DNS_ERR(FORMAT_ERROR); + } + if (r->rr_type == DNS_QTYPE_MAILB) { + return DNS_ERR(FORMAT_ERROR); + } + if (r->rr_type == DNS_QTYPE_MAILA) { + return DNS_ERR(FORMAT_ERROR); + } + } else { + return DNS_ERR(FORMAT_ERROR); + } + } + return WERR_OK; +} + +static WERROR dns_rr_to_dnsp(TALLOC_CTX *mem_ctx, + const struct dns_res_rec *rrec, + struct dnsp_DnssrvRpcRecord *r, + bool name_is_static) +{ + enum ndr_err_code ndr_err; + + if (rrec->rr_type == DNS_QTYPE_ALL) { + return DNS_ERR(FORMAT_ERROR); + } + + ZERO_STRUCTP(r); + + r->wType = (enum dns_record_type) rrec->rr_type; + r->dwTtlSeconds = rrec->ttl; + r->rank = DNS_RANK_ZONE; + if (name_is_static) { + r->dwTimeStamp = 0; + } else { + r->dwTimeStamp = unix_to_dns_timestamp(time(NULL)); + } + + /* If we get QCLASS_ANY, we're done here */ + if (rrec->rr_class == DNS_QCLASS_ANY) { + goto done; + } + + switch(rrec->rr_type) { + case DNS_QTYPE_A: + r->data.ipv4 = talloc_strdup(mem_ctx, rrec->rdata.ipv4_record); + W_ERROR_HAVE_NO_MEMORY(r->data.ipv4); + break; + case DNS_QTYPE_AAAA: + r->data.ipv6 = talloc_strdup(mem_ctx, rrec->rdata.ipv6_record); + W_ERROR_HAVE_NO_MEMORY(r->data.ipv6); + break; + case DNS_QTYPE_NS: + r->data.ns = talloc_strdup(mem_ctx, rrec->rdata.ns_record); + W_ERROR_HAVE_NO_MEMORY(r->data.ns); + break; + case DNS_QTYPE_CNAME: + r->data.cname = talloc_strdup(mem_ctx, rrec->rdata.cname_record); + W_ERROR_HAVE_NO_MEMORY(r->data.cname); + break; + case DNS_QTYPE_SRV: + r->data.srv.wPriority = rrec->rdata.srv_record.priority; + r->data.srv.wWeight = rrec->rdata.srv_record.weight; + r->data.srv.wPort = rrec->rdata.srv_record.port; + r->data.srv.nameTarget = talloc_strdup(mem_ctx, + rrec->rdata.srv_record.target); + W_ERROR_HAVE_NO_MEMORY(r->data.srv.nameTarget); + break; + case DNS_QTYPE_PTR: + r->data.ptr = talloc_strdup(mem_ctx, rrec->rdata.ptr_record); + W_ERROR_HAVE_NO_MEMORY(r->data.ptr); + break; + case DNS_QTYPE_MX: + r->data.mx.wPriority = rrec->rdata.mx_record.preference; + r->data.mx.nameTarget = talloc_strdup(mem_ctx, + rrec->rdata.mx_record.exchange); + W_ERROR_HAVE_NO_MEMORY(r->data.mx.nameTarget); + break; + case DNS_QTYPE_TXT: + ndr_err = ndr_dnsp_string_list_copy(mem_ctx, + &rrec->rdata.txt_record.txt, + &r->data.txt); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return WERR_NOT_ENOUGH_MEMORY; + } + + break; + default: + DEBUG(0, ("Got a qytpe of %d\n", rrec->rr_type)); + return DNS_ERR(NOT_IMPLEMENTED); + } + +done: + + return WERR_OK; +} + + +static WERROR handle_one_update(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + const struct dns_name_question *zone, + const struct dns_res_rec *update, + const struct dns_server_tkey *tkey) +{ + struct dnsp_DnssrvRpcRecord *recs = NULL; + uint16_t rcount = 0; + struct ldb_dn *dn; + uint16_t i; + uint16_t first = 0; + WERROR werror; + bool tombstoned = false; + bool needs_add = false; + bool name_is_static; + + DEBUG(2, ("Looking at record: \n")); + if (DEBUGLVL(2)) { + NDR_PRINT_DEBUG(dns_res_rec, discard_const(update)); + } + + switch (update->rr_type) { + case DNS_QTYPE_A: + case DNS_QTYPE_NS: + case DNS_QTYPE_CNAME: + case DNS_QTYPE_SOA: + case DNS_QTYPE_PTR: + case DNS_QTYPE_MX: + case DNS_QTYPE_AAAA: + case DNS_QTYPE_SRV: + case DNS_QTYPE_TXT: + case DNS_QTYPE_ALL: + break; + default: + DEBUG(0, ("Can't handle updates of type %u yet\n", + update->rr_type)); + return DNS_ERR(NOT_IMPLEMENTED); + } + + werror = dns_name2dn(dns, mem_ctx, update->name, &dn); + W_ERROR_NOT_OK_RETURN(werror); + + werror = dns_common_lookup(dns->samdb, mem_ctx, dn, + &recs, &rcount, &tombstoned); + if (W_ERROR_EQUAL(werror, WERR_DNS_ERROR_NAME_DOES_NOT_EXIST)) { + needs_add = true; + werror = WERR_OK; + } + W_ERROR_NOT_OK_RETURN(werror); + + if (tombstoned) { + /* + * we need to keep the existing tombstone record + * and ignore it. + * + * There *should* only be a single record of type TOMBSTONE, + * but we don't insist. + */ + if (rcount != 1) { + DBG_WARNING("Tombstoned dnsNode has %u records, " + "expected 1\n", rcount); + if (DEBUGLVL(1)) { + NDR_PRINT_DEBUG(dns_res_rec, discard_const(update)); + } + } + first = rcount; + } + + name_is_static = dns_name_is_static(recs, rcount); + + if (update->rr_class == zone->question_class) { + if (update->rr_type == DNS_QTYPE_CNAME) { + /* + * If there is a record in the directory + * that's not a CNAME, ignore update + */ + for (i = first; i < rcount; i++) { + if (recs[i].wType != DNS_TYPE_CNAME) { + DEBUG(5, ("Skipping update\n")); + return WERR_OK; + } + break; + } + + /* + * There should be no entries besides one CNAME record + * per name, so replace everything with the new CNAME + */ + + rcount = first; + recs = talloc_realloc(mem_ctx, recs, + struct dnsp_DnssrvRpcRecord, rcount + 1); + W_ERROR_HAVE_NO_MEMORY(recs); + + werror = dns_rr_to_dnsp( + recs, update, &recs[rcount], name_is_static); + W_ERROR_NOT_OK_RETURN(werror); + rcount += 1; + + werror = dns_replace_records(dns, mem_ctx, dn, + needs_add, recs, rcount); + W_ERROR_NOT_OK_RETURN(werror); + + return WERR_OK; + } else { + /* + * If there is a CNAME record for this name, + * ignore update + */ + for (i = first; i < rcount; i++) { + if (recs[i].wType == DNS_TYPE_CNAME) { + DEBUG(5, ("Skipping update\n")); + return WERR_OK; + } + } + } + if (update->rr_type == DNS_QTYPE_SOA) { + bool found = false; + + /* + * If the zone has no SOA record?? or update's + * serial number is smaller than existing SOA's, + * ignore update + */ + for (i = first; i < rcount; i++) { + if (recs[i].wType == DNS_TYPE_SOA) { + uint16_t n, o; + + n = update->rdata.soa_record.serial; + o = recs[i].data.soa.serial; + /* + * TODO: Implement RFC 1982 comparison + * logic for RFC2136 + */ + if (n <= o) { + DEBUG(5, ("Skipping update\n")); + return WERR_OK; + } + found = true; + break; + } + } + if (!found) { + DEBUG(5, ("Skipping update\n")); + return WERR_OK; + } + + werror = dns_rr_to_dnsp( + mem_ctx, update, &recs[i], name_is_static); + W_ERROR_NOT_OK_RETURN(werror); + + /* + * There should only be one SOA, which we have already + * found and replaced. We now check for and tombstone + * any others. + */ + for (i++; i < rcount; i++) { + if (recs[i].wType != DNS_TYPE_SOA) { + continue; + } + DBG_ERR("Duplicate SOA records found.\n"); + if (DEBUGLVL(0)) { + NDR_PRINT_DEBUG(dns_res_rec, + discard_const(update)); + } + recs[i] = (struct dnsp_DnssrvRpcRecord) { + .wType = DNS_TYPE_TOMBSTONE, + }; + } + + werror = dns_replace_records(dns, mem_ctx, dn, + needs_add, recs, rcount); + W_ERROR_NOT_OK_RETURN(werror); + + return WERR_OK; + } + /* All but CNAME, SOA */ + recs = talloc_realloc(mem_ctx, recs, + struct dnsp_DnssrvRpcRecord, rcount+1); + W_ERROR_HAVE_NO_MEMORY(recs); + + werror = + dns_rr_to_dnsp(recs, update, &recs[rcount], name_is_static); + W_ERROR_NOT_OK_RETURN(werror); + + for (i = first; i < rcount; i++) { + if (!dns_record_match(&recs[i], &recs[rcount])) { + continue; + } + + recs[i].data = recs[rcount].data; + recs[i].wType = recs[rcount].wType; + recs[i].dwTtlSeconds = recs[rcount].dwTtlSeconds; + recs[i].rank = recs[rcount].rank; + recs[i].dwReserved = 0; + recs[i].flags = 0; + werror = dns_replace_records(dns, mem_ctx, dn, + needs_add, recs, rcount); + W_ERROR_NOT_OK_RETURN(werror); + + return WERR_OK; + } + /* we did not find a matching record. This is new. */ + werror = dns_replace_records(dns, mem_ctx, dn, + needs_add, recs, rcount+1); + W_ERROR_NOT_OK_RETURN(werror); + + return WERR_OK; + } else if (update->rr_class == DNS_QCLASS_ANY) { + /* + * Mass-deleting records by type, which we do by adding a + * tombstone with zero timestamp. dns_replace_records() will + * work out if the node as a whole needs tombstoning. + */ + if (update->rr_type == DNS_QTYPE_ALL) { + if (samba_dns_name_equal(update->name, zone->name)) { + for (i = first; i < rcount; i++) { + + if (recs[i].wType == DNS_TYPE_SOA) { + continue; + } + + if (recs[i].wType == DNS_TYPE_NS) { + continue; + } + + recs[i] = (struct dnsp_DnssrvRpcRecord) { + .wType = DNS_TYPE_TOMBSTONE, + }; + } + + } else { + for (i = first; i < rcount; i++) { + recs[i] = (struct dnsp_DnssrvRpcRecord) { + .wType = DNS_TYPE_TOMBSTONE, + }; + } + } + + } else if (samba_dns_name_equal(update->name, zone->name)) { + + if (update->rr_type == DNS_QTYPE_SOA) { + return WERR_OK; + } + + if (update->rr_type == DNS_QTYPE_NS) { + return WERR_OK; + } + } + for (i = first; i < rcount; i++) { + if (recs[i].wType == (enum dns_record_type) update->rr_type) { + recs[i] = (struct dnsp_DnssrvRpcRecord) { + .wType = DNS_TYPE_TOMBSTONE, + }; + } + } + + werror = dns_replace_records(dns, mem_ctx, dn, + needs_add, recs, rcount); + W_ERROR_NOT_OK_RETURN(werror); + + return WERR_OK; + } else if (update->rr_class == DNS_QCLASS_NONE) { + /* deleting individual records */ + struct dnsp_DnssrvRpcRecord *del_rec; + + if (update->rr_type == DNS_QTYPE_SOA) { + return WERR_OK; + } + if (update->rr_type == DNS_QTYPE_NS) { + bool found = false; + struct dnsp_DnssrvRpcRecord *ns_rec = talloc(mem_ctx, + struct dnsp_DnssrvRpcRecord); + W_ERROR_HAVE_NO_MEMORY(ns_rec); + + werror = dns_rr_to_dnsp( + ns_rec, update, ns_rec, name_is_static); + W_ERROR_NOT_OK_RETURN(werror); + + for (i = first; i < rcount; i++) { + if (dns_record_match(ns_rec, &recs[i])) { + found = true; + break; + } + } + if (found) { + return WERR_OK; + } + } + + del_rec = talloc(mem_ctx, struct dnsp_DnssrvRpcRecord); + W_ERROR_HAVE_NO_MEMORY(del_rec); + + werror = + dns_rr_to_dnsp(del_rec, update, del_rec, name_is_static); + W_ERROR_NOT_OK_RETURN(werror); + + for (i = first; i < rcount; i++) { + if (dns_record_match(del_rec, &recs[i])) { + recs[i] = (struct dnsp_DnssrvRpcRecord) { + .wType = DNS_TYPE_TOMBSTONE, + }; + } + } + + werror = dns_replace_records(dns, mem_ctx, dn, + needs_add, recs, rcount); + W_ERROR_NOT_OK_RETURN(werror); + } + + return WERR_OK; +} + +static WERROR handle_updates(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + const struct dns_name_question *zone, + const struct dns_res_rec *prereqs, uint16_t pcount, + struct dns_res_rec *updates, uint16_t upd_count, + struct dns_server_tkey *tkey) +{ + struct ldb_dn *zone_dn = NULL; + WERROR werror = WERR_OK; + int ret; + uint16_t ri; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + + if (tkey != NULL) { + ret = ldb_set_opaque( + dns->samdb, + DSDB_SESSION_INFO, + tkey->session_info); + if (ret != LDB_SUCCESS) { + DEBUG(1, ("unable to set session info\n")); + werror = DNS_ERR(SERVER_FAILURE); + goto failed; + } + } + + werror = dns_name2dn(dns, tmp_ctx, zone->name, &zone_dn); + W_ERROR_NOT_OK_GOTO(werror, failed); + + ret = ldb_transaction_start(dns->samdb); + if (ret != LDB_SUCCESS) { + werror = DNS_ERR(SERVER_FAILURE); + goto failed; + } + + werror = check_prerequisites(dns, tmp_ctx, zone, prereqs, pcount); + W_ERROR_NOT_OK_GOTO(werror, failed); + + DBG_DEBUG("dns update count is %u\n", upd_count); + + for (ri = 0; ri < upd_count; ri++) { + werror = handle_one_update(dns, tmp_ctx, zone, + &updates[ri], tkey); + W_ERROR_NOT_OK_GOTO(werror, failed); + } + + ldb_transaction_commit(dns->samdb); + TALLOC_FREE(tmp_ctx); + + if (tkey != NULL) { + ldb_set_opaque( + dns->samdb, + DSDB_SESSION_INFO, + system_session(dns->task->lp_ctx)); + } + + return WERR_OK; + +failed: + ldb_transaction_cancel(dns->samdb); + + if (tkey != NULL) { + ldb_set_opaque( + dns->samdb, + DSDB_SESSION_INFO, + system_session(dns->task->lp_ctx)); + } + + TALLOC_FREE(tmp_ctx); + return werror; + +} + +static WERROR dns_update_allowed(struct dns_server *dns, + const struct dns_request_state *state, + struct dns_server_tkey **tkey) +{ + if (lpcfg_allow_dns_updates(dns->task->lp_ctx) == DNS_UPDATE_ON) { + DEBUG(2, ("All updates allowed.\n")); + return WERR_OK; + } + + if (lpcfg_allow_dns_updates(dns->task->lp_ctx) == DNS_UPDATE_OFF) { + DEBUG(2, ("Updates disabled.\n")); + return DNS_ERR(REFUSED); + } + + if (state->authenticated == false ) { + DEBUG(2, ("Update not allowed for unsigned packet.\n")); + return DNS_ERR(REFUSED); + } + + *tkey = dns_find_tkey(dns->tkeys, state->key_name); + if (*tkey == NULL) { + DEBUG(0, ("Authenticated, but key not found. Something is wrong.\n")); + return DNS_ERR(REFUSED); + } + + return WERR_OK; +} + + +WERROR dns_server_process_update(struct dns_server *dns, + const struct dns_request_state *state, + TALLOC_CTX *mem_ctx, + const struct dns_name_packet *in, + struct dns_res_rec **prereqs, uint16_t *prereq_count, + struct dns_res_rec **updates, uint16_t *update_count, + struct dns_res_rec **additional, uint16_t *arcount) +{ + struct dns_name_question *zone; + const struct dns_server_zone *z; + size_t host_part_len = 0; + WERROR werror = DNS_ERR(NOT_IMPLEMENTED); + struct dns_server_tkey *tkey = NULL; + + if (in->qdcount != 1) { + return DNS_ERR(FORMAT_ERROR); + } + + zone = &in->questions[0]; + + if (zone->question_class != DNS_QCLASS_IN && + zone->question_class != DNS_QCLASS_ANY) { + return DNS_ERR(NOT_IMPLEMENTED); + } + + if (zone->question_type != DNS_QTYPE_SOA) { + return DNS_ERR(FORMAT_ERROR); + } + + DEBUG(2, ("Got a dns update request.\n")); + + for (z = dns->zones; z != NULL; z = z->next) { + bool match; + + match = dns_name_match(z->name, zone->name, &host_part_len); + if (match) { + break; + } + } + + if (z == NULL) { + DEBUG(1, ("We're not authoritative for this zone\n")); + return DNS_ERR(NOTAUTH); + } + + if (host_part_len != 0) { + /* TODO: We need to delegate this one */ + DEBUG(1, ("Would have to delegate zone '%s'.\n", zone->name)); + return DNS_ERR(NOT_IMPLEMENTED); + } + + *prereq_count = in->ancount; + *prereqs = in->answers; + werror = check_prerequisites(dns, mem_ctx, in->questions, *prereqs, + *prereq_count); + W_ERROR_NOT_OK_RETURN(werror); + + werror = dns_update_allowed(dns, state, &tkey); + if (!W_ERROR_IS_OK(werror)) { + return werror; + } + + *update_count = in->nscount; + *updates = in->nsrecs; + werror = update_prescan(in->questions, *updates, *update_count); + W_ERROR_NOT_OK_RETURN(werror); + + werror = handle_updates(dns, mem_ctx, in->questions, *prereqs, + *prereq_count, *updates, *update_count, tkey); + W_ERROR_NOT_OK_RETURN(werror); + + return werror; +} diff --git a/source4/dns_server/dns_utils.c b/source4/dns_server/dns_utils.c new file mode 100644 index 0000000..d0661f3 --- /dev/null +++ b/source4/dns_server/dns_utils.c @@ -0,0 +1,130 @@ +/* + Unix SMB/CIFS implementation. + + DNS server utils + + Copyright (C) 2010 Kai Blin <kai@samba.org> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "libcli/util/ntstatus.h" +#include "libcli/util/werror.h" +#include "librpc/ndr/libndr.h" +#include "librpc/gen_ndr/ndr_dns.h" +#include "librpc/gen_ndr/ndr_dnsp.h" +#include <ldb.h> +#include "dsdb/samdb/samdb.h" +#include "dsdb/common/util.h" +#include "dns_server/dns_server.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_DNS + + +/* + * Lookup a DNS record, performing an exact match. + * i.e. DNS wild card records are not considered. + */ +WERROR dns_lookup_records(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + struct dnsp_DnssrvRpcRecord **records, + uint16_t *rec_count) +{ + return dns_common_lookup(dns->samdb, mem_ctx, dn, + records, rec_count, NULL); +} + +/* + * Lookup a DNS record, will match DNS wild card records if an exact match + * is not found. + */ +WERROR dns_lookup_records_wildcard(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + struct dnsp_DnssrvRpcRecord **records, + uint16_t *rec_count) +{ + return dns_common_wildcard_lookup(dns->samdb, mem_ctx, dn, + records, rec_count); +} + +WERROR dns_replace_records(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + bool needs_add, + struct dnsp_DnssrvRpcRecord *records, + uint16_t rec_count) +{ + /* TODO: Autogenerate this somehow */ + uint32_t dwSerial = 110; + return dns_common_replace(dns->samdb, mem_ctx, dn, + needs_add, dwSerial, records, rec_count); +} + +bool dns_authoritative_for_zone(struct dns_server *dns, + const char *name) +{ + const struct dns_server_zone *z; + size_t host_part_len = 0; + + if (name == NULL) { + return false; + } + + if (strcmp(name, "") == 0) { + return true; + } + for (z = dns->zones; z != NULL; z = z->next) { + bool match; + + match = dns_name_match(z->name, name, &host_part_len); + if (match) { + break; + } + } + if (z == NULL) { + return false; + } + + return true; +} + +const char *dns_get_authoritative_zone(struct dns_server *dns, + const char *name) +{ + const struct dns_server_zone *z; + size_t host_part_len = 0; + + for (z = dns->zones; z != NULL; z = z->next) { + bool match; + match = dns_name_match(z->name, name, &host_part_len); + if (match) { + return z->name; + } + } + return NULL; +} + +WERROR dns_name2dn(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + const char *name, + struct ldb_dn **dn) +{ + return dns_common_name2dn(dns->samdb, dns->zones, + mem_ctx, name, dn); +} + diff --git a/source4/dns_server/dnsserver_common.c b/source4/dns_server/dnsserver_common.c new file mode 100644 index 0000000..0481b07 --- /dev/null +++ b/source4/dns_server/dnsserver_common.c @@ -0,0 +1,1589 @@ +/* + Unix SMB/CIFS implementation. + + DNS server utils + + Copyright (C) 2010 Kai Blin + Copyright (C) 2014 Stefan Metzmacher + Copyright (C) 2015 Andrew Bartlett + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "libcli/util/ntstatus.h" +#include "libcli/util/werror.h" +#include "librpc/ndr/libndr.h" +#include "librpc/gen_ndr/ndr_dns.h" +#include "librpc/gen_ndr/ndr_dnsp.h" +#include <ldb.h> +#include "dsdb/samdb/samdb.h" +#include "dsdb/common/util.h" +#include "dns_server/dnsserver_common.h" +#include "rpc_server/dnsserver/dnsserver.h" +#include "lib/util/dlinklist.h" +#include "system/network.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_DNS + +#undef strncasecmp + +uint8_t werr_to_dns_err(WERROR werr) +{ + if (W_ERROR_EQUAL(WERR_OK, werr)) { + return DNS_RCODE_OK; + } else if (W_ERROR_EQUAL(DNS_ERR(FORMAT_ERROR), werr)) { + return DNS_RCODE_FORMERR; + } else if (W_ERROR_EQUAL(DNS_ERR(SERVER_FAILURE), werr)) { + return DNS_RCODE_SERVFAIL; + } else if (W_ERROR_EQUAL(DNS_ERR(NAME_ERROR), werr)) { + return DNS_RCODE_NXDOMAIN; + } else if (W_ERROR_EQUAL(WERR_DNS_ERROR_NAME_DOES_NOT_EXIST, werr)) { + return DNS_RCODE_NXDOMAIN; + } else if (W_ERROR_EQUAL(DNS_ERR(NOT_IMPLEMENTED), werr)) { + return DNS_RCODE_NOTIMP; + } else if (W_ERROR_EQUAL(DNS_ERR(REFUSED), werr)) { + return DNS_RCODE_REFUSED; + } else if (W_ERROR_EQUAL(DNS_ERR(YXDOMAIN), werr)) { + return DNS_RCODE_YXDOMAIN; + } else if (W_ERROR_EQUAL(DNS_ERR(YXRRSET), werr)) { + return DNS_RCODE_YXRRSET; + } else if (W_ERROR_EQUAL(DNS_ERR(NXRRSET), werr)) { + return DNS_RCODE_NXRRSET; + } else if (W_ERROR_EQUAL(DNS_ERR(NOTAUTH), werr)) { + return DNS_RCODE_NOTAUTH; + } else if (W_ERROR_EQUAL(DNS_ERR(NOTZONE), werr)) { + return DNS_RCODE_NOTZONE; + } else if (W_ERROR_EQUAL(DNS_ERR(BADKEY), werr)) { + return DNS_RCODE_BADKEY; + } + DEBUG(5, ("No mapping exists for %s\n", win_errstr(werr))); + return DNS_RCODE_SERVFAIL; +} + +WERROR dns_common_extract(struct ldb_context *samdb, + const struct ldb_message_element *el, + TALLOC_CTX *mem_ctx, + struct dnsp_DnssrvRpcRecord **records, + uint16_t *num_records) +{ + uint16_t ri; + struct dnsp_DnssrvRpcRecord *recs; + + *records = NULL; + *num_records = 0; + + recs = talloc_zero_array(mem_ctx, struct dnsp_DnssrvRpcRecord, + el->num_values); + if (recs == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + for (ri = 0; ri < el->num_values; ri++) { + bool am_rodc; + int ret; + const char *dnsHostName = NULL; + struct ldb_val *v = &el->values[ri]; + enum ndr_err_code ndr_err; + ndr_err = ndr_pull_struct_blob(v, recs, &recs[ri], + (ndr_pull_flags_fn_t)ndr_pull_dnsp_DnssrvRpcRecord); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + TALLOC_FREE(recs); + DEBUG(0, ("Failed to grab dnsp_DnssrvRpcRecord\n")); + return DNS_ERR(SERVER_FAILURE); + } + + /* + * In AD, except on an RODC (where we should list a random RWDC, + * we should over-stamp the MNAME with our own hostname + */ + if (recs[ri].wType != DNS_TYPE_SOA) { + continue; + } + + ret = samdb_rodc(samdb, &am_rodc); + if (ret != LDB_SUCCESS) { + DEBUG(0, ("Failed to confirm we are not an RODC: %s\n", + ldb_errstring(samdb))); + return DNS_ERR(SERVER_FAILURE); + } + + if (am_rodc) { + continue; + } + + ret = samdb_dns_host_name(samdb, &dnsHostName); + if (ret != LDB_SUCCESS || dnsHostName == NULL) { + DEBUG(0, ("Failed to get dnsHostName from rootDSE")); + return DNS_ERR(SERVER_FAILURE); + } + + recs[ri].data.soa.mname = talloc_strdup(recs, dnsHostName); + } + + *records = recs; + *num_records = el->num_values; + return WERR_OK; +} + +/* + * Lookup a DNS record, performing an exact match. + * i.e. DNS wild card records are not considered. + */ +WERROR dns_common_lookup(struct ldb_context *samdb, + TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + struct dnsp_DnssrvRpcRecord **records, + uint16_t *num_records, + bool *tombstoned) +{ + const struct timeval start = timeval_current(); + static const char * const attrs[] = { + "dnsRecord", + "dNSTombstoned", + NULL + }; + int ret; + WERROR werr = WERR_OK; + struct ldb_message *msg = NULL; + struct ldb_message_element *el; + + *records = NULL; + *num_records = 0; + + if (tombstoned != NULL) { + *tombstoned = false; + ret = dsdb_search_one(samdb, mem_ctx, &msg, dn, + LDB_SCOPE_BASE, attrs, 0, + "(objectClass=dnsNode)"); + } else { + ret = dsdb_search_one(samdb, mem_ctx, &msg, dn, + LDB_SCOPE_BASE, attrs, 0, + "(&(objectClass=dnsNode)(!(dNSTombstoned=TRUE)))"); + } + if (ret == LDB_ERR_NO_SUCH_OBJECT) { + werr = WERR_DNS_ERROR_NAME_DOES_NOT_EXIST; + goto exit; + } + if (ret != LDB_SUCCESS) { + /* TODO: we need to check if there's a glue record we need to + * create a referral to */ + werr = DNS_ERR(NAME_ERROR); + goto exit; + } + + if (tombstoned != NULL) { + *tombstoned = ldb_msg_find_attr_as_bool(msg, + "dNSTombstoned", false); + } + + el = ldb_msg_find_element(msg, "dnsRecord"); + if (el == NULL) { + TALLOC_FREE(msg); + /* + * records produced by older Samba releases + * keep dnsNode objects without dnsRecord and + * without setting dNSTombstoned=TRUE. + * + * We just pretend they're tombstones. + */ + if (tombstoned != NULL) { + struct dnsp_DnssrvRpcRecord *recs; + recs = talloc_array(mem_ctx, + struct dnsp_DnssrvRpcRecord, + 1); + if (recs == NULL) { + werr = WERR_NOT_ENOUGH_MEMORY; + goto exit; + } + recs[0] = (struct dnsp_DnssrvRpcRecord) { + .wType = DNS_TYPE_TOMBSTONE, + /* + * A value of timestamp != 0 + * indicated that the object was already + * a tombstone, this will be used + * in dns_common_replace() + */ + .data.EntombedTime = 1, + }; + + *tombstoned = true; + *records = recs; + *num_records = 1; + werr = WERR_OK; + goto exit; + } else { + /* + * Because we are not looking for a tombstone + * in this codepath, we just pretend it does + * not exist at all. + */ + werr = WERR_DNS_ERROR_NAME_DOES_NOT_EXIST; + goto exit; + } + } + + werr = dns_common_extract(samdb, el, mem_ctx, records, num_records); + TALLOC_FREE(msg); + if (!W_ERROR_IS_OK(werr)) { + goto exit; + } + + werr = WERR_OK; +exit: + DNS_COMMON_LOG_OPERATION( + win_errstr(werr), + &start, + NULL, + dn == NULL ? NULL : ldb_dn_get_linearized(dn), + NULL); + return werr; +} + +/* + * Build an ldb_parse_tree node for an equality check + * + * Note: name is assumed to have been validated by dns_name_check + * so will be zero terminated and of a reasonable size. + */ +static struct ldb_parse_tree *build_equality_operation( + TALLOC_CTX *mem_ctx, + bool add_asterix, /* prepend an '*' to the name */ + const uint8_t *name, /* the value being matched */ + const char *attr, /* the attribute to check name against */ + size_t size) /* length of name */ +{ + + struct ldb_parse_tree *el = NULL; /* Equality node being built */ + struct ldb_val *value = NULL; /* Value the attr will be compared + with */ + size_t length = 0; /* calculated length of the value + including option '*' prefix and + '\0' string terminator */ + + el = talloc(mem_ctx, struct ldb_parse_tree); + if (el == NULL) { + DBG_ERR("Unable to allocate ldb_parse_tree\n"); + return NULL; + } + + el->operation = LDB_OP_EQUALITY; + el->u.equality.attr = talloc_strdup(mem_ctx, attr); + value = &el->u.equality.value; + length = (add_asterix) ? size + 2 : size + 1; + value->data = talloc_zero_array(el, uint8_t, length); + if (value->data == NULL) { + DBG_ERR("Unable to allocate value->data\n"); + TALLOC_FREE(el); + return NULL; + } + + value->length = length; + if (add_asterix) { + value->data[0] = '*'; + if (name != NULL) { + memcpy(&value->data[1], name, size); + } + } else if (name != NULL) { + memcpy(value->data, name, size); + } + return el; +} + +/* + * Determine the number of levels in name + * essentially the number of '.'s in the name + 1 + * + * name is assumed to have been validated by dns_name_check + */ +static unsigned int number_of_labels(const struct ldb_val *name) { + int x = 0; + unsigned int labels = 1; + for (x = 0; x < name->length; x++) { + if (name->data[x] == '.') { + labels++; + } + } + return labels; +} +/* + * Build a query that matches the target name, and any possible + * DNS wild card entries + * + * Builds a parse tree equivalent to the example query. + * + * x.y.z -> (|(name=x.y.z)(name=\2a.y.z)(name=\2a.z)(name=\2a)) + * + * The attribute 'name' is used as this is what the LDB index is on + * (the RDN, being 'dc' in this use case, does not have an index in + * the AD schema). + * + * Returns NULL if unable to build the query. + * + * The first component of the DN is assumed to be the name being looked up + * and also that it has been validated by dns_name_check + * + */ +#define BASE "(&(objectClass=dnsNode)(!(dNSTombstoned=TRUE))(|(a=b)(c=d)))" +static struct ldb_parse_tree *build_wildcard_query( + TALLOC_CTX *mem_ctx, + struct ldb_dn *dn) +{ + const struct ldb_val *name = NULL; /* The DNS name being + queried */ + const char *attr = "name"; /* The attribute name */ + struct ldb_parse_tree *query = NULL; /* The constructed query + parse tree*/ + struct ldb_parse_tree *wildcard_query = NULL; /* The parse tree for the + name and wild card + entries */ + int labels = 0; /* The number of labels in the name */ + + name = ldb_dn_get_rdn_val(dn); + if (name == NULL) { + DBG_ERR("Unable to get domain name value\n"); + return NULL; + } + labels = number_of_labels(name); + + query = ldb_parse_tree(mem_ctx, BASE); + if (query == NULL) { + DBG_ERR("Unable to parse query %s\n", BASE); + return NULL; + } + + /* + * The 3rd element of BASE is a place holder which is replaced with + * the actual wild card query + */ + wildcard_query = query->u.list.elements[2]; + TALLOC_FREE(wildcard_query->u.list.elements); + + wildcard_query->u.list.num_elements = labels + 1; + wildcard_query->u.list.elements = talloc_array( + wildcard_query, + struct ldb_parse_tree *, + labels + 1); + /* + * Build the wild card query + */ + { + int x = 0; /* current character in the name */ + int l = 0; /* current equality operator index in elements */ + struct ldb_parse_tree *el = NULL; /* Equality operator being + built */ + bool add_asterix = true; /* prepend an '*' to the value */ + for (l = 0, x = 0; l < labels && x < name->length; l++) { + unsigned int size = name->length - x; + add_asterix = (name->data[x] == '.'); + el = build_equality_operation( + mem_ctx, + add_asterix, + &name->data[x], + attr, + size); + if (el == NULL) { + return NULL; /* Reason will have been logged */ + } + wildcard_query->u.list.elements[l] = el; + + /* skip to the start of the next label */ + x++; + for (;x < name->length && name->data[x] != '.'; x++); + } + + /* Add the base level "*" only query */ + el = build_equality_operation(mem_ctx, true, NULL, attr, 0); + if (el == NULL) { + TALLOC_FREE(query); + return NULL; /* Reason will have been logged */ + } + wildcard_query->u.list.elements[l] = el; + } + return query; +} + +/* + * Scan the list of records matching a dns wildcard query and return the + * best match. + * + * The best match is either an exact name match, or the longest wild card + * entry returned + * + * i.e. name = a.b.c candidates *.b.c, *.c, - *.b.c would be selected + * name = a.b.c candidates a.b.c, *.b.c, *.c - a.b.c would be selected + */ +static struct ldb_message *get_best_match(struct ldb_dn *dn, + struct ldb_result *result) +{ + int matched = 0; /* Index of the current best match in result */ + size_t length = 0; /* The length of the current candidate */ + const struct ldb_val *target = NULL; /* value we're looking for */ + const struct ldb_val *candidate = NULL; /* current candidate value */ + int x = 0; + + target = ldb_dn_get_rdn_val(dn); + for(x = 0; x < result->count; x++) { + candidate = ldb_dn_get_rdn_val(result->msgs[x]->dn); + if (strncasecmp((char *) target->data, + (char *) candidate->data, + target->length) == 0) { + /* Exact match stop searching and return */ + return result->msgs[x]; + } + if (candidate->length > length) { + matched = x; + length = candidate->length; + } + } + return result->msgs[matched]; +} + +/* + * Look up a DNS entry, if an exact match does not exist, return the + * closest matching DNS wildcard entry if available + * + * Returns: LDB_ERR_NO_SUCH_OBJECT If no matching record exists + * LDB_ERR_OPERATIONS_ERROR If the query fails + * LDB_SUCCESS If a matching record was retrieved + * + */ +static int dns_wildcard_lookup(struct ldb_context *samdb, + TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + struct ldb_message **msg) +{ + static const char * const attrs[] = { + "dnsRecord", + "dNSTombstoned", + NULL + }; + struct ldb_dn *parent = NULL; /* The parent dn */ + struct ldb_result *result = NULL; /* Results of the search */ + int ret; /* Return code */ + struct ldb_parse_tree *query = NULL; /* The query to run */ + struct ldb_request *request = NULL; /* LDB request for the query op */ + struct ldb_message *match = NULL; /* the best matching DNS record */ + TALLOC_CTX *frame = talloc_stackframe(); + + parent = ldb_dn_get_parent(frame, dn); + if (parent == NULL) { + DBG_ERR("Unable to extract parent from dn\n"); + TALLOC_FREE(frame); + return LDB_ERR_OPERATIONS_ERROR; + } + + query = build_wildcard_query(frame, dn); + if (query == NULL) { + TALLOC_FREE(frame); + return LDB_ERR_OPERATIONS_ERROR; + } + + result = talloc_zero(mem_ctx, struct ldb_result); + if (result == NULL) { + TALLOC_FREE(frame); + DBG_ERR("Unable to allocate ldb_result\n"); + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = ldb_build_search_req_ex(&request, + samdb, + frame, + parent, + LDB_SCOPE_SUBTREE, + query, + attrs, + NULL, + result, + ldb_search_default_callback, + NULL); + if (ret != LDB_SUCCESS) { + TALLOC_FREE(frame); + DBG_ERR("ldb_build_search_req_ex returned %d\n", ret); + return ret; + } + + ret = ldb_request(samdb, request); + if (ret != LDB_SUCCESS) { + TALLOC_FREE(frame); + return ret; + } + + ret = ldb_wait(request->handle, LDB_WAIT_ALL); + if (ret != LDB_SUCCESS) { + TALLOC_FREE(frame); + return ret; + } + + if (result->count == 0) { + TALLOC_FREE(frame); + return LDB_ERR_NO_SUCH_OBJECT; + } + + match = get_best_match(dn, result); + if (match == NULL) { + TALLOC_FREE(frame); + return LDB_ERR_OPERATIONS_ERROR; + } + + *msg = talloc_move(mem_ctx, &match); + TALLOC_FREE(frame); + return LDB_SUCCESS; +} + +/* + * Lookup a DNS record, will match DNS wild card records if an exact match + * is not found. + */ +WERROR dns_common_wildcard_lookup(struct ldb_context *samdb, + TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + struct dnsp_DnssrvRpcRecord **records, + uint16_t *num_records) +{ + const struct timeval start = timeval_current(); + int ret; + WERROR werr = WERR_OK; + struct ldb_message *msg = NULL; + struct ldb_message_element *el = NULL; + const struct ldb_val *name = NULL; + + *records = NULL; + *num_records = 0; + + name = ldb_dn_get_rdn_val(dn); + if (name == NULL) { + werr = DNS_ERR(NAME_ERROR); + goto exit; + } + + /* Don't look for a wildcard for @ */ + if (name->length == 1 && name->data[0] == '@') { + werr = dns_common_lookup(samdb, + mem_ctx, + dn, + records, + num_records, + NULL); + goto exit; + } + + werr = dns_name_check( + mem_ctx, + strlen((const char*)name->data), + (const char*) name->data); + if (!W_ERROR_IS_OK(werr)) { + goto exit; + } + + /* + * Do a point search first, then fall back to a wildcard + * lookup if it does not exist + */ + werr = dns_common_lookup(samdb, + mem_ctx, + dn, + records, + num_records, + NULL); + if (!W_ERROR_EQUAL(werr, WERR_DNS_ERROR_NAME_DOES_NOT_EXIST)) { + goto exit; + } + + ret = dns_wildcard_lookup(samdb, mem_ctx, dn, &msg); + if (ret == LDB_ERR_OPERATIONS_ERROR) { + werr = DNS_ERR(SERVER_FAILURE); + goto exit; + } + if (ret != LDB_SUCCESS) { + werr = DNS_ERR(NAME_ERROR); + goto exit; + } + + el = ldb_msg_find_element(msg, "dnsRecord"); + if (el == NULL) { + werr = WERR_DNS_ERROR_NAME_DOES_NOT_EXIST; + goto exit; + } + + werr = dns_common_extract(samdb, el, mem_ctx, records, num_records); + TALLOC_FREE(msg); + if (!W_ERROR_IS_OK(werr)) { + goto exit; + } + + werr = WERR_OK; +exit: + DNS_COMMON_LOG_OPERATION( + win_errstr(werr), + &start, + NULL, + dn == NULL ? NULL : ldb_dn_get_linearized(dn), + NULL); + return werr; +} + +static int rec_cmp(const struct dnsp_DnssrvRpcRecord *r1, + const struct dnsp_DnssrvRpcRecord *r2) +{ + if (r1->wType != r2->wType) { + /* + * The records are sorted with higher types first, + * which puts tombstones (type 0) last. + */ + return r2->wType - r1->wType; + } + /* + * Then we need to sort from the oldest to newest timestamp. + * + * Note that dwTimeStamp == 0 (never expiring) records come first, + * then the ones whose expiry is soonest. + */ + return r1->dwTimeStamp - r2->dwTimeStamp; +} + +/* + * Check for valid DNS names. These are names which: + * - are non-empty + * - do not start with a dot + * - do not have any empty labels + * - have no more than 127 labels + * - are no longer than 253 characters + * - none of the labels exceed 63 characters + */ +WERROR dns_name_check(TALLOC_CTX *mem_ctx, size_t len, const char *name) +{ + size_t i; + unsigned int labels = 0; + unsigned int label_len = 0; + + if (len == 0) { + return WERR_DS_INVALID_DN_SYNTAX; + } + + if (len > 1 && name[0] == '.') { + return WERR_DS_INVALID_DN_SYNTAX; + } + + if ((len - 1) > DNS_MAX_DOMAIN_LENGTH) { + return WERR_DS_INVALID_DN_SYNTAX; + } + + for (i = 0; i < len - 1; i++) { + if (name[i] == '.' && name[i+1] == '.') { + return WERR_DS_INVALID_DN_SYNTAX; + } + if (name[i] == '.') { + labels++; + if (labels > DNS_MAX_LABELS) { + return WERR_DS_INVALID_DN_SYNTAX; + } + label_len = 0; + } else { + label_len++; + if (label_len > DNS_MAX_LABEL_LENGTH) { + return WERR_DS_INVALID_DN_SYNTAX; + } + } + } + + return WERR_OK; +} + +static WERROR check_name_list(TALLOC_CTX *mem_ctx, uint16_t rec_count, + struct dnsp_DnssrvRpcRecord *records) +{ + WERROR werr; + uint16_t i; + size_t len; + struct dnsp_DnssrvRpcRecord record; + + werr = WERR_OK; + for (i = 0; i < rec_count; i++) { + record = records[i]; + + switch (record.wType) { + + case DNS_TYPE_NS: + len = strlen(record.data.ns); + werr = dns_name_check(mem_ctx, len, record.data.ns); + break; + case DNS_TYPE_CNAME: + len = strlen(record.data.cname); + werr = dns_name_check(mem_ctx, len, record.data.cname); + break; + case DNS_TYPE_SOA: + len = strlen(record.data.soa.mname); + werr = dns_name_check(mem_ctx, len, record.data.soa.mname); + if (!W_ERROR_IS_OK(werr)) { + break; + } + len = strlen(record.data.soa.rname); + werr = dns_name_check(mem_ctx, len, record.data.soa.rname); + break; + case DNS_TYPE_PTR: + len = strlen(record.data.ptr); + werr = dns_name_check(mem_ctx, len, record.data.ptr); + break; + case DNS_TYPE_MX: + len = strlen(record.data.mx.nameTarget); + werr = dns_name_check(mem_ctx, len, record.data.mx.nameTarget); + break; + case DNS_TYPE_SRV: + len = strlen(record.data.srv.nameTarget); + werr = dns_name_check(mem_ctx, len, + record.data.srv.nameTarget); + break; + /* + * In the default case, the record doesn't have a DN, so it + * must be ok. + */ + default: + break; + } + + if (!W_ERROR_IS_OK(werr)) { + return werr; + } + } + + return WERR_OK; +} + +bool dns_name_is_static(struct dnsp_DnssrvRpcRecord *records, + uint16_t rec_count) +{ + int i = 0; + for (i = 0; i < rec_count; i++) { + if (records[i].wType == DNS_TYPE_TOMBSTONE) { + continue; + } + + if (records[i].wType == DNS_TYPE_SOA || + records[i].dwTimeStamp == 0) { + return true; + } + } + return false; +} + +/* + * Helper function to copy a dnsp_ip4_array struct to an IP4_ARRAY struct. + * The new structure and it's data are allocated on the supplied talloc context + */ +static struct IP4_ARRAY *copy_ip4_array(TALLOC_CTX *ctx, + const char *name, + struct dnsp_ip4_array array) +{ + + struct IP4_ARRAY *ip4_array = NULL; + unsigned int i; + + ip4_array = talloc_zero(ctx, struct IP4_ARRAY); + if (ip4_array == NULL) { + DBG_ERR("Out of memory copying property [%s]\n", name); + return NULL; + } + + ip4_array->AddrCount = array.addrCount; + if (ip4_array->AddrCount == 0) { + return ip4_array; + } + + ip4_array->AddrArray = + talloc_array(ip4_array, uint32_t, ip4_array->AddrCount); + if (ip4_array->AddrArray == NULL) { + TALLOC_FREE(ip4_array); + DBG_ERR("Out of memory copying property [%s] values\n", name); + return NULL; + } + + for (i = 0; i < ip4_array->AddrCount; i++) { + ip4_array->AddrArray[i] = array.addrArray[i]; + } + + return ip4_array; +} + +bool dns_zoneinfo_load_zone_property(struct dnsserver_zoneinfo *zoneinfo, + struct dnsp_DnsProperty *prop) +{ + switch (prop->id) { + case DSPROPERTY_ZONE_TYPE: + zoneinfo->dwZoneType = prop->data.zone_type; + break; + case DSPROPERTY_ZONE_ALLOW_UPDATE: + zoneinfo->fAllowUpdate = prop->data.allow_update_flag; + break; + case DSPROPERTY_ZONE_NOREFRESH_INTERVAL: + zoneinfo->dwNoRefreshInterval = prop->data.norefresh_hours; + break; + case DSPROPERTY_ZONE_REFRESH_INTERVAL: + zoneinfo->dwRefreshInterval = prop->data.refresh_hours; + break; + case DSPROPERTY_ZONE_AGING_STATE: + zoneinfo->fAging = prop->data.aging_enabled; + break; + case DSPROPERTY_ZONE_SCAVENGING_SERVERS: + zoneinfo->aipScavengeServers = copy_ip4_array( + zoneinfo, "ZONE_SCAVENGING_SERVERS", prop->data.servers); + if (zoneinfo->aipScavengeServers == NULL) { + return false; + } + break; + case DSPROPERTY_ZONE_AGING_ENABLED_TIME: + zoneinfo->dwAvailForScavengeTime = + prop->data.next_scavenging_cycle_hours; + break; + case DSPROPERTY_ZONE_MASTER_SERVERS: + zoneinfo->aipLocalMasters = copy_ip4_array( + zoneinfo, "ZONE_MASTER_SERVERS", prop->data.master_servers); + if (zoneinfo->aipLocalMasters == NULL) { + return false; + } + break; + case DSPROPERTY_ZONE_EMPTY: + case DSPROPERTY_ZONE_SECURE_TIME: + case DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME: + case DSPROPERTY_ZONE_AUTO_NS_SERVERS: + case DSPROPERTY_ZONE_DCPROMO_CONVERT: + case DSPROPERTY_ZONE_SCAVENGING_SERVERS_DA: + case DSPROPERTY_ZONE_MASTER_SERVERS_DA: + case DSPROPERTY_ZONE_NS_SERVERS_DA: + case DSPROPERTY_ZONE_NODE_DBFLAGS: + break; + } + return true; +} +WERROR dns_get_zone_properties(struct ldb_context *samdb, + TALLOC_CTX *mem_ctx, + struct ldb_dn *zone_dn, + struct dnsserver_zoneinfo *zoneinfo) +{ + + int ret, i; + struct dnsp_DnsProperty *prop = NULL; + struct ldb_message_element *element = NULL; + const char *const attrs[] = {"dNSProperty", NULL}; + struct ldb_result *res = NULL; + enum ndr_err_code err; + + ret = ldb_search(samdb, + mem_ctx, + &res, + zone_dn, + LDB_SCOPE_BASE, + attrs, + "(objectClass=dnsZone)"); + if (ret != LDB_SUCCESS) { + DBG_ERR("dnsserver: Failed to find DNS zone: %s\n", + ldb_dn_get_linearized(zone_dn)); + return DNS_ERR(SERVER_FAILURE); + } + + element = ldb_msg_find_element(res->msgs[0], "dNSProperty"); + if (element == NULL) { + return DNS_ERR(NOTZONE); + } + + for (i = 0; i < element->num_values; i++) { + bool valid_property; + prop = talloc_zero(mem_ctx, struct dnsp_DnsProperty); + if (prop == NULL) { + return WERR_NOT_ENOUGH_MEMORY; + } + err = ndr_pull_struct_blob( + &(element->values[i]), + mem_ctx, + prop, + (ndr_pull_flags_fn_t)ndr_pull_dnsp_DnsProperty); + if (!NDR_ERR_CODE_IS_SUCCESS(err)) { + /* + * If we can't pull it, then there is no valid + * data to load into the zone, so ignore this + * as Micosoft does. Windows can load an + * invalid property with a zero length into + * the dnsProperty attribute. + */ + continue; + } + + valid_property = + dns_zoneinfo_load_zone_property(zoneinfo, prop); + if (!valid_property) { + return DNS_ERR(SERVER_FAILURE); + } + } + + return WERR_OK; +} + +WERROR dns_common_replace(struct ldb_context *samdb, + TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + bool needs_add, + uint32_t serial, + struct dnsp_DnssrvRpcRecord *records, + uint16_t rec_count) +{ + const struct timeval start = timeval_current(); + struct ldb_message_element *el; + uint16_t i; + int ret; + WERROR werr; + struct ldb_message *msg = NULL; + bool was_tombstoned = false; + bool become_tombstoned = false; + struct ldb_dn *zone_dn = NULL; + struct dnsserver_zoneinfo *zoneinfo = NULL; + uint32_t t; + + msg = ldb_msg_new(mem_ctx); + W_ERROR_HAVE_NO_MEMORY(msg); + + msg->dn = dn; + + zone_dn = ldb_dn_copy(mem_ctx, dn); + if (zone_dn == NULL) { + werr = WERR_NOT_ENOUGH_MEMORY; + goto exit; + } + if (!ldb_dn_remove_child_components(zone_dn, 1)) { + werr = DNS_ERR(SERVER_FAILURE); + goto exit; + } + zoneinfo = talloc(mem_ctx, struct dnsserver_zoneinfo); + if (zoneinfo == NULL) { + werr = WERR_NOT_ENOUGH_MEMORY; + goto exit; + } + werr = dns_get_zone_properties(samdb, mem_ctx, zone_dn, zoneinfo); + if (W_ERROR_EQUAL(DNS_ERR(NOTZONE), werr)) { + /* + * We only got zoneinfo for aging so if we didn't find any + * properties then just disable aging and keep going. + */ + zoneinfo->fAging = 0; + } else if (!W_ERROR_IS_OK(werr)) { + goto exit; + } + + werr = check_name_list(mem_ctx, rec_count, records); + if (!W_ERROR_IS_OK(werr)) { + goto exit; + } + + ret = ldb_msg_add_empty(msg, "dnsRecord", LDB_FLAG_MOD_REPLACE, &el); + if (ret != LDB_SUCCESS) { + werr = DNS_ERR(SERVER_FAILURE); + goto exit; + } + + /* + * we have at least one value, + * which might be used for the tombstone marker + */ + el->values = talloc_zero_array(el, struct ldb_val, MAX(1, rec_count)); + if (el->values == NULL) { + werr = WERR_NOT_ENOUGH_MEMORY; + goto exit; + } + + if (rec_count > 1) { + /* + * We store a sorted list with the high wType values first + * that's what windows does. It also simplifies the + * filtering of DNS_TYPE_TOMBSTONE records + */ + TYPESAFE_QSORT(records, rec_count, rec_cmp); + } + + for (i = 0; i < rec_count; i++) { + struct ldb_val *v = &el->values[el->num_values]; + enum ndr_err_code ndr_err; + + if (records[i].wType == DNS_TYPE_TOMBSTONE) { + /* + * There are two things that could be going on here. + * + * 1. We use a tombstone with EntombedTime == 0 for + * passing deletion messages through the stack, and + * this is the place we filter them out to perform + * that deletion. + * + * 2. This node is tombstoned, with no records except + * for a single tombstone, and it is just waiting to + * disappear. In this case, unless the caller has + * added a record, rec_count should be 1, and + * el->num_values will end up at 0, and we will make + * no changes. But if the caller has added a record, + * we need to un-tombstone the node. + * + * It is not possible to add an explicit tombstone + * record. + */ + if (records[i].data.EntombedTime != 0) { + was_tombstoned = true; + } + continue; + } + + if (zoneinfo->fAging == 1 && records[i].dwTimeStamp != 0) { + t = unix_to_dns_timestamp(time(NULL)); + if (t - records[i].dwTimeStamp > + zoneinfo->dwNoRefreshInterval) { + records[i].dwTimeStamp = t; + } + } + + records[i].dwSerial = serial; + ndr_err = ndr_push_struct_blob(v, el->values, &records[i], + (ndr_push_flags_fn_t)ndr_push_dnsp_DnssrvRpcRecord); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(0, ("Failed to push dnsp_DnssrvRpcRecord\n")); + werr = DNS_ERR(SERVER_FAILURE); + goto exit; + } + el->num_values++; + } + + if (needs_add) { + /* + * This is a new dnsNode, which simplifies everything as we + * know there is nothing to delete or change. We add the + * records and get out. + */ + if (el->num_values == 0) { + werr = WERR_OK; + goto exit; + } + + ret = ldb_msg_add_string(msg, "objectClass", "dnsNode"); + if (ret != LDB_SUCCESS) { + werr = DNS_ERR(SERVER_FAILURE); + goto exit; + } + + ret = ldb_add(samdb, msg); + if (ret != LDB_SUCCESS) { + werr = DNS_ERR(SERVER_FAILURE); + goto exit; + } + + werr = WERR_OK; + goto exit; + } + + if (el->num_values == 0) { + /* + * We get here if there are no records or all the records were + * tombstones. + */ + struct dnsp_DnssrvRpcRecord tbs; + struct ldb_val *v = &el->values[el->num_values]; + enum ndr_err_code ndr_err; + struct timeval tv; + + if (was_tombstoned) { + /* + * This is already a tombstoned object. + * Just leave it instead of updating the time stamp. + */ + werr = WERR_OK; + goto exit; + } + + tv = timeval_current(); + tbs = (struct dnsp_DnssrvRpcRecord) { + .wType = DNS_TYPE_TOMBSTONE, + .dwSerial = serial, + .data.EntombedTime = timeval_to_nttime(&tv), + }; + + ndr_err = ndr_push_struct_blob(v, el->values, &tbs, + (ndr_push_flags_fn_t)ndr_push_dnsp_DnssrvRpcRecord); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(0, ("Failed to push dnsp_DnssrvRpcRecord\n")); + werr = DNS_ERR(SERVER_FAILURE); + goto exit; + } + el->num_values++; + + become_tombstoned = true; + } + + if (was_tombstoned || become_tombstoned) { + ret = ldb_msg_append_fmt(msg, LDB_FLAG_MOD_REPLACE, + "dNSTombstoned", "%s", + become_tombstoned ? "TRUE" : "FALSE"); + if (ret != LDB_SUCCESS) { + werr = DNS_ERR(SERVER_FAILURE); + goto exit; + } + } + + ret = ldb_modify(samdb, msg); + if (ret != LDB_SUCCESS) { + NTSTATUS nt = dsdb_ldb_err_to_ntstatus(ret); + werr = ntstatus_to_werror(nt); + goto exit; + } + + werr = WERR_OK; +exit: + talloc_free(msg); + DNS_COMMON_LOG_OPERATION( + win_errstr(werr), + &start, + NULL, + dn == NULL ? NULL : ldb_dn_get_linearized(dn), + NULL); + return werr; +} + +bool dns_name_match(const char *zone, const char *name, size_t *host_part_len) +{ + size_t zl = strlen(zone); + size_t nl = strlen(name); + ssize_t zi, ni; + static const size_t fixup = 'a' - 'A'; + + if (zl > nl) { + return false; + } + + for (zi = zl, ni = nl; zi >= 0; zi--, ni--) { + char zc = zone[zi]; + char nc = name[ni]; + + /* convert to lower case */ + if (zc >= 'A' && zc <= 'Z') { + zc += fixup; + } + if (nc >= 'A' && nc <= 'Z') { + nc += fixup; + } + + if (zc != nc) { + return false; + } + } + + if (ni >= 0) { + if (name[ni] != '.') { + return false; + } + + ni--; + } + + *host_part_len = ni+1; + + return true; +} + +WERROR dns_common_name2dn(struct ldb_context *samdb, + struct dns_server_zone *zones, + TALLOC_CTX *mem_ctx, + const char *name, + struct ldb_dn **_dn) +{ + struct ldb_dn *base; + struct ldb_dn *dn; + const struct dns_server_zone *z; + size_t host_part_len = 0; + struct ldb_val host_part; + WERROR werr; + bool ok; + const char *casefold = NULL; + + if (name == NULL) { + return DNS_ERR(FORMAT_ERROR); + } + + if (strcmp(name, "") == 0) { + base = ldb_get_default_basedn(samdb); + dn = ldb_dn_copy(mem_ctx, base); + ok = ldb_dn_add_child_fmt(dn, + "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System"); + if (ok == false) { + TALLOC_FREE(dn); + return WERR_NOT_ENOUGH_MEMORY; + } + + *_dn = dn; + return WERR_OK; + } + + /* Check non-empty names */ + werr = dns_name_check(mem_ctx, strlen(name), name); + if (!W_ERROR_IS_OK(werr)) { + return werr; + } + + for (z = zones; z != NULL; z = z->next) { + bool match; + + match = dns_name_match(z->name, name, &host_part_len); + if (match) { + break; + } + } + + if (z == NULL) { + return DNS_ERR(NAME_ERROR); + } + + if (host_part_len == 0) { + dn = ldb_dn_copy(mem_ctx, z->dn); + ok = ldb_dn_add_child_fmt(dn, "DC=@"); + if (! ok) { + TALLOC_FREE(dn); + return WERR_NOT_ENOUGH_MEMORY; + } + *_dn = dn; + return WERR_OK; + } + + dn = ldb_dn_copy(mem_ctx, z->dn); + if (dn == NULL) { + TALLOC_FREE(dn); + return WERR_NOT_ENOUGH_MEMORY; + } + + host_part = data_blob_const(name, host_part_len); + + ok = ldb_dn_add_child_val(dn, "DC", host_part); + + if (ok == false) { + TALLOC_FREE(dn); + return WERR_NOT_ENOUGH_MEMORY; + } + + /* + * Check the new DN here for validity, so as to catch errors + * early + */ + ok = ldb_dn_validate(dn); + if (ok == false) { + TALLOC_FREE(dn); + return DNS_ERR(NAME_ERROR); + } + + /* + * The value from this check is saved in the DN, and doing + * this here allows an easy return here. + */ + casefold = ldb_dn_get_casefold(dn); + if (casefold == NULL) { + TALLOC_FREE(dn); + return DNS_ERR(NAME_ERROR); + } + + *_dn = dn; + return WERR_OK; +} + + +/* + see if two dns records match + */ + + +bool dns_record_match(struct dnsp_DnssrvRpcRecord *rec1, + struct dnsp_DnssrvRpcRecord *rec2) +{ + int i; + struct in6_addr rec1_in_addr6; + struct in6_addr rec2_in_addr6; + + if (rec1->wType != rec2->wType) { + return false; + } + + /* see if the data matches */ + switch (rec1->wType) { + case DNS_TYPE_A: + return strcmp(rec1->data.ipv4, rec2->data.ipv4) == 0; + case DNS_TYPE_AAAA: { + int ret; + + ret = inet_pton(AF_INET6, rec1->data.ipv6, &rec1_in_addr6); + if (ret != 1) { + return false; + } + ret = inet_pton(AF_INET6, rec2->data.ipv6, &rec2_in_addr6); + if (ret != 1) { + return false; + } + + return memcmp(&rec1_in_addr6, &rec2_in_addr6, sizeof(rec1_in_addr6)) == 0; + } + case DNS_TYPE_CNAME: + return samba_dns_name_equal(rec1->data.cname, + rec2->data.cname); + case DNS_TYPE_TXT: + if (rec1->data.txt.count != rec2->data.txt.count) { + return false; + } + for (i = 0; i < rec1->data.txt.count; i++) { + if (strcmp(rec1->data.txt.str[i], rec2->data.txt.str[i]) != 0) { + return false; + } + } + return true; + case DNS_TYPE_PTR: + return samba_dns_name_equal(rec1->data.ptr, rec2->data.ptr); + case DNS_TYPE_NS: + return samba_dns_name_equal(rec1->data.ns, rec2->data.ns); + + case DNS_TYPE_SRV: + return rec1->data.srv.wPriority == rec2->data.srv.wPriority && + rec1->data.srv.wWeight == rec2->data.srv.wWeight && + rec1->data.srv.wPort == rec2->data.srv.wPort && + samba_dns_name_equal(rec1->data.srv.nameTarget, + rec2->data.srv.nameTarget); + + case DNS_TYPE_MX: + return rec1->data.mx.wPriority == rec2->data.mx.wPriority && + samba_dns_name_equal(rec1->data.mx.nameTarget, + rec2->data.mx.nameTarget); + + case DNS_TYPE_SOA: + return samba_dns_name_equal(rec1->data.soa.mname, + rec2->data.soa.mname) && + samba_dns_name_equal(rec1->data.soa.rname, + rec2->data.soa.rname) && + rec1->data.soa.serial == rec2->data.soa.serial && + rec1->data.soa.refresh == rec2->data.soa.refresh && + rec1->data.soa.retry == rec2->data.soa.retry && + rec1->data.soa.expire == rec2->data.soa.expire && + rec1->data.soa.minimum == rec2->data.soa.minimum; + case DNS_TYPE_TOMBSTONE: + return true; + default: + break; + } + + return false; +} + + +static int dns_common_sort_zones(struct ldb_message **m1, struct ldb_message **m2) +{ + const char *n1, *n2; + size_t l1, l2; + + n1 = ldb_msg_find_attr_as_string(*m1, "name", NULL); + n2 = ldb_msg_find_attr_as_string(*m2, "name", NULL); + if (n1 == NULL || n2 == NULL) { + if (n1 != NULL) { + return -1; + } else if (n2 != NULL) { + return 1; + } else { + return 0; + } + } + l1 = strlen(n1); + l2 = strlen(n2); + + /* If the string lengths are not equal just sort by length */ + if (l1 != l2) { + /* If m1 is the larger zone name, return it first */ + return l2 - l1; + } + + /*TODO: We need to compare DNs here, we want the DomainDNSZones first */ + return 0; +} + +NTSTATUS dns_common_zones(struct ldb_context *samdb, + TALLOC_CTX *mem_ctx, + struct ldb_dn *base_dn, + struct dns_server_zone **zones_ret) +{ + const struct timeval start = timeval_current(); + int ret; + static const char * const attrs[] = { "name", NULL}; + struct ldb_result *res; + int i; + struct dns_server_zone *new_list = NULL; + TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS result = NT_STATUS_OK; + + if (base_dn) { + /* This search will work against windows */ + ret = dsdb_search(samdb, frame, &res, + base_dn, LDB_SCOPE_SUBTREE, + attrs, 0, "(objectClass=dnsZone)"); + } else { + /* TODO: this search does not work against windows */ + ret = dsdb_search(samdb, frame, &res, NULL, + LDB_SCOPE_SUBTREE, + attrs, + DSDB_SEARCH_SEARCH_ALL_PARTITIONS, + "(objectClass=dnsZone)"); + } + if (ret != LDB_SUCCESS) { + TALLOC_FREE(frame); + result = NT_STATUS_INTERNAL_DB_CORRUPTION; + goto exit; + } + + TYPESAFE_QSORT(res->msgs, res->count, dns_common_sort_zones); + + for (i=0; i < res->count; i++) { + struct dns_server_zone *z; + + z = talloc_zero(mem_ctx, struct dns_server_zone); + if (z == NULL) { + TALLOC_FREE(frame); + result = NT_STATUS_NO_MEMORY; + goto exit; + } + + z->name = ldb_msg_find_attr_as_string(res->msgs[i], "name", NULL); + talloc_steal(z, z->name); + z->dn = talloc_move(z, &res->msgs[i]->dn); + /* + * Ignore the RootDNSServers zone and zones that we don't support yet + * RootDNSServers should never be returned (Windows DNS server don't) + * ..TrustAnchors should never be returned as is, (Windows returns + * TrustAnchors) and for the moment we don't support DNSSEC so we'd better + * not return this zone. + */ + if ((strcmp(z->name, "RootDNSServers") == 0) || + (strcmp(z->name, "..TrustAnchors") == 0)) + { + DEBUG(10, ("Ignoring zone %s\n", z->name)); + talloc_free(z); + continue; + } + DLIST_ADD_END(new_list, z); + } + + *zones_ret = new_list; + TALLOC_FREE(frame); + result = NT_STATUS_OK; +exit: + DNS_COMMON_LOG_OPERATION( + nt_errstr(result), + &start, + NULL, + base_dn == NULL ? NULL : ldb_dn_get_linearized(base_dn), + NULL); + return result; +} + +/* + see if two DNS names are the same + */ +bool samba_dns_name_equal(const char *name1, const char *name2) +{ + size_t len1 = strlen(name1); + size_t len2 = strlen(name2); + + if (len1 > 0 && name1[len1 - 1] == '.') { + len1--; + } + if (len2 > 0 && name2[len2 - 1] == '.') { + len2--; + } + if (len1 != len2) { + return false; + } + return strncasecmp(name1, name2, len1) == 0; +} + + +/* + * Convert unix time to a DNS timestamp + * uint32 hours in the NTTIME epoch + * + * This uses unix_to_nt_time() which can return special flag NTTIMEs like + * UINT64_MAX (0xFFF...) or NTTIME_MAX (0x7FF...), which will convert to + * distant future timestamps; or 0 as a flag value, meaning a 1601 timestamp, + * which is used to indicate a record does not expire. + * + * As we don't generally check for these special values in NTTIME conversions, + * we also don't check here, but for the benefit of people encountering these + * timestamps and searching for their origin, here is a list: + * + ** TIME_T_MAX + * + * Even if time_t is 32 bit, this will become NTTIME_MAX (a.k.a INT64_MAX, + * 0x7fffffffffffffff) in 100ns units. That translates to 256204778 hours + * since 1601, which converts back to 9223372008000000000 or + * 0x7ffffff9481f1000. It will present as 30828-09-14 02:00:00, around 48 + * minutes earlier than NTTIME_MAX. + * + ** 0, the start of the unix epoch, 1970-01-01 00:00:00 + * + * This is converted into 0 in the Windows epoch, 1601-01-01 00:00:00 which is + * clearly the same whether you count in 100ns units or hours. In DNS record + * timestamps this is a flag meaning the record will never expire. + * + ** (time_t)-1, such as what *might* mean 1969-12-31 23:59:59 + * + * This becomes (NTTIME)-1ULL a.k.a. UINT64_MAX, 0xffffffffffffffff thence + * 512409557 in hours since 1601. That in turn is 0xfffffffaf2028800 or + * 18446744052000000000 in NTTIME (rounded to the hour), which might be + * presented as -21709551616 or -0x50dfd7800, because NTITME is not completely + * dedicated to being unsigned. If it gets shown as a year, it will be around + * 60055. + * + ** Other negative time_t values (e.g. 1969-05-29). + * + * The meaning of these is somewhat undefined, but in any case they will + * translate perfectly well into the same dates in NTTIME. + * + ** Notes + * + * There are dns timestamps that exceed the range of NTTIME (up to 488356 AD), + * but it is not possible for this function to produce them. + * + * It is plausible that it was at midnight on 1601-01-01, in London, that + * Shakespeare wrote: + * + * The time is out of joint. O cursed spite + * That ever I was born to set it right! + * + * and this is why we have this epoch and time zone. + */ +uint32_t unix_to_dns_timestamp(time_t t) +{ + NTTIME nt; + unix_to_nt_time(&nt, t); + nt /= NTTIME_TO_HOURS; + return (uint32_t) nt; +} + +/* + * Convert a DNS timestamp into NTTIME. + * + * Because DNS timestamps cover a longer time period than NTTIME, and these + * would wrap to an arbitrary NTTIME, we saturate at NTTIME_MAX and return an + * error in this case. + */ +NTSTATUS dns_timestamp_to_nt_time(NTTIME *_nt, uint32_t t) +{ + NTTIME nt = t; + if (nt > NTTIME_MAX / NTTIME_TO_HOURS) { + *_nt = NTTIME_MAX; + return NT_STATUS_INTEGER_OVERFLOW; + } + *_nt = nt * NTTIME_TO_HOURS; + return NT_STATUS_OK; +} diff --git a/source4/dns_server/dnsserver_common.h b/source4/dns_server/dnsserver_common.h new file mode 100644 index 0000000..a0c1065 --- /dev/null +++ b/source4/dns_server/dnsserver_common.h @@ -0,0 +1,139 @@ +/* + Unix SMB/CIFS implementation. + + DNS server utils + + Copyright (C) 2014 Stefan Metzmacher + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "rpc_server/dnsserver/dnsserver.h" + +#ifndef __DNSSERVER_COMMON_H__ +#define __DNSSERVER_COMMON_H__ + +uint8_t werr_to_dns_err(WERROR werr); +#define DNS_ERR(err_str) WERR_DNS_ERROR_RCODE_##err_str + +struct ldb_message_element; +struct ldb_context; +struct dnsp_DnssrvRpcRecord; + +struct dns_server_zone { + struct dns_server_zone *prev, *next; + const char *name; + struct ldb_dn *dn; +}; + +WERROR dns_common_extract(struct ldb_context *samdb, + const struct ldb_message_element *el, + TALLOC_CTX *mem_ctx, + struct dnsp_DnssrvRpcRecord **records, + uint16_t *num_records); + +WERROR dns_common_lookup(struct ldb_context *samdb, + TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + struct dnsp_DnssrvRpcRecord **records, + uint16_t *num_records, + bool *tombstoned); +WERROR dns_common_wildcard_lookup(struct ldb_context *samdb, + TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + struct dnsp_DnssrvRpcRecord **records, + uint16_t *num_records); +WERROR dns_name_check(TALLOC_CTX *mem_ctx, + size_t len, + const char *name); +WERROR dns_get_zone_properties(struct ldb_context *samdb, + TALLOC_CTX *mem_ctx, + struct ldb_dn *zone_dn, + struct dnsserver_zoneinfo *zoneinfo); +bool dns_name_is_static(struct dnsp_DnssrvRpcRecord *records, + uint16_t rec_count); +WERROR dns_common_replace(struct ldb_context *samdb, + TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + bool needs_add, + uint32_t serial, + struct dnsp_DnssrvRpcRecord *records, + uint16_t rec_count); +bool dns_name_match(const char *zone, const char *name, size_t *host_part_len); +WERROR dns_common_name2dn(struct ldb_context *samdb, + struct dns_server_zone *zones, + TALLOC_CTX *mem_ctx, + const char *name, + struct ldb_dn **_dn); +bool samba_dns_name_equal(const char *name1, const char *name2); + +bool dns_record_match(struct dnsp_DnssrvRpcRecord *rec1, + struct dnsp_DnssrvRpcRecord *rec2); + +/* + * For this routine, base_dn is generally NULL. The exception comes + * from the python bindings to support setting ACLs on DNS objects + * when joining Windows + */ +NTSTATUS dns_common_zones(struct ldb_context *samdb, + TALLOC_CTX *mem_ctx, + struct ldb_dn *base_dn, + struct dns_server_zone **zones_ret); + +bool dns_zoneinfo_load_zone_property(struct dnsserver_zoneinfo *zoneinfo, + struct dnsp_DnsProperty *prop); +/* + * Log a DNS operation along with it's duration + * Enabled by setting a log level of "dns:10" + * + * const char *operation + * const char *result + * const struct timeval *start + * const char *zone + * const char *name + * const char *data + */ +#define DNS_COMMON_LOG_OPERATION(result, start, zone, name, data) \ + if (CHECK_DEBUGLVLC(DBGC_DNS, DBGLVL_DEBUG)) { \ + struct timeval now = timeval_current(); \ + uint64_t duration = usec_time_diff(&now, (start));\ + const char *re = (result);\ + const char *zn = (zone); \ + const char *nm = (name); \ + const char *dt = (data); \ + DBG_DEBUG( \ + "DNS timing: result: [%s] duration: (%" PRIi64 ") " \ + "zone: [%s] name: [%s] data: [%s]\n", \ + re == NULL ? "" : re, \ + duration, \ + zn == NULL ? "" : zn, \ + nm == NULL ? "" : nm, \ + dt == NULL ? "" : dt); \ + } + +/* There are this many nttime jiffies in an hour */ +#define NTTIME_TO_HOURS (3600ULL * 10ULL * 1000ULL * 1000ULL) + +/* + * convert unix time to a DNS timestamp + * (hours in the NTTIME epoch, 32 bit). + */ +uint32_t unix_to_dns_timestamp(time_t t); + +/* + * Convert a DNS timestamp into NTTIME. + */ +NTSTATUS dns_timestamp_to_nt_time(NTTIME *_nt, uint32_t t); + +#endif /* __DNSSERVER_COMMON_H__ */ diff --git a/source4/dns_server/pydns.c b/source4/dns_server/pydns.c new file mode 100644 index 0000000..7b83d7c --- /dev/null +++ b/source4/dns_server/pydns.c @@ -0,0 +1,445 @@ +/* + Unix SMB/CIFS implementation. + + Python DNS server wrapper + + Copyright (C) 2015 Andrew Bartlett + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include <Python.h> +#include "python/py3compat.h" +#include "includes.h" +#include "python/modules.h" +#include <pyldb.h> +#include <pytalloc.h> +#include "dns_server/dnsserver_common.h" +#include "dsdb/samdb/samdb.h" +#include "dsdb/common/util.h" +#include "librpc/gen_ndr/ndr_dnsp.h" +#include "librpc/rpc/pyrpc_util.h" + +/* FIXME: These should be in a header file somewhere */ +#define PyErr_LDB_OR_RAISE(py_ldb, ldb) \ + if (!py_check_dcerpc_type(py_ldb, "ldb", "Ldb")) { \ + PyErr_SetString(PyExc_TypeError, "Ldb connection object required"); \ + return NULL; \ + } \ + ldb = pyldb_Ldb_AsLdbContext(py_ldb); + +#define PyErr_LDB_DN_OR_RAISE(py_ldb_dn, dn) \ + if (!py_check_dcerpc_type(py_ldb_dn, "ldb", "Dn")) { \ + PyErr_SetString(PyExc_TypeError, "ldb Dn object required"); \ + return NULL; \ + } \ + dn = pyldb_Dn_AS_DN(py_ldb_dn); + +static PyObject *py_dnsp_DnssrvRpcRecord_get_list(struct dnsp_DnssrvRpcRecord *records, + uint16_t num_records) +{ + PyObject *py_dns_list; + int i; + py_dns_list = PyList_New(num_records); + if (py_dns_list == NULL) { + return NULL; + } + for (i = 0; i < num_records; i++) { + PyObject *py_dns_record; + py_dns_record = py_return_ndr_struct("samba.dcerpc.dnsp", "DnssrvRpcRecord", records, &records[i]); + PyList_SetItem(py_dns_list, i, py_dns_record); + } + return py_dns_list; +} + + +static int py_dnsp_DnssrvRpcRecord_get_array(PyObject *value, + TALLOC_CTX *mem_ctx, + struct dnsp_DnssrvRpcRecord **records, + uint16_t *num_records) +{ + int i; + struct dnsp_DnssrvRpcRecord *recs; + PY_CHECK_TYPE(&PyList_Type, value, return -1;); + recs = talloc_array(mem_ctx, struct dnsp_DnssrvRpcRecord, + PyList_GET_SIZE(value)); + if (recs == NULL) { + PyErr_NoMemory(); + return -1; + } + for (i = 0; i < PyList_GET_SIZE(value); i++) { + bool type_correct; + PyObject *item = PyList_GET_ITEM(value, i); + type_correct = py_check_dcerpc_type(item, "samba.dcerpc.dnsp", "DnssrvRpcRecord"); + if (type_correct == false) { + return -1; + } + if (talloc_reference(mem_ctx, pytalloc_get_mem_ctx(item)) == NULL) { + PyErr_NoMemory(); + return -1; + } + recs[i] = *(struct dnsp_DnssrvRpcRecord *)pytalloc_get_ptr(item); + } + *records = recs; + *num_records = PyList_GET_SIZE(value); + return 0; +} + +static PyObject *py_dsdb_dns_lookup(PyObject *self, + PyObject *args, PyObject *kwargs) +{ + struct ldb_context *samdb; + PyObject *py_ldb, *ret, *pydn; + PyObject *py_dns_partition = NULL; + PyObject *result = NULL; + char *dns_name; + TALLOC_CTX *frame; + NTSTATUS status; + WERROR werr; + struct dns_server_zone *zones_list; + struct ldb_dn *dn, *dns_partition = NULL; + struct dnsp_DnssrvRpcRecord *records; + uint16_t num_records; + const char * const kwnames[] = { "ldb", "dns_name", + "dns_partition", NULL }; + + if (!PyArg_ParseTupleAndKeywords(args, kwargs, "Os|O", + discard_const_p(char *, kwnames), + &py_ldb, &dns_name, + &py_dns_partition)) { + return NULL; + } + PyErr_LDB_OR_RAISE(py_ldb, samdb); + + if (py_dns_partition) { + PyErr_LDB_DN_OR_RAISE(py_dns_partition, + dns_partition); + } + + frame = talloc_stackframe(); + + status = dns_common_zones(samdb, frame, dns_partition, + &zones_list); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(frame); + PyErr_SetNTSTATUS(status); + return NULL; + } + + werr = dns_common_name2dn(samdb, zones_list, frame, dns_name, &dn); + if (!W_ERROR_IS_OK(werr)) { + talloc_free(frame); + PyErr_SetWERROR(werr); + return NULL; + } + + werr = dns_common_lookup(samdb, + frame, + dn, + &records, + &num_records, + NULL); + if (!W_ERROR_IS_OK(werr)) { + talloc_free(frame); + PyErr_SetWERROR(werr); + return NULL; + } + + ret = py_dnsp_DnssrvRpcRecord_get_list(records, num_records); + pydn = pyldb_Dn_FromDn(dn); + talloc_free(frame); + result = Py_BuildValue("(OO)", pydn, ret); + Py_CLEAR(ret); + Py_CLEAR(pydn); + return result; +} + +static PyObject *py_dsdb_dns_extract(PyObject *self, PyObject *args) +{ + struct ldb_context *samdb; + PyObject *py_dns_el, *ret; + PyObject *py_ldb = NULL; + TALLOC_CTX *frame; + WERROR werr; + struct ldb_message_element *dns_el; + struct dnsp_DnssrvRpcRecord *records; + uint16_t num_records; + + if (!PyArg_ParseTuple(args, "OO", &py_ldb, &py_dns_el)) { + return NULL; + } + + PyErr_LDB_OR_RAISE(py_ldb, samdb); + + if (!py_check_dcerpc_type(py_dns_el, "ldb", "MessageElement")) { + PyErr_SetString(PyExc_TypeError, + "ldb MessageElement object required"); + return NULL; + } + dns_el = pyldb_MessageElement_AsMessageElement(py_dns_el); + + frame = talloc_stackframe(); + + werr = dns_common_extract(samdb, dns_el, + frame, + &records, + &num_records); + if (!W_ERROR_IS_OK(werr)) { + talloc_free(frame); + PyErr_SetWERROR(werr); + return NULL; + } + + ret = py_dnsp_DnssrvRpcRecord_get_list(records, num_records); + talloc_free(frame); + return ret; +} + +static PyObject *py_dsdb_dns_replace(PyObject *self, PyObject *args) +{ + struct ldb_context *samdb; + PyObject *py_ldb, *py_dns_records; + char *dns_name; + TALLOC_CTX *frame; + NTSTATUS status; + WERROR werr; + int ret; + struct dns_server_zone *zones_list; + struct ldb_dn *dn; + struct dnsp_DnssrvRpcRecord *records; + uint16_t num_records; + + /* + * TODO: This is a shocking abuse, but matches what the + * internal DNS server does, it should be pushed into + * dns_common_replace() + */ + static const int serial = 110; + + if (!PyArg_ParseTuple(args, "OsO", &py_ldb, &dns_name, &py_dns_records)) { + return NULL; + } + PyErr_LDB_OR_RAISE(py_ldb, samdb); + + frame = talloc_stackframe(); + + status = dns_common_zones(samdb, frame, NULL, &zones_list); + if (!NT_STATUS_IS_OK(status)) { + PyErr_SetNTSTATUS(status); + talloc_free(frame); + return NULL; + } + + werr = dns_common_name2dn(samdb, zones_list, frame, dns_name, &dn); + if (!W_ERROR_IS_OK(werr)) { + PyErr_SetWERROR(werr); + talloc_free(frame); + return NULL; + } + + ret = py_dnsp_DnssrvRpcRecord_get_array(py_dns_records, + frame, + &records, &num_records); + if (ret != 0) { + talloc_free(frame); + return NULL; + } + + werr = dns_common_replace(samdb, + frame, + dn, + false, /* Not adding a record */ + serial, + records, + num_records); + if (!W_ERROR_IS_OK(werr)) { + PyErr_SetWERROR(werr); + talloc_free(frame); + return NULL; + } + + talloc_free(frame); + Py_RETURN_NONE; +} + +static PyObject *py_dsdb_dns_replace_by_dn(PyObject *self, PyObject *args) +{ + struct ldb_context *samdb; + PyObject *py_ldb, *py_dn, *py_dns_records; + TALLOC_CTX *frame; + WERROR werr; + int ret; + struct ldb_dn *dn; + struct dnsp_DnssrvRpcRecord *records; + uint16_t num_records; + + /* + * TODO: This is a shocking abuse, but matches what the + * internal DNS server does, it should be pushed into + * dns_common_replace() + */ + static const int serial = 110; + + if (!PyArg_ParseTuple(args, "OOO", &py_ldb, &py_dn, &py_dns_records)) { + return NULL; + } + PyErr_LDB_OR_RAISE(py_ldb, samdb); + + PyErr_LDB_DN_OR_RAISE(py_dn, dn); + + frame = talloc_stackframe(); + + ret = py_dnsp_DnssrvRpcRecord_get_array(py_dns_records, + frame, + &records, &num_records); + if (ret != 0) { + talloc_free(frame); + return NULL; + } + + werr = dns_common_replace(samdb, + frame, + dn, + false, /* Not adding a node */ + serial, + records, + num_records); + if (!W_ERROR_IS_OK(werr)) { + PyErr_SetWERROR(werr); + talloc_free(frame); + return NULL; + } + + talloc_free(frame); + + Py_RETURN_NONE; +} + + +static PyObject *py_dsdb_dns_records_match(PyObject *self, PyObject *args) +{ + PyObject *py_recs[2]; + struct dnsp_DnssrvRpcRecord *rec1; + struct dnsp_DnssrvRpcRecord *rec2; + size_t i; + bool type_correct; + bool match; + + if (!PyArg_ParseTuple(args, "OO", &py_recs[0], &py_recs[1])) { + return NULL; + } + + for (i = 0; i < 2; i++) { + type_correct = py_check_dcerpc_type(py_recs[i], + "samba.dcerpc.dnsp", + "DnssrvRpcRecord"); + if (! type_correct) { + PyErr_SetString(PyExc_ValueError, + "DnssrvRpcRecord expected"); + return NULL; + } + } + + rec1 = (struct dnsp_DnssrvRpcRecord *)pytalloc_get_ptr(py_recs[0]); + rec2 = (struct dnsp_DnssrvRpcRecord *)pytalloc_get_ptr(py_recs[1]); + + match = dns_record_match(rec1, rec2); + return PyBool_FromLong(match); +} + + +static PyObject *py_dsdb_dns_unix_to_dns_timestamp(PyObject *self, PyObject *args) +{ + uint32_t timestamp; + time_t t; + long long lt; + + if (!PyArg_ParseTuple(args, "L", <)) { + return NULL; + } + + t = lt; + if (t != lt) { + /* time_t is presumably 32 bit here */ + PyErr_SetString(PyExc_ValueError, "Time out of range"); + return NULL; + } + timestamp = unix_to_dns_timestamp(t); + return Py_BuildValue("k", (unsigned long) timestamp); +} + +static PyObject *py_dsdb_dns_timestamp_to_nt_time(PyObject *self, PyObject *args) +{ + unsigned long long timestamp; + NTSTATUS status; + NTTIME nt; + if (!PyArg_ParseTuple(args, "K", ×tamp)) { + return NULL; + } + + if (timestamp > UINT32_MAX) { + PyErr_SetString(PyExc_ValueError, "Time out of range"); + return NULL; + } + status = dns_timestamp_to_nt_time(&nt, (uint32_t)timestamp); + if (!NT_STATUS_IS_OK(status)) { + PyErr_SetString(PyExc_ValueError, "Time out of range"); + return NULL; + } + return Py_BuildValue("L", (long long) nt); +} + + +static PyMethodDef py_dsdb_dns_methods[] = { + + { "lookup", PY_DISCARD_FUNC_SIG(PyCFunction, py_dsdb_dns_lookup), + METH_VARARGS|METH_KEYWORDS, + "Get the DNS database entries for a DNS name"}, + { "replace", (PyCFunction)py_dsdb_dns_replace, + METH_VARARGS, "Replace the DNS database entries for a DNS name"}, + { "replace_by_dn", (PyCFunction)py_dsdb_dns_replace_by_dn, + METH_VARARGS, "Replace the DNS database entries for a LDB DN"}, + { "records_match", (PyCFunction)py_dsdb_dns_records_match, + METH_VARARGS|METH_KEYWORDS, + "Decide whether two records match, according to dns update rules"}, + { "extract", (PyCFunction)py_dsdb_dns_extract, + METH_VARARGS, "Return the DNS database entry as a python structure from an Ldb.MessageElement of type dnsRecord"}, + { "unix_to_dns_timestamp", (PyCFunction)py_dsdb_dns_unix_to_dns_timestamp, + METH_VARARGS, + "Convert a time.time() value to a dns timestamp (hours since 1601)"}, + { "dns_timestamp_to_nt_time", (PyCFunction)py_dsdb_dns_timestamp_to_nt_time, + METH_VARARGS, + "Convert a dns timestamp to an NTTIME value"}, + {0} +}; + +static struct PyModuleDef moduledef = { + PyModuleDef_HEAD_INIT, + .m_name = "dsdb_dns", + .m_doc = "Python bindings for the DNS objects in the directory service databases.", + .m_size = -1, + .m_methods = py_dsdb_dns_methods, +}; + +MODULE_INIT_FUNC(dsdb_dns) +{ + PyObject *m; + + m = PyModule_Create(&moduledef); + + if (m == NULL) + return NULL; + + return m; +} diff --git a/source4/dns_server/wscript_build b/source4/dns_server/wscript_build new file mode 100644 index 0000000..ab0a241 --- /dev/null +++ b/source4/dns_server/wscript_build @@ -0,0 +1,98 @@ +#!/usr/bin/env python + +# dnsserver_common is enabled without the ad-dc to prevent imports from failing +# when samba-tool is called where the ad-dc was not built. The server-side dns +# code is used in the client when we do direct LDAP modification of DNS records. +bld.SAMBA_LIBRARY('dnsserver_common', + source='dnsserver_common.c', + deps='samba-util samba-errors ldbsamba clidns', + private_library=True + ) + +bld.SAMBA_MODULE('service_dns', + source='dns_server.c dns_query.c dns_update.c dns_utils.c dns_crypto.c', + subsystem='service', + init_function='server_service_dns_init', + deps='samba-hostconfig LIBTSOCKET LIBSAMBA_TSOCKET ldbsamba clidns gensec auth samba_server_gensec dnsserver_common', + local_include=False, + internal_module=False, + enabled=bld.AD_DC_BUILD_IS_ENABLED() + ) + +# a bind9 dlz module giving access to the Samba DNS SAM +bld.SAMBA_LIBRARY('dlz_bind9_10', + source='dlz_bind9.c', + cflags='-DBIND_VERSION_9_10', + private_library=True, + link_name='modules/bind9/dlz_bind9_10.so', + realname='dlz_bind9_10.so', + install_path='${MODULESDIR}/bind9', + deps='samba-hostconfig samdb-common gensec popt dnsserver_common', + enabled=bld.AD_DC_BUILD_IS_ENABLED()) + +bld.SAMBA_LIBRARY('dlz_bind9_11', + source='dlz_bind9.c', + cflags='-DBIND_VERSION_9_11', + private_library=True, + link_name='modules/bind9/dlz_bind9_11.so', + realname='dlz_bind9_11.so', + install_path='${MODULESDIR}/bind9', + deps='samba-hostconfig samdb-common gensec popt dnsserver_common', + enabled=bld.AD_DC_BUILD_IS_ENABLED()) + +bld.SAMBA_LIBRARY('dlz_bind9_12', + source='dlz_bind9.c', + cflags='-DBIND_VERSION_9_12', + private_library=True, + link_name='modules/bind9/dlz_bind9_12.so', + realname='dlz_bind9_12.so', + install_path='${MODULESDIR}/bind9', + deps='samba-hostconfig samdb-common gensec popt dnsserver_common', + enabled=bld.AD_DC_BUILD_IS_ENABLED()) + +bld.SAMBA_LIBRARY('dlz_bind9_14', + source='dlz_bind9.c', + cflags='-DBIND_VERSION_9_14', + private_library=True, + link_name='modules/bind9/dlz_bind9_14.so', + realname='dlz_bind9_14.so', + install_path='${MODULESDIR}/bind9', + deps='samba-hostconfig samdb-common gensec popt dnsserver_common', + enabled=bld.AD_DC_BUILD_IS_ENABLED()) + +bld.SAMBA_LIBRARY('dlz_bind9_16', + source='dlz_bind9.c', + cflags='-DBIND_VERSION_9_16', + private_library=True, + link_name='modules/bind9/dlz_bind9_16.so', + realname='dlz_bind9_16.so', + install_path='${MODULESDIR}/bind9', + deps='samba-hostconfig samdb-common gensec popt dnsserver_common', + enabled=bld.AD_DC_BUILD_IS_ENABLED()) + +bld.SAMBA_LIBRARY('dlz_bind9_18', + source='dlz_bind9.c', + cflags='-DBIND_VERSION_9_18', + private_library=True, + link_name='modules/bind9/dlz_bind9_18.so', + realname='dlz_bind9_18.so', + install_path='${MODULESDIR}/bind9', + deps='samba-hostconfig samdb-common gensec popt dnsserver_common', + enabled=bld.AD_DC_BUILD_IS_ENABLED()) + +bld.SAMBA_LIBRARY('dlz_bind9_for_torture', + source='dlz_bind9.c', + cflags='-DBIND_VERSION_9_16', + private_library=True, + deps='samba-hostconfig samdb-common gensec popt dnsserver_common', + enabled=bld.AD_DC_BUILD_IS_ENABLED()) + +pyldb_util = bld.pyembed_libname('pyldb-util') +pyrpc_util = bld.pyembed_libname('pyrpc_util') +pytalloc_util = bld.pyembed_libname('pytalloc-util') + +bld.SAMBA_PYTHON('python_dsdb_dns', + source='pydns.c', + deps='samdb %s %s dnsserver_common %s' % ( + pyldb_util, pyrpc_util, pytalloc_util), + realname='samba/dsdb_dns.so') |