2 Unix SMB/CIFS implementation.
4 Copyright (C) Gerald (Jerry) Carter 2006.
5 Copyright (C) Jeremy Allison 2007.
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 /* AIX resolv.h uses 'class' in struct ns_rr */
31 /* resolver headers */
33 #include <sys/types.h>
34 #include <netinet/in.h>
35 #include <arpa/nameser.h>
39 #define MAX_DNS_PACKET_SIZE 0xffff
41 #ifdef NS_HFIXEDSZ /* Bind 8/9 interface */
42 #if !defined(C_IN) /* AIX 5.3 already defines C_IN */
45 #if !defined(T_A) /* AIX 5.3 already defines T_A */
49 #if defined(HAVE_IPV6)
51 # define T_AAAA ns_t_aaaa
55 # define T_SRV ns_t_srv
56 #if !defined(T_NS) /* AIX 5.3 already defines T_NS */
61 # define NS_HFIXEDSZ HFIXEDSZ
63 # define NS_HFIXEDSZ sizeof(HEADER)
64 # endif /* HFIXEDSZ */
66 # define NS_PACKETSZ PACKETSZ
67 # else /* 512 is usually the default */
68 # define NS_PACKETSZ 512
69 # endif /* PACKETSZ */
73 /*********************************************************************
74 *********************************************************************/
76 static bool ads_dns_parse_query( TALLOC_CTX *ctx, uint8 *start, uint8 *end,
77 uint8 **ptr, struct dns_query *q )
85 if ( !start || !end || !q || !*ptr)
88 /* See RFC 1035 for details. If this fails, then return. */
90 namelen = dn_expand( start, end, p, hostname, sizeof(hostname) );
95 q->hostname = talloc_strdup( ctx, hostname );
97 /* check that we have space remaining */
99 if ( PTR_DIFF(p+4, end) > 0 )
102 q->type = RSVAL( p, 0 );
103 q->in_class = RSVAL( p, 2 );
111 /*********************************************************************
112 *********************************************************************/
114 static bool ads_dns_parse_rr( TALLOC_CTX *ctx, uint8 *start, uint8 *end,
115 uint8 **ptr, struct dns_rr *rr )
121 if ( !start || !end || !rr || !*ptr)
125 /* pull the name from the answer */
127 namelen = dn_expand( start, end, p, hostname, sizeof(hostname) );
132 rr->hostname = talloc_strdup( ctx, hostname );
134 /* check that we have space remaining */
136 if ( PTR_DIFF(p+10, end) > 0 )
139 /* pull some values and then skip onto the string */
141 rr->type = RSVAL(p, 0);
142 rr->in_class = RSVAL(p, 2);
143 rr->ttl = RIVAL(p, 4);
144 rr->rdatalen = RSVAL(p, 8);
148 /* sanity check the available space */
150 if ( PTR_DIFF(p+rr->rdatalen, end ) > 0 ) {
155 /* save a point to the rdata for this section */
165 /*********************************************************************
166 *********************************************************************/
168 static bool ads_dns_parse_rr_srv( TALLOC_CTX *ctx, uint8 *start, uint8 *end,
169 uint8 **ptr, struct dns_rr_srv *srv )
176 if ( !start || !end || !srv || !*ptr)
179 /* Parse the RR entry. Coming out of the this, ptr is at the beginning
180 of the next record */
182 if ( !ads_dns_parse_rr( ctx, start, end, ptr, &rr ) ) {
183 DEBUG(1,("ads_dns_parse_rr_srv: Failed to parse RR record\n"));
187 if ( rr.type != T_SRV ) {
188 DEBUG(1,("ads_dns_parse_rr_srv: Bad answer type (%d)\n",
195 srv->priority = RSVAL(p, 0);
196 srv->weight = RSVAL(p, 2);
197 srv->port = RSVAL(p, 4);
201 namelen = dn_expand( start, end, p, dcname, sizeof(dcname) );
203 DEBUG(1,("ads_dns_parse_rr_srv: Failed to uncompress name!\n"));
206 srv->hostname = talloc_strdup( ctx, dcname );
211 /*********************************************************************
212 *********************************************************************/
214 static bool ads_dns_parse_rr_ns( TALLOC_CTX *ctx, uint8 *start, uint8 *end,
215 uint8 **ptr, struct dns_rr_ns *nsrec )
222 if ( !start || !end || !nsrec || !*ptr)
225 /* Parse the RR entry. Coming out of the this, ptr is at the beginning
226 of the next record */
228 if ( !ads_dns_parse_rr( ctx, start, end, ptr, &rr ) ) {
229 DEBUG(1,("ads_dns_parse_rr_ns: Failed to parse RR record\n"));
233 if ( rr.type != T_NS ) {
234 DEBUG(1,("ads_dns_parse_rr_ns: Bad answer type (%d)\n",
241 /* ame server hostname */
243 namelen = dn_expand( start, end, p, nsname, sizeof(nsname) );
245 DEBUG(1,("ads_dns_parse_rr_ns: Failed to uncompress name!\n"));
248 nsrec->hostname = talloc_strdup( ctx, nsname );
253 /*********************************************************************
254 Sort SRV record list based on weight and priority. See RFC 2782.
255 *********************************************************************/
257 static int dnssrvcmp( struct dns_rr_srv *a, struct dns_rr_srv *b )
259 if ( a->priority == b->priority ) {
261 /* randomize entries with an equal weight and priority */
262 if ( a->weight == b->weight )
265 /* higher weights should be sorted lower */
266 if ( a->weight > b->weight )
272 if ( a->priority < b->priority )
278 /*********************************************************************
279 Simple wrapper for a DNS query
280 *********************************************************************/
282 #define DNS_FAILED_WAITTIME 30
284 static NTSTATUS dns_send_req( TALLOC_CTX *ctx, const char *name, int q_type,
285 uint8 **buf, int *resp_length )
287 uint8 *buffer = NULL;
289 int resp_len = NS_PACKETSZ;
290 static time_t last_dns_check = 0;
291 static NTSTATUS last_dns_status = NT_STATUS_OK;
292 time_t now = time(NULL);
294 /* Try to prevent bursts of DNS lookups if the server is down */
296 /* Protect against large clock changes */
298 if ( last_dns_check > now )
301 /* IF we had a DNS timeout or a bad server and we are still
302 in the 30 second cache window, just return the previous
303 status and save the network timeout. */
305 if ( (NT_STATUS_EQUAL(last_dns_status,NT_STATUS_IO_TIMEOUT) ||
306 NT_STATUS_EQUAL(last_dns_status,NT_STATUS_CONNECTION_REFUSED)) &&
307 (last_dns_check+DNS_FAILED_WAITTIME) > now )
309 DEBUG(10,("last_dns_check: Returning cached status (%s)\n",
310 nt_errstr(last_dns_status) ));
311 return last_dns_status;
317 TALLOC_FREE( buffer );
319 buf_len = resp_len * sizeof(uint8);
322 if ((buffer = TALLOC_ARRAY(ctx, uint8, buf_len))
324 DEBUG(0,("ads_dns_lookup_srv: "
325 "talloc() failed!\n"));
326 last_dns_status = NT_STATUS_NO_MEMORY;
327 last_dns_check = time(NULL);
328 return last_dns_status;
332 if ((resp_len = res_query(name, C_IN, q_type, buffer, buf_len))
334 DEBUG(3,("ads_dns_lookup_srv: "
335 "Failed to resolve %s (%s)\n",
336 name, strerror(errno)));
337 TALLOC_FREE( buffer );
338 last_dns_status = NT_STATUS_UNSUCCESSFUL;
340 if (errno == ETIMEDOUT) {
341 last_dns_status = NT_STATUS_IO_TIMEOUT;
343 if (errno == ECONNREFUSED) {
344 last_dns_status = NT_STATUS_CONNECTION_REFUSED;
346 last_dns_check = time(NULL);
347 return last_dns_status;
349 } while ( buf_len < resp_len && resp_len < MAX_DNS_PACKET_SIZE );
352 *resp_length = resp_len;
354 last_dns_check = time(NULL);
355 last_dns_status = NT_STATUS_OK;
356 return last_dns_status;
359 /*********************************************************************
360 Simple wrapper for a DNS SRV query
361 *********************************************************************/
363 static NTSTATUS ads_dns_lookup_srv( TALLOC_CTX *ctx,
365 struct dns_rr_srv **dclist,
368 uint8 *buffer = NULL;
370 struct dns_rr_srv *dcs = NULL;
371 int query_count, answer_count, auth_count, additional_count;
377 if ( !ctx || !name || !dclist ) {
378 return NT_STATUS_INVALID_PARAMETER;
381 /* Send the request. May have to loop several times in case
384 status = dns_send_req( ctx, name, T_SRV, &buffer, &resp_len );
385 if ( !NT_STATUS_IS_OK(status) ) {
386 DEBUG(3,("ads_dns_lookup_srv: Failed to send DNS query (%s)\n",
392 /* For some insane reason, the ns_initparse() et. al. routines are only
393 available in libresolv.a, and not the shared lib. Who knows why....
394 So we have to parse the DNS reply ourselves */
396 /* Pull the answer RR's count from the header.
397 * Use the NMB ordering macros */
399 query_count = RSVAL( p, 4 );
400 answer_count = RSVAL( p, 6 );
401 auth_count = RSVAL( p, 8 );
402 additional_count = RSVAL( p, 10 );
404 DEBUG(4,("ads_dns_lookup_srv: "
405 "%d records returned in the answer section.\n",
409 if ((dcs = TALLOC_ZERO_ARRAY(ctx, struct dns_rr_srv,
410 answer_count)) == NULL ) {
411 DEBUG(0,("ads_dns_lookup_srv: "
412 "talloc() failure for %d char*'s\n",
414 return NT_STATUS_NO_MEMORY;
420 /* now skip the header */
424 /* parse the query section */
426 for ( rrnum=0; rrnum<query_count; rrnum++ ) {
429 if (!ads_dns_parse_query(ctx, buffer,
430 buffer+resp_len, &p, &q)) {
431 DEBUG(1,("ads_dns_lookup_srv: "
432 "Failed to parse query record!\n"));
433 return NT_STATUS_UNSUCCESSFUL;
437 /* now we are at the answer section */
439 for ( rrnum=0; rrnum<answer_count; rrnum++ ) {
440 if (!ads_dns_parse_rr_srv(ctx, buffer, buffer+resp_len,
442 DEBUG(1,("ads_dns_lookup_srv: "
443 "Failed to parse answer record!\n"));
444 return NT_STATUS_UNSUCCESSFUL;
449 /* Parse the authority section */
450 /* just skip these for now */
452 for ( rrnum=0; rrnum<auth_count; rrnum++ ) {
455 if (!ads_dns_parse_rr( ctx, buffer,
456 buffer+resp_len, &p, &rr)) {
457 DEBUG(1,("ads_dns_lookup_srv: "
458 "Failed to parse authority record!\n"));
459 return NT_STATUS_UNSUCCESSFUL;
463 /* Parse the additional records section */
465 for ( rrnum=0; rrnum<additional_count; rrnum++ ) {
469 if (!ads_dns_parse_rr(ctx, buffer, buffer+resp_len,
471 DEBUG(1,("ads_dns_lookup_srv: Failed "
472 "to parse additional records section!\n"));
473 return NT_STATUS_UNSUCCESSFUL;
476 /* Only interested in A or AAAA records as a shortcut for having
477 * to come back later and lookup the name. For multi-homed
478 * hosts, the number of additional records and exceed the
479 * number of answer records. */
481 if (rr.type != T_A || rr.rdatalen != 4) {
482 #if defined(HAVE_IPV6)
483 /* FIXME. RFC2874 defines A6 records. This
484 * requires recusive and horribly complex lookups.
485 * Bastards. Ignore this for now.... JRA.
487 if (rr.type != T_AAAA || rr.rdatalen != 16)
492 for ( i=0; i<idx; i++ ) {
493 if ( strcmp( rr.hostname, dcs[i].hostname ) == 0 ) {
494 int num_ips = dcs[i].num_ips;
495 struct sockaddr_storage *tmp_ss_s;
497 /* allocate new memory */
499 if (dcs[i].num_ips == 0) {
500 if ((dcs[i].ss_s = TALLOC_ARRAY(dcs,
501 struct sockaddr_storage, 1 ))
503 return NT_STATUS_NO_MEMORY;
506 if ((tmp_ss_s = TALLOC_REALLOC_ARRAY(dcs,
508 struct sockaddr_storage,
511 return NT_STATUS_NO_MEMORY;
514 dcs[i].ss_s = tmp_ss_s;
518 /* copy the new IP address */
519 if (rr.type == T_A) {
521 memcpy(&ip, rr.rdata, 4);
522 in_addr_to_sockaddr_storage(
523 &dcs[i].ss_s[num_ips],
526 #if defined(HAVE_IPV6)
527 if (rr.type == T_AAAA) {
529 memcpy(&ip6, rr.rdata, rr.rdatalen);
530 in6_addr_to_sockaddr_storage(
531 &dcs[i].ss_s[num_ips],
539 qsort( dcs, idx, sizeof(struct dns_rr_srv), QSORT_CAST dnssrvcmp );
547 /*********************************************************************
548 Simple wrapper for a DNS NS query
549 *********************************************************************/
551 NTSTATUS ads_dns_lookup_ns(TALLOC_CTX *ctx,
552 const char *dnsdomain,
553 struct dns_rr_ns **nslist,
556 uint8 *buffer = NULL;
558 struct dns_rr_ns *nsarray = NULL;
559 int query_count, answer_count, auth_count, additional_count;
565 if ( !ctx || !dnsdomain || !nslist ) {
566 return NT_STATUS_INVALID_PARAMETER;
569 /* Send the request. May have to loop several times in case
572 status = dns_send_req( ctx, dnsdomain, T_NS, &buffer, &resp_len );
573 if ( !NT_STATUS_IS_OK(status) ) {
574 DEBUG(3,("ads_dns_lookup_ns: Failed to send DNS query (%s)\n",
580 /* For some insane reason, the ns_initparse() et. al. routines are only
581 available in libresolv.a, and not the shared lib. Who knows why....
582 So we have to parse the DNS reply ourselves */
584 /* Pull the answer RR's count from the header.
585 * Use the NMB ordering macros */
587 query_count = RSVAL( p, 4 );
588 answer_count = RSVAL( p, 6 );
589 auth_count = RSVAL( p, 8 );
590 additional_count = RSVAL( p, 10 );
592 DEBUG(4,("ads_dns_lookup_ns: "
593 "%d records returned in the answer section.\n",
597 if ((nsarray = TALLOC_ARRAY(ctx, struct dns_rr_ns,
598 answer_count)) == NULL ) {
599 DEBUG(0,("ads_dns_lookup_ns: "
600 "talloc() failure for %d char*'s\n",
602 return NT_STATUS_NO_MEMORY;
608 /* now skip the header */
612 /* parse the query section */
614 for ( rrnum=0; rrnum<query_count; rrnum++ ) {
617 if (!ads_dns_parse_query(ctx, buffer, buffer+resp_len,
619 DEBUG(1,("ads_dns_lookup_ns: "
620 " Failed to parse query record!\n"));
621 return NT_STATUS_UNSUCCESSFUL;
625 /* now we are at the answer section */
627 for ( rrnum=0; rrnum<answer_count; rrnum++ ) {
628 if (!ads_dns_parse_rr_ns(ctx, buffer, buffer+resp_len,
629 &p, &nsarray[rrnum])) {
630 DEBUG(1,("ads_dns_lookup_ns: "
631 "Failed to parse answer record!\n"));
632 return NT_STATUS_UNSUCCESSFUL;
637 /* Parse the authority section */
638 /* just skip these for now */
640 for ( rrnum=0; rrnum<auth_count; rrnum++ ) {
643 if ( !ads_dns_parse_rr(ctx, buffer, buffer+resp_len,
645 DEBUG(1,("ads_dns_lookup_ns: "
646 "Failed to parse authority record!\n"));
647 return NT_STATUS_UNSUCCESSFUL;
651 /* Parse the additional records section */
653 for ( rrnum=0; rrnum<additional_count; rrnum++ ) {
657 if (!ads_dns_parse_rr(ctx, buffer, buffer+resp_len,
659 DEBUG(1,("ads_dns_lookup_ns: Failed "
660 "to parse additional records section!\n"));
661 return NT_STATUS_UNSUCCESSFUL;
664 /* only interested in A records as a shortcut for having to come
665 back later and lookup the name */
667 if (rr.type != T_A || rr.rdatalen != 4) {
668 #if defined(HAVE_IPV6)
669 if (rr.type != T_AAAA || rr.rdatalen != 16)
674 for ( i=0; i<idx; i++ ) {
675 if (strcmp(rr.hostname, nsarray[i].hostname) == 0) {
676 if (rr.type == T_A) {
678 memcpy(&ip, rr.rdata, 4);
679 in_addr_to_sockaddr_storage(
683 #if defined(HAVE_IPV6)
684 if (rr.type == T_AAAA) {
686 memcpy(&ip6, rr.rdata, rr.rdatalen);
687 in6_addr_to_sockaddr_storage(
702 /****************************************************************************
703 Store and fetch the AD client sitename.
704 ****************************************************************************/
706 #define SITENAME_KEY "AD_SITENAME/DOMAIN/%s"
708 static char *sitename_key(const char *realm)
712 if (asprintf(&keystr, SITENAME_KEY, strupper_static(realm)) == -1) {
720 /****************************************************************************
721 Store the AD client sitename.
722 We store indefinately as every new CLDAP query will re-write this.
723 ****************************************************************************/
725 bool sitename_store(const char *realm, const char *sitename)
731 if (!gencache_init()) {
735 if (!realm || (strlen(realm) == 0)) {
736 DEBUG(0,("sitename_store: no realm\n"));
740 key = sitename_key(realm);
742 if (!sitename || (sitename && !*sitename)) {
743 DEBUG(5,("sitename_store: deleting empty sitename!\n"));
744 ret = gencache_del(key);
749 expire = get_time_t_max(); /* Store indefinately. */
751 DEBUG(10,("sitename_store: realm = [%s], sitename = [%s], expire = [%u]\n",
752 realm, sitename, (unsigned int)expire ));
754 ret = gencache_set( key, sitename, expire );
759 /****************************************************************************
760 Fetch the AD client sitename.
762 ****************************************************************************/
764 char *sitename_fetch(const char *realm)
766 char *sitename = NULL;
769 const char *query_realm;
772 if (!gencache_init()) {
776 if (!realm || (strlen(realm) == 0)) {
777 query_realm = lp_realm();
782 key = sitename_key(query_realm);
784 ret = gencache_get( key, &sitename, &timeout );
787 DEBUG(5,("sitename_fetch: No stored sitename for %s\n",
790 DEBUG(5,("sitename_fetch: Returning sitename for %s: \"%s\"\n",
791 query_realm, sitename ));
796 /****************************************************************************
797 Did the sitename change ?
798 ****************************************************************************/
800 bool stored_sitename_changed(const char *realm, const char *sitename)
806 if (!realm || (strlen(realm) == 0)) {
807 DEBUG(0,("stored_sitename_changed: no realm\n"));
811 new_sitename = sitename_fetch(realm);
813 if (sitename && new_sitename && !strequal(sitename, new_sitename)) {
815 } else if ((sitename && !new_sitename) ||
816 (!sitename && new_sitename)) {
819 SAFE_FREE(new_sitename);
823 /********************************************************************
824 Query with optional sitename.
825 ********************************************************************/
827 static NTSTATUS ads_dns_query_internal(TALLOC_CTX *ctx,
828 const char *servicename,
829 const char *dc_pdc_gc_domains,
831 const char *sitename,
832 struct dns_rr_srv **dclist,
837 name = talloc_asprintf(ctx, "%s._tcp.%s._sites.%s._msdcs.%s",
838 servicename, sitename,
839 dc_pdc_gc_domains, realm);
841 name = talloc_asprintf(ctx, "%s._tcp.%s._msdcs.%s",
842 servicename, dc_pdc_gc_domains, realm);
845 return NT_STATUS_NO_MEMORY;
847 return ads_dns_lookup_srv( ctx, name, dclist, numdcs );
850 /********************************************************************
852 ********************************************************************/
854 NTSTATUS ads_dns_query_dcs(TALLOC_CTX *ctx,
856 const char *sitename,
857 struct dns_rr_srv **dclist,
862 status = ads_dns_query_internal(ctx, "_ldap", "dc", realm, sitename,
865 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
866 NT_STATUS_EQUAL(status, NT_STATUS_CONNECTION_REFUSED)) {
871 ((!NT_STATUS_IS_OK(status)) ||
872 (NT_STATUS_IS_OK(status) && (numdcs == 0)))) {
873 /* Sitename DNS query may have failed. Try without. */
874 status = ads_dns_query_internal(ctx, "_ldap", "dc", realm,
875 NULL, dclist, numdcs);
880 /********************************************************************
882 ********************************************************************/
884 NTSTATUS ads_dns_query_gcs(TALLOC_CTX *ctx,
886 const char *sitename,
887 struct dns_rr_srv **dclist,
892 status = ads_dns_query_internal(ctx, "_ldap", "gc", realm, sitename,
895 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
896 NT_STATUS_EQUAL(status, NT_STATUS_CONNECTION_REFUSED)) {
901 ((!NT_STATUS_IS_OK(status)) ||
902 (NT_STATUS_IS_OK(status) && (numdcs == 0)))) {
903 /* Sitename DNS query may have failed. Try without. */
904 status = ads_dns_query_internal(ctx, "_ldap", "gc", realm,
905 NULL, dclist, numdcs);
910 /********************************************************************
912 Even if our underlying kerberos libraries are UDP only, this
913 is pretty safe as it's unlikely that a KDC supports TCP and not UDP.
914 ********************************************************************/
916 NTSTATUS ads_dns_query_kdcs(TALLOC_CTX *ctx,
917 const char *dns_forest_name,
918 const char *sitename,
919 struct dns_rr_srv **dclist,
924 status = ads_dns_query_internal(ctx, "_kerberos", "dc",
925 dns_forest_name, sitename, dclist,
928 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
929 NT_STATUS_EQUAL(status, NT_STATUS_CONNECTION_REFUSED)) {
934 ((!NT_STATUS_IS_OK(status)) ||
935 (NT_STATUS_IS_OK(status) && (numdcs == 0)))) {
936 /* Sitename DNS query may have failed. Try without. */
937 status = ads_dns_query_internal(ctx, "_kerberos", "dc",
938 dns_forest_name, NULL,
944 /********************************************************************
945 Query for AD PDC. Sitename is obsolete here.
946 ********************************************************************/
948 NTSTATUS ads_dns_query_pdc(TALLOC_CTX *ctx,
949 const char *dns_domain_name,
950 struct dns_rr_srv **dclist,
953 return ads_dns_query_internal(ctx, "_ldap", "pdc", dns_domain_name,
954 NULL, dclist, numdcs);
957 /********************************************************************
958 Query for AD DC by guid. Sitename is obsolete here.
959 ********************************************************************/
961 NTSTATUS ads_dns_query_dcs_guid(TALLOC_CTX *ctx,
962 const char *dns_forest_name,
963 const struct GUID *domain_guid,
964 struct dns_rr_srv **dclist,
967 /*_ldap._tcp.DomainGuid.domains._msdcs.DnsForestName */
970 const char *guid_string;
972 guid_string = GUID_string(ctx, domain_guid);
974 return NT_STATUS_NO_MEMORY;
978 domains = talloc_asprintf(ctx, "%s.domains", guid_string);
980 return NT_STATUS_NO_MEMORY;
983 return ads_dns_query_internal(ctx, "_ldap", domains, dns_forest_name,
984 NULL, dclist, numdcs);